FORENSIC ANALYSIS
- Hideaki Ihara at the Port 139 blog demonstrates amcache activity for process tracking on Win10
USB and Amcache
- Justin Boncaldo examines the Win10 Netflix app
Netflix - Windows 10 Appstore Forensics
- Brian Moran at BriMor Labs walks through his process of parsing Skype Lite data
Skype Hype/Gripe
- Oleg and Vladimir at Elcomsoft have written articles on the security of Apple Health data and how to obtain it from iCloud and iOS devices.
- Matt Shannon at F-Response explains how SIP and APFS affect an engagement using F-Response. I don’t know much about the SIP side of things, but the APFS problem will slowly go away. Unfortunately, it just takes a bit of time.
F-Response, APFS, and SIP – Oh my
- Will Ascenzo at Gillware describes the Ext4 file system and data recovery
How to Recover Data on an Ext4 File System
- There’s a post on Hacker-Arise examining an attack utilising the EternalBlue exploit
Network Forensics, Part 2: Packet-Level Analysis of the EternalBlue Exploit
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
- No winners for last week's Sunday Funday challenge
Daily Blog #548: Solution Saturday 11/25/18
- This week’s Sunday Funday asks about how long it takes for a GUI executable to appear in the Win7 amcache. Maxim Suhanov answers the call and in the process shows that process execution may get tracked in the CIT database within the Registry.
Daily Blog #549: Sunday Funday 11/25/18
- There were more test kitchens! Dave continues to focus on the amcache
- And a forensic lunch with Matt where they talked about DFVFS, current tools and hashsets, as well as MUS and their CTFaas
Daily Blog #553: Forensic Lunch 11/30/18
- Sarah Edwards at Mac4n6 walks through her process for testing the effects of user or app interaction on iOS devices
Do it Live! Dynamic iOS Forensic Testing
- SalvationData have a post about the Seagate diagnostic port lock, and how their DRS tool can be used to circumvent this
[Case Study] Computer Forensics: An Introduction of Seagate Diagnostic Port Lock
- Jaco at ‘The Swanepoel Method’ demonstrates some of the indicators that an email is a phishing email
DON’T CLICK THAT LINK (Unless it’s us)
THREAT INTELLIGENCE/HUNTING
- Emre Tinaztepe at Binalyze provides an overview of YARA and demonstrates how YARA is implemented in IREC for IR engagements
Extending YARA for Incident Response
- Katie Dematteis shares Carbon Black’s “Top 5 Threat Hunting Myths” ebook
Top 5 Threat Hunting Myths: “EDR Is Threat Hunting”
- ClearSky Research Team share details of recent operations by the MuddyWater threat group
MuddyWater Operations in Lebanon and Oman
- Matt Suiche at Comae Technologies describes a new feature in Stardust allowing for examinations of process dumps.
Process Dump Support in Comae Stardust
- Adam Meyers at CrowdStrike provides a summary of the Helix Kitten threat group
Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN
- Assaf Dahan and Joakim Kandefelt at Cybereason examine recent attacks by Brazilian threat actors
Pervasive Brazilian financial malware targets bank customers in Latin America and Europe
- Richard Gold at Digital Shadows maps some recent threat group activities to the Australian Signals Directorate Essential 8
Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework
- Vikram Hegde at FireEye “presents a machine learning (ML) approach to solving an emerging security problem: detecting obfuscated Windows command line invocations on endpoints”.
Obfuscated Command Line Detection Using Machine Learning
- Adam at Hexacorn demonstrates a persistence mechanism that utilises ‘The Bat’ email client
Beyond good ol’ Run key, Part 95
- Brian Laskowski at Laskowski-Tech walks through detecting and responding to an Emotet infection.
