Hello, welcome to the Monday, October 25th, 2021 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Al-Kobar, Saudi Arabia.

Brad decided to release another challenge for October. This is a packet capture that if you solve the case correctly,

you'll be able to qualify for a raspberry pie drawing. You do have about a week until Sunday,

October 31st, to submit your entry. Please read Brad's diary first. It has further instructions

as to how to exactly submit the entry and how to qualify for the Raspberry Pi drawing.

And as long as you're submitting your entry by deadline, what will matter in order to participate

in the drawing is the accuracy

of your results.

And the DE came across an interesting SIP file that contained file names with character returns.

Now, character turns, of course, are not legal in file names, and apparently it depends on the particular utility that

you use to investigate the SIP file, whether or not the file is even displayed or whether it's

extractable. DDA isn't sure what the intention is of this odd file name, but one suggestion is that this may throw off

some automatic utilities that are decompressing files for further analysis, and as a result,

well, it may slip past some anti-malar checks as you commonly have them set up, for example, for mail servers.

And then we have another DDE news item. This one comes via his day job and Vissau, Belgium

consulting company. And one thing that DDA has looked at in the past, and he has also written about on the Internet Storm Center, is Cobalt Strike.

Now, Cobalt Strike uses an encrypted scheme for its communication.

It's AES encrypted, and then there is an RSA public-private key scheme in order to transmit the AES

symmetric key. By searching virus total, Dedi found a total of six private keys that are used

for this encrypted channel for Cobalt Strike.

And the D.D. now looked into, well, how commonly are these keys used?

...