Hello and welcome to the Monday, February 13, 2023 edition of the Sands and at Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Got a couple of interesting diaries this weekend. The first one was a brief one by Xavier talking about attackers using PowerShell to disable

script block logging. Script block logging is, well, as the name sort of implies,

used to log what PowerShell scripts do, and attackers don't like that, so they tend to disable it.

In this particular example that Xavier has, there's sort of some obfuscated code being used

using collection generic dictionary object in order to disable this logging.

Interesting little code snippet and probably something kind of

that should be considered suspicious or malicious as is. And SEAC is certainly one of my favorite,

if not the favorite tool to analyze PCAP data. Now often you don't run SEAC at the time that you collect the packets, but you

are running SEACs later on packets that you collected, for example, from some incident.

And Jesse is walking you through the process in a second diary from this weekend, talking about

how to prepare your P-Caps to run them through Seek.

For the most part, well, a Seek will just read P-Caps, but there are a couple of artifacts that sometimes you block that or that you may run into.

One is if the packet capture got sort of disrupted in the middle of capturing a packet,

it often happens if you sort of exit out of T's-B-Dump with Control Z.

Then we also do sometimes want to merge different P-Caps,

and Jesse is just walking you through the process of using PCAP fix

and then a merge cap to actually get the packet capture ready, and then also a couple sort of little hints on using the seek data.

And with new tools come, new vulnerabilities.

One of the interesting tools, of course, being revealed and really sort of

taking off this last month is GPT3-based chat engines, like most notably chat, GPT, but also

the new in limited beta Bing chat bot.

...