Week 4 – 2019

I’m back! Thanks to everyone who gave feedback. It was a mixed bag of “links only is fine”, “I like the commentary”, “Do whatever you want”. So I’m doing the last one. I find that writing the summaries is beneficial for me, especially with my incessant need to know who to bug when I have a problem.

Also thanks to Lodrina for taking on the threat hunting and malware sections. Definitely gave me a bunch more free time. Whilst Lodrina is around, these sections will continue to get summaries, but if she decides she wants her weekends back (and I wouldn’t blame her) then they’ll go to links only until I have a need to start writing summaries for them too.

As always, thanks to those who give a little back for their support!



  • Atul Kabra writes about the importance of event logs in IR and the philosophical question of events vs logs (is every log an event?). Once defined, there’s a lot of data to go through; osquery examples are shown for live collection / monitoring / response.
    In Log, We Trust 
  • Chetan Nayak at Network Intelligence describes an on-site data exfiltration intrusion exercise over 4 days. Day 2 has Chetan accessing a printer and walking through the steps that eventually lead to Domain Admin. Days 3 and 4 involved using Sysinternals tools to better understand the network as well as performing the actual exfiltration.
    Intrusion Testing – From Evil Printers to Parent Domain Controllers 
  • Dirk-jan Mollema combines Exchange privileges with NTLM authentication vulnerabilities, explains how to exploit them, and releases the PoC tool “PrivExchange”. Dirk-jan also provides a section of recommendations that can be implemented to protect against this type of attack, which otherwise allows escalation “from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Exchange.”
    Abusing Exchange: One API call away from Domain Admin 
  • David Pany, Steve Miller, and Danielle Desfosses at FireEye look at using RDP to move laterally across systems, including PuTTY Link (Plink) and daisy-chaining RDP sessions. They suggest establishing a baseline of RDP usage and looking at host-based prevention, like disabling RDP on systems that don’t need it. Host-based detections are also provided, including Registry keys and Event Log artifacts.
    Bypassing Network Restrictions Through RDP Tunneling 
  • Josiah Smith at InQuest goes over some basic capabilities of PowerShell Empire and then goes on to the InQuest tool’s Empire detections.
    Detecting Empire with InQuest 
  • Frank Duff at MITRE discusses the delineation between “main” and “modifier” categories and the further breakdown of “enrichment” vs “specific behavior” (main) and “configuration change”, “delayed” alerts, and “tainted” detections (modifier). Frank also covers MSSPs in testing and the value of forensic capabilities (forensic analysis was out of scope for the ATT&CK evaluations).
    Part 2: Would a Detection by Any Other Name Detect as Well? 



  • On this week’s Digital Forensic Survival Podcast, Michael talks “about the Google Hacking Database.”
    DFSP # 153 – Google Dorks 


  • 0verfl0w_ at 0ffset writes a follow-up about the RogueRobin PowerShell trojan, which uses Google Drive* for C2 communication. An Excel document performs a PowerShell AppLocker bypass using regsvr32.exe. A second-stage PS script opens the RogueRobin .NET executable. The malware not only performs sandbox evasion checks but appears to leave an easter egg for anyone attempting RE! *Note: dropped files on disk include OneDrive.lnk and C2 servers include skydrive[.]services; however, RogueRobin really is using the Google Drive API.
    Post 0x16: Analyzing the “New” Tools of DarkHydrus 
  • Andrew Costis, Cathy Cramer, Emily Miner and Jared Myers at Carbon Black break down a recent GandCrab and Ursnif campaign. Beginning with a Word doc and VBScript, the second-stage PowerShell downloads commands from pastebin.com that are executed in memory to run the Empire Invoke-PSInject module almost verbatim to deliver GandCrab ransomware. The second-stage payload is Ursnif, which performs credential stealing and drops additional malware.
    Carbon Black TAU & ThreatSight Analysis: GandCrab and Ursnif Campaign 
  • Lucas Ashbaugh at Cofense describes Jigsaw ransomware, running as drpbx.exe and firefox.exe (which have the same hash), to encrypt files with extensions including “.fun” – if you’ve been infected by Jigsaw ransomware, Lucas provides a link to a free decrypter written by Michael Gillespie.
    Jigsaw Ransomware Returns With Extortion Scam Ploys 
  • Cyber Forensicator writes about .CHM Compiled HTML files used by Silence APT, creating scheduled tasks or a renamed cmd.exe to continue the second stage of the attack, which might take weeks or months to complete. Additionally, the “Microsoft-Windows-TaskScheduler%4Operational.evtx” event log can be a good place to look for historic scheduled task events. ReaQta also shares details about the Silence group’s operations.
    Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis 
  • Marcus Edmondson does a quick post on a PowerShell downloader which delivers Emotet. Marcus looks at the process tree in Task Manager and what the script on disk looks like.
    PowerShell Downloader – Emotet 
  • Pavel Shoshin at Kaspersky discusses the Razy trojan which downloads malicious browser extensions on Chrome, Firefox, and Yandex browsers. Think of Razy as a man-in-the-browser attack which targets cryptocurrency sites and search results.
    Crazy Razy, bitcoin thief 
  • Malwarebytes links to their “2019 State of Malware” report, looking back on trends from 2018 including trojans in business environments, information stealers like Emotet, and malicious browser extensions. Forward looking predictions include IoT botnets, more SMB vulnerabilities, and digital skimming from online shopping carts.
    2019 State of Malware report: Trojans and cryptominers dominate threat landscape 
  • Erik Hjelmvik at NETRESEC looks at Emotet and TrickBot and the ETERNALCHAMPION exploit from a network point of view in a video (22 mins) using CapLoader, NetworkMiner, and Wireshark.
    Video: TrickBot and ETERNALCHAMPION 
  • The Kaspersky Lab ICS CERT team writes about GreyEnergy activity called Zebrocy, which could be a successor to the BlackEnergy (aka Sandworm) group. Zebrocy appears to focus on EMEA government targets.
    GreyEnergy’s overlap with Zebrocy 
  • John Arneson at Cisco Talos discusses a recent Ursnif campaign, including deobfuscating the PowerShell command that delivers the second stage infection. Registry persistence and more obfuscated PowerShell eventually lead to exfiltration of a CAB file containing keylogger data.
    AMP tracks new campaign that delivers Ursnif 
  • The Security Response Attack Investigation Team at Symantec discusses living off the land tools and malware used against West African financial companies. Four trends include NanoCore with PsExec; PowerShell, Mimikatz, and Cobalt Strike; RAT backdoors with Mimikatz and RDP; and commodity RAT Imminent Monitor.
    West African Financial Institutions Hit by Wave of Attacks 
  • Bill Malik at Trend Micro looks at trends in Business Email Compromise (BEC), which appears to be targeting lower-level employees through spear phishing campaigns rather than executives.
    BEC Will Reach Two Levels Deeper 
  • Virus Bulletin shares a paper from Gabriela Nicolao from Deloitte (Argentina) where she discusses the Formbook form-grabber / info stealer. The paper discusses previous campaigns targeting defence and manufacturing, what the control panel looks like to a malicious operator, and how the malware operates.
    VB2018 paper: Inside Formbook infostealer 


