I’m curious to get feedback from people regarding writing up links going forward. I haven’t really seen a hit in the page views between links only and doing the full writeup, but I do save a significant amount of time by just compiling the links. Any feedback would be greatly appreciated.
Extra special thanks to my new contributor Lodrina Cherne for helping me out with the Malware and Threat Hunting sections this week (and hopefully again!). Lodrina has offered to help out for the next few weeks, and maybe more so she may be popping up again soon. Also, whilst Lordina has taken over these sections, she’s also awesome at forensic analysis.
As always, Thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’
QuickPic for Android – Don’t forget external/emulated storage! - Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’
- Daily Blog #595: Solution Saturday 1/12/19
- Daily Blog #596: Sunday Funday 1/13/19
- Daily Blog #597: Tool Spotlight MD Viewer
- Daily Blog #598: Forensic Lunch Test Kitchen 1/15/19 Syscache Mimikatz Server 2008 R2
- Daily Blog #599: Forensic Lunch Test Kitchen 1/16/19 Syscache Server 2008 R2 Mimikatz
- Daily Blog #600: Windows 10 Search Artifacts are going to change again
- Daily Blog #601: Live registry triage and testing
- Daily Blog #602: Solution Saturday 1/19/19
- Alexander Jäger
- Andrew Skatoff at ‘DFIR TNT’
LogParser EVTX Adventures - Oleg Afonin at Elcomsoft
- Hideaki Ihara at Port139
RDP and UserAssist (Win 10) - Carl Osborne at IntaForensics
A look at the potential value of the Apple Data Download - Liam Booth at ‘Security EDC’
Marshall in the middle. - Matt Seyer
No run counts in UserAssist - Maxim Suhanov
NTFS today - SalvationData
[Tips] How to Inspect a Smartphone’s Data without the Forensic Software?
THREAT INTELLIGENCE/HUNTING
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ provides an explanation of DNS tunneling for data exfiltration including a video from Jamie Blasco’s presentation at the Kaspersky Security Analyst summit.
DNS tunneling techniques in cyberattacks - Andreas Sfakianakis at ‘Tilting at windmills’ links to his favorite 20 CTI videos of the year, including DFIR, red team / blue team, and ICS content.
My Top 20 CTI/DFIR Talks for 2018 - Matt at ‘Bit_of_Hex’ summaries the 400+ page report on the suspected APT breach of the SingHealth patient database between late 2017 and mid 2018 using ATT&CK.
ATT&CKing the Singapore Health Data Breach - Richard Bejtlich at Corelight gives a history of network monitoring including the utility of Todd Heberlein’s Network Security Monitor at the Air Force Computer Emergency Response Team.
Monitoring. Why Bother? - Wee-Jing Chung at Countercept looks at methods for detecting and IOCs for the post-exploitation agent SILTENTTRINITY. A malicious .XML file starts the infection, and with dynamic .NET assembly and reflective loading the attack concludes with running malicious Python code.
Hunting for SILENTTRINITY - Patrick Olsen at ‘Incident Response Readiness’ posted a few times this week
- After installing Docker for Windows, Patrick provides a video (9m) to build a container using an image.
DFIR Lab – Docker Images and Containers - Patrick also began a series of blog posts on “What’s behind Wireshark?” with exploring the Libpcap file and PCAP headers.
Part 1 – What’s behind Wireshark? - He goes into the bytes in the Ethernet frame.
Part 2 – What’s behind Wireshark? – Ethernet - And then continues with the Internet header; look for the UDP header up next.
Part 3 – What’s behind Wireshark? – IP
- After installing Docker for Windows, Patrick provides a video (9m) to build a container using an image.
- Following on the highs and lows of the secret Office 365 Activities API in 2018, LGM reports the MessageBind function is back and logged for all users in O365 as of February 2019! This will help investigators determine if emails were read or accessed (preview pane or opened), be able to access search history and more.
The Office 365 Magic Unicorn Tool Lives! - Matt Suiche at Comae Technologies discusses using the Microsoft Graph Security API, in particular the Alerts API, and wrote a PowerShell script (GetProcessSecurityAlerts.ps1) to leverage this information. From here an analyst has further information should they perform a memory dump and analyze it with Comae.
Leveraging Microsoft Graph API for memory forensics - Frank Duff at MITRE provides a review of EDR detections in the first round of MITRE reports, including common pitfalls in reading the “stoplight” chart.
Would a Detection by Any Other Name Detect as Well? — Part 1 - Nextron released ASGARD v1.7 with a new file and memory evidence collection capability.
