Hello and welcome to the Friday, March 3, 2023 edition of the Sands and its Storms, Stormcast.

My name is Johannes Ulrich, and that I'm recording from Jacksonville, Florida.

The DA today continued his task to come up with ways to detect malicious OneNote files. And well, of course, the reason

we keep talking about OneNote files is because attackers continue to use them to deliver

malware after Microsoft did limit what can be done with other office formats. In order to deliver

their malicious content using OneNote files,

an attacker has to embed a file into the OneNote file. Now, a popular, harmless embedded file type

that you may find in OneNote files are images. If you are trying to find malicious one-note files,

a good idea is to look for one-out files

that have embedded files that are not images.

But of course, in addition to that,

they may contain some harmless images as well.

And that's what the here accomplished with Yara rules, Yara, the open source detection

language. And essentially, all he did here was he counted the number of embedded files. Then he

subtracted, of course, the number of images in the one-o document. If something is left over, well, that's not an image,

and that's sort of what the rule does.

Also important, of course, to know what the right strings are that you have to look for

that identify these different embedded file types.

And in recent years, small quadcopter drones have become really popular.

And of course, with that, there have also been problems with these drones interfering, for example,

with commercial air traffic.

The market leader in this particular segment, DJI, did implement an interesting proprietary

...