ISC StormCast for Friday, September 29th 2017
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 754 Ratings
🗓️ 29 September 2017
⏱️ 6 minutes
🧾️ Download transcript
Summary
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello, welcome to the Friday, September 29th, 2017 edition of the Sands Internet Storm Center's Stormcast. |
| 0:09.0 | My name is Johannes Ulrich and I am recording from Baltimore, Maryland. |
| 0:14.0 | Well, I'm here in Baltimore teaching intrusion detection, so really fitting that Xavier today posted about how to analyze huge amounts |
| 0:24.1 | of PCAP data. One really interesting tool here is MoLock. Moloch is a database that collects |
| 0:32.8 | essentially PCAP data and then makes it available via an elastic search database. It also |
| 0:40.1 | implements a real neat and slick web front end. Xavier shows how to install these |
| 0:46.2 | components really quickly using a Docker container and then goes over some of the |
| 0:52.7 | features of Moloch. |
| 0:55.0 | So we'll create weekend project and of course a hat tip to William Saluski, the person behind Moloch. |
| 1:03.0 | And CyberArk found an interesting vulnerability that can be used to bypass Windows Defender and possibly other anti-malware systems as |
| 1:14.3 | well. They call it illusion gap and it relies on the victim downloading the malicious file |
| 1:21.0 | from an SMB file share. The problem here is that initially the victim will download the file using a process on the system. |
| 1:29.3 | Creating that process does trigger antivirus to then check on the file, which triggers an additional request from the antivirus software to the file share in order to download and inspect the file. |
| 1:43.3 | Illusion gap relies on identifying whether or not a request was initiated by a process the |
| 1:50.3 | user started or by anti-malware. |
| 1:53.6 | Whenever the user downloads the file, the malicious file is served. |
| 1:58.3 | If anti-malware downloads the file, then a benign file is served, essentially |
| 2:04.3 | confusing anti-malware and allowing the particular file to run. Now, CyberArk did notify Microsoft |
| 2:12.1 | about this issue. The problem here is that Microsoft doesn't really see it as a big problem because in order |
| 2:18.7 | to download the file from this particular SMB server, the user first has to trust and |
| 2:25.6 | connect to that SMB share, which triggers a number of pop-ups. This could not be exploited by |
| 2:32.8 | uploading this file on a share. user already trusts, because in order to switch the file, the attacker actually has to swap out the SMB server used to serve the files. |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2026.