SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Monday, January 12th, 2026: PEB Manipulation; YARA Update; VideoLAND and Apache NimBLE Patches

Jan 12, 2026
Explore how malware can manipulate a Windows Process Environment Block (PEB), hiding critical metadata. Learn about the new YARA-X version that warns when a hash comparison can never match. Discover the latest VLC update, which addresses multiple vulnerabilities, along with the potential risks of exploitation. Finally, hear about crucial patches for the Apache NimBLE Bluetooth stack that enhance security in IoT devices, fixing serious flaws like pairing takeover. Dive into essential insights for cyber security enthusiasts!
INSIGHT

PEB Can Be Manipulated To Mislead Analysts

  • The Process Environment Block (PEB) holds process metadata such as the command line and is writable from user mode.
  • Xavier shows malware can alter or hide PEB contents, complicating analysis and triage.
ADVICE

Capture PEB At Process Creation

  • Log the PEB at process creation to capture the real structure before tampering occurs.
  • This approach helps analysts detect when malware rewrites or hides PEB data.
INSIGHT

YARA-X Warns On Invalid Hashes

  • YARA-X 1.11 issues warnings when a hash rule cannot possibly match due to invalid length.
  • This change catches common copy-paste typos and flags comparisons that can never match.
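
The kind of check described above can be sketched as a small standalone linter. This is an added example, not YARA-X's own implementation: the function name `check_hash_literals`, the regular expression and the sample rule are assumptions made for illustration, and the lowercase-hex check goes beyond the length check the episode mentions (the YARA `hash` module returns lowercase hex strings).

```python
import re

# Hex-digest lengths for YARA "hash" module functions that return hex strings.
DIGEST_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# Matches e.g.  hash.sha256(0, filesize) == "ab12..."
# Only the common "function on the left, literal on the right" form is handled.
HASH_CMP = re.compile(r'hash\.(md5|sha1|sha256)\s*\([^)]*\)\s*==\s*"([^"]*)"')


def check_hash_literals(rule_text):
    """Return (line_no, algo, literal, reason) for comparisons that cannot match."""
    findings = []
    for line_no, line in enumerate(rule_text.splitlines(), start=1):
        for algo, literal in HASH_CMP.findall(line):
            expected = DIGEST_HEX_LEN[algo]
            if len(literal) != expected:
                reason = f"length {len(literal)}, expected {expected}"
            elif not re.fullmatch(r"[0-9a-f]+", literal):
                reason = "not lowercase hex"
            else:
                continue  # plausible digest literal, nothing to report
            findings.append((line_no, algo, literal, reason))
    return findings


# Constructed sample input: the "digests" are filler strings, not real hashes.
_HEX32 = "0123456789abcdef" * 2
SAMPLE_RULE = "\n".join([
    'import "hash"',
    "rule constructed_example {",
    "  condition:",
    f'    hash.md5(0, filesize) == "{_HEX32}" or',             # valid length
    f'    hash.sha256(0, filesize) == "{_HEX32}" or',          # MD5-length value pasted
    f'    hash.sha1(0, filesize) == "{(_HEX32 * 2)[:39]}" or', # one character lost
    f'    hash.md5(0, filesize) == "{_HEX32.upper()}"',        # uppercase never matches
    "}",
])

if __name__ == "__main__":
    for line_no, algo, literal, reason in check_hash_literals(SAMPLE_RULE):
        print(f"line {line_no}: hash.{algo} literal {literal!r}: {reason}")
```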