FORENSIC ANALYSIS
- Chris Sanders has released a new online course on using ELK for security analysis.
New Online Course: ELK for Security Analysis
- The guys at Cyber Forensicator shared a post by Quentin Jerome at RawSec on carving EVTX files.
Carving EVTX
- Devon Ackerman at AboutDFIR investigates the connection between whoer.net and https://mc.yandex.ru/metrika/watch.js seen in an RDP connection investigation.
Yandex.ru and Intrusion Investigations
- Didier Stevens posted a few times this week
  - He shows how he analyses ISO files that contain malicious executables.
  Quickpost: Analyzing .ISO Files Containing Malware
  - He shows that the Zone.Identifier alternate data stream is not propagated to the files contained within an ISO file: when you download an ISO off the internet the ISO itself gets the Zone.Identifier (mark-of-the-web), but the files inside it do not, so Office Protected View and SmartScreen, which key off that stream, do not trigger for them.
  .ISO Files With Zone.Identifier
  - He also shows how to run his oledump tool over multiple files by combining it with his process-command.py tool.
  oledump.py *.vir
- Marcos at ‘Follow The White Rabbit’ shows how to use Bulk Extractor.
¿Quién es el Señor ‘X’? Averigüémoslo con #BulkExtractor y #Patterns de #Egrep (Somos lo que navegamos) [Who is Mr ‘X’? Let’s find out with Bulk Extractor and egrep patterns (We are what we browse)]
- Anton at Have You Secured? shows how to “visualize some Sysmon logs with Neo4j.”
Visualize Windows Logs With Neo4j
- Paraben performed a brief analysis of the TextNow mobile app.
TextNow App Review
- The SANS InfoSec Reading Room shared Stefan Winkel’s whitepaper on using ELK to perform a forensic investigation of a Docker container.
Forensicating Docker with ELK
- Dr. Ali Dehghantanha shares a post on the SANS Internet Storm Centre Handler Diaries regarding various Windows-based artefacts relating to the BitTorrent Sync application.
Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 4 – Windows Thumbnail Cache, Registry, Prefetch Files, and Link Files artefacts), (Tue, Jul 18th)
- Andrea Fortuna at “So Long, and Thanks for All the Fish” posted a few times this week
  - The first post continues his Volatility cheat sheet, showing how to “find kernel modules into the memory dump.”
  Volatility, my own cheatsheet (Part 4): Kernel Memory and Objects
  - The second shows how to use a couple of different tools to parse the MFT.
  How to extract data and timeline from Master File Table
  - The last shows how to extract event logs from memory in different Windows operating systems.
  How to recover event logs from a Windows memory image
- Dr. Neal Krawetz at The Hacker Factor Blog analyses the NTP packets from his honeypot and shares his findings.
Timing Attacks
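Andrea Fortuna’s MFT timeline entry above leans on existing tools; the following is an added example of what those tools do under the hood, written for this roundup and not taken from his post or from any MFT parser. It parses a raw 1024-byte FILE record (update sequence fixups included), pulls the $STANDARD_INFORMATION and $FILE_NAME timestamps into a MACB timeline, and applies two common timestomping checks. The record it parses is constructed in-line (a backdated $SI next to a genuine 2017 $FN), so it runs offline; on evidence you would feed parse_record() consecutive 1024-byte slices of an exported $MFT.

```python
"""Parse raw NTFS MFT FILE records into a MACB timeline and flag timestomping.

Added example, not code from Andrea Fortuna's post or from any MFT tool.
The record parsed below is constructed in-line by build_sample_record().
"""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR_SIZE = 1024, 512
ATTR_SI, ATTR_FN, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LABELS = ("B (created)", "M (modified)", "C (MFT modified)", "A (accessed)")


def filetime_to_dt(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def apply_fixups(rec):
    """Undo the update sequence array: on disk the last two bytes of each
    sector hold the sequence number; the real bytes live in the USA."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, rec = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(raw):
    """Return record metadata plus timeline rows (time, source, label, name)."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record: %r" % raw[:4])
    rec = apply_fixups(raw)
    seq, _links, off, flags = struct.unpack_from("<HHHH", rec, 16)
    info = {"sequence": seq, "in_use": bool(flags & 1),
            "is_dir": bool(flags & 2), "names": [], "timeline": []}
    while off + 24 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if not nonres and atype in (ATTR_SI, ATTR_FN):  # both are always resident
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_SI:
                src, name, stamps = "$SI", None, struct.unpack_from("<4Q", body, 0)
            else:  # $FN: parent ref (8 bytes), then the same four stamps, name at 66
                src, stamps = "$FN", struct.unpack_from("<4Q", body, 8)
                name = body[66:66 + 2 * body[64]].decode("utf-16-le")
                info["names"].append(name)
            info["timeline"] += [(filetime_to_dt(t), src, lbl, name)
                                 for t, lbl in zip(stamps, LABELS)]
        off += alen
    first = info["names"][0] if info["names"] else "<unnamed>"
    info["timeline"] = sorted((t, s, l, n or first) for t, s, l, n in info["timeline"])
    return info


def timestomp_indicators(info):
    """Heuristics, not proof: $SI (settable via SetFileTime) older than the
    kernel-written $FN creation time, and $SI stamps with a zero fraction,
    which API-based timestomping tools typically leave behind."""
    si = {l: t for t, s, l, _ in info["timeline"] if s == "$SI"}
    fn = {l: t for t, s, l, _ in info["timeline"] if s == "$FN"}
    out = []
    if si and fn and si[LABELS[0]] < fn[LABELS[0]]:
        out.append("$SI creation predates $FN creation")
    if any(t.microsecond == 0 for t in si.values()):
        out.append("$SI timestamp with zero sub-second precision")
    return out


def _resident_attr(atype, body):
    body += b"\0" * (-len(body) % 8)
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 24, 0, 0,
                       len(body), 24, 0, 0) + body


def build_sample_record(si_times, fn_times, name="evil.exe"):
    """Construct a 1024-byte FILE record (sample data, not from a real disk)."""
    si = _resident_attr(ATTR_SI, struct.pack("<4Q", *map(dt_to_filetime, si_times)) + b"\0" * 40)
    fn = _resident_attr(ATTR_FN, struct.pack("<Q4QQQII", 5 | (5 << 48), *map(dt_to_filetime, fn_times),
                                             4096, 4096, 0x20, 0) + bytes([len(name), 3]) + name.encode("utf-16-le"))
    attrs = si + fn + struct.pack("<II", ATTR_END, 0)
    rec = bytearray(RECORD_SIZE)  # header: USA at 48 (3 entries), first attribute at 56, seq 7, in use
    rec[:42] = b"FILE" + struct.pack("<HHQHHHHIIQH", 48, 3, 0, 7, 1, 56, 1, 56 + len(attrs), RECORD_SIZE, 0, 3)
    rec[56:56 + len(attrs)] = attrs
    usn = b"\x42\x00"
    rec[48:50] = usn
    for i in (1, 2):  # stash each sector's real last two bytes in the USA, write the USN in their place
        rec[48 + 2 * i:50 + 2 * i] = rec[i * SECTOR_SIZE - 2:i * SECTOR_SIZE]
        rec[i * SECTOR_SIZE - 2:i * SECTOR_SIZE] = usn
    return bytes(rec)


# constructed sample: $SI backdated to a whole second in 2009, $FN left at the real 2017 creation
SI_TIMES = [datetime(2009, 7, 14, 2, 56, 0, tzinfo=timezone.utc)] * 4
FN_TIMES = [datetime(2017, 7, 20, 11, 42, 7, 331250, tzinfo=timezone.utc)] * 4

if __name__ == "__main__":
    info = parse_record(build_sample_record(SI_TIMES, FN_TIMES))
    for when, src, lbl, name in info["timeline"]:
        print(when.isoformat(), src, lbl, name)
    print("indicators:", timestomp_indicators(info))
```

The two indicators are the ones the MFT-timeline literature usually names first; both can have benign explanations (a file restored from backup, a filesystem that truncates timestamps), so treat a hit as a lead to corroborate with $UsnJrnl or $LogFile rather than a finding on its own.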
THREAT INTELLIGENCE/HUNTING
- Ryan Murphy from Carbon Black shared a section of the book “Threat Hunting for Dummies”.
How to Become a Master Threat Hunter
- The guys at Countercept discuss the journey one takes from a SOC analyst to becoming a threat hunter.
A Journey From MSSP SOC Analyst To Threat Hunter
- Roberto Rodriguez at Cyber Wardog Lab examines “the MITRE ATT&CK framework in the form of a heat map in order to measure the effectiveness of a Hunt Team”. He then uses Excel “and the MITRE ATT&CK matrix structure to show you how to build your own heat map and start measuring the effectiveness of your hunt team for free.”
How Hot Is Your Hunt Team?
- Jared Atkinson at SpecterOps examines how attackers can utilise Extended Attributes on the NTFS file system to store malware.
Host-based Threat Modeling & Indicator Design
- The SANS InfoSec Reading Room shared Matthew Hosburgh’s whitepaper on threat hunting and active defense.
Offensive Intrusion Analysis: Uncovering Insiders with Threat Hunting and Active Defense
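Roberto’s heat map is built in Excel; as an added example (mine, not his workbook), the script below does the same scoring in Python so it can be regenerated from a hunt catalogue rather than maintained by hand. The technique catalogue is a constructed subset of the 2017 ATT&CK Windows matrix with real technique IDs, the hunts and their maturity levels are invented, and the one thing worth noticing is that a technique belonging to several tactics (Scheduled Task, Valid Accounts) counts towards each of them, which is what makes a tactic-level percentage more than a count of hunts.

```python
"""Score hunt coverage against ATT&CK tactics as a text heat map.

Added example, not Roberto Rodriguez's Excel workbook. TECHNIQUES is a
constructed subset of the 2017 ATT&CK matrix; HUNTS are invented.
"""
from collections import defaultdict

# technique id -> (name, tactics it belongs to)
TECHNIQUES = {
    "T1003": ("Credential Dumping", ["Credential Access"]),
    "T1021": ("Remote Services", ["Lateral Movement"]),
    "T1053": ("Scheduled Task", ["Execution", "Persistence", "Privilege Escalation"]),
    "T1055": ("Process Injection", ["Defense Evasion", "Privilege Escalation"]),
    "T1078": ("Valid Accounts", ["Defense Evasion", "Persistence", "Privilege Escalation"]),
    "T1086": ("PowerShell", ["Execution"]),
    "T1105": ("Remote File Copy", ["Command and Control", "Lateral Movement"]),
}

# maturity per hunt: 0 nothing, 1 data source collected, 2 detection written, 3 hunted regularly
LEVELS = {0: "no data", 1: "data source only", 2: "detection", 3: "hunted"}
MAX_LEVEL = max(LEVELS)

HUNTS = [  # constructed
    {"name": "LSASS handle opens by non-system processes", "technique": "T1003", "level": 3},
    {"name": "Encoded PowerShell command lines", "technique": "T1086", "level": 2},
    {"name": "schtasks.exe creations from user sessions", "technique": "T1053", "level": 2},
    {"name": "Sysmon Event 8/10 cross-process injection", "technique": "T1055", "level": 1},
    {"name": "Type 3/10 logons between workstations", "technique": "T1021", "level": 3},
]


def technique_scores(hunts, catalogue):
    """Best maturity level reached for every technique in the catalogue."""
    scores = {tid: 0 for tid in catalogue}
    for h in hunts:
        if h["technique"] not in catalogue:
            raise KeyError("unknown technique %s in hunt %r" % (h["technique"], h["name"]))
        scores[h["technique"]] = max(scores[h["technique"]], h["level"])
    return scores


def tactic_heatmap(scores, catalogue):
    """Per tactic: percent of the attainable score, and techniques with no coverage."""
    per_tactic = defaultdict(list)
    for tid, (_name, tactics) in catalogue.items():
        for tactic in tactics:  # a multi-tactic technique counts in each column
            per_tactic[tactic].append((tid, scores[tid]))
    heat = {}
    for tactic, techs in per_tactic.items():
        got = sum(s for _, s in techs)
        heat[tactic] = {"percent": round(100 * got / (MAX_LEVEL * len(techs))),
                        "gaps": sorted(tid for tid, s in techs if s == 0)}
    return heat


def render(heat):
    lines = []
    for tactic in sorted(heat, key=lambda t: (heat[t]["percent"], t)):
        pct = heat[tactic]["percent"]
        lines.append("%-22s %-10s %3d%%  gaps: %s" % (
            tactic, "#" * (pct // 10), pct, ", ".join(heat[tactic]["gaps"]) or "-"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(tactic_heatmap(technique_scores(HUNTS, TECHNIQUES), TECHNIQUES)))
```

The gap list is the actionable part: Valid Accounts shows up under three tactics, so a single hunt for it moves three rows at once, which is the prioritisation the heat map is meant to surface.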
UPCOMING WEBINARS
- Scar at Forensic Focus provided an overview of the upcoming Techno Security Conference, held in San Antonio September 18th-20th.
Techno Security 2017 – San Antonio September 18th-20th
- The CFP for the 1st International Workshop on Big Data Analytic for Cyber Crime Investigation and Prevention is open. It is co-located with the IEEE International Conference on Big Data 2017, which will take place in Boston, USA, December 11-14, 2017.
IEEE BigData 2017 – International Workshop on Big Data Analytic for Cyber Crime Investigation and Prevention
PRESENTATIONS/PODCASTS
- BSides London uploaded James Stevenson’s presentation on profiling malicious actors.
Profiling Malicious Actors (Working Title) – James Stevenson
- Crowdstrike have shared Jackie Castelli’s webcast on fileless attacks.
Webcast Unpacks Fileless Attacks and Explains What it Takes to Fight Them
- Deepak Kumar shared a few presentations regarding getting into the DFIR field.
FORENSICS AS CAREER
- The guys at IMF Security have uploaded a video on “Hunting so called ‘Fileless malware’ or ‘Non-Malware malware’ using LOG-MD Professional”.
Hunting Fileless Malware using LOG-MD Professional
- Jamie McQuaid at Magnet Forensics shared a few videos showcasing various methods of phone acquisition on Samsung devices using Axiom.
- Nuix shared a webinar on YouTube in which Paul Slater, David Smith, and Michael J Staggs discuss Intelligence, Collaboration, and Analytics for Digital Investigations in US Government.
- On this week’s Digital Forensics Survival Podcast, Michael discussed the “Detecting Lateral Movement through Tracking Event Logs” blogpost by JPCERT.
DFSP # 074 – Detecting Lateral Movement
- Richard Davis has uploaded an intro to “Hashcat, a cross-platform CPU and GPU password ‘recovery’ tool.”
Introduction to Hashcat
- Rob Lee at SANS presented on the updated FOR500 course.
Windows 10 and beyond – What is your digital forensics investigation missing?
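The JPCERT research Michael discusses on the podcast is a catalogue of which event IDs each lateral-movement tool leaves on source and destination hosts. As an added example (not JPCERT’s tooling, and not from the podcast), the correlator below encodes one of those chains, the PsExec-style pattern of a network logon, access to an administrative share and a new service installed on the same host within a few minutes, and runs it over a handful of constructed Security/System log records reduced to the fields the rule needs. The field names and the five-minute window are my choices.

```python
"""Correlate Windows event log records into a lateral-movement alert.

Added example, not JPCERT's tooling: one pattern from "Detecting Lateral
Movement through Tracking Event Logs" (network logon + admin share + new
service on the destination host) over constructed sample records.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)          # assumption: PsExec-style chains complete well within this
ADMIN_SHARES = {"ADMIN$", "C$"}        # 5140 share names that carry a remote binary, not just IPC$

# constructed sample records (4624/5140 come from the Security log, 7045 from the System log)
EVENTS = [
    {"time": "2017-07-20T09:01:02", "host": "WS-ALICE", "id": 4624, "logon_type": 2, "user": "alice", "src_ip": "-"},
    {"time": "2017-07-20T09:15:40", "host": "FS01", "id": 4624, "logon_type": 3, "user": "alice", "src_ip": "10.0.5.23"},
    {"time": "2017-07-20T09:15:40", "host": "FS01", "id": 5140, "user": "alice", "share": "\\\\*\\IPC$", "src_ip": "10.0.5.23"},
    {"time": "2017-07-20T09:15:41", "host": "FS01", "id": 5140, "user": "alice", "share": "\\\\*\\ADMIN$", "src_ip": "10.0.5.23"},
    {"time": "2017-07-20T09:15:42", "host": "FS01", "id": 7045, "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2017-07-20T10:02:11", "host": "FS01", "id": 4624, "logon_type": 3, "user": "backup_svc", "src_ip": "10.0.9.4"},
    {"time": "2017-07-20T10:02:12", "host": "FS01", "id": 5140, "user": "backup_svc", "share": "\\\\*\\Backups", "src_ip": "10.0.9.4"},
    {"time": "2017-07-20T11:30:00", "host": "FS01", "id": 7045, "service": "WinDefend", "image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
]


def _share_name(unc):
    """'\\\\*\\ADMIN$' -> 'ADMIN$' (the 5140 ShareName field is a UNC path)."""
    return unc.rstrip("\\").split("\\")[-1].upper()


def detect_lateral_movement(events, window=WINDOW):
    evs = sorted((dict(e, time=datetime.fromisoformat(e["time"])) for e in events),
                 key=lambda e: e["time"])
    alerts = []
    for i, logon in enumerate(evs):
        # only network (3) and RDP (10) logons can be the landing side of lateral movement
        if logon["id"] != 4624 or logon.get("logon_type") not in (3, 10):
            continue
        share = service = None
        for e in evs[i + 1:]:
            if e["time"] - logon["time"] > window:
                break
            if e["host"] != logon["host"]:
                continue
            if e["id"] == 5140 and e["user"] == logon["user"] and _share_name(e["share"]) in ADMIN_SHARES:
                share = e["share"]
            elif e["id"] == 7045 and share:   # service installed after the admin share was reached
                service = e["service"]
                break
        if service:
            alerts.append({"host": logon["host"], "user": logon["user"], "src_ip": logon["src_ip"],
                           "share": share, "service": service, "at": logon["time"].isoformat(),
                           "evidence": [4624, 5140, 7045]})
    return alerts


if __name__ == "__main__":
    for a in detect_lateral_movement(EVENTS):
        print("%(at)s %(src_ip)s -> %(host)s as %(user)s: %(share)s then service %(service)s" % a)
```

Two prerequisites before this fires on real data: 5140 only exists if “Audit File Share” is enabled in the advanced audit policy, and 7045 lives in the System log, so the two sources have to be merged on host and time before correlating. The backup_svc logon is the deliberate negative case: a type 3 logon to a normal share with no service install is ordinary file-server traffic.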
MALWARE
- Dimitrios Slamaris at ((0x64 ∨ 0x6d) ∨ 0x69 ) has begun reversing a NoPetya/Wiper variant.
Reverse Engineering NoPetya/Wiper pt 1/?
- Bogdan Botezatu at Bitdefender Labs shares “an in-depth analysis of this Inexsmar campaign”.
Inexsmar: An unusual DarkHotel campaign
- The guys at ClearSky share a maldoc related to Winnti as well as various Indicators of Compromise.
Recent Winnti Infrastructure and Samples
- Tim Parisi, Doug Clendening and Jai Musunuri at Crowdstrike show how a malicious adversary “leveraged customized forms – not macros – in Microsoft Outlook that allowed Visual Basic code to execute on a system just by opening or previewing an email message”.
Using Outlook Forms for Lateral Movement and Persistence
- The Cylance Threat Guidance Team examines the Fireball malware.
Threat Spotlight: Is Fireball Adware or Malware?
- Ruben Dodge at Dodge This Security shows how to analyse encrypted maldocs containing Ursnif.
Detecting Ursnif Infected Word Documents through metadata.
- Ashkan Hosseini at Endgame has documented 10 process injection techniques.
Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques
- Robert Galvan at Huntress Labs reverse engineers “an encrypted Redosdru DLL to better understand the threat”.
Redosdru — Encrypting DLL Payloads to Avoid On-Disk Signatures
- Malware Breakdown share some IOCs for the HookAds campaign/RIG exploit kit.
HookAds Continues to use RIG EK to Drop Dreambot
- Brad Duncan at Palo Alto Networks analyses the distribution of the Banload malware downloader.
Malspam Targeting Brazil Continues to Evolve
- Didier Stevens has a post on the SANS Internet Storm Centre showing how to extract a malicious executable from within an ISO file that was received as an email attachment and stored in an EML file.
Malicious .iso Attachments, (Fri, Jul 21st)
- There were a couple of posts on the Securelist blog this week
  - Sergey Yunakovsky examines the source code of the NukeBot banking Trojan.
  The NukeBot banking Trojan: from rough drafts to real threats
  - The GReAT team compare WannaCry and ExPetr.
  A King’s Ransom It is Not
- Paul Rascagneres and Warren Mercer at Cisco’s Talos blog describe “how to analyse PowerShell scripts by inserting a breakpoint in the .NET API [and] how to easily create a script to automatically unpack .NET samples following analysis of the packer logic.”
Unravelling .NET with the Help of WinDBG
- There were a couple of posts by the guys at TrendLabs this week
  - Lenart Bermejo, Jordan Pan, and Cedric Pernet analyse the GhostCtrl Android backdoor.
  Android Backdoor GhostCtrl can Silently Record Your Audio, Video, and More
  - Joseph C Chen examines the “new exploit kit Sundown-Pirate” and the malvertising campaign delivering it, which they have dubbed “ProMediads”.
  ProMediads Malvertising and Sundown-Pirate Exploit Kit Combo Drops Ransomware and Info Stealer
- Vitali Kremez reverses the Betabot trojan and unpacks the final payload.
Let’s Learn: Reversing Packed Betabot Trojan
MISCELLANEOUS
- James Habben at 4n6ir discusses the general discomfort one feels when reading job listings: they appear to list every skill under the sun as requirements, which may dissuade qualified people from submitting an application, or stop them getting past HR because they don’t tick every box (which is just as bad). He also talks about ways that people are able to get around the HR process. And as always, if you start a blog, let me know 🙂
Infosec Jobs
- Jim Hoerricks at Amped Software describes how and why Amped Five’s reporting works the way that it does (specifically relating to standards and cases).
Hands-off the keyboard!
- Yulia Samoteykina at Atola Technology shows how to use the compare function to compare the source and the target and “help you identify and locate the modified sectors”.
Comparing Hashes of Source and Target to Find Modified Data
- Mike Vizard at Barracuda comments on various surveys that have been conducted on SOC performance/workload. He advises that “in the absence of a well-defined incident response plan far too many organizations are incurring more costs responding to potential threats than they are from that actual malware infecting their systems”.
Turns Out Incident Response Is Way More than Half the IT Security Battle
- The Grugq posted on the Comae Technologies blog regarding the recent investigation and subsequent shutdown of the darknet markets AlphaBay and Hansa.
Dark Net Trap
- DFIR Guy at DFIR.Training wrote two posts this week
  - The first post talks about continuous learning/training/reading to assist in your investigations.
  Clearing Old Cases
  - The second talks about the many ways to get into the field and then specifically about a DIY college degree. A number of job postings indicate that a degree is a requirement (to pass HR), but a DIY degree of in-person and online training and conference attendance, in conjunction with blog/book reading and self-driven research, goes a lot further in the eyes of those in the field. Going the extra mile by doing your own research, sharing it, and becoming “known” in the field will most probably be looked on favourably by hiring managers in the future.
  A DIY Cyber Security Degree
- Scar de Courcier at Forensic Focus posted a roundup of some of the forum conversations.
Forensic Focus Forum Round-Up
- Scar also shared an article from the BBC regarding the use of pacemaker data in a court case.
Judge Rules Pacemaker Data Admissible In Court
- Bradley Schatz at Inside Out has shared that “the Advanced Forensic Format 4 Working Group (AFF4 WG) is calling for interested parties to join the second working group meeting, to be co-located at the DFRWS Conference 2017, in Austin, TX”.
Call for participation – AFF4 Working Group meeting at DFRWS 2017 USA
- Magnet Forensics shares a case study of “how Lt. Meadows’ team [at the Houston County Sheriff’s Office] uses AXIOM to help solve the problems”.
How Customers Sort Through the Noise Using Magnet AXIOM
- Brian Maloney at Malware Maloney continues his series on ProcDOT plugin writing, expanding on the previous articles by showing how to add a context menu and then how to add conditions around it.
ProcDOT plugin writing. Part 4 – Context Menu and CanBeVerified
- Christopher Woods at Nuix provides his thoughts on ways that backlogs can be cleared: this involves getting the person with intimate knowledge of the case in front of the evidence, rather than handing the data to a forensic analyst and asking them to find the evidence. This is sound advice, as the case agent knows what they’re looking for. The only caveat is that the case agent may not understand the information being presented to them; a picture located in a temporary cache does not have the same evidential value as a picture on the desktop, for example.
Placing Case Agents at the Forefront of Criminal Investigations
- Richard Wartell at Palo Alto Networks advised that “the LabyREnth Capture the Flag (CTF) challenge ends in less than a week!”
LabyREnth CTF 2017 Final Week: Beat the Maze!
- It appears that SalvationData are giving away licenses of their DVR Forensics software, although the accompanying blogpost doesn’t specify if this is a trial, LE only, the full version for a defined period, etc.
Check out @SalvationDATA’s Tweet
- Scott J Roberts answered the question “What books or papers should a new cyber threat intelligence analyst read first?”
CTI Reading List
- David Cowen announced an unofficial CTF to be held at Defcon/BSides LV. Unfortunately, it’s already filled up, but if you’re around DEFCON then it’ll definitely be worth giving the guys a shout and going to see what they’re up to.
Take a look at @HECFBlog’s Tweet
- Jóseph Mlodzìanowskì tweeted that there will be a number of hands-on workshops at the Packet Hacking Village at Defcon this week.
Take a look at @cedoxX’s Tweet
- Martijn Grooten at Virus Bulletin explains that “the VB2017 programme features several talks on such APTs”.
Advanced and inept persistent threats to be discussed at VB2017
SOFTWARE UPDATES
- Blackbag Technologies have released MacQuisition 2017R1.
MacQuisition 2017R1
- Didier Stevens updated a number of his tools this week
  - He released a new tool in beta that “can interpret bytes as various integers”.
  Beta: format-bytes.py
  - He updated zipdump to version 0.0.11, adding the ability to auto-generate a YARA rule from a string and then search a zip file with it.
  Update: zipdump.py Version 0.0.11
  - He updated oledump to version 0.0.28 to support “YARA rules provided via the command-line”.
  Update: oledump.py Version 0.0.28
  - He also updated emldump to version 0.0.10, adding the ability to output “the filename for attachments”.
  Update: emldump.py Version 0.0.10 (http://blog.didierstevens.com/2017/07/21/update-emldump-py-version-0-0-10/)
- Preston Miller at DPM Forensics updated his Go Phish script, adding “functionality to alert on one-off emails potentially coming from throwaway email accounts.”
Hasty Scripts: Go Phish v2
- Elcomsoft Explorer for WhatsApp 2.10 has been released. The tool “can now access iPhone users’ encrypted WhatsApp communication histories stored in Apple iCloud Drive”. Oleg Afonin has also provided a “step-by-step guide to extracting and decrypting WhatsApp backups from iCloud Drive.”
Elcomsoft Explorer for WhatsApp Extracts iPhone WhatsApp Backups from iCloud
- Evimetry 3.0.1 was released with a few fixes and improvements.
Release 3.0.1
- Phil Harvey updated ExifTool to version 10.60 (development release), adding various tags and fixing some bugs.
ExifTool 10.60
- GetData released Forensic Explorer v3.9.8.6604.
21 July 2017 – v3.9.8.6604
- David Cowen advised that they have updated their HFS+ Journal Parser.
Check out @HECFBlog’s Tweet
- Sarah Edwards at Mac4n6 has updated her Mac MRU Parser Python script, adding Spotlight Shortcuts, blob/alias parsing, and legacy keys for the recentitems plist. I had a plist that had legacy keys (from a previous version of OSX) as well as the expected keys (from the installed version), so Sarah was able to update the script to accommodate this.
Script Update – Mac MRU Parser – Spotlight Shortcuts & BLOB Parsing!
- Magnet Forensics released AXIOM v1.1.3, adding various enhancements to mobile device processing and improvements to reporting.
Bringing Enhanced Mobile Acquisition, iOS Processing & Analysis, and Reporting Improvements to Magnet AXIOM 1.1.3
- Log-MD Free and Professional v1.2 were released. Updates include an autoruns report, a locked files report, and DNS Client event log collection.
- Sanderson Forensics released Forensic Browser for SQLite v3.2.8, fixing a few bugs.
Version 3.2.8 released
- Xabier Ugarte Pedrero at Cisco’s Talos blog shares “PyREBox, our Python scriptable Reverse Engineering sandbox. PyREBox is based on QEMU, and its goal is to aid reverse engineering by providing dynamic analysis and debugging capabilities from a different perspective.”
PyREBox, a Python scriptable Reverse Engineering sandbox
- Johan Berggren has announced “a new version of Timesketch, codename “Donnie Darko”. This release brings exciting new backend features such as a Python API client and Neo4j graph database support.” The guys have also “set up a live demo server over at https://demo.timesketch.org/.”
Timeline analysis from the future
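Two entries this week put Windows logs into Neo4j: Anton’s Sysmon visualisation post under Forensic Analysis and the new Timesketch release above. As an added example covering both (my code, not Anton’s and not part of Timesketch), the script below takes Sysmon Event ID 1 process-creation records, emits the Cypher MERGE statements that build the parent/child graph in Neo4j, and then answers the question the graph is usually built for, “did an Office process end up spawning a shell?”, both as a Cypher query and as a plain Python walk over the same records. The five Sysmon records are constructed (the GUIDs are placeholders); the EventData field names are Sysmon’s.

```python
"""Sysmon process-creation events -> Neo4j process graph, plus the
"Office spawned a shell" question answered in Cypher and in Python.

Added example, not Anton's code and not part of Timesketch. SYSMON_EVENTS
are constructed Event ID 1 records with Sysmon's EventData field names.
"""
import json
import ntpath

SYSMON_EVENTS = [  # constructed: explorer -> WINWORD -> cmd -> powershell, plus an innocent notepad
    {"UtcTime": "2017-07-20 09:14:55.101", "Computer": "WS-ALICE", "User": "CORP\\alice",
     "ProcessGuid": "{A1}", "ParentProcessGuid": "{00}",
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"},
    {"UtcTime": "2017-07-20 09:20:03.220", "Computer": "WS-ALICE", "User": "CORP\\alice",
     "ProcessGuid": "{B2}", "ParentProcessGuid": "{A1}",
     "Image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "CommandLine": "\"WINWORD.EXE\" /n \"C:\\Users\\alice\\Downloads\\invoice.docx\""},
    {"UtcTime": "2017-07-20 09:20:09.874", "Computer": "WS-ALICE", "User": "CORP\\alice",
     "ProcessGuid": "{C3}", "ParentProcessGuid": "{B2}",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"UtcTime": "2017-07-20 09:20:10.012", "Computer": "WS-ALICE", "User": "CORP\\alice",
     "ProcessGuid": "{D4}", "ParentProcessGuid": "{C3}",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"UtcTime": "2017-07-20 09:31:44.500", "Computer": "WS-ALICE", "User": "CORP\\alice",
     "ProcessGuid": "{E5}", "ParentProcessGuid": "{A1}",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(image):
    return ntpath.basename(image).lower()


def to_cypher(events):
    """One MERGE per process node, then one per parent->child edge whose
    parent we actually saw (Neo4j 3.x Cypher; json.dumps gives valid string literals)."""
    known = {e["ProcessGuid"] for e in events}
    stmts = ['MERGE (p:Process {guid: %s}) SET p.image = %s, p.cmd = %s, p.user = %s, p.host = %s'
             % tuple(json.dumps(e[k]) for k in ("ProcessGuid", "Image", "CommandLine", "User", "Computer"))
             for e in events]
    stmts += ['MATCH (a:Process {guid: %s}), (b:Process {guid: %s}) MERGE (a)-[:SPAWNED]->(b)'
              % (json.dumps(e["ParentProcessGuid"]), json.dumps(e["ProcessGuid"]))
              for e in events if e["ParentProcessGuid"] in known]
    return stmts


# the same question asked of Neo4j once the graph is loaded
SUSPICIOUS_CHAIN_QUERY = """
MATCH (office:Process)-[:SPAWNED*1..3]->(shell:Process)
WHERE ANY(n IN ['winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe']
          WHERE toLower(office.image) ENDS WITH n)
  AND ANY(n IN ['cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe']
          WHERE toLower(shell.image) ENDS WITH n)
RETURN office.image, shell.image, shell.cmd
"""


def ancestry(events, guid):
    """Image basenames from the root of the tree down to `guid`, following
    ParentProcessGuid; stops at unknown parents and at cycles."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(basename(by_guid[guid]["Image"]))
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain[::-1]


def office_spawned_shells(events):
    """GUIDs of shell processes with an Office application somewhere above them."""
    return [e["ProcessGuid"] for e in events
            if (lambda c: c[-1] in SHELLS and any(a in OFFICE for a in c[:-1]))(ancestry(events, e["ProcessGuid"]))]


if __name__ == "__main__":
    print("\n".join(to_cypher(SYSMON_EVENTS)))
    for guid in office_spawned_shells(SYSMON_EVENTS):
        print(guid, " -> ".join(ancestry(SYSMON_EVENTS, guid)))
```

The Cypher and the Python give the same two hits (cmd.exe and the PowerShell it launched); the point of loading the graph is that the variable-length `[:SPAWNED*1..3]` pattern keeps working when the attacker adds a layer, which a flat event search on ParentImage does not.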
And that’s all for Week 29! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!