ASGARD v1.7.2 with File and Memory Collection - Lee Holmes at ‘Precision Computing’ sets out to answer the question “Is it possible to extract the content of scripts (from disk) that were executed, even if those files were not captured?” Using WinDbg to create a known sample dump file, then searching through data using SOS and looking up the results with online documentation in PowerShell Source, Lee successfully recover PS commands from memory.
Extracting Forensic Script Content from PowerShell Process Dumps - Secjuice share a source of threat intel sites you can use to enhance your SIEM
Feed Your SIEM With Free Threat Intelligence Feeds
UPCOMING WEBINARS/CONFERENCES
- 2019 CTIN Conference
2019 CTIN Conference - Magnet Forensics
Memory Analysis for Investigations of Fraud and Other Wrongdoing - With WannaCry still prevailing in the wild, Ben Nahorney at Cisco looks at exploiting the SMB protocol including EternalBlue. The takeaway? Stop using SMB!
SMB and the return of the worm - Virus Bulletin
VB2019 call for papers – now open!
PRESENTATIONS/PODCASTS
- CARDS 2019
Call for Papers CARDS 2019 (Formerly ICDF2C) - Trey Amick at Magnet Forensics
Recording Information off iOS Devices – A Minute with Magnet: Tips & Tricks Edition - Digital Forensic Survival Podcast
DFSP # 152 – CEWL - Richard Davis at 13Cubed
Pulling Threads - SANS
Quantify Your Hunt: Not Your Parents’ Red Team – SANS Threat Hunting Summit 2018 - Virus Bulletin
VB2018 paper: From Hacking Team to hacked team to…?
MALWARE
- There were a few posts on the Carbon Black blog this week
- Crypt0r ransomware, similar to WannaCry and NotPetya in making use of EternalBlue, an early indicator is running notepad.vbs from a Temp folder, then deleting VSCs. Files get a random extension or “personal service ID” which is written in the ransomware note “_Help.txt”
TAU Threat Intelligence Notification – Crypt0r Ransomware - Swee Lai Lee posted about the MongoLock ransomware. The malware uploads files from common locations (Desktop, Recent folder, Documents, etc) then deletes them from the local drive. Files are hosted on TOR and a “Warning.txt” ransom note is left in the affected folders.
TAU Threat Intelligence Notification – MongoLock Ransomware - Using research from Taha Karim, Erika Noerenberg presents a review of the WindShift APT group focusing on the Middle East and a macOS backdoor delivered through an Office document. Meeting_Agenda.zip contains Meeting_Agenda.app which establishes startup persistence.
TAU Threat Intelligence Notification – WindTail (OSX)
- Crypt0r ransomware, similar to WannaCry and NotPetya in making use of EternalBlue, an early indicator is running notepad.vbs from a Temp folder, then deleting VSCs. Files get a random extension or “personal service ID” which is written in the ransomware note “_Help.txt”
- CERT Poland unveils the Malware Database (MWDB) for users to store their malware samples, be able to see basic metadata, parent child relationships, and be able to search for shared indicators across samples. The malware you store can be accessed by an API or built on with Python. Note that third party access to “samples located in MWDB can be shared by external entities.”
MWDB – our way to share information about malicious software - Checkpoint writes about GandCrab ransomware which no longer depends on PowerShell except for the first stage delivery. The next stage uses AutoIT to deliver 2 variants of GandCrab ransomware along with Betabot/Neuvert and AzorUlt data stealers.
Check Point Forensic Files: GandCrab Returns with Friends (Trojans) - Aaron Riley and Marcel Feller at Cofense identified a South American banking trojan campaign using Windows Control Panel icons (.CPL file extensions). The second-stage payload are banking trojans with key logger capability like Banload.
Phishing Campaigns are Manipulating the Windows Control Panel Extension to Deliver Banking Trojans - Marcus Edmonson posted a couple of times this week
- He documented testing out Vidar trojan in Remnux, confirming the tepingost[.]ug domain associated with the malware and documented additional .dll files dropped under a randomly named folder in ProgramData. Data from the infected system including passwords from Outlook get stored in “information.txt” and “outlook.txt” before being zipped up and exfiltrated. (Notably, Microsoft identifies the Flash exploit as a clean file on VirusTotal as of this writing)
Rig Exploit Kit – Vidar Behavioral Analysis - Marcus also shared an analysis of Black Energy, targeting powergrids in the Ukraine and associated with Sandworm Team. Using a .doc file and tools including Remnux, RegShot, and ProcMon, Marcus shows how a .lnk file in the Startup folder is created for persistence and also includes an analysis of the VBA macros dropped.
