christian_taillon

@christian_tail

Followers: 648 | Following: 199 | Media: 21 | Statuses: 272

Cyber nerd who enjoys hunting for evil and helping others fight black hats. Can close Vim without consulting Google. Probably sipping ☕. Opinions are my own.

Earth, Milky Way
Joined June 2020
@christian_tail
christian_taillon
2 months
@CroodSolutions @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity My only theories...
1. Corrupted File - Not correctly transferred or improperly written to disk.
2. Error in File Creation - Bug or issue in the development pipeline.
3. Malicious Content - Created to disrupt operations
@christian_tail
christian_taillon
2 months
@postmindfuck @CroodSolutions @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity I have no deep knowledge, but I am very curious. I actually became an expert this morning. ;) I haven't rebooted a Windows device in years, but I - just like everyone else on twitter - am now an expert at BSOD and I am full of ideas ;)
@christian_tail
christian_taillon
2 months
@CroodSolutions @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity The .sys files responsible for the issue, named C-00000291-*.sys, cause the actual CS driver (CSAgent.sys) to crash, possibly due to their invalid formatting. Not sure why. I wish CrowdStrike would inform us more comprehensively rather than leaving us to piece this together.
@christian_tail
christian_taillon
2 months
@CroodSolutions @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity Full txt too long for X. 32 is bad. 33 is fixed.
c2076a538892265f10a2da864dc0f8b9 C-00000291-00000000-00000032.sys
f3e1448dcdc79d9e5759a9a09e9d5c80 C-00000291-00000000-00000033.sys
@christian_tail
christian_taillon
2 months
@CroodSolutions @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity What will be more interesting at this point is CSAgent.sys, which may reference these .sys files. Which explains the new 33 file. I've been using ClownStrike.
@christian_tail
christian_taillon
2 years
Mallard Spider’s Qakbot is being delivered with a new strategy, Windows Script files (.wsf). Malicious JS embedded within the certificate portion of .wsf file. Stay vigilant!
@christian_tail
christian_taillon
2 months
@CroodSolutions @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity Regarding the speculation of the 2015 first-seen date in VT. I believe this is not related to Crowdstrike at all. One submission file name is `dbwen-US.res`, LibreOffice Database wizard functionalities resource files. This just also happened to have the same null bytes.
@christian_tail
christian_taillon
2 months
@CroodSolutions @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity While I am pontificating with little evidence: There seem to be variations of this 3x series channel file. I wonder if it is something that is based on the OS flavor. Others have also reported my first observed c2076***0f8b9, but there are other corrupted versions as well.
@christian_tail
christian_taillon
2 months
Crowdstrike came out with a Falcon Windows Host Recovery Tool. It helps create a bootable USB for just this task. Many of us have been using live Linux boot USBs (or images for Virtual infrastructure). If you're still struggling with the Crowdstrike outage, this tool simplifies
@christian_tail
christian_taillon
2 months
This is my big problem with this. Mistakes will happen. I'm sure I make more than the average dev at CrowdStrike. Out-of-band content updates ignoring customer rollout/update policy should not include changes that have the capacity to BSOD.
@patrickwardle
Patrick Wardle
2 months
Note "channel updates ...bypassed client's staging controls and was rolled out to everyone regardless" A few IT folks who had set the CS policy to ignore latest version confirmed this was, ya, bypassed, as this was "content" update (vs. a version update)
@christian_tail
christian_taillon
2 years
@RobertMLee Indeed. It's painful to hear finance and tech influencers call it a store of value and even an inflation hedge. At best it's a speculative asset. Too bad. I think crypto's strength was never as a store of value or growth investment but as a decentralized exchange of value.
@christian_tail
christian_taillon
2 months
@jaikeysarraf @CroodSolutions @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity Almost certainly. There is just a significantly high probability that the threats were not nationally so ;) We will see as more information comes out. I'm relatively confident that, like CrowdStrike's legal team is posting, this was a mistake that they fixed. We shall see.
@christian_tail
christian_taillon
2 months
@BaryLevy_ @CroodSolutions @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity That is what we all couldn't figure out this morning. I figured things crashed earlier because it wasn't the correct format. It was Channel File content for the System Driver CSAgent.sys.
@christian_tail
christian_taillon
2 months
2024 is now the year of the Linux desktop. 🐧
@christian_tail
christian_taillon
2 months
I guess we are all just waiting to hear the intern's name at this point.
