Hello, welcome to the Monday, June 22nd, 2020 edition of the Sands and Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Let's start out with some diaries from this weekend. First of all, Remko wrote about Sigma rules. Sigma is a language that allows

you to describe rules for sims, but it does so in a vendor agnostic format. It's a simple

YAML form, and then you can convert, compile as they call it, these rules into the particular sim that you

are using. Simple things in open source like, for example, Elasticsearch, but you can also,

for example, use Asia Sentinel and Asia Log analytics, Sumologics, ArcSite, and other commercial sims can be used

with Sigma rules. So it's a real easy way to exchange different detection techniques in an open

format. Yes, there is a large repository of these rules available.

And when I announced the workshop that we'll have on Tuesday, the SandsTech Tuesday,

where we are going to talk about installing the D-D-Shield Honeypot,

well, what I sort of recommend that you bring is a Raspberry Pi 3 or an Ubuntu virtual machine,

but Tom took a look to see if it also works using the Pi Zero, which is sort of the

smallest and cheapest of the Raspberry Pi family. And indeed, it works just fine. So certainly something to consider.

Now, he used USB wired Ethernet adapters. I highly recommend that. Wired usually works

quite a bit better than wireless, in particular for a Honeypot. they're sort of waiting for unsolicited incoming

connections. Now, if you're infected with any kind of malware, be it some backdoor, keystroke

logger, or more recently, ransomware, one of the dangerous things to do is to just remove

the malware and hope everything is fine.

Bleeping Computer has a good warning that in recent ransomware cases, the ransomware operator

kept hanging around in the network even after the ransomware had been deployed and caused

its damage.

...