Hello, welcome to the Wednesday, January 30th, 2019 edition of the Sands and its Storm centers.

Stormcast, my name is Johannes Ulrich, and I'm quoting from Jacksonville, Florida.

Just a quick update on the Microsoft Exchange of Vulner, the Priv Privilege escalation exploit that it brings along

with it. Yesterday I talked about it already and one thing I said we didn't have yet was a good

way to detect if you're under attack. Well, figured it out thanks to readers that also commented on this

and the thing to look for is event code 4624.

You should see then a log on type 3 and authentication package NTLM.

This will then detect the account, the NTLM relayed part of the attack.

So that's where the attacker actually tries then to escalate privileges.

Another good event to look for is 5136. This one is the event that'll show up if the axe

control lists have been modified. So that would be after the attack succeeded.

Boyan added details regarding this to the diary post from yesterday.

But also got sort of interesting, a little bit different good old fishing attack today. Now, it arrived as an email

as they often do and the lure here was attachment that promised final closing statement. So

someone who is just about to close on a house of of course, would be at risk here.

And the intent is not really to infect you here.

The link, this PDF, actually, just goes to a legitimate OneDrive page.

And from there, well, you're being then redirected to the attacker's page.

The attacker actually went through the trouble to get something

that looks a little bit, OneDrive like the host name they're using is Drive Document 1. But they made

a crucial mistake here in that they weren't ready for IPV6.

They do deploy as many of these phishing pages a blacklist where they're sort of trying

...