Hello, welcome to the Tuesday, January 12, 2021 edition of the Sandstone at Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

And this week I'm actually teaching the SEC 5-22 defending web application class in Washington, D.C.

At least, well, that's sort of the virtual location

of our Cloud Defender event this week.

Rob today completed his three-part series about how to use the NIST National Vulnerability

database with automated PowerShell tools in order

to augment and assist with your vulnerability management program.

Interesting PowerShell script that he came up with in the end, and it is available on GitHub.

And Microsoft released a new version of the SIS Internals tool

with two significant updates to SysMON and Process Monitor.

SISMON added additional events that will alert you

if a mapped image file in memory doesn't match the on-disc image file.

Also, if the image is locked for exclusive access, which is of course a common sign that process

hollowing does take place.

That's where an attacker essentially modifies an image of a process in memory

in order to inject malicious code. And process monitor will now also monitor the rec safe key,

reg load key, and rec restore key APIs. In particular, the Sysmon update sounds really interesting and would be interesting

to hear from you if that works for you, if you detected anything, if there are any false

positive issues with this new feature. Based on that I in the past have gotten quite a few

requests for how to install our honeypot behind ubiquity

perimeter device. I'm assuming that quite a few of you are using ubiquity equipment,

...