Hello, welcome to the Friday, January 13th, 2017 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and the day I'm recording from Jacksonville, Florida.

You may have run into this where you had a compromise system, but really the system wasn't configured with any kind of central logging and well not really configured much for security at

all so how do you analyze an event like this well in the windows world you have a pretty interesting

tool as mark points out the system resource utilization monitor problem with that was well

the file it leaves with all the

information. There wasn't really a convenient way to access the data short of buying the fairly

expensive NK's product. To help with that, Mark wrote a little program that will dump the information

from this file into an Excel spreadsheet

and then will allow you to review it.

You'll get a lot of details about which programs first started and who started them

and lots of context around that.

And of course the tool is available for free.

Mark has a GitHub repository

from which you can download it. And Docker released a security announcement and with that

an update to Docker version 1.12.6. This update fixes a privilege escalation vulnerability

that could allow an attacker to escape out of a container.

Now, usually previous escalation vulnerabilities aren't really all that super critical,

but in this particular case, because Docker is often used to isolate untrusted processes,

it's probably something that you would like to

address rather quickly. And then we have yet another reminder how important it is to keep track

of your DNS configuration. In this latest example, the problem was that a domain that was used by

...