ISC StormCast for Thursday, January 28th, 2021
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
4.9 • 754 Ratings
🗓️ 28 January 2021
⏱️ 6 minutes
🧾️ Download transcript
Summary
Transcript
Click on a timestamp to play from that location
| 0:00.0 | Hello, welcome to the Thursday, January 28th, 2021 edition of the Sandcent Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida. |
| 0:14.4 | Hopefully a big win for the good guys today was the takedown of the Emotet botnet. Now, Emotet, of course, has been around |
| 0:24.2 | for a while. What's a little bit different about this takedown is that it didn't just involve |
| 0:30.7 | a couple of command and control servers, but authorities in the Ukraine did serve a search warrant on the actual headquarters |
| 0:41.4 | of what is believed to be the Amotet Crew, the company, the organization behind this botnet. |
| 0:49.1 | Some good video of that particular rate, kind of showing you the sophisticated adversaries we are |
| 0:56.1 | up against here and what equipment they are using. After all, MWThead is probably one of the |
| 1:01.9 | more prolific botnets and crimeware operations. Of course, Emwoodhead operates like many of these |
| 1:10.4 | crimeware operations that we have talked about |
| 1:13.4 | in the past by essentially sending emails with Word documents and macros that the user |
| 1:20.3 | is then supposed to execute. |
| 1:23.2 | Even with Emot Head Gun, this technique is probably not going away. So today we have a diary by Daniel looking at whether or not the attack surface reduction |
| 1:35.1 | rules that Microsoft introduced can help us mitigate some of these attacks. |
| 1:41.4 | And yes, to celebrate the takedown, he is using Emotet as an example. |
| 1:49.4 | So with the attack surface reduction rules, you can monitor and even block some behavior |
| 1:54.7 | that you would not like to see on your Windows systems. You may say why didn't Microsoft introduce or include |
| 2:05.3 | rules like this by default? Well, sometimes this behavior is needed, so these are rules that you |
| 2:12.0 | have to apply carefully. And Daniel looked at a couple that look promising, like, for example, |
| 2:20.9 | to block all office applications from creating child processes. Daniel had mixed results |
| 2:27.8 | with all of this, and for example, the detection of the child process itself didn't trigger, but what did trigger |
| 2:37.5 | is block process creations from originating from PSX and WMI commands. |
| 2:45.3 | And yes, Emotet does use WMI as part of its macro code. |
... |
Please login to see the full transcript.
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
Copyright © Tapesearch 2026.