Detecting Emotet, and other Downloader Malware with OSSEC/Wazuh
- McAfee Labs shared their 2019 Threat Predictions report
McAfee Labs 2019 Threats Predictions Report
- Hadar Feldman and Yarden Albeck at the ‘Windows Defender ATP team’ share a recent attack targeting “several high-profile organizations in the energy and food and beverage sectors in Asia”. “The attackers used bitsadmin.exe to download and execute a randomly named payload from a remote server”
Windows Defender ATP device risk score exposes new cyberattack, drives Conditional access to protect networks
- MITRE have published a post on how various EDR vendors fared “based on real-world adversary behaviors found in ATT&CK”. Frank Duff has published a post on Medium explaining the methodology used. The posting also resulted in responses from vendors included in the testing, such as those listed below
First Round of MITRE ATT&CK™ Evaluations Released
- Scott Lundgren at Carbon Black
Why I’m Ecstatic About the MITRE ATT&CK Results
- Mark Dufresne at Endgame
Putting the MITRE ATT&CK Evaluation into Context
- Roberto Rodriguez at SpecterOps provides detection guidance against an attack where an adversary coerces “a domain controller (DC) to authenticate to a server configured with unconstrained delegation, capture the domain controller’s Ticket-Granting-Ticket (TGT), and export the TGT in order to impersonate the DC and perform attacks such as DCSync to request any domain user’s password”
Hunting in Active Directory: Unconstrained Delegation & Forests Trusts
- Robert M. Lee provides some context about why he and Richard Bejtlich disagree on hunting definitions.
Threat Hunting, TTPs, Indicators, and MITRE ATT&CK – Bingo
- Olaf Hartong demonstrates detecting the use of the NoPowerShell tool through Cobalt Strike
Cobalt Strike Remote Threads detection
- Pablo Delgado at Syspanda shares his master’s thesis on using “the ELK Stack as a potential SIEM replacement solution”
Developing an Adaptive Threat Hunting Solution: The Elasticsearch Stack (Masters Thesis)
UPCOMING WEBINARS/CONFERENCES
- The CFP for DFRWS 2019 has opened and will close January 25 2019. The event will take place July 14-17th
Check out @DFRWS’s Tweet
- John Priest, Detective Rob Mauro, and John Kennedy at Cellebrite and FBINAA will be hosting a webinar on using social media data in investigations. The webinar will take place on Monday, December 10th at 1 pm Eastern/10 am Pacific Time
Building an Investigation Using Social Media
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded the videos from SecureWV/Hack3rcon 2018
SecureWV/Hack3rcon 2018 Videos
- Cyber Forensicator shared a presentation by Mikhail Arshinskiy titled “Forensic Challenges due to Encryption Mechanisms”
Forensic Challenges due to Encryption Mechanisms
- Some of the videos from the DEF CON 26 Data Duplication village were uploaded
- Forensic Focus shared the transcript and presentation from the recent webinar by Justin Matsuhara at Blackbag Technologies
Webinar: What’s New In BlackLight – How To Streamline Investigations
- Magnet Forensics uploaded Jessica Hyde’s recent webinar on iOS 12
Recorded Webinar: Apple’s Tween Years: iOS’ Maturation from 10 through 11 and into 12
- Corey Tomlinson at the Nuix Unscripted Podcast interviewed Chris Woods and Chris Brewer about their presentation at Sector 2018 on developing threat intel
Homebrew Threat Intelligence
- On this week’s Digital Forensic Survival Podcast, Michael walks through PDF document analysis
DFSP # 145 – PDF Forensics
- SANS uploaded my presentation from the 2018 DFIR Summit on examining Google Home devices. Losing my voice and nerves were definitely apparent, might have to re-record it at some point.
Investigating Rebel Scum’s Google Home Data – SANS DFIR Summit 2018
- I recorded my monthly podcast for November.
This Month In 4n6 – November – 2018
- A couple of presentations from VB2018 were uploaded
MALWARE
- There’s a post on the Joe Security blog describing the PE packing process
Generic Unpacking Detection
- There were a couple of posts on the Check Point Research blog
- Ido Solomon and Adi Ikan provide an overview of the KingMiner malware.
KingMiner: The New and Improved CryptoJacker
- Itay Cohen gives an overview of the Backswap malware
The Evolution of BackSwap
- Hod Gavriel at Cyberbit advises how to mitigate malware that utilises “direct system calls in order to evade security product hooks.”
Malware Mitigation when Direct System Calls are Used
- Tali Ash at Microsoft describes how Azure Advanced Threat Protection can be used to “identify exactly how attackers can move laterally inside your network.”
