Three videos in 2 days? Thanks a ton Ippsec, you material is always amazing and appreciated

Love this approach! When I pop a box I always run "whoami / whoami /all". We created a Azure KQL query to look for those command and additional arguments across the organization and run a custom detection rule when it finds such possible post exploitation activities on any endpoint. Dropping ATP EDR on Linux machine with custom KQL queries can help a lot , especially when one sees the offensive arguments being executed. We look for argument that contain "/dev/tcp/" for example. Very helpful. Every time I watch your videos I adjust the queries lol One can always limit egress traffic on Azure NSG to just drop the revere shell if it gets popped and limit inbound traffic on NSG to limit the overall attack surface Working with Microsoft a lot. , they are not fixing it because it does "not affect back-end infrastructure"

Preparing for OSCP your video's are helping so much ❤️❤️❤️❤️❤️

More Blue team stuffs please!! Big up ippsec

Thanks for the video, very nice to see blue side here, but at the same time I feel like it shows how hard it is to create an universal auditd policy. Even with basic set of best practice rules and reasonably standard fresh Linux install, auditd still flooded logs by misbehaving package manager

Really insightful, thanks!!

Thanks so usefull you are the one IPPsec love you :)

Great video! I started using Laurel after your tweet, then watched the video. Unfortunately, wazuh does not have any rules for Laurel. And translating audit rules to laurel versions takes time. I gave up, for instance. Do you know if any other SIEMs can consume Laurel log easily?

Thanks for the vid!

Thanks for defender content

thanks for the A/D content from Twitter :)

This is really good.

Would be good to log the pathname for the mknod syscall

Echo is a builtin, it does not do any exec syscall (only write(1))

Great video!!! Question for you - how could we send this information to Kafka? I saw an Rsyslog plugin to output to Kafka but do you have any recommendations? Maybe use something like Fluent and scrape the laurel audit.log?

Fun fact: You sound like the host of the LGR youtube channel 😊

21:00 I know asking is lazy but I assume doing a `chmod 4000 /bin/bash` would be recorded in the audit log

how does this affect the logging of something like apparmor profiles in complain or enforce mode???

Question: I‘m watching your video on my ipad while in bed…so, I apologize for my laziness to try it out by myself. If a user deletes 1000000 files…what happens to the auditd log? Will it explode or insane IO?

Am I the only one that can't get logging with apparmor to work when auditd is installed?

Can you make video about selinux to prevent system exploitation.

Dude…dnf is not a redhat firewall…it is the successor of the yum package manager AND the key also states software_mgmt. 😂😊

Can you please let me know if I can combine the following rules: -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_mod -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod As: -a always,exit -F arch=b32 -S chmod -S chown -S fchmod -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod OR -a always,exit -F arch=b32 -S chmod,chown,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_mod Is this valid? thanks

RTFM! This video is so inaccurate that Steve Grubb is rolling in his grave - and the fella is not even dead yet...