With contributions by Lodrina!
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
- This week’s Sunday Funday is on execution methods that aren’t recorded in the amcache. Oleg Skulkin shared his winning answer
Daily Blog #617: Sunday Funday 2/3/19
- The CTF for the Magnet User Summit is full! Last year’s was great fun, so I imagine this year will be even better! Dave will also be pulling down last year’s CTFd page soon
Daily Blog #618: Magnet User Summit 2019 CTF is Full
- He also reminded everyone that the SANS DFIR Summit CFP is still open
Daily Blog #619: SANS DFIR Summit 2019 CFP is open!
- Dave points out that user accounts that authenticate against Azure AD “will store the full account name with domain that the user authenticated with” in the InternetUserName key value, and have a login count of 0.
Daily Blog #621: ADFS accounts in SAM hives
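Dave’s observation above is the kind of thing you want to check programmatically across every user key in a SAM hive. The following is an added example written for this roundup, not Dave’s code: it decodes the per-user F value (RID, last logon, ACB flags, failed and successful login counts, using the offsets documented for that structure by RegRipper’s samparse plugin) and pairs it with the InternetUserName value to flag cloud-authenticated accounts whose login count of 0 should not be read as “never used”. The F values and the Azure AD UPN below are constructed test data, and the example assumes InternetUserName is a UTF‑16LE REG_SZ stored under the user’s key; reading the raw values out of a real hive (e.g. with python-registry) is left to the caller.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACB_DISABLED = 0x0001  # account-disabled bit in the ACB flags word


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means 'never'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of the above, in integer arithmetic so no microseconds are lost."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def parse_f_value(data):
    """Decode the bookkeeping fields of a SAM user F value (offsets per samparse)."""
    if len(data) < 0x44:
        raise ValueError("F value too short: %d bytes" % len(data))
    (last_logon,) = struct.unpack_from("<Q", data, 0x08)
    (pwd_last_set,) = struct.unpack_from("<Q", data, 0x18)
    (rid,) = struct.unpack_from("<I", data, 0x30)
    (acb_flags,) = struct.unpack_from("<H", data, 0x38)
    failed_logins, login_count = struct.unpack_from("<HH", data, 0x40)
    return {
        "rid": rid,
        "last_logon": filetime_to_datetime(last_logon),
        "pwd_last_set": filetime_to_datetime(pwd_last_set),
        "disabled": bool(acb_flags & ACB_DISABLED),
        "failed_logins": failed_logins,
        "login_count": login_count,
    }


def build_f_value(rid, login_count, last_logon=None, acb_flags=0):
    """Construct a synthetic 0x50-byte F value (test data, not from a real hive)."""
    buf = bytearray(0x50)
    struct.pack_into("<Q", buf, 0x08, datetime_to_filetime(last_logon) if last_logon else 0)
    struct.pack_into("<I", buf, 0x30, rid)
    struct.pack_into("<H", buf, 0x38, acb_flags)
    struct.pack_into("<H", buf, 0x42, login_count)
    return bytes(buf)


def decode_reg_sz(raw):
    """REG_SZ data is UTF-16LE with a terminating NUL; None means the value is absent."""
    return None if raw is None else raw.decode("utf-16-le").rstrip("\x00")


def triage_sam_users(users):
    """users: iterable of (key name, F value bytes, InternetUserName bytes or None)."""
    records = []
    for key_name, f_bytes, iun_bytes in users:
        rec = parse_f_value(f_bytes)
        rec["name"] = key_name
        rec["internet_user_name"] = decode_reg_sz(iun_bytes)
        rec["cloud_identity"] = rec["internet_user_name"] is not None
        if rec["cloud_identity"]:
            # Per Dave Cowen's observation these accounts carry a login count of 0,
            # so the local counter says nothing about whether the user was active.
            rec["note"] = "cloud-authenticated; ignore login_count, check event logs"
        elif rec["login_count"] == 0 and rec["last_logon"] is None:
            rec["note"] = "never logged on locally"
        else:
            rec["note"] = ""
        records.append(rec)
    return records


# Constructed sample accounts (names, RIDs and the UPN are invented).
SAMPLE_USERS = [
    ("analyst", build_f_value(1001, 42, datetime(2019, 2, 5, 9, 30, tzinfo=timezone.utc)), None),
    ("jane.doe", build_f_value(1002, 0),
     "AzureAD\\jane.doe@example.com".encode("utf-16-le") + b"\x00\x00"),
]

if __name__ == "__main__":
    for rec in triage_sam_users(SAMPLE_USERS):
        print("{name:<10} rid={rid} logins={login_count} last={last_logon} "
              "internet={internet_user_name} {note}".format(**rec))
```

The point of the `note` field is the caveat Dave raises: a zero login count next to a populated InternetUserName is the normal signature of an Azure AD/ADFS-backed account, so the authentication evidence has to come from the event logs rather than the SAM counters.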
- Julie Urban at Blackbag Technologies demonstrates how to search for and confirm Apple Live Photos
How to Confirm Apple Live Photos
- Oleg Skulkin at Cyber Forensicator shared his answer from last week’s Sunday Funday challenge on shellbags.
Shellbags Forensics: Directory Viewing Preferences
- Vladimir Katalov at Elcomsoft advises that there are two new jailbreaks for later versions of iOS 11 that allow for file system extraction
iPhone Physical Acquisition: iOS 11.4 and 11.4.1
- Hideaki Ihara at the Port 139 blog posted a couple of times this week
- He continued to look into the ‘When-Changed’ time in Active Directory
Active Directory and When-Changed (2)
- As well as exploring ADtimeline
Active Directory and ADtimeline(1)
- Justin Boncaldo shares a script for parsing the system.log file found on HFS+ Mac systems
Mac HFS+ System.log Parser
- Ulf Frisk at “Security | DMA | Hacking” demonstrates “The Memory Process File System and show how easy it is to do high-performant memory analysis even from live remote systems over the network”. Ulf also announced the release of MemProcFS v2.0
Remote LIVE Memory Analysis with The Memory Process File System v2.0
THREAT INTELLIGENCE/HUNTING
- Chris Brenton at Active Countermeasures boils threat hunting basics down into steps including: identifying persistent outbound communications and their protocol, looking at the originating host and the reputation of the destination system, and ending with incident disposition including whitelisting or further investigation.
How to Threat Hunt Your Network
- Adam at Hexacorn, with inspiration from Samir Bousseaden, takes on the heroic task of surveying *every* Windows Event Log! A few mentions I found particularly interesting include: DriverFrameworks-UserMode\Operational (USB devices), Shell-Core\* (Shell related activity), as well as OfflineFiles\Operational and User Profile Service\Operational (user logon).
Event Logs++
- Cylance looks at how a SOC can put a sea of EDR events into context.
Endpoint Detection and Response (EDR): The Case for Context
- The Digital Shadows Security Engineering Team attended the 2019 SANS DFIR Cyber Threat Intelligence (CTI) Summit and sum up their takeaways on metrics, models and frameworks, and how to use ATT&CK.
SANS DFIR Cyber Threat Intelligence Summit 2019 – Extracting More Value from Your CTI Program
- The European Union Agency for Network and Information Security (ENISA) released a substantial report (34 page PDF) on “CSIRTs and Incident Response (IR) capabilities in Europe towards 2025 at a strategic and policy level”. The report reviews different sectors (private, military, etc.) and surveys laws in the EU and beyond.
Study on CSIRT landscape and IR capabilities in Europe 2025
- John Ferrell at Huntress Labs discusses Windows administrative shares, particularly as they relate to malware like Emotet or TrickBot moving laterally on a network.
Deep Dive: Windows Administrative Shares
- Wataru Takahashi at JPCERT/CC uses SysmonSearch – JPCERT/CC’s free Sysmon log analysis tool, available on the JPCERTCC GitHub – to investigate a suspicious process.
Investigate Suspicious Account Behaviour Using SysmonSearch
- Katie Nickels at MITRE ATT&CK announces that Round 2 of ATT&CK Evaluations will emulate the APT29/COZY BEAR/The Dukes group. Katie asks that anyone with knowledge about APT29 share information so that the MITRE emulation plan is realistic.
Open Invitation to Share Cyber Threat Intelligence on APT29 for Adversary Emulation Plan and…
- Nextron released an updated Antivirus Event Analysis Cheat Sheet (2 page PDF) by Florian Roth.
Antivirus Event Analysis Cheat Sheet v1.7
- Lee Christensen at SpecterOps looks at the .devicemanifest-ms and .devicemetadata-ms file extensions, which can be abused for arbitrary remote code execution through a path traversal in the Windows Driver Kit’s Device Metadata Authoring Wizard, and provides a proof of concept walkthrough using the command line, makecab.exe, and a hex editor.
Remote Code Execution via Path Traversal in the Device Metadata Authoring Wizard
- Richard Bejtlich at TaoSecurity further examines a story by Christopher Burgess about an insider intellectual property theft case involving downloading “restricted files to a personal thumb drive”, and how Richard dealt with issues like this at GE-CIRT.
Forcing the Adversary to Pursue Insider Theft
- Chad Tilbury at SANS looks into Windows Management Instrumentation (WMI) attacks using a variety of different tools and techniques, including Sysmon and the WMI-Activity Operational event log. More on WMI will be covered in Chad’s upcoming webinar, with a signup link in the post.
“Investigating WMI Attacks”
- Scott Piper at Summit Route breaks down AWS trust relationships, including IAM role trust relationships, resource policies, S3 ACLs, and Resource Access Manager resource sharing, and how an attacker can abuse them to move between accounts.
Lateral movement between AWS accounts – Abusing trust relationships
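Two of the trust mechanisms Scott covers, IAM role trust policies and resource (bucket) policies, are plain JSON policy documents, so the cross-account paths an attacker would look for can be enumerated offline. The script below is an added example for this roundup, not Scott’s code: it walks each Allow statement, resolves every AWS principal to an account ID, and grades anything outside the home account, with a wildcard principal rated highest and a cross-account sts:AssumeRole that lacks an sts:ExternalId condition (the confused-deputy guard) rated above one that has it. S3 ACLs and RAM shares are not policy documents and are out of scope here. The home account ID, the policy documents and every ARN are constructed; NotPrincipal/NotAction and conditions other than sts:ExternalId are reported but not evaluated.

```python
import json

HOME_ACCOUNT = "111111111111"  # assumption: the account whose policies we review


def _as_list(value):
    """Policy grammar allows a single string wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals_in(statement):
    """Yield (principal_type, principal) pairs for a statement."""
    principal = statement.get("Principal")
    if principal == "*":
        yield "AWS", "*"
        return
    for kind, values in (principal or {}).items():
        for value in _as_list(values):
            yield kind, value


def account_of(principal):
    """Account ID owning an AWS principal: bare ID, ARN, or '*' for anyone."""
    if principal == "*":
        return "*"
    if principal.startswith("arn:"):
        return principal.split(":")[4]  # arn:partition:service:region:account:resource
    return principal


def external_id_required(statement):
    """True if any condition block pins sts:ExternalId."""
    for operator_values in statement.get("Condition", {}).values():
        if isinstance(operator_values, dict) and "sts:ExternalId" in operator_values:
            return True
    return False


def review_policy(name, policy, home_account=HOME_ACCOUNT):
    """Return findings for one policy document (dict or JSON string)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        conditions = sorted(stmt.get("Condition", {}).keys())
        for kind, principal in principals_in(stmt):
            if kind != "AWS":
                continue  # Service/Federated principals need a different review
            acct = account_of(principal)
            if acct == home_account:
                continue
            if acct == "*":
                severity, why = "CRITICAL", "wildcard principal"
            elif "sts:assumerole" in actions and not external_id_required(stmt):
                severity, why = "HIGH", "cross-account AssumeRole without sts:ExternalId"
            else:
                severity, why = "MEDIUM", "cross-account access from %s" % acct
            findings.append({"policy": name, "severity": severity, "principal": principal,
                             "actions": actions, "conditions": conditions, "reason": why})
    return findings


# Constructed sample policies; account IDs, role and bucket names are invented.
SAMPLE_POLICIES = {
    "role/DeployRole trust": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "vendor-7f3a"}}}]},
    "role/LegacyAdmin trust": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["333333333333", "arn:aws:iam::111111111111:user/ops"]},
        "Action": "sts:AssumeRole"}]},
    "role/EC2Role trust": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]},
    "bucket/public-assets policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::public-assets/*"}]},
}


def review_all(policies=SAMPLE_POLICIES, home_account=HOME_ACCOUNT):
    findings = []
    for name, doc in policies.items():
        findings.extend(review_policy(name, doc, home_account))
    return sorted(findings, key=lambda f: ("CRITICAL", "HIGH", "MEDIUM").index(f["severity"]))


if __name__ == "__main__":
    for f in review_all():
        print("%-8s %-28s %-40s %s" % (f["severity"], f["policy"], f["principal"], f["reason"]))
```

A MEDIUM finding is still a trust edge: an attacker who compromises account 222222222222 can assume DeployRole regardless of the ExternalId, which only stops a third party from being tricked into doing it on their behalf. Feed real documents in from `aws iam get-role` and `aws s3api get-bucket-policy` output and review every edge that leaves the home account.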
UPCOMING WEBINARS/CONFERENCES
- “The CFP for BloomCON 0x04 which will be held March 29-30th at Bloomsburg University in Bloomsburg, PA is open through March 1st”
BloomCON – Call for Papers
- Eric Oldenburg at Griffeye will be hosting a webinar on “how to use the VICS OData Export function within Analyze DI Pro to seamlessly share case data between users.” The webinar will take place Feb 13, 2019 at 3 pm CET (9 am EST).
Griffeye Webinar: Collaboration Workflows In Analyze DI Pro Using VICS OData
- The CFP for Techno Security San Antonio has opened and will close March 28, 2019.
The 2019 Call for Speakers Submission Period is Open!
PRESENTATIONS/PODCASTS
- Cellebrite have uploaded a couple of short videos
- On this week’s Digital Forensic Survival Podcast, Michael provided an overview of YARA
DFSP # 155 – YARA Almighty
- Forensic Focus shared the presentation and transcript by James Nettesheim and Gary Brown from DFRWS EU 2018 titled “Using Santa To Augment Forensic Investigations”
Using Santa To Augment Forensic Investigations
- OpenText shared the recording of a recent presentation on the Tableau TX1
Valuable New Features of the Tableau TX1 Forensic Imager
- Craig Rowland at Sandfly Security has started a short web series on various infosec topics. This first video covers intrusion detection on Linux
1000 to 1 Rule of Intrusion Detection
- SANS shared David Evenden’s presentation from the 2018 Threat Hunting Summit
Leveraging Data Science to Discover Persistent Threats – SANS Threat Hunting Summit 2018
MALWARE
- 0verfl0w_ at 0ffset examines the second stage Hancitor trojan downloader dropped by Word or Excel documents. 0verfl0w_ unpacks and steps through the code and shows how to examine protected memory regions.
Post 0x17: Revisiting Hancitor in Depth
- Automated Malware Analysis looks at deobfuscating JavaScript using the Microsoft Antimalware Scan Interface (AMSI), the Windows interface through which script engines hand decoded content to registered antimalware providers such as Defender. AMSI is used in Joe Sandbox v25 Tiger’s Eye and is useful because “37% of all malicious e-mail attachments are Javascript files.”
Generic Unpacking of Javascript with Microsoft AMSI
- Liviu Arsene at Bitdefender Labs discusses the comeback of the Triout Android spyware, this time bundled with the “com.psiphon3” package, an app that uses proxies to bypass blocked websites.
Triout Android Spyware Framework Makes a Comeback, Abusing App with 50 Million Downloads
- Matthew Rowen at Bromium looks at malware targeting machines in Italy that downloads a Super Mario picture (It’s Mario! Is nothing sacred?!) within whose pixels is encoded PowerShell that downloads GandCrab ransomware.
Super Mario Oddity
- Michał Praszmo at CERT Polska examines the TrickBot/TrickLoader banking trojan, stepping through the analysis (“detricking”) including making sense of the XOR cipher and MiniLZO compression and working with wrapped functions.
Detricking TrickBot Loader
- There were a couple of posts on the Check Point Research blog this week
- Check Point researchers identified a new Linux backdoor trojan, dubbed “SpeakUp”, which can also infect Macs. It targets servers and spreads through subnets using any of a number of vulnerabilities (JBoss/Oracle/Hadoop/Apache).
SpeakUp: A New Undetected Backdoor Linux Trojan
- Eyal Itkin looks for RDP vulnerabilities in rdesktop and FreeRDP, where “16 major vulnerabilities and a total of 25 security vulnerabilities were found overall.”
Reverse RDP Attack: Code Execution on RDP Clients
- Max Gannon, Mollie MacDougall, Darrel Rendell, and Aaron Riley at Cofense discuss broadly distributed as well as targeted Geodo campaign activity delivering the Qakbot banking trojan.
Emo..Qak? Geodo/Emotet Botnet Delivers Qakbot Malware as First-Stage Payload
- Peyton Smith and Tim Parisi at Crowdstrike discuss Magecart eCommerce skimming TTPs, including PHP Object Injection payloads, overwriting core JS libraries, targeting unpatched Magento databases using Magpleasure, and more.
Threat Actor “Magecart”: Coming to an eCommerce Store Near You
- Fileless malware was a hot topic this week at ReaQta and Trend Micro
- ReaQta recaps fileless malware, starting with some history about its utility for getting past application whitelisting and early examples such as The Moth and Code Red, continuing with Poshspy’s use of WMI, and ending with the evolution to LOLBins.
Hunting Fileless Malware: Invisible but not Undetected
- Trend Micro also recaps fileless malware activity, including the finding that about a third of malware attacks are now fileless, and gives a high level overview of technical details like DLL injection and process hollowing.
The Fileless, Non-Malware Menace
- Abel Toro at Forcepoint uncovers Telegram C2 traffic using the .NET malware “GoodSender” as an example. Abel replays messages to profile the writer, trace victims (predominantly in the USA), and uncover a history of activity throughout 2018.
Tapping Telegram Bots
- Marco Ramilli introduces a new tool for large-scale malware analysis research. Feeds are run against hundreds of YARA rules and, while the engine is slow, Marco hopes the tool will be useful nonetheless.
Free Tool: Malware Hunter
- Jaewon Min and Yukihiro Okutomi at McAfee look at Android malware in the Google Play Store posing as a South Korean bus schedule app. A downloaded trojan tries to trick users into giving up their Google account password before taking control of their device.
MalBus: Popular South Korean Bus App Series in Google Play Found Dropping Malware After 5 Years of Development
- Michael Gillespie has created a 48 minute video performing a full analysis of a C/C++ ransomware executable, from the starting point through the decryption code and reading bytes into registers.
Analyzing Ransomware – Completing a FULL Analysis
- Samip Pokharel at mas_kop9 deobfuscates Java code and looks at the payload, loaded via a registry Run key, which runs the Jacksbot RAT.
Analysis of multiplatform Java Jacksbot Backdoor
- There were a number of posts on the SANS Internet Storm Center Handler Diaries
- Didier Stevens walks through another malicious Office document containing a VBA macro that launches a PowerShell script.
Maldoc Analysis of the Weekend, (Sat, Feb 9th)
- Didier also comes to us with a video (6 mins) walking through analysis of an OLE file using oledump.py and its plugins to look at attachment streams.
Video: Analyzing a Simple HTML Phishing Attachment, (Sun, Feb 3rd)
- Brad Duncan looks at Hancitor activity with the “HelloFax” theme, loading Pony/Evil Pony into memory and dropping Ursnif onto disk.
Hancitor malspam and infection traffic from Tuesday 2019-02-05, (Wed, Feb 6th)
- Rob VandenBrink looks at how to defend against Mimikatz and gives a hardening guide useful for system administrators.
Mitigations against Mimikatz Style Attacks, (Tue, Feb 5th)
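Hardening guides like Rob’s are only useful if you can verify the settings actually landed on the fleet. The script below is an added example for this roundup, not code from the diary: it parses the text produced by `reg export` (or regedit’s “Export”) and grades the handful of registry-backed credential protections that such guides cover, with a weak export and a hardened one as constructed test data. The set of keys checked is my own selection and need not match the diary’s list, and the CachedLogonsCount threshold of 2 is this example’s choice; a value that is absent is reported as MISSING rather than guessed, because the OS default then applies (for WDigest that default is only safe on Windows 8.1/Server 2012 R2 and later).

```python
import re

# (registry key, value name, pass predicate, what a pass means)
CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "UseLogonCredential", lambda v: v == 0,
     "WDigest does not keep plaintext credentials in LSASS (UseLogonCredential=0)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "RunAsPPL", lambda v: v == 1,
     "LSASS runs as a protected process (RunAsPPL=1)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "LsaCfgFlags", lambda v: v in (1, 2),
     "Credential Guard enabled (LsaCfgFlags=1 with UEFI lock, 2 without)"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "CachedLogonsCount", lambda v: int(v) <= 2,
     "cached domain logons limited (CachedLogonsCount<=2, this example's threshold)"),
]

REG_KEY = re.compile(r"^\[(-?)(.+)\]$")
REG_VAL = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def decode_reg_value(raw):
    """dword -> int, quoted string -> str (unescaped); hex/binary kept as raw text."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return raw


def parse_reg_export(text):
    """Return {key: {value_name: value}} for a .reg export; '@' becomes ''."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = REG_KEY.match(line)
        if m:
            current = m.group(2)
            keys.setdefault(current, {})
            continue
        m = REG_VAL.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else ""
            raw = m.group(2)
            while raw.endswith("\\") and i < len(lines):  # hex data continues on next line
                raw = raw[:-1] + lines[i].strip()
                i += 1
            keys[current][name] = decode_reg_value(raw)
    return keys


def audit(reg):
    """Grade each CHECKS entry as PASS, FAIL or MISSING against a parsed export."""
    lowered = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in reg.items()}
    results = []
    for key, name, passes, expected in CHECKS:
        value = lowered.get(key.lower(), {}).get(name.lower())
        if value is None:
            status = "MISSING"  # OS default applies; confirm per OS version rather than assume
        else:
            status = "PASS" if passes(value) else "FAIL"
        results.append({"setting": key + "\\" + name, "value": value,
                        "status": status, "expected": expected})
    return results


# Constructed exports (not from a real host): a default-ish build and a hardened one.
SAMPLE_WEAK = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LimitBlankPasswordUse"=dword:00000001
"Security Packages"=hex(7):6b,65,72,62,\
  65,72,6f,73,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="10"
"DefaultDomainName"="CORP"
'''

SAMPLE_HARDENED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001
"LsaCfgFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="1"
'''

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print("==", label)
        for r in audit(parse_reg_export(text)):
            print("%-7s %-14s %s" % (r["status"], r["value"], r["setting"].split("\\")[-1]))
```

Run it against `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg` style output collected by your endpoint tooling; a FAIL on UseLogonCredential or a MISSING RunAsPPL is exactly the condition that lets Mimikatz’s sekurlsa modules read credentials out of LSASS.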
- Graphics and data nerds will enjoy StillzTech’s post, which graphs useful and pretty relationships between malware samples using Neo4j.
Revealing malware relationships with GraphDB: Part 1
- Augusto Remillano II and Jakub Urbanec at Trend Micro look at one Linux coin miner to rule them all: similar to KORKERDS, it kills all other malware and coin miners already running on the system.
Linux Coin Miner Copied Scripts From KORKERDS, Removes All Other Malware and Miners
- ESET Research reviews the latest DanaBot trojan, which upgrades to encrypted C&C traffic and uses IDs for the different campaigns targeting different geographic areas, including Australia and Poland.
DanaBot updated with new C&C communication
MISCELLANEOUS
- Jessica Carter at AccessData advised of 10 things to look for from AccessData this year.
10 Things to Look for from AccessData in 2019
- Scott Vaughan at Berla advised that they will be having a monthly hangout to engage with customers
Wrap-Up of Berla’s First Live Community Hangout
- Brett Shavers at DFIR Training discusses the “hiring shortage” in infosec and provides some tips to those looking to get into the field
That “cyber” hiring problem is a problem
- There were a couple of posts on Forensic Focus this week
- Scar interviewed Matt McFadden, the Director of Training at BlackBag Technologies
Interview With Matt McFadden, Director of Training, BlackBag Technologies
- And they shared an article about how child abuse images have been found hidden in a cryptocurrency blockchain.
Child Abuse Images Hidden In Crypto-Currency Blockchain
- Glen at IronMoon shares their note taking methodology
My Forensic and Incident Response Note Taking Methodology
- Joshua Hickman at ‘The Binary Hick’ has uploaded a new test image of an Android Oreo device
Grab Your Glass of Milk! Android Oreo Image Now Available (8.x)
- Yulia Samoteykina at Atola demonstrates how to acquire a MacBook via Target Disk Mode on the TaskForce
Working with MacBooks via Thunderbolt extension module
SOFTWARE UPDATES
- Elcomsoft updated their iOS Forensic Toolkit, as well as their Advanced PDF Password Recovery (APDFPR) and Advanced Office Password Recovery (AOPR)
- Eric Zimmerman updated Timeline Explorer, Jumplist Explorer, JLECmd, and LECmd. Eric also released a file viewer for log/document files called EZViewer.
ChangeLog
- Evimetry 3.2.0-RC1 was released with some improvements and fixes
Release 3.2.0-RC1
- Matt Seyer released a tool to monitor Event Trace Logs
Check out @forensic_matt’s Tweet!
- Mark Baggett updated Srum Dump to Python 3.
Check out @MarkBaggett’s Tweet
- Metadata Interrogator v0.5 was released. I previously hadn’t heard of this tool, but it looks like an interesting alternative to ExifTool
v0.5 – Murtaugh
- Metaspike released Forensic Email Collector v3.6.1.0 with a number of improvements and fixes
Forensic Email Collector (FEC) Changelog
- “A new version of MISP (2.4.102) has been released with several fixes, various UI improvements, new types and a praise to the open source community.”
MISP 2.4.102 released (aka bug fixes and FOSDEM release)
- Sandfly 1.6.1 was released
Sandfly 1.6.1 – Host ID Updates and Other Fixes
- Timesketch 20190207 was released with “updated analyzers, py3 support and bugfixes.”
20190207
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!