Hello, welcome to the Wednesday, March 16th, 2020 edition of the Sandsenet Storm Center's

Stormcast. My name is Johannes. All right. And I'm recording from Jacksonville, Florida.

I've got a quick diary by Xavier today about behavioral analysis and how it sort of relates to

endpoint detection and response or

EDR. That's of course the latest greatest, well, maybe not quite a busword here that

everybody is striving to. The goal is to detect not just that an odd binary runs like

PowerShell, but also how it runs, for example, if

a Vird or another office product started it. Now, one problem here, of course, is always

false positives, like with any kind of detection rules, and Xavier has a couple of hints here.

First of all, there's a project called W. Asterix F. Bins.

This project is trying to track some of these sort of false positives.

It's a little bit like the Lulbus project, as Xavier points out.

That project sort of tracks Microsoft's tools that may be abused by attackers,

while W. Asterix F. Binz is really more going after the false positives, basically, normal

processes that may be flagged because they exhibit some of these odd behaviors.

And this is published an interesting advisory outlining a technique

that's used apparently by Russian state-sponsored cyber actors

in order to bypass dual two-factor authentication.

The problem here is that you may have accounts registered with Duo that expired.

In this case, an attacker in the default configuration of Duo is able to re-enroll the device, just guessing the username and password. So you're back to one-factor

authentication and guessing weak or using stolen passwords. This can be fixed. You have to make sure

that dormant accounts cannot sort of automatically re-enroll in dual and that of course will block this particular attack.

...