Reduce your potential attack surface using Azure ATP Lateral Movement Paths
- Robert Neumann at Forcepoint examines a malicious sample that exploits the AutoCAD software
AutoCAD Malware – Computer Aided Theft
- Florian Hockmann and Stefan Hausotte at G Data demonstrate why using a graph database for malware analysis is beneficial
G DATA Techblog: Malware Analysis with a Graph Database
- Michael Gillespie analysed some ransomware components
- Michael Gorelik at Morphisec examines the malware associated with a recent “Pied Piper” campaign
Morphisec Uncovers Global “Pied Piper” Campaign
- Josh Grunzweig and Kyle Wilhoit at Palo Alto Networks provide details of the ‘Fractured Block’ campaign which is utilising the Carrotbat malware “to deliver lures primarily pertaining to the South Korea and North Korea region.”
The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia
- Sysopfb at ‘Random RE’ takes a look at the TrickBot worm module
TrickBot worming detection
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Xavier Mertens shared a malicious shell script provided by a reader that was found on “a QNap NAS running QTS 4.3”
Obfuscated bash script targeting QNap boxes, (Mon, Nov 26th)
- Xavier also shares a malicious shell script identified in an Apple .dmg file “delivered through a fake Flash update webpage”
More obfuscated shell scripts: Fake MacOS Flash update, (Tue, Nov 27th)
- Russ McRee provides an overview of ViperMonkey
ViperMonkey: VBA maldoc deobfuscation, (Mon, Nov 26th)
- Brad Duncan examines some malspam pushing the Shade ransomware
Russian language malspam pushing Shade (Troldesh) ransomware, (Thu, Nov 29th)
- Remco Verhoef walks through an attack on “Elasticsearch [that was] being exploited using queries with script_fields”
CoinMiners searching for hosts, (Fri, Nov 30th)
- Warren Mercer and Paul Rascagneres at Cisco’s Talos blog break down an attack distributing the DNSpionage malware.
DNSpionage Campaign Targets Middle East
- Rodel Mendrez at TrustWave SpiderLabs examines a malicious “XML-format MS Office Document”
Demystifying Obfuscation Used in the Thanksgiving Spam Campaign
- The Symantec Security Response team shared some indicators of Miuref and Kovter infections
Operation Eversion: Investigators arrest and indict 8 people
- Steven Alexander at ‘The Bug Charmer’ walks through the process of examining a maldoc with the ‘Hybrid Analysis’ service
Analyzing infected documents
- There were a few posts on the TrendLabs blog this week
- Lorin Wu and Ecular Xu link the XLoader and FakeSpy malware to the Yanbian Gang, “a Chinese cybercriminal group infamous for stealing money from account holders of South Korean banks.”
A Look into the Connection Between XLoader and FakeSpy, and Their Possible Ties With the Yanbian Gang
- Carl Maverick R. Pascual examines an AutoIT worm “that propagates through removable drives and installs a fileless version of the BLADABINDI backdoor.”
AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor
- Echo Duan analyses malicious fake voice apps on the Google Play store
Fake Voice Apps on Google Play, Botnet Likely in Development
- Michael Villanueva and John Sanchez demonstrate some attacks using PowerShell core, which is a cross-platform version of PowerShell (look for pwsh rather than powershell.exe)
Proofs of Concept Abusing PowerShell Core: Caveats and Best Practices
- Jaromir Horejsi examines “a few interesting delivery documents similar to the known MuddyWater TTPs”
New PowerShell-based Backdoor Found in Turkey, Strikingly Similar to MuddyWater Tools
- Vitali Kremez examines the “C# code from the Sofacy Group new loader/backdoor called “Cannon””
Let’s Learn: In-Depth on Sofacy Cannon Loader/Backdoor
- Rohan Viegas at VMRay examines a malware sample that “exhibits location-based behavior”
Analyzing Location-Based Malware with Geo Anonymization
MISCELLANEOUS
- Eric Huber at ‘A Fistful of Dongles’ continues his ‘Life After Law Enforcement’ series, this time covering resume writing. The post got me thinking that it’s worthwhile writing down your achievements throughout your career at your current workplace because one day you will need to use it to remind yourself. I definitely have forgotten details of some of the projects or cases I’ve worked on, so having it written down somewhere makes your life easier down the line
Life After Law Enforcement: Can We Talk About Your Resume?