@christian_tail
christian_taillon
2 months
Love my CS friends, just memeing through the pain. PRC to hire laid-off CrowdStrike staff to create a new team for developing new ways to bring down entire countries' IT systems. #CrowdStrikeUpdate #bsod
@christian_tail
christian_taillon
2 months
@thomasmechen @CroodSolutions @mneimsky @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity When I saw this, I wondered if the issue may have been caused previously. I cannot find anything yet. Pontificating: compilation errors, empty source code, linker issues, misconfiguration, build system problems. Any of these could have occurred in 2015.
@christian_tail
christian_taillon
2 years
@IamRenganathan @cyberpion I didn't believe in magic until cyberpion. But seriously, the data they can give you to prioritize vulnerabilities is phenomenal. Also, @corelight_inc . Not sure if it's still a startup. Benefits of FOSS with the features and polish of an Enterprise product.
@christian_tail
christian_taillon
2 months
I'd like to retweet this post that I didn't fully understand the technical aspects of, where the author talks about people retweeting posts they didn't understand. I used ChatGPT to explain it all to me like I was five. It helped a little.
@taviso
Tavis Ormandy
2 months
This strange tweet got >25k retweets. The author sounds confident, and he uses lots of hex and jargon. There are red flags though... like what's up with the DEI stuff, and who says "stack trace dump"? Let's take a closer look... 🧵1/n
@christian_tail
christian_taillon
2 years
@vxunderground Starting a web store where you sell access to the password for a nominal fee. They will Google it. If that fails, you might make some cheddar.
@christian_tail
christian_taillon
2 months
@ena_bbq @CroodSolutions @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity Files sourced from Crowdstrike when they deployed them to my environment yesterday ;)
@christian_tail
christian_taillon
1 year
Me yesterday. So relatable.
@rootsecdev
rootsecdev
1 year
Tweet media one
@christian_tail
christian_taillon
2 months
@UK_Daniel_Card @CroodSolutions @SamunoskeX @MalwareJake @SwiftOnSecurity I agree; while it isn't impossible, it seems highly unlikely, particularly with CrowdStrike's response. I think something corrupted the system driver.
@christian_tail
christian_taillon
2 months
Except I bet most Linux users work at companies whose IT departments have Windows.
@nixcraft
nixCraft 🐧
2 months
#linux users right now 🐧
@christian_tail
christian_taillon
1 year
Diving deep into the OpenAI API from the terminal has never been easier. My CLI tool lets you swiftly "train" ChatGPT on your local tools, supports markdown rendering, and the peace of mind that your inputs won't be used for future model training.
@christian_tail
christian_taillon
2 years
I finished compiling some of my research on what's new with Qbot this fall. Hoping it is a helpful analysis and summary of what we have learned from the last few weeks facing Qbot. Happy Duck Hunting! #qakbot #bot #malware #threatintel
@christian_tail
christian_taillon
2 months
@WokeHeresy @CroodSolutions @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity But to answer your question, Cybersecurity companies in Crowdstrike's space could not offer effective solutions to protect their customers without access to information and controls only made available through drivers like these.
@christian_tail
christian_taillon
1 month
Sharing an article on the CrowdStrike BSOD issue I contributed to with @CroodSolutions . Initially, chaos ensued, and various theories were circulated. As experts provided clarity, at least by dispelling theories and correcting Twitter threads, the fight against misinformation
@christian_tail
christian_taillon
1 month
Did CrowdStrike do to Linux what it did to Windows months before the BSOD-magedon? I've noticed a lot of casual references to the "Linux kernel panics CrowdStrike caused" and not enough analysis of it. After responding to numerous questions from colleagues, I decided to compile
@christian_tail
christian_taillon
2 years
@AccidentalCISO @CroodSolutions @SamunoskeX Agreed, well put. This problem exists in other security solutions as well, but it is particularly present in SIEM products. There is such a spectrum. Some offerings are so weak that orgs use other tools to fill the features that their SIEM lacks. One reason I like leveraging FOSS.
@christian_tail
christian_taillon
2 months
@TheFl0orIsLaVa Me this morning with a Linux laptop and all the technologies I'm responsible for running on Linux servers. ❤️🐧
@christian_tail
christian_taillon
1 month
Llama3.1:405b is now available through ollama. This is huge (literally and figuratively).
