Hello, welcome to the Tuesday, December 28, 2021 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Living off the land attacks is still a big deal, and Renato came across an interesting trick that he documented in a post today where MS build is being used, the Microsoft build engine, which for the Unix folks out here roughly sort of compares to like the make utility in Unix.

MS build is used to build software, but as part of this, it's able to execute scripts.

And that's exactly what the attacker did here.

They used MSBuild to run a script that then essentially turned out to be the good old

Cobalt Strike Beacon.

As Bernato points out, this is of a typical trust, a developer tool that's being used

here. Not uncommon.

The NetHacker takes advantage of those tools.

Microsoft does recommend to pluck these tools with the Windows Defender application control.

May not always work because, of course, there are legitimate uses for these tools and people are

some a little bit hesitant to just turn off tools like this but if you're interested

in how MS build was used here and Renato goes to quite a bit of depth like you know

how to decrypt the connection and that Cobalt strike establishes via a proxy.

Lots of interesting things in this post.

So take a look and see what Renato has to teach you here.

And we have yet another interesting way to bypass Apple's gatekeeper and code signing requirements.

Patrick Wardle has details in his blog post regarding a bug that was recently fixed in

macOS, Big Sur.

Gatekeeper, notarization, and these technologies are used by Apple in order to warn the user if unsigned software is

...