Black Energy – Analysis
- He documented testing out Vidar trojan in Remnux, confirming the tepingost[.]ug domain associated with the malware and documented additional .dll files dropped under a randomly named folder in ProgramData. Data from the infected system including passwords from Outlook get stored in “information.txt” and “outlook.txt” before being zipped up and exfiltrated. (Notably, Microsoft identifies the Flash exploit as a clean file on VirusTotal as of this writing)
- Vitali Kremez at Flashpoint explains that PowerRatankba was used in the recent Redbanc intrusion in Chile; the malware has ties to N. Korea associated APT group Lazarus (aka Hidden Cobra / Kimsuky). A Redbac IT employee, applying for a job posted on social media, executed a malicious executable as part of the interview process. The fake job application checks for admin privs and if an administrator account is found, establishes a foothold using services persistence.
Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties - Abel Toro at Forcepoint examine the GoodSender malware that uses Telegram as C2, and then use this against the threat actor to uncover them.
Tapping Telegram Bots - There were a couple of posts by Fortinet this week
- Anthony Giandomenico provides an overview of the last 3 years of malware Internet of Things (IoT) trends, from the Mirai botnet, Hajime ransomware worm, Brickerbot, and Hide ‘N Seek (HNS). Suggestions for protection of devices include identifying IoT assets and segmenting devices on a network.
Fighting the Evolution of Malware - Xiaopeng Zhang breaks down the NanoCore RAT which can perform key logging, capture passwords, upload files, and more. Starting with delivery by Word document, there is a detailed analysis of the VBA code that executes when macros are enabled, and analysis of the second stage payloads.
.Net RAT Malware Being Spread by MS Word Documents
- Anthony Giandomenico provides an overview of the last 3 years of malware Internet of Things (IoT) trends, from the Mirai botnet, Hajime ransomware worm, Brickerbot, and Hide ‘N Seek (HNS). Suggestions for protection of devices include identifying IoT assets and segmenting devices on a network.
- There were a few posts by Malwarebytes this week
- William Tsing gives an overview of APT10, commonly associated with the Chinese Ministry of State Security, which often attacks high value foreign targets. Common malware deployed includes Scanbox, Sogu, Poison Ivy, and PlugX. Citing the recent PWC/BAE report, the suggestion is made that Managed Service Providers may be the next APT10 focus.
The Advanced Persistent Threat files: APT10 - Jérôme Segura shares that the Fallout exploit kit is back, recently being distributed through malvertising and delivering GandCrab ransomware. New to this version of Fallout EK, Flash is exploited in order to delivery the PowerShell payload.
Improved Fallout EK comes back after short hiatus - Pieter Arntz looks at takedowns for sites hosting malware, particularly on fake bank sites (the real financial institutions suffer the most from customers falling for fake sites). Arntz finds that the average time for a hosting provider to take down a site is 8 hours, with many being quicker and some being unresponsive, and suggests that users look at the reputation of hosting providers when signing up to do business with one.
Hosting malicious sites on legitimate servers: How do threat actors get away with it?
- William Tsing gives an overview of APT10, commonly associated with the Chinese Ministry of State Security, which often attacks high value foreign targets. Common malware deployed includes Scanbox, Sogu, Poison Ivy, and PlugX. Citing the recent PWC/BAE report, the suggestion is made that Managed Service Providers may be the next APT10 focus.
- Mike R looks at a malicious Word document targeted at Japanese targets using the Developer tab inside Word itself. Mike then moves onto Remnux, oletools, and Sysmon and looking at additional files dropped.
Analyzing a Japanese Language Malicious Word Document - ASERT reports on Lojax and Fancy Bear, identifying LoJax servers and C2 domains, and looks at C2 domain registration back to 2004 and the spike in 2016/2017.
LoJax: Fancy since 2016 - There were a couple of posts on the SANS Internet Storm Centre Handler Diaries
- Rob VandenBrink describes Local Administrator Password Solution (LAPS) by Microsoft. From the Blue team: Restricting accessibility of passwords using MS Local Administrator Password Solution (LAPS) – just don’t put your DC in LAPS! From the Red team: an authorized user can still read these passwords in the clear!
Microsoft LAPS – Blue Team / Red Team, (Mon, Jan 14th) - Brad Duncan describes three new campaigns for both Epoch 1 and Epoch 2 delivery types. Emotet has recently delivered other malware like Gootkit and IcedID/Bokbot.
Emotet infections and follow-up malware, (Wed, Jan 16th)
- Rob VandenBrink describes Local Administrator Password Solution (LAPS) by Microsoft. From the Blue team: Restricting accessibility of passwords using MS Local Administrator Password Solution (LAPS) – just don’t put your DC in LAPS! From the Red team: an authorized user can still read these passwords in the clear!
