Hello, welcome to the Tuesday, April 19, 2020 edition of the Sands Internet Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Marriester, Florida.

The DEA today took an in-depth look at Sysmon and by in-depth, well, it went into decompiling part of SISMON to look

into how it is exactly logging the SISMON Event ID-13, which is a registry event value set.

The question here was originally, well, if binary data is being written, then

Sysmon typically just logs a string says binary data. And if there is a way to actually get

access to the binary data that was set here, well, sadly, no, that's the answer from

the day after decompiling the respective

driver in Sisman. And the string here is just fixed and set to binary data. That's the actual

string. So there is no actual binary data that's being saved here by Sisman, sadly.

On one website you probably should keep an eye on these days is the Ukrainian cert.

Now, you may not specifically be targeted by some of the attacks they're describing here,

but I find it fairly insightful some of the details and exploits that

they are seeing used. For example, in some attacks targeting Ukrainian government organizations,

CIMPRA cross-site scripting vulnerability was leveraged. Simpra is the on-premise open source webmail system that is somewhat

popular for people who don't necessarily want to rely on cloud services. They also see the use of

iced ID. Iced ID is typically more associated with banking malware, but in general,

it is a crime where. It can be used to steal credentials, so certainly it can be used for

targets beyond banking accounts, which it was sort of originally created for. I'll add links

to the two articles. Now. They're only available in

Ukrainian. However, I find Google Translate does a pretty good job in getting across the content

of these fairly short posts. And NSO, the Israeli company behind the famous Pegasus spyware tool.

...