Hello and welcome to the Wednesday, December 6, 2020,

edition of the Sandus and Stormstar, Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

The day today published a great diary with an update to his 1768.py tool.

That's the tool that's used to analyze Cobalt Strike configuration.

Now, traditionally, it was only able to deal with the configuration from the Cobalt Strike Beacons.

But thanks to the update that Did he put together in version 070, it's now able

to actually get the runtime configuration that's stored on the heap. So that's basically

what the CC++ code creates and is able to parse it. The tool will look for the

configuration, will extract the information, and then represent it. DDI has a little sort of demo

in the diary that goes over how to use this particular tool and what the output will look like.

But you'll, for example, get the IP address where that's being sent to URLs, user agents and such

being used by this particular Cobalt Strike configuration.

So create information to then go back and figure out what systems were exactly affected by

this compromise and to just learn more about how this particular install of Cobalt Strike

was configured.

And talking about good blog posts, Sisa has a nice write-up with details regarding some recent

attacks involving Cold Fusion. The vulnerability being addressed here is not terribly new, I think

March was released. Exploids were available pretty easily soon after the vulnerability became known and the patch was released.

But, well, still, Cold Fusion is not necessarily the easiest thing to patch, lots of dependencies,

depending on what software you run on top of it.

So good here for Sisa to actually walk us through how some of these exploits work and how this particular vulnerability is being taking advantage of.

Always a huge fan of people actually talking openly about compromises like this, because I think that's how we all learn how to better detect these attacks.

...