SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

ISC StormCast for Monday, November 30th 2020

SANS ISC Handlers

News, Tech News

🗓️ 30 November 2020

⏱️ 7 minutes

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. Powershell Patching Windows API; Dangers of IoT Gifts; MobileIron Vuln Exploited

Transcript

0:00.0

Hello, welcome to the Monday, November 30th, 2020 edition of the SANS Internet Storm Center's Stormcast.

0:07.7

My name is Johannes Ullrich, and today I'm recording from Jacksonville, Florida.

0:13.7

Well, the long weekend left me with a couple of diaries to talk about. The first one, by Xavier, is about how attackers are using PowerShell

0:24.6

to actually patch Windows API calls and with that disable antivirus.

0:31.6

This is accomplished using a trick that has been around for a year or so, and it targets the Antimalware Scan Interface, or AMSI.

0:41.5

That's a library that comes with Windows,

0:44.4

and it's used by anti-malware from different vendors,

0:49.0

so by patching, in particular, the AmsiScanBuffer function

0:53.7

and having it return nothing,

0:57.0

the anti-malware is essentially taken out of the loop, since it doesn't detect the code before it runs.

1:05.1

Then we got two diaries that are dealing with JARM, and I think I mentioned JARM last week. It's a library that

1:13.1

Salesforce came up with. Now, Salesforce, of course, has provided the passive TLS fingerprinting

1:21.3

library, JA3, and that has been heavily used by various threat hunting software; Zeek, for example, uses it.

1:31.9

But with JARM, it sort of takes an active approach.

1:36.2

So you can use JARM to scan a TLS server and then deduce part of its function as a command and control server, in particular one that

1:47.2

I think I already pointed out, Cobalt Strike, but also some malware uses command and control servers

1:54.4

with very specific TLS signatures, so they can be identified using the JARM library.

2:02.9

Rick's diary from Friday shows how to use JARM and how to sort of incorporate it into your

2:08.9

threat hunting efforts. Now, the second diary, by Didier, shows how to use JARM with a SOCKS proxy, so if you don't want to expose, for example, your own

2:21.3

IP address. And again, JARM does active scanning, so use it with care. Let me go to a couple

2:31.0

stories that I sort of would like to summarize here. They're not necessarily new, but I think there is a little bit of urgency now with the holiday shopping season starting and people looking for gifts for relatives and such.

2:45.7

Well, be a little bit careful with various IoT devices.

...
