Hello, welcome to the Tuesday, October 19th, 2000, 21 edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Riyadh, Saudi Arabia.

Well, attackers have problems, too, and one of those problems is how do they prevent systems that are not infected by their malware, for example, researchers and such, from connecting to their command and control servers.

So essentially attackers would like to authenticate the software that is connecting back in order to receive new commands.

One strong way to do authentication, of course, is certificates.

And Xavier ran into some interesting malware written all in PowerShell that

implements Glineside certificate-based authentication.

While cryptographically, well, pretty strong,

the problem, of course, remains how do you protect the credentials?

In this case, the certificate and private key.

The malware that Xavier ran into does use a password,

but then again, the password has to be included in the malware as well.

It was, in this case, just password literally.

And given the challenges, of course, how to protect a password like this, it doesn't really

make a difference that the password was trivial.

At this point, given the novelty of the approach,

probably this really comes down more to security through obscurity,

because many analysts aren't ready yet to look for a certificate

that is being used to authenticate to a command and control channel.

Of course, as a side effect,

you also protect the channel itself from various machine in the middle attacks.

And sticking with PowerShell here for another story,

...