I’m back! Thanks to everyone who gave feedback. It was a mixed bag of “links only is fine”, “I like the commentary”, “Do whatever you want”. So I’m doing the last one. I find that writing the summaries is beneficial for me, especially with my incessant need to know who to bug when I have a problem.
Also thanks to Lodrina for taking on the threat hunting and malware sections. Definitely gave me a bunch more free time. Whilst Lodrina is around, these sections will continue to get summaries, but if she decides she wants her weekends back (and I wouldn’t blame her) then they’ll go to links only until I have a need to start writing summaries for them too.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
- This week’s Sunday Funday is on testing the effects of running executables from different locations on the syscache. Unfortunately, no one submitted anything this week
Daily Blog #603: Sunday Funday 1/20/19
- Dave shares some brief thoughts on the SANS CTI Summit.
Daily Blog #605: CTI Summit 2019
- Dave also comments on Oleg Afonin’s post last week on acquiring SSDs
Daily Blog #606: Elcomsoft blog about Factory Access Mode
- Blanche Lagny has written an extensive paper on a year’s worth of testing on the AmCache. Dave Cowen also shares his thoughts on the paper
Analysis of the AmCache
- Arman Gungor at Metaspike takes a look at manipulating emails stored on Gmail using Outlook and lists what to look for if tasked with examining a suspect email.
Forensic Examination of Manipulated Email in Gmail
- Oleg Afonin at Elcomsoft comments on Apple’s move to distributing iTunes via the Microsoft Store and how this version behaves slightly differently with regards to backups.
Apple iTunes: Standalone vs. Microsoft Store Edition
- Hideaki Ihara at port139 takes a look at the Active Directory “When-Created” and “When-Changed” attributes.
Active Directory When-Created and When-Changed (1)
- Antonio Stanz at ‘Security Art Work’ walks through a forensic analysis of a fictional scenario involving fileless malware
- Silv3rHorn has released a “simple script based on yarp that parses Syscache.hve to csv”
Check out @Silv3rHorn’s Tweet
- Kevin Pagano at Stark 4N6 looks into the AxCrypt encryption tool.
Chopping Down Artifacts from AxCrypt
- Tom Wisniewski at ‘My Journey in Tech’ demonstrates how to add an LVM volume to Encase.
Adding LVM volumes to an EnCase case
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn posted a few times this week
- How do you write a good rule or yara signature? Is the rule sufficient or optimal, and what are the time penalties to include a good pattern vs exclude a bad one?
A short wishlist for signature/rules writers
- Timestamp stomping or tampering can be hard to detect, and potentially even more so with an endpoint managed over a network: are network timestamps from when the activity occurred or from when the activity was synced? Good questions to think about even without getting into time zones.
Timestomping and event spoofing in the cloud?
- Testing what happens to a system when adding 100k Registry entries? What happens to Regedit.exe?
Don’t stress about a bit of stress testing
- Testing part 2 continues adding up to 100k Sysmon rules; 100k seems to be past the upper limit for Sysmon.
Don’t stress about a bit of stress testing #2
- Elisha Girken at AlienVault looks at the steps in Incident Response according to NIST and SANS.
Incident Response Steps Comparison Guide
- Atul Kabra writes about the importance of event logs in IR and the philosophical question of events vs logs (is every log an event?). Once defined, there’s a lot of data to go through; osquery examples are shown for live collection / monitoring / response.
In Log, We Trust
- Chetan Nayak at Network Intelligence describes an on-site data exfiltration intrusion exercise over 4 days. On day 2 Chetan accesses a printer and walks through the steps to eventually obtaining Domain Admin. Days 3 and 4 were spent using Sysinternals tools to better understand the network as well as performing the actual exfiltration.
Intrusion Testing – From Evil Printers to Parent Domain Controllers
- Matt Dahl at CrowdStrike reports on DNS hijacking infrastructure and targets, theorizing on possible objectives from delivery of malware to data collection.
Widespread DNS Hijacking Activity Targets Multiple Sectors
- CyberDefenses goes over basic reasons to use a SIEM, along with management and tuning, logging, and threat reporting.
Machine Learning for Cyber Security – Static Detection of Malicious PE Files Using Machine Learning
- Dirk-jan Mollema combines Exchange privileges with NTLM authentication vulnerabilities, explains how to exploit them, and releases the PoC tool “PrivExchange”. Dirk-jan also provides a section of recommendations to protect against this type of attack, which otherwise allows escalation “from any user with a mailbox to Domain Admin in probably 90% of the organisations I’ve seen that use Exchange.”
Abusing Exchange: One API call away from Domain Admin
- David Pany, Steve Miller, and Danielle Desfosses at FireEye look at using RDP to move laterally across systems, including PuTTY Link (Plink) and daisy chaining RDP sessions. They suggest establishing a baseline of RDP usage and looking at host-based prevention such as disabling RDP on systems that don’t need it. Host-based detections are also provided, including Registry keys and Event Log artifacts.
Bypassing Network Restrictions Through RDP Tunneling
- Josiah Smith at InQuest goes over some basic capabilities of PowerShell Empire and then goes on to InQuest tool Empire detections.
Detecting Empire with InQuest
- Frank Duff at MITRE discusses the delineation between “main” and “modifier” categories and the further breakdown of “enrichment” vs “specific behavior” (main) and “configuration change”, “delayed” alerts, and “tainted” detections (modifier). Frank also covers MSSPs in testing and the value of forensic capabilities (forensic analysis was out of scope for the ATT&CK evaluations).
Part 2: Would a Detection by Any Other Name Detect as Well?
- Patrick Olsen at ‘Incident Response Readiness’ continues the series on different packet headers by covering the (relatively very short) UDP header.
Part 4 – What’s behind Wireshark? – UDP
- Nigel Weber at Cisco discusses detections and indicators of malicious Registry activity.
Suspicious Registry Keys and Requested files: A Threat Grid Case Study
UPCOMING WEBINARS/CONFERENCES
- Magnet Forensics’ Jessica Hyde and Aaron Sparling will be hosting a webinar on memory analysis on Tue, Mar 19, 2019 at 1:00 PM.
Hide, Seek, and Find: Memory Analysis for Fast Incident Response
- Jeff Hedlesky and Sunali Sagar at OpenText will be hosting a webinar on the Tableau TX1 on January 29 at 11 am CST
Register For Webinar: Valuable New Capabilities of the Tableau TX1
PRESENTATIONS/PODCASTS
- Blackbag Technologies uploaded a number of ‘tip of the day’ videos to YouTube
- Karl Scheuerman at CrowdStrike shared his presentation from ATT&CKcon 2018.
Analyzing Targeted Intrusions Through the ATT&CK Framework Lens [VIDEO]
- On this week’s Digital Forensic Survival Podcast, Michael talks “about the Google Hacking Database.”
DFSP # 153 – Google Dorks
- Mike Mimoso in the Collective Intelligence podcast from Flashpoint joins in a discussion about the recent Redbanc incident including PowerRatankba.
Collective Intelligence Podcast, Vitali Kremez on Redbanc Attack and Lazarus Group
- Mathias Fuchs at CyberFox explains the Userassist registry key
DFIR in 120 seconds – Userassist
- Forensic Focus shared ElMouatez Billa Karbab’s presentation from DFRWS EU 2018.
Data-Driven Approach For Automatic Telephony Threat Analysis
- OALAbs explains “why some recent malware samples have been crashing in x64dbg”
Malware Samples Crashing x64dbg Fixed!
- SANS have uploaded the slides from the 2019 CTI Summit.
Cyber Threat Intelligence Summit & Training 2019 (January 2019)
- SANS shared Josh Pyorre’s presentation from the 2018 Threat Hunting Summit.
Uncovering and Visualizing Malicious Infrastructure – SANS Threat Hunting Summit 2018
MALWARE
- 0verfl0w_ at 0ffset writes a follow up about the RogueRobin PowerShell trojan, which uses Google Drive* for C2 communication. An Excel document performs a PowerShell AppLocker bypass using regsvr32.exe. A second stage PS script opens the RogueRobin .NET executable. The malware not only performs sandbox evasion checks but appears to leave an easter egg for anyone attempting RE! *Note: dropped files on disk include OneDrive.lnk and C2 servers include skydrive[.]services; however, RogueRobin really is using the Google Drive API.
Post 0x16: Analyzing the “New” Tools of DarkHydrus
- 0xffff0800 walks through “a quick way to Decompile/Deobfuscate some packed malware that uses AutoIT Obfuscation(.au3).”
Defeating .au3 obfusticated Malware.
- Andrew Costis, Cathy Cramer, Emily Miner and Jared Myers at Carbon Black break down a recent GandCrab and Ursnif campaign. Beginning with a Word doc and VBScript, a second stage PowerShell script downloads commands from pastebin.com that are executed in memory, running the Empire Invoke-PSInject module almost verbatim to deliver GandCrab ransomware. The second stage payload is Ursnif, which steals credentials and drops additional malware.
Carbon Black TAU & ThreatSight Analysis: GandCrab and Ursnif Campaign
- Darrel Rendell at Cofense looks at the Kutaki password stealer which will run as “hyuder.exe” from under the user AppData\Roaming directory.
The Kutaki Malware Bypasses Gateways to Steal Users’ Credentials
- Lucas Ashbaugh at Cofense describes Jigsaw ransomware, running as drpbx.exe and firefox.exe (which have the same hash), to encrypt files with extensions including “.fun”. If you’ve been infected by Jigsaw ransomware, Lucas provides a link to a free decrypter written by Michael Gillespie.
Jigsaw Ransomware Returns With Extortion Scam Ploys
- Cyber Forensicator writes about .CHM Compiled HTML files used by Silence APT, creating scheduled tasks or using a renamed cmd.exe to continue the second stage of the attack, which might take weeks or months to complete. Additionally, the “Microsoft-Windows-TaskScheduler%4Operational.evtx” event log can be a good place to look for historic scheduled task events. ReaQta also share details about the Silence group’s operations.
Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis
- Cyber Forensicator also shares a link to “malice” on GitHub which aims to be “a free open source version of VirusTotal”.
Malice: Open Source Malware Analysis Framework
- Yasmin Bokobza and Yosef Arbiv at Cyberbit discuss static PE file analysis at scale on 51k benign files and 17k malicious files. By using machine learning to classify files and then having an analyst check the results, they find that the most important criterion in identifying malicious files is section entropy. Unsigned/unverified signatures and nonstandard section names were also good indicators.
Machine Learning for Cyber Security – Static Detection of Malicious PE Files Using Machine Learning
- Marcus Edmondson does a quick post on a PowerShell downloader which delivers Emotet. Marcus looks at the process tree in Task Manager and what the script on disk looks like.
PowerShell Downloader – Emotet
- Eric Lackey at Flashpoint reviews recent trends with Chinese economic espionage operations.
Nation-State Actors Leverage Insiders for Economic Espionage
- Pavel Shoshin at Kaspersky discusses the Razy trojan which downloads malicious browser extensions on Chrome, Firefox, and Yandex browsers. Think of Razy as a man-in-the-browser attack which targets cryptocurrency sites and search results.
Crazy Razy, bitcoin thief
- Malwarebytes links to their “2019 State of Malware” report, looking back on trends from 2018 including trojans in business environments, information stealers like Emotet, and malicious browser extensions. Forward looking predictions include IoT botnets, more SMB vulnerabilities, and digital skimming from online shopping carts.
2019 State of Malware report: Trojans and cryptominers dominate threat landscape
- Michael Gillespie reverses “a .NET ransomware with a few interesting traits, and see if we can exploit its C2 server to recover the password.”
Analyzing Ransomware – .NET Ransomware with a C2 Server
- Erik Hjelmvik at NETRESEC looks at Emotet and TrickBot and the ETERNALCHAMPION exploit from a network point of view in a video (22 mins) using CapLoader, NetworkMiner, and Wireshark.
Video: TrickBot and ETERNALCHAMPION
- Ashwin Vamshi at Netskope Threat Research Labs looks at malicious PDFs targeting government and financial institutions across the world including targets in the Philippines, Nepal, India, South Africa, and Russia.
Targeted Attacks Abusing Google Cloud Platform Open Redirection
- Brad Duncan at SANS ISC breaks down a Word document from a malspam campaign. After enabling macros, PowerShell pulls down a gzip archive with a malicious DLL that runs in memory.
Malspam with Word docs uses macro to run Powershell script and steal system data, (Thu, Jan 24th)
- The Kaspersky Lab ICS CERT team writes about GreyEnergy activity called Zebrocy, which could be a successor to the BlackEnergy (aka Sandworm) group. Zebrocy appears to focus on EMEA government targets.
GreyEnergy’s overlap with Zebrocy
- John Arneson at Cisco Talos discusses a recent Ursnif campaign, including deobfuscating the PowerShell command that delivers the second stage infection. Registry persistence and more obfuscated PowerShell eventually lead to exfiltration of a CAB file containing keylogger data.
AMP tracks new campaign that delivers Ursnif
- The Security Response Attack Investigation Team at Symantec discusses living off the land tools and malware used against West African financial companies. Four trends include NanoCore with PsExec; PowerShell, Mimikatz, and Cobalt Strike; RAT backdoors with Mimikatz and RDP; and commodity RAT Imminent Monitor.
West African Financial Institutions Hit by Wave of Attacks
- Bill Malik at Trend Micro looks at trends in Business Email Compromise (BEC) which appears to be targeting lower level employees through spear phishing campaigns rather than executives.
BEC Will Reach Two Levels Deeper
- Trend Micro looked at hourly Emotet activity patterns and found that the “off” hours of the day were 01:00 – 06:00 UTC. They also looked at the packer timestamp distribution and theorised that the machines are in UTC+7 or UTC+0.
Going In-depth with Emotet: Multilayer Operating Mechanisms
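The hour-of-day profiling described above is a simple analytic that defenders can reproduce on their own telemetry. The following is an added example (not Trend Micro’s code or data): it bins UTC timestamps into a 24-hour histogram, finds the longest contiguous “quiet” window, and scores candidate whole-hour UTC offsets by how many compile timestamps would fall inside local working hours. All timestamps in it are constructed, and the working-hours range and the 5% quiet threshold are assumptions.

```python
"""Hour-of-day activity profiling for malware telemetry (added example).

Given UTC timestamps of observed activity (sample first-seen times, C2
check-ins, etc.) and PE compile/packer timestamps, estimate the operator's
"off" hours and the UTC offset that best explains a 9-to-6 working day.
"""
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple


def hourly_histogram(timestamps: Iterable[datetime]) -> List[int]:
    """Count events per UTC hour (index 0..23). Naive datetimes are assumed UTC."""
    counts = [0] * 24
    for ts in timestamps:
        if ts.tzinfo is not None:
            ts = ts.astimezone(timezone.utc)
        counts[ts.hour] += 1
    return counts


def quiet_hours(hist: List[int], threshold: float = 0.05) -> List[int]:
    """Return the longest run of consecutive hours (wrapping past midnight)
    whose count is at most `threshold` times the busiest hour."""
    peak = max(hist)
    low = [h for h in range(24) if hist[h] <= peak * threshold]
    if not low:
        return []
    low_set = set(low)
    best: List[int] = []
    for start in low:
        # Only begin a run at the first hour of a run, unless every hour is low.
        if (start - 1) % 24 in low_set and len(low) < 24:
            continue
        run: List[int] = []
        h = start
        while h in low_set and len(run) < 24:
            run.append(h)
            h = (h + 1) % 24
        if len(run) > len(best):
            best = run
    return best


def rank_utc_offsets(compile_timestamps: Iterable[datetime],
                     work_start: int = 9, work_end: int = 18) -> List[Tuple[int, int]]:
    """Score each whole-hour UTC offset (-12..+14) by how many compile
    timestamps land inside local working hours [work_start, work_end).
    Returns (offset, hits) pairs, best first; ties favour the smaller offset."""
    hist = hourly_histogram(compile_timestamps)
    results = []
    for offset in range(-12, 15):
        # local hour = utc hour + offset, so utc hour = local hour - offset
        hits = sum(hist[(local - offset) % 24] for local in range(work_start, work_end))
        results.append((offset, hits))
    results.sort(key=lambda r: (-r[1], abs(r[0])))
    return results


# Constructed sample activity: three days of steady half-hourly events with a
# lull from 01:00 to 06:59 UTC. This mirrors the reported pattern; it is not
# real Emotet data.
SAMPLE_ACTIVITY = [
    datetime(2019, 1, day, hour, minute, tzinfo=timezone.utc)
    for day in (21, 22, 23)
    for hour in range(24) if hour not in range(1, 7)
    for minute in (0, 30)
]

# Constructed sample compile timestamps (naive, treated as UTC) clustered in
# 02:00-10:59 UTC, which is 09:00-17:59 local in UTC+7.
SAMPLE_COMPILE = [
    datetime(2019, 1, 15, hour, 10) + timedelta(minutes=5 * i)
    for hour in range(2, 11) for i in range(3)
]


def main() -> None:
    hist = hourly_histogram(SAMPLE_ACTIVITY)
    print("events per UTC hour:", hist)
    print("quiet window (UTC hours):", quiet_hours(hist))
    print("best UTC offsets (offset, hits):", rank_utc_offsets(SAMPLE_COMPILE)[:3])


if __name__ == "__main__":
    main()
```

Ties between neighbouring offsets are expected when the compile-time cluster is narrower than the assumed working day, which is one reason the original analysis could only narrow the answer down to two candidate zones rather than one.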
- Virus Bulletin shares a paper from Gabriela Nicolao from Deloitte (Argentina) where she discusses the Formbook form-grabber / info stealer. The paper discusses previous campaigns targeting defence and manufacturing, what the control panel looks like to a malicious operator, and how the malware operates.
VB2018 paper: Inside Formbook infostealer
- Vitali Kremez posted a couple of times this week
- An extensive breakdown of APT28 attributed AutoIT scripts using Zebrocy/Zepakab downloaders.
Let’s Learn: Progression of APT28 AutoIt Zebrocy Downloaders: Source-Code Level Analysis
- An analysis of PowerRatankba.B, similar to the toolkit used in the recent Redbanc incident attributed to Lazarus group.
Let’s Learn: Dissecting Lazarus PowerShell PowerRatankba.B, Installer Script & Keylogger: Pakistan Version
MISCELLANEOUS
- DFIR Review has been launched on the DFRWS website. This process seeks to provide peer review for material that may not be academic enough for a journal publication, but the author still wants another set of eyes to go over it. By doing so, it adds an element of credibility, which may help examiners looking to cite specific posts. Brett has also shared his opinion on the topic here.
DFIR Review
- Joe Sylve advised that “Apple’s APFS documentation now contains information about software encryption.”
Check out @jtsylve’s Tweet
- Brett Shavers at DFIR.Training comments on the recent discussion on Twitter with regards to forensic imaging. For those not on Twitter, Forensic Focus posted a link to a forum topic on imaging, and I responded saying that imaging as the first step without consideration isn’t always the best thing to do. I’ll probably expand further on this in the podcast.
Forensic imaging raises its head
- Computer Forensics World has started a contributor challenge for the next month. The prizes include access to some of Brett Shavers’ training, Harlan’s recently released IWS, Hunchly and Black Hat Python, as well as access to Forensic Notes.
Contributor Challenge
- Robert Merriott also has a post on Computer Forensics World regarding taking notes with Word and OneNote. Robert indicates that using an electronic note-taking system that isn’t designed for accountability may cause issues at court. Personally, I think that never is a bit strong. Once an image has been taken of a drive, or files have been preserved, then using something like Word or OneNote shouldn’t cause any issues. Your notes are designed to assist you in remembering what you did, organising your thoughts (which may not be sequential), and ultimately building your report/notifications. Handwritten notes aren’t immune to the issue of rewriting if they are kept on loose sheets instead of in a notebook, and at some point, you do have to trust the examiner (unless there’s a gaping hole that they can’t explain). Jesse Spangenberger at Cyber Fēnix Tech also shares his thoughts.
Contemporaneous Notes – NEVER Use MS Word or OneNote
- Devon at AboutDFIR has made a number of updates to the website, including a new tool & artefact database whose aim is to list the ‘right tool for the job’, as opposed to a collection of all of the available tools.
AboutDFIR.com updates across the board
- Eric Huber at ‘A Fistful of Dongles’ shares his experience with burnout
Burnout
- Michael Karsyan at ‘Event Log Explorer’ describes how to use the Event Log Database Export Utility.
Event Log Database Exporter
- Bradley Schatz at Evimetry discusses considerations with regards to the read and write speeds of your source and target media. Identifying bottlenecks in your processing will definitely speed things up.
Efficient forensic workflow: Is your bridge a bottleneck?
- Justin Boncaldo discusses whether anti-forensics is legal
DFS #7 Is Anti-Forensics Legal?
- Marcos at ‘Un minion curioso’ has compiled a list of the available Linux distros built for DFIR, as alternatives to Kali, which was built with offensive security in mind.
#DFIR: No. Kali is not a distribution oriented to digital forensic analysis
- SalvationData provide some guidance in configuring the advanced imaging parameters in their Data Recovery System tool.
[Tips] How Do the Parameters Work in DRS Advanced Imaging
- SANS officially announced the beta of the new FOR498 course aimed at acquiring data from a variety of devices and getting answers quickly.
FOR498: Battlefield Forensics & Data Acquisition
- Yulia Samoteykina at Atola demonstrates how to verify the integrity of an existing E01 image
Calculating dual hash of an existing E01 file
SOFTWARE UPDATES
- CDQR 4.3 was released, with a complete “refactor of the parsers for Plaso v20181219”
4.3
- Cellebrite released Cloud Analyzer v7.6, improving support for a number of apps and services
Retrieve digital evidence from drones, routers, the UBER app, mobile web browsers and more
- Didier Stevens updated his msoffcrypto-crack.py Python script to version 0.0.3. Didier also uploaded a video showing the features of the tool.
Update: msoffcrypto-crack.py Version 0.0.3
- Elcomsoft Phone Viewer 4.30 was released, adding support for GrayKey iOS images and automatically identifying iOS backups created by the Microsoft Store version of iTunes.
Elcomsoft Phone Viewer 4.30 supports GrayKey images, Microsoft Store version of iTunes
- Eric Zimmerman released a PowerShell downloader for his tools, as well as updating RBCmd, Registry Explorer, and AppCompatCacheParser
ChangeLog
- ExifTool 11.26 (developmental) was released with new tags and enhancements
ExifTool 11.26
- GetData released Forensic Explorer 4.4.8.8148 adding some improvement to the file system parsers.
21 Jan 2019 – v4.4.8.8148
- A new version of MISP (2.4.101) has been released with 3 main new features (tag collections, improved tag/galaxy selector and MISP instance caching), along with a host of improvements and bug fixes.
MISP 2.4.101 released (aka 3 features for free)
- MobilEdit released Forensic Express 6.0.1 with improvements and bug fixes
Forensic Express 6.0.1 Released
- Paraben Corporation have released E3 2.1 Bronze Edition with a variety of improvements
E3 2.1 Bronze Edition is now available!
- Velociraptor 0.2.8 was released with a number of “improvements to scalability and efficiency.”
Release 0.2.8
- X-Ways Forensics 19.8 Beta 4 was released
X-Ways Forensics 19.8 Beta 4
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!