ISC StormCast for Friday, November 6th 2020
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 754 Ratings
🗓️ 6 November 2020
⏱️ 16 minutes
🧾️ Download transcript
Summary
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello, welcome to the Friday, November 6, 2020 edition of the Sansonet Storm Center's Stormcast. |
| 0:08.2 | My name is Johannes Ulrich and I'm recording from Jacksonville, Florida. |
| 0:14.0 | Interesting post from Xavier today with an interesting lesson the obfuscating PowerShell code in particular, |
| 0:20.2 | trying to spot the Invoke expression command. |
| 0:24.5 | Invoke expression, roughly equivalent to Eval in JavaScript or exec in Python, is a PowerShell |
| 0:31.8 | command that can be used to execute commands represented in a string. |
| 0:38.3 | Now, this of course is often used in obfuscation techniques, |
| 0:42.3 | so spotting invoke expression is often a good sign |
| 0:47.3 | that you're dealing with malicious power shell code. |
| 0:51.3 | But because this is such a popular signature, the Invoke Expression Command itself |
| 0:57.3 | is often obfuscated. So Xavier is going over soft techniques that attackers are using to |
| 1:05.4 | accomplish this and make it more difficult to spot this particular command. |
| 1:11.6 | So if you're dealing with malicious PowerShell script, |
| 1:14.6 | nice little exercise here for you to go over these different off-your-scation techniques. |
| 1:21.6 | Well, Apple today released updates for everything for iOS, iPadOS, WatchOS, Mac OS, and probably also TVOS. |
| 1:33.3 | I have to double check. I haven't noticed that coming along yet. |
| 1:38.3 | But that's very typical, of course, for Apple because these operating systems share so much code, they're often affected by the same vulnerabilities. |
| 1:48.0 | Of note are three vulnerabilities in iOS that apparently are already being actively exploited in the wild. |
| 1:58.0 | And I think the set of vulnerabilities is also interesting because it's really sort of a neat little exploit chain that you have there. First, we have a vulnerability in Apple's font parser that can be exploited to execute arbitrary code. So that's how an attacker would attempt to originally get access to the phone |
| 2:22.3 | by sending a message or something with a malicious font. Next, we have a vulnerability that is closest |
| 2:29.4 | kernel memory. That's often used to bypass certain anti-exploit protection. And lastly, there is a |
| 2:37.9 | vulnerability that provides a malicious application with the ability to run arbitrary code with |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2026.