Hello, welcome to the Monday, June 10th, 2019 edition of the Sansonet Stormsendos Stormcast.

My name is Johannes Ulrich, and I'm recording from Neptune, New Jersey.

We've got some feedback regarding the Goldbrood bot scanning for open RPP servers that we wrote about last week.

One user via Twitter reported what looks like a slightly modified payload that included

sort of jihadist spam, also a lot of other random text.

We downloaded payload that our variant offered actually several times from different systems,

different IP addresses, and never really got anything different.

So never really saw any purpose in this bot beyond just scanning and enumerating, essentially,

vulnerable RDP servers.

So for everybody who reported this other variant seems to refer to the same GitHub repository.

So it seems to be a single source at this point that offers this variant with more of a payload.

In weekend diaries, we got two logging-related data. this variant with more of a payload.

In weekend diaries, we got two logging-related diaries. First one by Xavier about WMI logs.

WMI, short for Windows management instrumentation, is remote management technology built

into Windows, and well, of course, Malver likes that

as well. So logging WMI activity is certainly important. Now, Xavier shows how to enable event

tracing for WMI to get more meaningful logs. Otherwise, you really only get sort of failed access to WMI.

Xavier also points out that if you do actually enable event tracing, since it's a debugging

feature, it's intended to only run for a short time, and Windows will by default only collect 8 kilobytes worth of WMI tracing logs.

The second logging-related diary comes from Dilliers. He points out that Sysmon will add DNS logging

to an upcoming release of SIS internals.

Now, I've mentioned logging DNS traffic multiple times here in the podcast.

...