Hello, welcome to the Monday, November 11th, 2019 edition of the Santernat Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Many of our diaries are talking about how standard Microsoft software can be abused by malicious code in order to essentially

assist the code to, for example, download further malicious content.

That's often not detected well because these applications are whitelisted and the malicious

code is really just using features that these applications

provide. On Friday our handler Xavier wrote about how all of this can be done and also how, for example,

you can use your standard Excel to download a file or to execute PowerShell. And

attackers that live off the land like this, they of course try to avoid detection. So

Xavier is outlining some techniques to detect these misuses of standard Microsoft software.

And our handler Jan Kopriva took a look at how the recent use of the blue key vulnerability

to install crypto miners affected patching practices.

Yan's somewhat sad but probably unsurprising conclusion is that the use of the vulnerability

in such a highly publicized way did not significantly affect the rate at which systems

are patched.

Microsoft patched this vulnerability back in May and in the five months since then, there has

been a quite strong effort from Microsoft and other organizations to convince people to

apply this patch.

And well, it's likely that five months into it, the systems that are still not patched

are either unmaintained or intentionally unpatched for whatever reasons where administrators

figured it's too risky to patch or just too much work.

...