Hello and welcome to the Thursday, February 2nd, 2003 edition of the Sansanet Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Well, One-Note files that is currently sort of one-vector, how an attacker can smuggle malicious code into your network,

even if you have things configured reasonably tight.

And if you can't really just outright block one node files, then of course you need some way to detect these malicious files.

DDA has a great diary today with some rules to detect a one-note file.

First of all, some rules contributed by Florian.

Florian wrote some Yara rules that not just detect one-note files, but also one-note files,

for example, with embedded PE bad files,

visual basic files, also link files, which is something that's a particular has been seen here.

Secondly, Did he also published some Suricata rules. So this way you can detect some of these files on the network.

Did he also explain some of the artifacts that these rules are looking for?

So you may be able to modify these rules or even adapt them to whatever detection

language you're using in-house if neither Yara nor

Suricata will do it for you. I would say must-read for anybody who is looking for some meaningful

detection rules for this relatively new threat. Talking about defending Microsoft is doubling down on its support for non-Windows operating

systems in its Microsoft Defender line of products.

Microsoft Defender for Endpoint is now able to support isolation for Linux devices.

The nice thing with isolation is that it essentially allows you to remotely limit network

connections that a certain device is able to establish if you are suspecting that a device is

compromised.

This gives you sort of the level of isolation that hopefully will prevent any data

...