Hello and welcome to the Tuesday, February 21st, 2020,

edition of the Sandin and Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm

recording from Jacksonville, Florida. The day today published a follow-up to an earlier diary

that he published regarding Suricata rules for OneNote files.

Now, OneNote files still a big deal, still actively being abused in order to bypass

some of the macro restrictions that Microsoft has put in place.

So having good rules to detect these kind of attacks

remains very valuable.

The one thing that DDA really adds in this new diary entry

is detailed explanations as to what these rules are looking for.

And this is of course very helpful as attacks evolve, as different

file types may be used, or as these OneNote files are used differently to understand what

these rules are able to detect and what they're not able to detect, but also how to possibly

adjust them if you ever need to modify these rules to make them work with new variations of these attacks.

And talking about new attacks, Symantec has an interesting write-up about a new Microsoft IIS backdoor that's being used in order to gain persistent access to a compromised

IIS server. So the backdoor itself is not really the weakness here. It's the result of

another vulnerability, maybe in your application, maybe in your configuration that's then being

used to install this backdoor. What makes this backdoor

unique is that it injects itself into an existing legitimate DLL. Samantha calls this backdoor,

and I hope I'm pronouncing it right here, FREP and IIS. The first part FRIB that comes from the Failed Request Event Buffering.

That's the actual feature kind of being abused here.

Failed request event buffering is implemented by DLL, ISFRIB.DL, and it's used in order to trace failed request to help you debug what's

...