Hello, welcome to the Monday, September 11th, 2017 edition of the Sancton Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Las Vegas, Nevada.

This weekend, DDIE wrote a diary about analyzing JPEX. Now, JPEX are typically not at the top of the list when it comes to suspicious and malicious

file formats, but certainly JPEX can be used in order to trigger arbitrary code execution

vulnerabilities.

So they certainly do sometimes deserve some attention, and DDIH is going over how to analyze the JPEC structure and

how to look for any suspicious content. In his particular case, he's examining a JPEC that was created

using Medasploid. Now, if you're looking for a simple way to audit common security issues on Windows systems,

Russ has a nice tool for you, WynSpec.

Now, WynSpeck is a PowerShell script.

It does produce an easy-to-read, fairly concise report that does summarize a lot of the important security settings,

patch level, and other related items.

It's still under active development, and the developer does look for feedback on the tool.

They already are discussing some additional extensions they're going to put at it.

So I find this is probably something that you should consider in particular if you're trying

to run scripts like this at scale. An endpoint security company N-Silo found an interesting

vulnerability or bug in Windows. Now, a lot of anti-malware software needs to be

notified whenever a new piece of software is started. And in order to accomplish this, Windows has

a system call PS-set load image notify routine.

Now, this particular callback is triggered whenever there is a new driver or a new process loaded in memory,

and anti-mailver can register for this and then receive data about the process, which includes the path of the

respective file, and that, of course, can then be used to verify whether or not this particular

file is malicious. The problem here is that the path, the file name being passed, may actually

...