Early post this week, just in case I don’t have time to finish it tomorrow.
FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog looks at the effects of file system tunnelling on the USN journal
File System Tunneling and E:\
- Faisal AM Qureshi at ‘Deriving Cyber Threat Intelligence and Threat Hunting’ demonstrates how to use Alan Orlikoski’s CyLR, CDQR and Skadi combination for threat hunting.
Live forensic collection and triage using CyLR, CDQR and Skadi
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging with a Sunday Funday and more test kitchen Object ID testing
  - This week’s Sunday Funday asks about the other artefacts that can be used to determine which paths may have been typed into an Explorer window if Windows clears out the data.
  Daily Blog #500: Sunday Funday 10/7/18
  - Daily Blog #501: Forensic Lunch Test Kitchen 10/8/18
  - Daily Blog #502: Forensic Lunch Test Kitchen 10/9/18
  - Daily Blog #503: Forensic Lunch Test Kitchen 10/10/18
  - Daily Blog #504: Forensic Lunch Test Kitchen 10/11/18
  - Daily Blog #505: Forensic Lunch Test Kitchen 10/12/18
- Alexis Brignoni at ‘Initialization vectors’ demonstrates the benefits of sandboxing apps for DF purposes. I like doing this as an alternative to booting a live VM of the image; it’s much easier to take a screenshot of the app processing the data rather than trying to parse it yourself.
Quick DFIR analysis using a sandbox
- Trey Amick at Magnet Forensics demonstrates how to use Axiom Cloud to obtain and examine Instagram data.
How AXIOM Cloud Can Help Save Time Investigating Instagram
- Over on my ThinkDFIR blog, I showed how to use mimikatz to pull the NTLM hash from the SAM file on a Win10 Anniversary Update system, as some tools haven’t been updated to obtain the hash properly. Hopefully the major vendors go back and take a look at whether they are reporting the hashes incorrectly; I’d test it for people, but I don’t have personal licenses for most tools. If companies want to donate research licenses however…
WinTeNTLM Issues
- Iria Piyo demonstrates that file system tunnelling occurs when a file is downloaded with Chrome and overwrites a file with the same name.
NTFSのトンネリングとFileDownload (NTFS tunnelling and FileDownload)
THREAT INTELLIGENCE/HUNTING
- Marc Rivero López walks through the setup process for Cuckoo Sandbox.
How to deploy Cuckoo Sandbox
- Jayden Zheng at Countercept describes a persistence mechanism that launches an executable when a user accesses a library folder.
Abusing Windows Library Files for Persistence
- CrowdStrike released their 2018 Mid-Year OverWatch Report.
New Report Offers a Front Line View from Leading Threat Hunters
- Mathias Fuchs at Cyberfox examines some data on his test network using Tanium to assist in investigating RDP lateral movement.
Attackers and RDP MRUs
- The alert center for G Suite is now generally available; it “provides a single, comprehensive view of essential security-related notifications, alerts, and actions across G Suite.”
Alert center for G Suite generally available to help identify security threats
- Adam at Hexacorn shared a number of persistence mechanisms this week
- Tazz at OSINT Soup has a post describing when you should go about hiring a threat intel analyst and how to go about doing it
When and How to Hire a Threat Intelligence Analyst
- Anton Tyurin at Positive Technologies describes various methods that attackers can use to gain control over Active Directory, along with detection methods.
Advanced attacks on Microsoft Active Directory: detection and mitigation
- Red Canary posted the Q&A from part 2 of their ongoing “Threat Hunting with ATT&CK” webinar series.
Q&A: Visibility, Testing Critically Important for Hunting
- StillzTech has released “CBR: Mass Acquire. As the name implies, this script is used to perform mass file acquisitions on either a list of files or directories provided”
Carbon Black Response: Mass Acquire
- Michael Haag has started a series demonstrating his hunting methodology using Splunk’s Boss of the SOC dataset
Hunting Methodology — Splunk BOTS (Boss of the SOC) — Part 1
- David French at Threat Punter demonstrates how an attacker may utilise WMI for persistence, as well as how to detect it using Sysmon.
Detecting & Removing WMI Persistence
UPCOMING WEBINARS/CONFERENCES
- Andreas Dewald at Insinuator announced the Incident Analysis and Digital Forensics Summit 2018, held in Heidelberg on 14 November 2018
Incident Analysis and Digital Forensics Summit 2018, 14th of November of 2018
- Cody Bryant and Warren Pamukoff at Magnet Forensics will be hosting a couple of webinars on the differences between IEF and Axiom. The webinars will take place on Wednesday, October 24th at 1:00PM EST and Thursday, October 25th at 9:00AM EST
Still Using IEF? Learn What You May Be Missing Out On
PRESENTATIONS/PODCASTS
- John Strand at Black Hills Information Security has a webcast on building a “C2/Implant/Malware test bed”. John shows how to “cross reference some different malware specimens with the MITRE ATT&CK framework and cover how you can use these techniques to test your defensive solutions at both the endpoint and the network.”
