Hello, welcome to the Monday, January 24th, 2020 edition of the Sands and the Storms

and it's Storms on a stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

I keep seeing this about network traffic, but the same is also true about systems.

If you look at systems or network traffic at a time of an incident, well, it's kind

of too late to figure out what's normal.

And that can be very important to know as you need to identify if a certain artifact

that you're seeing is just, well, the way the system is supposed to behave or maybe something that's related to the attack.

Where this came up was in an incident that Boyan was working on, and this was a list of domain

names that the victim found in Wynet.dll.

Now, Wynet.t.dl is one of those basic Windows libraries

that deals with network connections,

and it had a very long and extensive list of domains here,

some of them relatively obscure.

Well, it turned out that this was perfectly normal.

Modern operating systems, modern browsers are supporting a feature referred to as strict transport security,

where a website may indicate that it's only accessible via HDPS.

Well, as part of this feature, there's also a preload capability where you can add your website to a list of websites that are automatically being flagged as HTTP only by the operating system or the browser.

And turns out that wheninet.dl contains exactly that list.

So this is a list of websites that registered himself as being HDPS only.

And the list, of course, well, the only common denominator here is that these websites are listed.

...