Hello, welcome to the Friday, June 3, 2020 edition of the Sandsenet Storm Center's Stormcast. My name is

Johannes Ulrich, and today I'm recording from Jacksonville, Florida. Sorry for pushing out yesterday's

podcast a bit late, just forgot to run the bash script that does the post-processing, and thanks for everybody

noting that makes me feel like someone is actually listening. So you may see actually

two Friday podcasts because the Thursday one came out a little bit late, then was labeled as Friday.

If you're getting into incident response and forensics, of course, one of the challenges

always sort of that initial, I call it, triage part where you have a system that's likely

compromised and you quickly need to figure out how bad is it, is it worth diving in deeper?

So to help you answer this, we today have a diary by one of our undercredit interns, Logan Fluk, who wrote up a quick

introduction into RecMD, and that's a tool that was created by Eric Zimmerman. If you are into instant response, you are for sure familiar with his tools.

And essentially a command line interface for registry explorer to extract values from the registry hive using a little batch file where you can specify what values

you may be interested in. The output is a CSV file, so ideally suited for an additional processing

with simple command line tools, or if you insist to throw it into a tool like Excel or Timeline Explorer, for

example, and that's what Logan is explaining here.

So if you're interested in a tool, you can see the quick walkthrough in today's diary.

Let me have a coordinated release between aaxity and Adelaation regarding vulnerability

in Adelaideon confluence.

That's already actively exploited.

It's an unauthenticated remote code execution vulnerability, so about as bad as it gets.

CVE 2022-26-134, and Vlexity has observed exploitation, and the attacker

then used a memory-based implant in order to evade detection. All versions of Confluence

server and data center are affected.

...