Hello, welcome to the Monday, January 17th, 2020 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida. Friday got some little bit odd scans from researchers that apparently are looking for alternate data streams.

At least that's sort of

what the scans are looking like. The other thing they sort of share is that they're looking

for index.jsp. So what you would see is index.jSP, then colon, colon, dollar data,

which does match the format of the NT file system, alternate data streams.

Not sure if it will actually work.

I tried it against a quick window system I had set up here.

Didn't really work for me, but again, it did not actually run Java.

So not sure if that's only Java or if I didn't have to write file system.

If anybody has any insight into what they were looking for, let me know.

Also, later we got some feedback that other attackers are looking for similar patterns,

not just against index.jsp.

The intent here is likely according to some of the FAQs from OASP, for example, and their cheat sheets

to bypass filters that essentially are trying to reach a certain file like index.js.p,

but you're not trying to use that file name

by appending colon-colon-dollar data.

Functionally, the same thing as looking at index.js.

But a weblication file wall or some other filter like this

may get fooled into believing

that you're actually looking for a different page.

And after releasing its monthly updates last week, Microsoft, of course, experienced some problems

...