Hello, welcome to the Monday, August 29th, 2020 edition of the Sands Internet Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

This weekend, we had a number of nice Internet Storm Center diary posts, so let's start with one by DDA showing how to deal with false positives when scanning

memory dumps for Cobalt Strike Beacons.

To do so, DDA updated his 1768.PY tool.

This tool typically searches for the beacon information in memory dumps by looking for the header.

But while that particular pattern may show up in unrelated memory segments and that of course gets you then false positives, a new option to the tool will now apply additional sanity checks, removing the false positives

from the output.

Now, the sanity checks that they introduced will check if the payload type and the public

key values are reasonable, basically whatever numbers come back for payload type, that

is one that's actually being

used. One cause of these false positives is also that antivirus signatures will sometimes

contain those patterns. Of course, they're also looking for those patterns. And that sort of is

how they end up in memory. An additional feature that the 1768.P.Y.

tool has is to offer a verbose mode. With the verbose mode, you'll sort of get a little memory dump,

basically, around the area where the signature was matched.

And in the case of antivirus tools, you often then see strings indicating essentially the malware signature, the malware name that is then being associated with that signature.

So that usually gives you a good idea that you're dealing here with signatures,

not with the actual malware.

And Gion, Saturday, took a look at HDP2,

somewhere to seeing TLS requests to non-TLS servers.

If you have an HTP2 request

...