@christian_tail
christian_taillon
9 days
@CroodSolutions @Natha_Sect @SteveD3 Obsidian supports a vim mode. ❤️
@christian_tail
christian_taillon
2 months
@vxunderground The Kali and vim one got me. 😆
@christian_tail
christian_taillon
1 year
This is true... For Manjaro. One Nvidia driver update away from bricking your system. Don't get me started on their security experiences. Glad to say I've put less work into maintaining my system since switching to Debian Test. EndeavorOS has also treated me well.
@ManjaroLinux
Manjaro Linux
1 year
Linux is free ... if your time has no value. EU/UK: US/CAN:
@christian_tail
christian_taillon
2 months
@attrc @CroodSolutions @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity Just to confirm @attrc , we did confirm there is nothing but zeros. Here is the output of your suggestion as well:
@christian_tail
christian_taillon
2 years
I have a headache.
@christian_tail
christian_taillon
1 year
@cyb3rops This is sad. Under the guise of sharing Intel, Threat Hunting is being turned into a sales opportunity to sell more MS product by teasing people with solutions only readily available if you buy more. This behavior makes adopting Sigma even more important.
@christian_tail
christian_taillon
2 years
@nixcraft Audio was a pain until last year, when I moved to Dell XPS 13 and XPS 15. I haven't had issues since. Now it's using Teams on Linux. I use the PWA and it doesn't keep track of my availability status well at all. It thinks I'm gone unless I am working in Teams itself.
@christian_tail
christian_taillon
2 months
@UK_Daniel_Card ♥️ Right on. This is a tough day. Another potential lesson. System drivers should go to n, then n-1, then n-2, etc. A system driver capable of BSOD is not an out-of-band minor "content update." Said from a recovering Arch Linux user.
@christian_tail
christian_taillon
2 years
@CroodSolutions @BHinfoSecurity I haven't bought the expansion pack yet. Been years since I played. Great one to play with kids too. You can talk about the concepts on the cards as they come up.
@christian_tail
christian_taillon
2 years
@cyb3rops A time attribute is a valuable property in datasets. Whenever I teach on Threat Intel feeds, I always recommend that indicator matching be done against logs a few weeks old in addition to recent data. Sometimes the intel is a few weeks old. You have to use it appropriately.
@christian_tail
christian_taillon
2 months
@WokeHeresy @CroodSolutions @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity A better question is, why is a system driver pushed as an "out of band content update" rather than as a package with an updated sensor version? Customers across n, n-1, n-2, and even with pinned versions were impacted by this.
@christian_tail
christian_taillon
2 years
@TechnoTimLive I use KVM + QEMU for my home servers. I have some cloud instances on Digital Ocean but have been checking out AWS more and have some always free tier services. Loving AWS + Terraform.
@christian_tail
christian_taillon
2 years
Crowdstrike Overwatch made some excellent points regarding internal threat hunting. But I disagree with their conclusion. In this post, I offer a different perspective along with strategies to make part-time threat hunting more effective and efficient.
@christian_tail
christian_taillon
2 months
@janekm @UK_Daniel_Card @giridamerla @CroodSolutions @drahcir_rahl @juanmtrejo @Panopticonomy @ErrataRob @SamunoskeX @MalwareJake @SwiftOnSecurity Sure, they would be an attractive target to own, but likely not one to go after. The Teamviewers of the world are far easier targets. Also, CS isn't a rootkit. This driver functionality enables visibility and preventative controls. No current reason to suspect compromise.
@christian_tail
christian_taillon
2 years
I, like many, like to make jokes about Ubuntu. I'm not a fan of snap. It is no longer one of the few easy to install and use distros, most modern options are just as polished. But if it gets you on Linux, then welcome to the community! You can always distro hop around later.
@christian_tail
christian_taillon
1 year
Debian 12 is 6 days old! One of the most stable flavors has all the latest and greatest right now. Great time to try leaving Windows. Don't even have audio issues. But this is still too funny.
@christian_tail
christian_taillon
2 months
@MikeYup10 @UK_Daniel_Card @CroodSolutions @SamunoskeX @MalwareJake @SwiftOnSecurity If someone tries to use this as a reason for wiping the computer disk, it wouldn't be a good justification as it is completely unnecessary. This issue doesn't justify disk wiping (particularly the use of bitbleach or similar software to make data unrecoverable).
