Sandfly 2.8.2 is here and features many upgrades including over 1,000 compromise detection and incident response modules for Linux. This update features: User password entry decoder to search for password age, expiration and hash parameters. …
READ MORESandfly 2.8.2 – Over 1,000 Linux Compromise Detection Modules and More
A big myth around investigating Linux malware is that the first tool you need is a debugger and deep knowledge of assembly to understand what it does. It’s easy for admins and security personnel responding …
READ MORELinux Malware Investigation Myth: You Don’t Need a Debugger
Let’s talk about Linux file descriptors and how to investigate a malicious process using them. What Is a File Descriptor? Since the inception of Unix (on which Linux is based), everything is a file. We …
READ MOREInvestigating Linux Process File Descriptors for Incident Response and Forensics
Sandfly 2.8.0 is released and features a major new upgrade allowing users to automatically respond to detected Linux attacks agentlessly. In addition to this we have made large performance upgrades to the backend server and …
READ MORESandfly 2.8.0 – Agentless Active Attack Response for Linux
Sandfly 2.7.2 has been released. This is a bug fix release to address a performance issue. In the last release Sandfly introduced more extensive process decloaking for stealth rootkits. The technique effectively decloaks many kinds …
Let’s talk about how to be effective detecting intruders. Or what we at Sandfly Security simply call: Getting in the fight. First to lay some groundwork, the policy of Sandfly Security is that we don’t …
We have released a new tool called sandfly-processdecloak designed to decloak hidden processes from two common and easily deployed Linux Loadable Kernel Module (LKM) stealth rootkits: Diamorphine and Reptile. You can download the tool from …
READ MORELinux Stealth Rootkit Process Decloaking Tool – sandfly-processdecloak
Sandfly 2.7.0 is now out and features some significant upgrades. Sandfly modules now are tagged with Mitre ATT&CK categories and tactics. We are able to completely decloak even more hidden processes with Linux Loadable Kernel …
A developing threat to Linux over the last several years has been the idea of fileless malware. Fileless malware is designed to inject itself into a running Linux system and leave no traces on the …
READ MOREDetecting Linux memfd_create() Fileless Malware with Command Line Forensics