Hello, welcome to the Thursday, December 14th, 2017 edition of the Sansonet Storms and a Stormcast.

My name is Johannes Ulrich, and I'm recording from Washington, D.C.

But we're looking at malicious domains.

One thing that often comes up is that hackers will register a new domain, for example, for use as a command

and control channel, and then immediately start using it. So one indicator that the domain is up to no

good is that it was just registered. Most other domains are being registered, then websites and services are being built,

and then they're actually used. So having a list available of recently registered domain names

is quite useful to sort of add additional background information to your logs. Xavier found an

interesting website that does publish a free list of

new domains that were registered and he has a little script here for you that you can use in order

to include this list in Splunk. Of course, you could also use this list to find any newly registered domains that,

for example, try to impersonate any domain that you own. Exposing web-based consoles for your

security devices is always a bad idea, and if you need any more evidence for this, look at the latest

patch for Palo Alto Networks firewalls. Three different vulnerabilities were disclosed in

the web-based admin interface for Palo Alto that together can be used to execute arbitrary

code as root. Really nice set of vulnerabilities showcasing some of the more popular flaws.

Number one is a deserilization vulnerability, something that was just added to the OVASP top 10.

In this particular case, it can be used to bypass authentication

because Palo Alto kind of decided to do it all themselves

instead of using the built-in authentication

and serialization functions that you have available in PHP.

The second flaw allows the creation of arbitrary directories

...