Hello and welcome to the Monday, May 8, 2003 edition of the Sand and its Stormontas Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

We've got a number of interesting diaries to talk about from this weekend.

The last one was one by D.D. where he's taking part, a revenge rat,

a PPM file. PPM, these are these PowerPoint macros that are sometimes used for malware.

This particular sample came from Malware Bazaar, but the reason did he pick the sample because it nicely

showcased how the built-in decoders and other decoders that are sort of part of the DDA's

tool set can be used in order to not just extract the malicious content here, but also quickly

decoded.

And if you're looking for some good datasets in order to test your analysis tools, Russ has a nice diary about the use of the cyber attack database.

That's something maintained by the University of Maryland.

And then he sort of shows how various tools can be used to basically make sense of that data.

It's the first of a two-part diary, so the second part will hopefully come soon and give you a little bit sort of an idea about what different

tools can do with this kind of data. Living off the land still alive and well, the latest

example comes from Renato and this was Friday's diary. Renato noticed the use of colorcpl.e.e. being used. As typical for living

of the land techniques, colorcpl.l.exe is a normal Windows binary. It's used for color management.

So why are attackers interested in it? Well, apparently it is used as a replacement for good old copy.

The destination directory is always the System 32 spool driver's color directory,

so probably also a good place to sort of tuck away dangerous binaries.

But other than that, no-proage escalation here,

probably just trying to sort of hide the use of the copy command,

which may trigger under some circumstances.

...