Hello, welcome to the Monday, January 10th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Last week, we had an interesting write-up by Renato about an attack tool that took advantage of MS-built-in in order to launch malicious code.

Now, of course, this weekend we have to follow up from DDIHs, showing how to decrypt the

Cobalt Strike beacon that was deployed by this script.

The hex encoding was slightly not standard.

Some leading Ceres were missing, soDGA had to adjust his script,

but once that was done, he could apply his 1768.PY script to extract the configuration,

and of course, with that everything you need, including the keys being used by Cobalt Strike.

And remember when we talked about J&I and Log 4J, one of the comments was that, hey,

J&I is actually used in other contacts.

It's not something that Log 4J sort of uses exclusively and looks like we do see some other similar vulnerabilities

pop up. Most notably this weekend, the H2 database, which is a lightweight Java database.

The console that actually processes data that's being received by the database is susceptible

to the JNDI issue, basically

where you are able to execute code in the database by using JNDI.

What makes it a little bit less severe than what happened with Log 4J is that the console

by default only listens on loopback, so that makes it a little bit

less severe.

Also a little bit easier to find because the attack would work against the database itself.

So it wouldn't get processed later on like with Log 4J once the data is being logged,

but as the data is being logged, but as the data

...