WEBCAST: Creating and Keeping a Malware Zoo
- Yuma Kurogome’s presentation on de-obfuscation was shared out on Speaker Deck
The Art of De-obfuscation
- Nuix posted a “brief demonstration showing how Nuix Adaptive Security can be used to handle a credential harvesting attack.”
Responding to Credential Harvesting Attacks
- On this week’s Digital Forensic Survival Podcast, Michael talks about OWASP
DFSP # 138 – OWASP Top 10
- Richard Davis at 13Cubed demonstrates the CyberChef toolkit
Cooking with CyberChef
- SANS have uploaded the presentations from their 2018 EU DFIR Summit.
SANS DFIR Prague Summit & Training 2018 (October 2018)
- SANS shared Jake Williams’ talk from the 2018 DFIR Summit titled “Living in the Shadow of the Shadow Brokers”
Living in the Shadow of the Shadow Brokers – SANS DFIR Summit 2018
MALWARE
- Daniel Grant at Endgame demonstrates how to build a deobfuscator for PowerShell scripts.
Deobfuscating PowerShell: Putting the Toothpaste Back in the Tube
- John Bergbom at Forcepoint continues examining a Wasm binary “by looking at the Wasm text format.”
Manual reverse engineering of WebAssembly: static code analysis
- There were a couple of posts on Hackers-Arise this week
  - They walk through the examination of a sample of IRC.SRVCP.Trojan in a live environment.
  Reverse Engineering Malware, Part 6: System Level or Behavioral Analysis
  - They also have a post taking a look at the BlackEnergy 3 SCADA malware.
  SCADA Hacking: Anatomy of a SCADA Malware, BlackEnergy 3
- John Ferrell at Huntress Labs examines some interesting PowerShell and walks through how he decoded the resultant malware with Python and shellen
Deep Dive: Examining A Powershell Payload
- Jared Greenhill at ‘Just Another DFIR Blog’ has written up some of the Flare-On challenges
- Brian Laskowski at Laskowski-Tech examines some malspam with some interesting infrastructure
Malware infrastructure breakdown
- Vishal Thakur has a guest post on ‘Lemon’s InfoSec Ramblings’ showing some of the new changes to the Emotet downloader.
Emotet Downloader: Major Changes In New Version
- Lenny Zeltser describes the history of fileless attacks and provides his “perspective on the methods that comprise modern fileless attacks”
The Language and Nature of Fileless Attacks Over Time
- Hasherezade and Jérôme Segura at Malwarebytes Labs examine an attack that targets users of vulnerable MikroTik routers
Fake browser update seeks to compromise more MikroTik routers
- Samip Pokharel provides “a quick walkthrough for MalwareTech’s Beginner Malware Reversing CTF challenge Virtual Machine 1”
MalwareTech’s vm1 : Static Analysis Walkthrough
- Alexandre Mundo, John Fokker and Thomas Roccia at McAfee Labs examine GandCrab 5.0.2
Rapidly Evolving Ransomware GandCrab Version 5 Partners With Crypter Service for Obfuscation
- Michael Gorelik at Morphisec examines different samples utilised by the Carbanak group
Cobalt Group 2.0
- Brad Duncan at Palo Alto Networks demonstrates how a fake Flash update has been used to distribute XMRig
Fake Flash Updaters Push Cryptocurrency Miners
- There were a few posts on the SANS Internet Storm Centre Handler Diaries
  - Didier Stevens expands on his previous post about XOR strings being implemented in YARA
  YARA XOR Strings: Some Remarks, (Sun, Oct 7th)
  - Xavier Mertens describes the benefits of NetFlow data for detecting malicious activity
  “OG” Tools Remain Valuable, (Wed, Oct 10th)
  - Xavier also examines a maldoc from a phishing email.
  New Campaign Using Old Equation Editor Vulnerability, (Wed, Oct 10th)
- The team at Securelist examine a maldoc associated with a recent MuddyWater campaign.
MuddyWater expands operations
- Vitor Ventura at Cisco’s Talos blog examines the GPlayed Android trojan
GPlayed trojan – .Net playing with Google Market
- Erika Mendoza, Anjali Patil and Jay Yaneza at TrendLabs examine some malspam distributing Ursnif.
Phishing Campaign uses Hijacked Emails to Deliver URSNIF by Replying to Ongoing Threads
- Anton Cherepanov and Robert Lipovsky at WeLiveSecurity examine a recent backdoor used by TeleBots, the group behind the massive NotPetya ransomware outbreak; their analysis “uncovers strong code similarities to the Industroyer main backdoor, revealing a rumored connection that was not previously proven”
New TeleBots backdoor: First evidence linking Industroyer to NotPetya
MISCELLANEOUS
- James Habben at 4n6IR comments on Magnet’s method of progress reporting in Axiom
Processing Progress in Axiom
- There were a couple of posts on Forensic Focus this week
  - Scar de Courcier recaps ICDF2C 2018.