- Brett Shavers shares a couple of stories where people assume that DFIR is simple, and underestimate the simple but important tasks that we undertake to ensure our work holds up against scrutiny. I think that the basics of preservation are really important, easy to learn and easy to screw up, but if they’re done right then you can pretty much do whatever you want after that. Knowing when you’re out of your depths, and how to identify different scenarios requiring bringing in subject matter experts or further training is very important.
Digital Forensics is Really Easy
- Expanding on this at DFIR.Training, Brett breaks down some of the fundamentals
A Proposal of Basic Foundational DFIR Knowledge
- Cellebrite shared a case study on how their Advanced Services assisted in a homicide investigation.
Learn how GPS logs lead to the location of a homicide victim
- Brian Carrier and Chris Ray at Cyber Triage advise that Demisto can now launch a Cyber Triage investigation
Demisto Integration Provides Faster Responses for Cyber Triage Users
- DME Forensics have posted an explanation of their split frame correction feature in DVR Examiner 2.5
Feature Focus: Split Frame Correction
- There were a couple of posts on the Forensic Notes blog this week
- They provided a brief overview of the interface
Overview of Application Interface
- As well as an article on how to document your investigations with the tool
How to Document Digital Forensic Investigations with Forensic Notes
- The folks at MantaRay Forensics shared out a hashset from the Virus Share malware repository in a variety of formats
Check out @MantaRay4ensics’s Tweet
- Chris Crowley at ‘Risk, Failure, Survival’ shares some details about why his SANS MGT517 course was cancelled and advises that he’s going to try to keep the content available in 2019 via a non-SANS vehicle
Very Good: Not Good Enough
- Richard Bejtlich at Tao Security gives a history lesson in the origin of the term Indicator of Compromise
The Origin of the Term Indicators of Compromise (IOCs)
- The students at Champlain College provided an update on their projects
- Andrew Case at Volatility Labs shares details of the 2019 offering of the newly updated Malware and Memory Forensics training course.
Malware and Memory Forensics Training in 2019!
SOFTWARE UPDATES
- Belkasoft Evidence Centre v9.4 was released with a number of new features and improvements
What’s new in BEC v.9.4
- Cellebrite released UFED Cloud Analyzer 7.5, improving support for Facebook, Amazon, and Apple cloud data
UFED Cloud Analyzer 7.5 [November 2018]
- Elcomsoft updated Elcomsoft Phone Breaker to v9.0 to allow for downloading iOS health data
Elcomsoft Extracts Apple Health Data from iCloud
- Ross Wolf and Paul Ewing at Endgame advise that Endgame has released their Event Query Language tool. “This release includes the core EQL language, a schema mapping to Sysmon, and a set of analytics initially focused on Atomic Blue.”
EQL for the Masses
- Evimetry 3.0.12 was released with a number of bug fixes
Release 3.0.12
- GetData released Forensic Explorer v4.4.8.8020, updating “Bitlocker/FileVault encryption detection”
27 Nov 2018 – v4.4.8.8020
- “A new version of MISP (2.4.98) has been released with new features such as improved UI consistency (such as attributes search output), improved validation error messages, a new built-in experimental SleuthKit mactime import, new small features and many bugs fixed.”
MISP 2.4.98 released (aka usability improvements and SleuthKit mactime import)
- MobileEdit Forensic Express 5.7 was released with a number of new features, improvements, and bug fixes
Forensic Express 5.7 Released!
- OpenText released Encase Forensic 8.08 adding support for additional cloud-based evidence sources, encryption schemes (including APFS), and Microsoft Edge artefacts. Release notes are behind a login page though, so can’t link to them, unfortunately.
- OSForensics v6.1 build 1005 was released with some bug fixes
V6.1 build 1005 28th Nov 2018
- radare2 3.1.0 was released with a number of improvements and fixes
3.1.0 – codename Shibboleet
- “Sandfly 1.5.0 has been released with many new detection methods for Linux rootkits, malware and suspicious activity”
Sandfly 1.5.0 Released
- Didier Stevens advises that Wireshark v2.6.5 was released and demonstrates the included capinfos tool
Wireshark update 2.6.5 available, (Sat, Dec 1st)
- USB Detective v1.3.5 was released, adding a number of new features and improvements.
Version 1.3.5 (11/28/2018)
- Maxim Suhanov released yarp 1.0.27
1.0.27
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
As always, thanks to those who give a little back for their support!