Hello, welcome to the Monday, September 13th, 2021 edition of the Santernat Storm Center's Stormcast. My name is Johannes Ulrich. And I'm recording from Jacksonville, Florida. This weekend, Guy published a couple quick instructions on how to actually ship Microsoft DNS logs to Elastic Search.

Couple steps required here. First of all, Logstash, of course, is used for some of the data

manipulation and the actual shipping. But then you also need to enable the debug logging

in Windows in order to obtain appropriate

logs.

It's a very common challenge.

I've seen many people having a hard time getting good insight into DNS logs on Windows

systems.

Of course, you could use network logging, but it's not often that easy to really get access to all the network segments that you need to in order to log these queries.

So there's another alternative that you have by just log them directly from the system.

And of course, DNS logs based on the size of the logs, is probably the most useful

log that you can have in your network.

So something you definitely should get a handle on and should collect.

And a quick update regarding the MSHtml vulnerability in Microsoft Office, CVE 2021-444.

Nothing new for Microsoft here.

The advisory was last updated on September 9th.

But on GitHub, we now have what looks like a rather reliable proof-of-concept exploit, where really all

you have to do is insert the DLL that you would like to execute, and then run one Python

script to create the exploit, and a second Python script to actually then run the server, delivering

the document.

So super easy to exploit now, almost negligible if you are a bad guy and not at least

giving this exploit a try.

...