- There were a couple of posts at Cisco’s Talos blog
- Edmund Brumaghin examines the latest strain of Emotet distributed by a recent campaign.
Emotet re-emerges after the holidays - Chris Marczewski unpacks a series of Imminent RAT samples. “Imminent is a commercially available RAT that retails for $25 to $100, depending upon the size of the customer’s expected user base. While it is not intended for malicious use, in this case, its detection suggested otherwise.”
What we learned by unpacking a recent wave of Imminent RAT infections using AMP
- Edmund Brumaghin examines the latest strain of Emotet distributed by a recent campaign.
- There were a couple of posts by Trend Micro this week
- Chaoying Liu and Joseph C. Chen look at increased skimmer activity on websites using injection into a Java-based ad company.
New Magecart Attack Delivered Through Compromised Advertising Supply Chain - Kevin Sun examines two apps previously available on the Google Play Store, BatterySaveMobi and Currency Converter, that had been infected with Anubis banking trojan payload.
Google Play Apps Drop Anubis Banking Malware, Use Motion-based Evasion Tactics
- Chaoying Liu and Joseph C. Chen look at increased skimmer activity on websites using injection into a Java-based ad company.
MISCELLANEOUS
- Jessica Hyde at Magnet Forensics
Three Newer Things that May Surprise You about iOS Forensics - Yulia Samoteykina at Atola
Using extension modules with TaskForce - Sumuri
SUMURI Gives Back Online Voting - Cyber Forensicator
- Devon at AboutDFIR
- DME Forensics
What to Look For in a Write Blocker - Forensic Focus
- Joshua James at ‘Digital Forensic Science’
Research 101: How to do research in digital forensics - Justin Boncaldo
Can my IT team handle digital evidence - Ryan Benson at dfir.blog
New Year, New dfir.blog - Jordan Wright at ‘The Duo Blog’
SANS Holiday Hack 2018 Writeup - Graneed
The 2018 SANS Holiday Hack Challenge Writeup
SOFTWARE UPDATES
- Eric Zimmerman
- Winpmem
Release 3.2 - Brian Carrier at Cyber Triage
ReversingLabs Integration Provides Improved Malware Scanning - Digital Detective
NetAnalysis® v2.9 and HstEx® v4.9 Released - David Dym at EasyMetaData
MDViewer 1.0 initial release - ExifTool
ExifTool 11.25 - hasherezade’s 1001 nights
PE-bear – version 0.3.9 available - Matt Shannon at F-Response
F-Response v8 – Pre-Release Now Available - MobilEdit
MOBILedit Forensic Express 6.0 Released! - Radare2
3.2.1 - Sarah Edwards at Mac4n6
Apple Pattern of Life Lazy Output’er (APOLLO) Updates & 40 New Modules (Location, Chat, Calls, Apple Pay Transactions, Wallet Passes, Safari & Health Workouts) - Autopsy 4.10.0
Autopsy 4.10.0 was released - The Sleuth Kit 4.6.5
The Sleuth Kit 4.6.5 was released - X-Ways Forensics
X-Ways Forensics 19.7 SR-4
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
This Week In 4n6 
I think just having the links is a great tool. I used to just scan the links anyway until I got to one I was interested in, and then I would read the description. I can just as easily click on the link and read the intro. Thanks for your work in putting this together each week.
LikeLiked by 1 person
Phil,
Thanks for putting together the weekly rundown of interesting links. I look forward to reading it, and it’s a great list.
In terms of links vs. link + description, I’d say very brief descriptions are appreciated.
The bigger bit of feedback I’d say is how the email subscription comes across. Right now it shows a snippet of your post and that’s it (screenshot below). It’d be great if it was more in a newsletter type format. Not a big deal, but wanted to pass along in case you’re interested.
Keep up the good work!
Regards, Jamie
[image: image.png]
On Sat, Jan 19, 2019 at 10:39 PM This Week In 4n6 wrote:
> Phill Moore posted: “Iâm curious to get feedback from people regarding > writing up links going forward. I havenât really seen a hit in the page > views between links only and doing the full writeup, but I do save a > significant amount of time by just compiling the links. Any feed” >
LikeLiked by 1 person
Hi Jamie, The email notification is a wordpress feature so don’t have much control of it.
I might consider adding a newsletter feature as a patreon reward if there’s a call for it, because otherwise it’s just an extra bit of work for me to remember to do
LikeLike
I appreciate the links to take a deeper dive or discover new site for future references
LikeLiked by 1 person
You might never see a dip if you only published links, but the brief descriptions are immensely useful. Thank you for all the time you spend on this project – it’s amazing.
LikeLike