@christian_tail
christian_taillon
2 years
@AccidentalCISO Love to see an episode happen with you and @CroodSolutions
@christian_tail
christian_taillon
4 months
@CroodSolutions @AccidentalCISO Honestly, if ChatGPT could just run all my email. That would be great. But alas...
@christian_tail
christian_taillon
2 months
@vxunderground But... this is the year of the Linux desktop. Right? #hailtux
@christian_tail
christian_taillon
1 year
I am at the front of the line wanting to avoid a Log4j type situation again, but the implications of making the non-profit foundations liable will result in new open source licensing which will make it illegal to use open source wherever such laws apply.
@christian_tail
christian_taillon
2 years
@nixcraft Debian for stability. Debian Test for my personal laptop and Debian Stable for my work laptop. For some reason I gravitate back to RHEL variants for personal servers (CentOS Stream and soon Alma Linux). Alpine for specific cases.
@christian_tail
christian_taillon
2 years
Mallard Spider's #QakBot is back in significant volume! Some things to know. 1. The adversary effectively uses Email Chain Compromise / Email Thread Injection, where they reply to an existing conversation obtained from a previously compromised account.
@christian_tail
christian_taillon
2 months
@giridamerla @CroodSolutions @drahcir_rahl @juanmtrejo @Panopticonomy @ErrataRob @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity Official statements from Crowdstrike are likely 100% accurate. This isn't a cyberattack. I wouldn't be surprised if they testify before Congress, and no one would risk jail time to save their bottom line. Stock impacted. It would be fraud they couldn't hide. Mistakes happen.
@christian_tail
christian_taillon
2 years
@sansforensics @SANSInstitute @rj_chap Congratulations! Keep raising the bar!
@christian_tail
christian_taillon
1 year
And by people, that definitely includes me. 😉
@christian_tail
christian_taillon
2 years
The more I try other IDEs, the more I appreciate Atom's simplicity and power. Not saying others are bad, but Atom was an IDE that was pretty great. Who knows what could have been had Microsoft not bought GitHub.
@christian_tail
christian_taillon
1 year
Finished the Windows installer and tested on Windows 10 & 11 with Windows Terminal. Mac and Linux installers have been improved as well. Check out the tool I built to integrate the GPT models into your terminal.
@christian_tail
christian_taillon
2 years
@Pits666 @DebugPrivilege The Milky Way in the Local Group in the Virgo Cluster.
@christian_tail
christian_taillon
2 months
@GossiTheDog I saw a screenshot I took was shared on LinkedIn. The screenshot was boring, showing nothing interesting; my post was basically a "yeah I have no idea in the world what this is" - hoping others would explain. I guess it doesn't take much.
@christian_tail
christian_taillon
2 years
@adarsh____gupta Microsoft didn't integrate with Atom. Now Atom is being sunset. I have toyed with it recently in VS Code. It's pretty sweet.
@christian_tail
christian_taillon
2 years
@SecurePeacock @klrgrz I liken it to a doctor visit. Reactive SOC: go to the doctor for a fever and sore throat. Proactive Hunter: coming in for a check-up to ensure nothing is wrong. Both visits will have some overlap in what is examined. Both visits have similar purposes, but different functions.
@christian_tail
christian_taillon
2 years
@dccybersec Fixing someone else's printer
@christian_tail
christian_taillon
2 years
@wearyandroid Which one allows me to consume my unreasonable amount of coffee? ☕
@christian_tail
christian_taillon
4 months
This is hilarious. In my next employment interview, I'm going to have to admit that my weakness is email.
@CroodSolutions
CroodSolutions
4 months
@AccidentalCISO a few of us wrote up this new CVE based upon our frustration with email backlog, and I immediately thought of you. CVE-2020-65837 "Read After Months Flaw, Allowing Messages and Customer Requests in Queue to Go Unread" CVSS score of 3.1 / Exploitability Level
@christian_tail
christian_taillon
1 year
@cyberqueenmeg Lol! It's Saturday, I spoke highly of Ubuntu this week while teaching a Linux class about enterprise Linux use, and I haven't bothered with Manjaro in well over 6 months. I'll keep it at, if I were to compromise in a delay in package releases, which can delay security fixes...
@christian_tail
christian_taillon
11 months
@cyb3rops Interesting thought. The -f option already exists and allows users to specify patterns to match from a file. Many programs accept options specified with flags but do not require a flag to specify the file/path the file will be executed upon. Example: we don't `cat -f` a file.
