Hello, welcome to the Tuesday, May 5th, 2020 edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

Now, when Sysmon was updated last week to Sysmon 11, one of the great new features that was added was file deletion protection, which essentially

will make automatic backups of files that are being deleted.

Didy today took a closer look at the feature and sort of explored a little bit its limits.

First of all, if you overwrite a file with tools like S-Delete

that will delete the file and then override the disk space with zeros, well, the undelete

feature in Filemon still works. Where it doesn't work, of course, is if you override the file

a byte at a time with zeros, and

then delete it, then you only end up with a backup of the file with all zeros.

However, if you do override it in blocks of one megabyte or smaller blocks, if the file

itself isn't one megabyte in size, then it actually worked and preserved the original file.

So pretty interesting.

Now, a reader kind of reported a little bit an odd issue with removable drives.

Apparently, once you enabled that Sysmon feature feature, you can no longer cleanly unmount

to drive because SysMond keeps files open on the device.

And Sys Internals promised a fix for this issue in a future update.

And yesterday I mentioned how the salt vulnerability is being used to attack various systems.

Well, we have another noteworthy victim here, and that's DigiCert's certificate transparency log.

On Sunday, DigiCert reported that they discovered a compromise of the system that's operating

their certificate transparency log, and the attacker had access to the secret key being used

to sign entries in this transparency log.

...