Thanks to Lodrina for her help, you can catch her teaching FOR500 in St Louis next month, and she’s also asked me to share that her company is hiring in Boston.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
  - This week’s Sunday Funday is on shellbags and users’ viewing preferences. Adam Ferrante and Kevin Pagano posted their answers, with Kevin taking the win
    Daily Blog #610: Sunday Funday 1/27/19
  - Dave takes a look at Deep Freeze on Win 10 in a couple of test kitchen videos: 1/30/19 and 1/31/19
  - Dave and Matthew hosted Blanche Lagney to talk about her recently released AmCache paper, as well as Jessica Hyde, Vico Marziale, Brett Shavers, and Tony Knutson to talk about the DFIR Review initiative.
    Daily Blog #615: Forensic Lunch 2/1/19 Blanche Lagney Amcache DFIR Review
- Marco Fontani at Amped demonstrates a picture manipulation detection mechanism for digital photographs using EXIF data
  Exif Metadata Sometimes Tells More Than it Seems
- There were a couple of posts on the Elcomsoft blog this week
  - Oleg Afonin compares the data available to investigators from Apple Health and Google Fit
    Securing and Extracting Health Data: Apple Health vs. Google Fit
  - Oleg also demonstrates a method to verify “manufacturers’ claims about the SSD NAND configuration, determine the model of your SSD controller and its NAND configuration.”
    Identifying SSD Controller and NAND Configuration
- Gabriele Zambelli at ‘Forense nella Nebbia’ shares some details of application-specific file access and website access logging
  Using small details to add additional context to other artifacts
- Heather Mahalik at Smarter Forensics describes a method of freely obtaining and examining an encrypted iOS 12 backup, as well as identifying whether an iPhone was restored from iCloud or iTunes
  How was an iPhone setup?
- Joshua Hickman at ‘The Binary Hick’ has started a blog!
  - For his first post he takes a look at the data stored in Google Assistant by Android Auto
    Ka-Chow!!! Driving Android Auto
  - Joshua also shared the Android 7.x image that he created last month and shared out through AboutDFIR
    Android 7.x Image
- Justin Boncaldo examines the Alexa Win10 app for useful forensic data
  Alexa Application -Windows 10 Store
- Lavine Oluoch at ‘Forensically Fit’ describes the two types of Recycle Bin files found on Windows systems
  Windows Recycle Bin Forensics
- Marcos at ‘Un minion curioso’ comments on the duty to understand your tooling and demonstrates a file recovery examination where different tools gave different results
  #DFIR: Duty to know and understand; Need to know
- Antonio Sanz at ‘Security Art Work’ continues his investigation into a fileless malware attack
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn posted a few times this week
  - Adam writes about how the % character can be incorrectly interpreted as strings in the Windows Event Log.
    Too much % makes Event Viewer drunk
  - He continues the Run key series with how an attacker could replace files such that a user running an uninstaller actually runs an attacker application.
    Beyond good ol’ Run key, Part 101
  - He also writes about how the “Documents and Settings” folder could be recreated as a real directory to store files.
    Trivial Anti-BlueTeam trick #2
  - And comments on a couple of sysmon configs for detecting mimikatz
    Can we stop detecting mimikatz please?
- Tawnya Lancaster at AlienVault gives an overview of APT10, aka Cloud Hopper, including the targeting of MSSPs.
  APT10 Group Targets Multiple Sectors, But Seems to Really Love MSSPs
- Andreas Sfakianakis at ‘Tilting at windmills’ posted a couple of times this week
  - He shared the ENISA Threat Landscape report for 2018 and recommends it for all CTI practitioners. It highlights the top 15 cyber threats, including mail/phishing as the top malware infection vector.
    ENISA Threat Landscape 2018 Report
  - Andreas also collected 75 good reads on threat intel from January.
    Threat Intel Reads – January 2019
- Atul Kabra reviews what should be covered in an audit, including file, process, and network activity; removable media; and a check of security software and logs.
  Using osquery for Audits and compliance — Windows
- Michael Dockry at Carbon Black shows an example of WannaMine attack remediation.
  CB ThreatSight Uncovers & Stops Active WannaMine Cryptocurrency Attack Targeting Software Provider
- Matt Hillman at Countercept demos why PowerShell is so popular for exploits, and shows how RemotePSpy can log what happens in a PS session.
  RemotePSpy: Remote PowerShell Visibility for Older Versions
- Eyal Aharoni at Cymulate reviews the recent DarkHydrus APT attack using Google Drive as a C2 channel. Eyal indicates that general signs of an APT attack may include unexpected traffic, suspicious logons, recurring malware, and the creation of large bundles of data in unexpected locations.
  Seeing the Unseen: Detecting and Preventing the Advanced Persistent Threat
- Daniel Miessler describes what a purple team is
  The Definition of a Purple Team
- Dragos summarizes their webinar given by Sergio Caltagirone and Joe Slowik on activity groups, how the groups are identified, how attribution is made, looking at trends over time, and associated groups.
  Webinar Summary: Uncovering ICS Threat Activity Groups
- Graneed looks at decoding WebShell activity.
  Setting up a WebShell honeypot and observing scans against WebShells (continued)
- Leonid Grustniy at Kaspersky looks at O365 attacks from the last year, with emails disguised as invitations to collaborate in SharePoint, with links to OneDrive for Business, leading to credential theft. Because the links in the emails lead to a “clean” OneDrive link, these attacks are hard to stop at the mail filter, and he cites user education as a key way to guard against them.
  Hunting for Office 365 accounts
- Daniel Berman at Logz.io compares legacy SIEM systems with newer SIEM solutions.
  SIEM vs. Security Analytics
- Mike at nullsec made a program to get all event logs in a given timeframe and output them to CSV.
  EventFinder2 – Finding Events by Time
- Palantir gives an introduction to privilege, detecting escalation, and preventing abuse. Suggestions for privilege auditing include using Windows Event Forwarding (WEF) and looking at event codes 4672, 4703, 4673, and 4674.
  Windows Privilege Abuse: Auditing, Detection, and Defense
- Brian Donohue at Red Canary recaps five talks from the recent SANS CTI summit, including discussions about logging, ATT&CK, looking at malicious activity in real time, using new tools to look at old threats, and different frameworks to understand adversaries.
  Five Great Talks from the SANS CTI Summit
- Richard Bejtlich at Corelight goes into a brief history of encryption and its effect on network security monitoring (NSM). Richard sets up for a deeper discussion of HTTPS in coming posts.
  Network security monitoring is dead, and encryption killed it.
- Richard Bejtlich also posted at his TaoSecurity blog
  - He posted about a way to spin up personal labs and how to get your own lab up and running, with detailed command line instructions to set up DetectionLab from Chris Long.
    Trying DetectionLab
  - And posts a detailed walkthrough about fixing interactions with the RDP server offered by VirtualBox.
    Fixing Virtualbox RDP Server with DetectionLab
- There were a couple of posts on the StillzTech blog this week
  - They demonstrate how to use Sublime Text to take a large amount of log data and quickly filter it down to relevant entries.
    Apache log analysis with Sublime Text 3
  - They also look at how to leverage AWS for incident response, using the free tool Terraform to set up a new S3 bucket (with contents encrypted at rest).
    Leveraging AWS for Incident Response: Part 2
- Trend Micro have a couple of posts on the various techniques that attackers are using to avoid detection, as well as on APT groups
- TrustedSec writes a three-part series on an RDP honeypot.
  - The first post gives an intro to RDP.
    Adventures of an RDP Honeypot – Part One: RDP Security
  - Part 2 goes into system setup, the accounts that attackers attempted to brute force (almost 60k logon attempts in 9 days), and what happened during some of the interactive sessions.
    Adventures of an RDP Honeypot – Part Two: Know Your Enemy
  - Part 3 dives back into system configuration and lessons learned.
    Adventures of an RDP Honeypot – Part Three: Creation of an RDP Honeypot
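The privilege-auditing advice in the Palantir post above (forward the Security log with WEF, then review 4672, 4703, 4673 and 4674) lends itself to a small triage pass over the forwarded records. The script below is an added example written for this roundup, not code from Palantir’s post: it assumes records in the field shape a WEF collector or an EVTX-to-JSON export produces (EventID, SubjectUserName, PrivilegeList, EnabledPrivilegeList, ProcessName), a constructed allowlist of accounts expected to hold sensitive privileges, and constructed sample records.

```python
"""Triage of the Windows privilege-use events named in the Palantir post
(4672, 4673, 4674, 4703), over records shaped like a WEF/EVTX-to-JSON export.

Constructed example: field names follow the Security log's EventData names;
the sensitive-privilege set, the allowlist and the sample records are
assumptions made for this demonstration, not taken from any real host.
"""
from collections import Counter, defaultdict

# Privileges that matter most for escalation; a site would tune this list.
SENSITIVE_PRIVILEGES = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeImpersonatePrivilege", "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege", "SeAssignPrimaryTokenPrivilege",
}

# Accounts expected to hold those privileges (assumed baseline for the example).
ALLOWED_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE",
                    "svc-backup", "admin-jdoe"}

# Which EventData field carries the privilege names for each audited event ID.
EVENT_FIELDS = {
    4672: ("PrivilegeList", "special privileges assigned to new logon"),
    4673: ("PrivilegeList", "privileged service called"),
    4674: ("PrivilegeList", "operation attempted on a privileged object"),
    4703: ("EnabledPrivilegeList", "token right adjusted (privilege enabled)"),
}


def split_privileges(value):
    """PrivilegeList values are whitespace-separated names; '-' means none."""
    if not value or value.strip() == "-":
        return set()
    return set(value.split())


def triage(records):
    """Return (findings, counts).

    findings: one dict per event where a non-allowlisted account was granted,
              enabled or used a sensitive privilege.
    counts:   {account: Counter({event_id: n})} so noisy 4673/4674 bursts
              stand out even for allowlisted accounts.
    """
    findings = []
    counts = defaultdict(Counter)
    for rec in records:
        event_id = rec.get("EventID")
        if event_id not in EVENT_FIELDS:
            continue                      # not a privilege-use event
        field, description = EVENT_FIELDS[event_id]
        account = rec.get("SubjectUserName", "")
        counts[account][event_id] += 1
        hits = split_privileges(rec.get(field)) & SENSITIVE_PRIVILEGES
        if hits and account not in ALLOWED_ACCOUNTS:
            findings.append({
                "EventID": event_id,
                "Description": description,
                "Account": account,
                "Host": rec.get("Computer", "?"),
                "Process": rec.get("ProcessName", "-"),
                "Privileges": sorted(hits),
            })
    return findings, counts


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"EventID": 4672, "Computer": "ws01", "SubjectUserName": "SYSTEM",
     "PrivilegeList": "SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeDebugPrivilege"},
    {"EventID": 4672, "Computer": "ws01", "SubjectUserName": "admin-jdoe",
     "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege SeRestorePrivilege"},
    {"EventID": 4672, "Computer": "ws02", "SubjectUserName": "bob",
     "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"},
    {"EventID": 4703, "Computer": "ws02", "SubjectUserName": "bob",
     "ProcessName": "C:\\Users\\bob\\tool.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4673, "Computer": "ws03", "SubjectUserName": "alice",
     "ProcessName": "C:\\Windows\\explorer.exe",
     "PrivilegeList": "SeChangeNotifyPrivilege"},
    {"EventID": 4674, "Computer": "srv01", "SubjectUserName": "svc-backup",
     "ProcessName": "C:\\Program Files\\Backup\\agent.exe",
     "PrivilegeList": "SeBackupPrivilege"},
    {"EventID": 4624, "Computer": "ws03", "SubjectUserName": "alice"},
]


if __name__ == "__main__":
    hits, per_account = triage(SAMPLE_RECORDS)
    for f in hits:
        print(f"{f['Host']}: {f['Account']} {f['Description']} "
              f"({f['EventID']}) {f['Privileges']} via {f['Process']}")
    for account, c in per_account.items():
        print(account, dict(c))
```

On the sample data only the two `bob` events are reported (a 4672 grant of SeDebugPrivilege/SeBackupPrivilege and a 4703 enabling SeDebugPrivilege from an unexpected process); 4673 and 4674 are high-volume on busy hosts, which is why the per-account counts are kept separately from the findings. The allowlist is the part that needs tuning per environment before this is useful.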
UPCOMING WEBINARS/CONFERENCES
- David Cowen at the ‘Hacking Exposed Computer Forensics’ blog posted the schedule for the Forensic Lunch for the next few months
  Daily Blog #611: Forensic Lunch Schedule 2019
- The CFP is open for the 12th International Workshop on Digital Forensics, held in Canterbury, Kent, UK, August 26 – August 29, 2019
  The 12th International Workshop on Digital Forensics
- The CFP for the Diana Initiative 2019 is open.
- Eric Oldenburg at Griffeye will be hosting a webinar discussing “how to use the VICS (OData) Export function within Analyze DI Pro to seamlessly share case data between users” on Feb 13, 2019 at 3 pm CET (9 am EST)
  Webinar: Collaboration workflows in Analyze DI Pro – using the VICS (OData) Export function
- TrustedSec will be hosting a webinar on MITRE ATT&CK on February 13th, 2019, at 1:00 PM EST
  Webinar: Using MITRE ATT&CK(TM) for Coverage and Effectiveness Assessments
PRESENTATIONS/PODCASTS
- Adrian Crenshaw uploaded the presentations from BSides Tampa 2019
- Blackbag Technologies posted some more ‘tip of the day’ videos
- Cellebrite uploaded a number of short videos about their Analytics tool
- On this week’s Digital Forensic Survival Podcast, Michael talks about XXE attacks
  DFSP # 154 – OWASP: XXE
- Forensic Focus shared a couple of presentations from DFRWS EU 2018
- Jad Saliba at Magnet Forensics invites everyone to the Magnet User Summit in Nashville
  An Invitation to Magnet User Summit // 2019
- SANS posted a couple of videos this week
  - Alissa Torres explains what’s new in the FOR526 class
    What’s new with FOR526 Advanced Memory Forensics and Threat Detection
  - They also shared John Moran’s presentation from the 2018 Threat Hunting Summit.
    Threat Hunting Using Live Box Forensics – SANS Threat Hunting Summit 2018
- I posted my ‘This Month in 4n6’ podcast for January
  This Month In 4n6 – January – 2019
- Martijn Grooten at Virus Bulletin posts the paper and presentation (26 mins) “Little Brother is watching – we know all your secrets!” by Rasthofer, Huber and Arzt, about mobile spyware used against (ex-)partners
  VB2018 paper: Little Brother is watching – we know all your secrets!
MALWARE
- Brian Laskowski at Laskowski-Tech examines web traffic to reveal an attempted exploit of a vulnerability in ThinkPHP. The dropped malware “runs mimikatz, drops executables, schedules tasks, runs a crypto miner” and more; he provides IOCs to detect the malware delivered by this type of attack.
  Everything and the Kitchen Sink
- Carbon Black gives an example of spoofing parent process IDs; similar examples were brought up in the DFIR community by Didier Stevens about 10 years ago
  TAU Threat Intelligence Notification: PPID Spoofing – Explorer CLSID
- CERT Polska covers the new tools Modlishka and evilginx2, which can automate MITM-proxy-based phishing attacks and which they have seen being used against Polish banks. Certain types of 2-factor authentication, such as U2F hardware tokens, are suggested as defences against the attack.
  Recommendations on mitigation of man-in-the-middle phishing attacks (evilginx2/Modlishka)
- Hod Gavriel at Cyberbit writes about a new variety of Ursnif targeting Italian users. Hod focuses on decrypting, deobfuscating, and decompressing the various layers inside this Ursnif sample, which are layered one on top of another like a Russian nesting doll.
  New Ursnif Malware Variant – a Stunning Matryoshka (Матрёшка)
- Sarah Hawley, Ben Read, Cristiana Brafman-Kittner, Nalani Fraser, Andrew Thompson, Yuri Rozhansky, and Sanaz Yashar at FireEye report on APT39, based in Iran. FireEye believes they have traced activity of the group to as early as 2014 and have seen a focus on the telecom and travel sectors, including activity to collect personal information for monitoring and tracking. Backdoors leveraged by the group include SEAWEED, CACHEMONEY, and POWBAT. While there are similarities to APT34, FireEye believes APT39 to be separate, and provides the tools seen at each stage of the attack lifecycle.
  APT39: An Iranian Cyber Espionage Group Focused on Personal Information
- Raul Alvarez at Fortinet discusses how Jaff ransomware, first seen in 2017, is delivered as a PDF email attachment in which the user is prompted to open an embedded document. From there the macros and API calls involved are detailed, ending with files being encrypted with the .jaff extension.
  Looking Into Jaff Ransomware
- Amirreza Niakanlahiji and Pedram Amini at InQuest look at an Excel document found in the wild, starting with Python scripts, Structured Storage Viewer, and a hex editor.
  Extracting “Sneaky” Excel XLM Macros
- Sherri Davidoff at LMG Security writes about a case where a healthcare org was hit with a successful ransomware attack. While their client paid the ransom, LMG detonated the decryption tool in a sandbox and found the “vaccine” included delivery of the IcePoint RAT.
  Ransomware Decryption is Like a Box of Chocolates…
- There were a couple of posts on the Malwarebytes blog
  - Pieter Arntz interviews Malwarebytes’ Head of Threat Intelligence, Jérôme Segura. Segura cites the book Virtual Honeypots by Provos and Holz and gives advice for getting into the field, including to always “publish your work and discoveries”.
    Interview with a malware hunter: Jérôme Segura
  - Hasherezade looks at the Trojan.CryptoStealer.Go data stealer written in Go, including how data is packaged up for exfil. A detailed walkthrough of examining the malware in IDA Pro using IDAGolangHelper by George Zaytsev is provided.
    Analyzing a new stealer written in Golang
- Marco Ramilli writes about how .csv files have previously been documented as potentially malicious if opened in Excel, providing links to prior work using this technique, then asks whether similar content can be delivered over Google Sheets. By using a .csv file, the technique appears to evade Google’s filters, and a user downloading a Google Sheet could be subject to infection.
  Spreading CSV Malware over Google Sheets
- Marcus Edmonson at ‘Data Analytics & Security’ (and one of the newest GREM analysts – congrats!) dives into a sample associated with APT32, looking at network traffic and code to show the dropper functionality.
  APT 32/OceanLotus – Sample:D592B06F9D112C8650091166C19EA05A
- Samip Pokharel at mas_kop9 discusses the NetWiredRC trojan used by APT33, breaking down the code and the C2 structure. The trojan has over 100 different capabilities, including starting a remote shell and taking audio recordings and screenshots.
  Analysis of NetWiredRC trojan
- Michael Gorelik, Alon Groisman and Bruno Braga at Morphisec look at targeted campaigns delivering the Orcus RAT from an actor they call PUSIKURAC, focused on information stealing and .NET evasion. Some interesting identifiers of the downloader include delivery of a Coca-Cola commercial, the video of which has the Orcus RAT .NET executable appended to it.
  New Campaign delivers orcus rat
- Matthew Bing at Arbor discusses CoAP reflection/amplification DDoS attacks, seen in use against mobile phones in China. CoAP is “a simple UDP protocol that is intended for low-power computers on unreliable networks, like Internet of Things (IoT) or mobile devices” – as such, the authors predict the attack may be seen more often as IoT devices become more common.
  CoAP Attacks In The Wild
- The Radware blog writes about why cryptomining is popular: its ease of use and the ability to leverage the cryptomining foothold in conjunction with other types of attacks.
  The Rise in Cryptomining
- Denis Legezo at Kaspersky writes about a Remexi campaign targeting foreign diplomats in Iran and “associated with an APT actor that Symantec calls Chafer.” The trojan uses legitimate Microsoft utilities like bitsadmin.exe, extract.exe, and taskkill.exe for exfil and C2. Remexi uses components written in C and AutoIT, and its varying persistence methods are detailed by Denis.
  Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities
- Edmund Brumaghin and Paul Rascagneres, with Jungsoo An, at Cisco Talos detail an attack that hits close to home: a Word document purporting to be a job posting for Cisco Korea.
  Cisco Job Posting Targets Korean Candidates
- Dan Chabala and Joseph Fleming at PhishLabs look at changes to the mobile banking trojan BankBot Anubis, including the use of Telegram Messenger for delivery of C2 URLs.
  BankBot Anubis Switches to Chinese and Adds Telegram for C2
- Lorin Wu at Trend Micro looks at mobile beauty apps that exhibit malicious indicators like application hiding and code packing, in addition to adware and pornography that can pop up in a mobile browser. Users upload their photos expecting to get them beautified, and it is suspected that the malware “authors can collect the photos uploaded in the app, and possibly use them for malicious purposes — for example as fake profile pics in social media.” While Google has already taken down these apps, their popularity, with over 1 million downloads for some apps, is staggering.
  Various Google Play “Beauty Camera” Apps Sends Users Pornographic Content, Redirects Them to Phishing Websites and Collects Their Pictures
- Martijn Grooten at Virus Bulletin shares a tweet by Robert M. Lee at Dragos suggesting the utility of journalists to threat intelligence teams. Martijn cites the prior work of Juan Andrés Guerrero-Saade, whose VB2015 paper looks at security research becoming intelligence brokering.
  Threat intelligence teams should consider recruiting journalists
- Juraj Jánošík at WeLiveSecurity posted a couple of times this week
  - He looks at Russian-language spam delivering Shade / Troldesh ransomware. JavaScript attachments, delivered in a .zip file, are used as the attack vector. The downloader is named ssj.jpg, then masquerades as csrss.exe, before Shade / Troldesh is delivered, encrypting files with the .crypted000007 extension.
    Russia hit by new wave of ransomware spam
  - He also writes about the resurgence of the “Love You” malspam campaign – just ahead of Valentine’s Day! The latest campaign, targeting Japan, delivers all kinds of malware including a “cryptominer, a system settings changer, a malicious downloader, the Phorpiex worm, and the infamous ransomware GandCrab version 5.1.” Like the Shade / Troldesh ransomware that Juraj also writes about this week, “Love You” is delivered in a .zip file containing JavaScript.
    “Love you” malspam gets a makeover for massive Japan-targeted campaign
- Stefan Hausotte at G DATA takes Ldpinch, an old info stealer, as an example of how to unpack and examine the different code blocks within a PE file.
  Unpacking 101: Writing a static Unpacker for Ldpinch
MISCELLANEOUS
- Zachary Burnham demos the steps to “format a USB device as a VMFS Datastore to ESXI”.
  Manually attach USB Device as a VFMS Datastore in ESXI
- Chapin Bryce at Pythonic Forensics has built “a tool to allow us to efficiently query and report on historic AWS IP address information”
  Looking Back at AWS IPs
- Mary Ellen Kennel at AboutDFIR shares some details about her recent additions to the site
  Catching Up
- DME Forensics have a post about creating a disk image using DVR Examiner
  Feature Focus: Create a Disk Image with DVR Examiner
- Oxygen Forensics have a post on Forensic Focus about collecting WhatsApp data from devices and the cloud.
  WhatsApp Challenges: Finding Evidence With Oxygen Forensic Detective
- Magnet Forensics announced the first winner of the Magnet Forensics Scholarship Program
  Announcing the First Winner of the Magnet Forensics Scholarship Program
- Sunali Sagar at OpenText describes some of the new features in EnCase 8.08 and the Tableau TX1
- Greg Kipper at Paraben Corporation comments on what the future holds for DFIR with regards to cloud forensics and Forensics as a Service
  Cyber-Forensics 2019 Predictions
- SalvationData have a post on the Vivo screen unlock method in their SPF Pro
  [Case Study] Mobile Forensics: How to Unlock Vivo Screen Lock of the Latest Models
SOFTWARE UPDATES
- Yogesh Khatri released his script to “read macOS Unified Logging tracev3 files.”
  UnifiedLogReader
- Plaso 20190131 was released
  Plaso 20190131 released
- UFED Physical Analyser 7.14 was released, with additional support for drone data, as well as the Zello and Facebook apps
  New support for drones and social media apps
- Eric Zimmerman updated JLECmd, LECmd, MFTECmd, and AppCompatCacheParser
  ChangeLog
- Evimetry 3.1.9-unstable was released with a number of improvements and fixes
  Release 3.1.9-UNSTABLE
- Browser History Examiner v1.9 was released, adding a website history summary view, a search history word cloud, and the ability to export to Excel
  Browser History Examiner v1.9 released
- GetData released Forensic Explorer v4.4.8.8184 with some minor improvements
  01 Feb 2019 – v4.4.8.8184
- Magnet AXIOM 2.9 was released with some improvements to acquisition, custom artefacts, and new and updated artefact support
  Magnet AXIOM 2.9 Includes Enhanced Custom Artifact Support and New Android Acquisition Methods
- TZWorks have released a new build of their tools, including a new tool to parse the backstage artefacts.
  Jan 2019 build (package)
- X-Ways Forensics 19.7 SR-5 was released with some bug fixes
  X-Ways Forensics 19.7 SR-5
- X-Ways Forensics 19.8 Beta 5 was released with some changes to ext3/4 parsing, and other improvements
  X-Ways Forensics 19.8 Beta 5
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!