Hello and welcome to the Tuesday, March 18th,

2025 edition of the Sands and then at Storm Center's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

And a week or so ago, Diddy wrote about Malver that he found that had the

Cobalt Strike Beacon encoded as UUIDs.

Now, D-D also maintains a script 1768.P.Y that helps you decode Cobalt Strike Beacons

and extract the serial number and such for the particular Cobalt Strike instance,

which, of course, is useful for attributions and also to confirm that you're actually dealing with a Cobalt strike.

Well, in this case, DDA now added the ability to 1768.P.Y to decode these UUIDs and then essentially just with a simple Python script,

you now get everything you need from these UUIDs that are encoded in the Malver.

Interesting, nice addition to his script, the case you wonder why the script is called

1768.PY. Well, it turns out

to be the melting point of cobalt in Kelvin, the only true temperature scale. Well, and

yesterday I talked about a vulnerability in the Ruby implementation for Samo. Today, it's Node.js' turn. The problem here is the XML

crypto library. If you're using this to parse SAML messages, well, then you have a problem.

The problem here is actually, looks a little bit familiar. A couple of years ago, Duo, I think, found a number of SAML implementations being

vulnerable to how they are parsing comments in SAML messages.

Comments are essentially supposed to be ignored.

Well, if I would have implemented it, I would have just removed the comments and then parsed the message. But that's not what they did. And so they

ended up with a bunch of sort of ambiguities around comments. This is yet another one. The root issue

here is that the digest value, that's where you usually find the signature.

Well, XML Crypto uses the first child element from the digest value.

...