  ICDF2C 2018 – Recap
  - Scar also provided the results of the 2018 Forensic Focus survey. One of the statements regarding the differences between criminal and civil forensics is interesting: that “next to nothing is catered to the civil side”. Can someone from the civil side list out what they’re after? Alternatively, why aren’t those on the civil side filling that need? It’s hard to criticise an event for not catering to an audience if they don’t get the submissions.
  Findings From The Forensic Focus 2018 Survey
- Applied Network Defence announced a new course by Josh Brower titled “Osquery for Security Analysis”
Check out @DefensiveDepth’s Tweet
- Magnet Forensics have announced a new training course, AX310, which teaches examiners how to use Axiom in incident response investigations.
New Training Course: Magnet AXIOM Incident Response Examinations (AX310)
- Infosec_Samurai at Measured Response has a post on reporting on certainty during an examination.
Don’t Think, Know
- Rusolut have released a “new automatic tool eMMC-NAND Reconstructor” which may be useful for mobile forensics extractions that require chip removal.
- Chris Crowley has announced that the SANS MGT517 course has been cancelled from any future runs.
File under #Failure: MGT517 cancelled
- SalvationData have a post describing some of the upcoming features to their VIP (Video Investigation Portable) product.
[Case Study] DVR Forensics: Recovering Inaccessible Surveillance Video Data from DVR or NVRs
SOFTWARE UPDATES
- Arsenal released new versions of HiveRecon and HbinRecon. “HiveRecon v1.0.0.48 Alpha has improved Registry hive extraction from hibernation and crash dump files, particularly those from Windows 10 Build 17134 onward. Support for decompression of compressed hive bins and performance improvements have been added as well”. “HbinRecon v1.0.0.35 Alpha has added key path reconstruction (Mode 0 only), UserAssist hive bin hunting, a hive bin counter, and performance improvements.”
New Versions of HiveRecon and HbinRecon Launched
- Arsenal also released betas of Hibernation Recon (v1.1.0.68), Registry Recon (v2.2.2.0065), and Arsenal Image Mounter (v2.6.40)
- Matt Suiche at Comae Technologies announced the release of Dmp2Json which allows examiners to convert a crash dump “into a series of multiple JSON files for the different artifacts contained inside the image (objects, drivers, processes, dlls, services, etc.)”
The release of Dmp2Json & Querying Memory Images through JSON format
- Mike Cary at ‘DFIR on the Mountain’ has released a script to automatically download Eric Zimmerman’s tools. Alternatively, Eric posts them on Chocolatey.
More Automation: Get-ZimmermanTools.ps1
- Eric Zimmerman updated a number of his tools this week to fix some minor bugs: LECmd 1.1.0.1, JLECmd 1.1.0.1, Jumplist Explorer 0.7.0.1, and Registry Explorer 1.1.0.6
- ExifTool 11.13 (development) was released with new tags, bug fixes, and other improvements.
ExifTool 11.13
- Oxygen Forensics updated their Detective product to v11.0 with additional support across phones, IoT devices, and drones.
Oxygen Forensics Enhances Cloud And Decryption Capabilities
- Magnet Forensics updated Axiom to v2.6, adding “WhatsApp backups, iCloud and Cloud Administrator account support” to Axiom Cloud, as well as “improvements to Magnet.AI and to overall performance.”
Enhanced WhatsApp Support and Much More in Magnet AXIOM 2.6
- “A new version of MISP (2.4.96) has been released with a complete rework, refactoring and simplification of the restSearch API, allowing for more flexibility, improved search capabilities, performance and extendability.”
MISP 2.4.96 released (aka API everywhere release)
- MOBILedit Forensic version 10 was released with an updated UI, additional support for new operating systems and devices, and other improvements and bug fixes.
MOBILedit 10 Released!
- Microsystemation have released XRY Drone, powered by URSA. This allows examiners to extract data from drones and their companion phone apps. I’m unsure if this is a separate add-on or incorporated product within XRY.
XRY Drone – new technology to acquire and analyze drone data – is introduced by MSAB and URSA
- Apache Tika 1.19.1 was released with some minor updates
Release 1.19.1 – 10/4/2018
- GetData released Forensic Explorer v4.4.8.7822 to fix some minor issues
10 Oct 2018 – v4.4.8.7822
- Passmark Software released OSForensics V6.1.1001 with a number of new improvements and bug fixes.
V6.1.1001 – 9th Oct 2018
- Tableau Firmware Update v7.25 was released to update the TX1 Forensic Imager to version 2.0, adding a number of new features, enhancements, and bug fixes.
Tableau Firmware Update Revision History for v7.25
And that’s all for Week 41! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!
As always, thanks to those who give a little back for their support!
I thought the civil vs. criminal comment was interesting too – it wasn’t something I’d ever really thought of, but looking back I can see what they mean. Unfortunately they didn’t give any more detail than that in their response to our survey, but perhaps someone can shed some light!