@christian_tail
christian_taillon
2 years
Signed a lease for a third year at my apartment. My new monthly rent is now 48% more than my initial rent in 2020 for the same apartment. In that same time, the FED reports a 6.1% increase in rent for Primary Residence in U.S. City. I must be one very unfortunate outlier.
@christian_tail
christian_taillon
2 years
4. Watching out for command script files like .bat or .cmd files. 5. They use compromised web servers; the domains and registration may be "clean" in Threat Intel and more than several years old.
@christian_tail
christian_taillon
2 years
I'm so excited for the honor of speaking at CactusCon again. Such a great event. See you all there tomorrow!
@CactusCon
CactusCon
2 years
Join us online or in person on January 27th with @christian_tail presenting: "Can Ducks Teach Us how to Share: What hunting Qakbot and other threats teach us about CTI" Register now or check out our amazing schedule @ ! #infosec #cc11
@christian_tail
christian_taillon
2 years
@ReplikaMr I ping-pong between skill development for either from month to month. Thankfully, they aren't mutually exclusive. Depending on licenses, organizations, or research partnerships you have, some forensics capabilities can be fine fuel for CTI!
@christian_tail
christian_taillon
2 years
I'm thankful to say I don't have problems with Linux audio. The audio issues I've experienced using Linux for work have been user error. Still, the concept is so relatable. For example, Linux tried to dim brightness on my OLED by sending signal to decreasing backlight. Lol.
@thatstraw
TRÄW🤟
2 years
Do you have an audio problem on your Linux desktop?
@christian_tail
christian_taillon
2 months
@UK_Daniel_Card I think about this all the time. So far my imagination's been worse than reality, for now.
@christian_tail
christian_taillon
2 years
This is great. But evidently I need to grow an epic beard.
@christian_tail
christian_taillon
2 years
@nixcraft IT Security Engineer gratefully using Debian.
@christian_tail
christian_taillon
1 month
@cocktailpeanut @ollama I would say grab popcorn but you could probably take a whole course on cooking and cook dinner before it is complete.
@christian_tail
christian_taillon
2 years
@omglinuxtv Microsoft can't even get it to work well on Windows.
@christian_tail
christian_taillon
2 years
@Pits666 @DebugPrivilege Couldn't resist. But Kiribati.
@christian_tail
christian_taillon
2 months
@vxunderground It was really convenient! I haven't booted a Windows device in years, but I woke up and just like everyone else, was an expert in drivers, Windows EDR dev, and BSOD - like everyone else on Twitter. Please, Crowdstrike should have been asking me what happened! #CrowdStroke
@christian_tail
christian_taillon
2 months
@christitustech @MakinTheVillain It was a big deal. This will be bigger.
@christian_tail
christian_taillon
2 years
@RobertMLee Me waiting until I feel knowledgeable enough to feel comfortable enough to no longer consider myself a complete novice in cybersecurity.
@christian_tail
christian_taillon
2 years
@infosec_00F Debian. ;)
@christian_tail
christian_taillon
2 years
@ArmyChiefCyber This must be a UDP joke...
@christian_tail
christian_taillon
2 months
@AlyssaM_InfoSec Well said. ♥️ I'm a bit of a CS fan here. I'll take a moment to express my appreciation to everyone in an IT Support role today. My time in IT Support helps me see that many people are venting, with some decent justification. IT Support is hearing a lot today. They can vent
@christian_tail
christian_taillon
5 months
It may be unwise to run xz to check your version.
@julianor
Juliano Rizzo
5 months
Jia Tan's git commit to turn off Landlock sandboxing one week after Lasse Collin improved it. I understand the sandbox is for xz, the command line tool, and Jia did not need to disable it for the SSHD backdoor. 🤔The xz command also activates the backdoor?
@christian_tail
christian_taillon
2 years
2. Watch out for emails with links to password-protected zip downloads. 3. Watch out for shortcut files (.LNK) that lead to file downloads.
@christian_tail
christian_taillon
2 months
@CroodSolutions @MikeYup10 @SamunoskeX @MalwareJake @UK_Daniel_Card @SwiftOnSecurity Agreed. Their clarification has helped a lot. It was kind of frustrating having to piece together a narrative ourselves. Their new response does seem to explain everything. Waiting for RCA.