  • DFIR Review has been launched on the DFRWS website. This process seeks to provide peer review for material that may not be academic enough for a journal publication, but the author still wants another set of eyes to go over it. By doing so, it adds an element of credibility, which may help examiners looking to cite specific posts. Brett has also shared his opinion on the topic here.
    DFIR Review 
  • Joe Sylve advised that “Apple’s APFS documentation now contains information about software encryption.”
    Check out @jtsylve’s Tweet 
  • Brett Shavers at DFIR.Training comments on the recent discussion on Twitter with regards to forensic imaging. For those not on Twitter, Forensic Focus posted a link to a forum topic on imaging, and I responded saying that imaging as the first step without consideration isn’t always the best thing to do. I’ll probably expand further on this in the podcast.
    Forensic imaging raises its head 
  • Computer Forensics World has started a contributor challenge for the next month. The prizes include access to some of Brett Shavers’ training, Harlan’s recently released IWS, Hunchly and Black Hat Python, as well as access to Forensic Notes.
    Contributor Challenge 
  • Robert Merriott also has a post on Computer Forensics World regarding taking notes with Word and OneNote. Robert indicates that using an electronic note-taking system that isn’t designed for accountability may cause issues at court. Personally, I think that “never” is a bit strong. Once an image has been taken of a drive, or files have been preserved, then using something like Word or OneNote shouldn’t cause any issues. Your notes are designed to assist you in remembering what you did, organising your thoughts (which may not be sequential), and ultimately building your report/notifications. Handwritten notes aren’t immune to the issue of rewriting if they are kept in free sheets instead of a notebook, and at some point, you do have to trust the examiner (unless there’s a gaping hole that they can’t explain). Jesse Spangenberger at Cyber Fēnix Tech also shares his thoughts.
    Contemporaneous Notes – NEVER Use MS Word or OneNote 
  • Devon at AboutDFIR has made a number of updates to the website, including a new tool & artefact database whose aim is to list the ‘right tool for the job’, as opposed to a collection of all of the available tools.
    AboutDFIR.com updates across the board 
  • Eric Huber at ‘A Fistful of Dongles’ shares his experience with burnout.
  • Michael Karsyan at ‘Event Log Explorer’ describes how to use the Event Log Database Export Utility.
    Event Log Database Exporter 


  • CDQR 4.3 was released, with a complete “refactor of the parsers for Plaso v20181219”.
  • Eric Zimmerman released a PowerShell downloader for his tools, as well as updating RBCmd, Registry Explorer, and AppCompatCacheParser.
  • ExifTool 11.26 (developmental) was released with new tags and enhancements.
    ExifTool 11.26 
  • A new version of MISP (2.4.101) has been released with 3 main new features (tag collections, improved tag/galaxy selector and MISP instance caching), along with a host of improvements and bug fixes.
    MISP 2.4.101 released (aka 3 features for free) 
  • Velociraptor 0.2.8 was released with a number of “improvements to scalability and efficiency.”
    Release 0.2.8 

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
