Hello and welcome to the Monday, June 23rd, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, and this episode brought you by the Graduate Certificate Program in Industrial Control Systems Security is recorded in Stockholm, Germany.

So off this podcast, I have mentioned the mark of the web

and also alternate data streams.

Now, if you're running Windows and you're using the NTFS file system,

then, well, the mark of the web is encoded in the file as an alternate data stream.

But of course, we sometimes also have other interesting data, sometimes malicious data,

hidden in alternate data streams.

DDA today talked about how to decode some of these alternate data streams using some of his tools,

most notably cut-bytes.py.

That's one of the many Python tools that Didi maintains,

but he also has file scanner, which is faster, it's written in C,

but not maybe quite as flexible as the cut bytes tool.

Both tools make it really easy to get the information out of these alternative data streams.

And personally, I think specifically for the mark of the web to sort of see the provenance of a particular file that was downloaded.

Well, that's certainly quite useful. And Microsoft made some changes to make their virtualized cloud PCs more secure.

Now, this affects virtual cloud PCs running in Windows 11.

And really, the goal of these cloud PCs is to have sort of this isolated system in the cloud

that's, well, not really connected to anything locally.

Of course, by default, this hasn't been true in the past.

For example, by default clipboards were connected connected or you had USB pass through enabled.

This is now disabled by default, starting in the second half of the year.

...