Thanks to Lodrina for her help. She’s away the next couple of weeks so I’ll probably be doing links only for her sections. Please encourage her to come back as she’s helped me immensely with my time.
As always, Thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his (not quite daily this week) blogging
  - This week’s Sunday Funday relates to Deep Freeze and identifying “what determines newly written data’s ability to be recovered after reboot”
    Daily Blog #623: Sunday Funday 2/10/19
  - Dave lists some checks to go through if Microsoft Defender ATA issues a “High Alert that a golden ticket was in use”
    Daily Blog #624: Microsoft Defender ATA Golden Ticket False Positive
- The guys at Cyber Forensicator shared a tool, “WinSearchDBAnalyzer by Jeonghyeon Kim [that] can parse normal records and recover deleted records in Windows.edb”
  Recover Deleted Records in Windows.edb with WinSearchDBAnalyzer
- Hideaki Ihara at the Port 139 blog continues testing ADTimeline
  Active Directory and ADTimeline(2)
- Maxim Suhanov has written a lengthy post on how the NTFS $LogFile works
  How the $LogFile works?
- Mike Cary at ‘DFIR on the Mountain’ shares the results of some RDP event log testing
  RDP Event Log DFIR
- Over on my ThinkDFIR blog, I took a look at the ‘position’ value in the Reading Locations registry key for Microsoft Word
  Microsoft Office Reading Locations (Part 1)
- Yasulib shares a write-up of the 2018 Magnet User Summit and DEFCON CTFs created by Dave Cowen and Matthew Seyer
  Magnet User Summit CTF, Defcon DFIR CTF 2018 writeup
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn posted a few times this week
  - According to Registry associations, what are common file extensions? For example, these are all extensions for Help files: .chm, .hlp, .hxa, .hxc, .hxd, .hxe, .hxf, .hxh, .hxi, .hxk, .hxq, .hxr, .hxs, .hxt, .hxv, .hxw
    File extensions of interest
  - A short post about “PersistentAddinsRegistered” in the Registry.
    Beyond good ol’ Run key, Part 102
  - Event Viewer and mmc.exe launching any program – which can be used for privilege escalation.
    Beyond good ol’ Run key, Part 103
  - Using Sysmon for threat hunting, how it can help with system monitoring, and more.
    Sysmon – ideas, and gotchas
- Graneed writes about password cracking against Apache Tomcat, from the start of the attack through to C2 comms.
  Observing the attack that follows a password crack against Tomcat’s management function (Tomcatの管理機能に対するパスワードクラック後の攻撃を観察する)
- Raj Chandel at Hacking Articles writes about “protecting your system against MIMIKATZ that fetches password in clear text from wdigest”.
  Red Team/Blue Team Practice on Wdigest
- Jeff Warren at Insider Threat Security Blog looks at how to detect Pass-the-Hash attacks, as seen recently in current SamSam and Ryuk infections.
  How to Detect Pass-The-Hash Attacks
- Wataru Takahashi at JPCERT/CC recaps four talks at the Japan Security Analyst Conference 2019: Analysis of Drive-by Downloads; A lesson that should be learned from the cyber-attack in Korea; Deep Dive Into The Cyber Enemy : Various Case Study; and Security Log Analysis Moving Towards the Endpoint – Battles behind Windows
  Japan Security Analyst Conference 2019 -Part 1-
- Katie Nickels at ‘Katie’s Five Cents’ started a new blog reviewing how she has gotten to where she is today in her career, stressing “Regardless of your path in infosec, I encourage you to stop holding back your amazing ideas because you’re fearful of failing.” Maybe you want to present or start a blog (hint hint) too? 😉
  Hello World: On Finding My Voice
- John Wunder at MITRE ATT&CK summarizes 2018 and what’s coming for 2019, including an update for the CAR data model.
  ATT&CKing 2019
- Neil Desai at ‘Teaching An Old Dog New Tricks’ revisits an old post about BloodHound, including setting up a lab, looking at network traffic, and setting up honey tokens.
  Detecting BloodHound
- Brian Donohue at Red Canary writes about how to stop Emotet lateral movement by detecting it at any of five stages before lateral movement occurs: a Word command line; a command line containing obfuscated environment variables; an obfuscated PowerShell command line; a PowerShell command with a URL; or PowerShell downloading a file.
  Stopping Emotet Before it Moves Laterally
- Jeff Atkinson at Salesforce Engineering looks at how to install Bro-Sysmon, Broker and Logstash, and how to set up a VM and Zeek to monitor traffic.
  Test out Bro-Sysmon
- Scott Piper at ‘Summit Route’ looks at AWS resource naming patterns, including how an attacker might be able to block access to buckets.
  AWS resource naming patterns
UPCOMING WEBINARS/CONFERENCES
- Derrick Donnelly and Drew Fahey at Blackbag Technologies will be hosting a webinar with Image Analyzer’s Nick Drew on their upcoming integration. The webinar will take place Feb 28, 2019 7:00 PM UTC
  Picture and Video Triage Using Advanced Image Categorization
- Andrew Torgan at Project VIC advised that they will be hosting two LE-only webinars, Microsoft PhotoDNA for Video and VICS 2.0 Video Image Classification Standard, on February 25th
- Red Canary, building on their Emotet blog post, has an upcoming webinar this week.
  ATT&CK Lateral Movement
- The CFP for the SANS DFIR Europe Summit 2019, held on 30 September 2019, is open and will close 29 March 2019.
  SANS DFIR Europe Summit 2019 – Call for Presentations
PRESENTATIONS/PODCASTS
- Mathias at CyberFox gives an overview of prefetch files on Windows
  DFIR120 – Prefetch
- On this week’s Digital Forensic Survival Podcast, Michael discussed some things that people should consider when planning out their career
  DFSP # 156 – B2B: Career Maintenance
- Forensic Focus shared a couple of presentations from DFRWS EU and US this week
- A new podcast launched last week: Digital Forensics Forecast (DFF) by Jerry Bui. In the first episode he discussed iOS and cloud forensics.
  S1:E1 Relics
- Richard Davis at 13Cubed has uploaded a video on ProcDOT
  Visual Analysis with ProcDOT
- Craig Rowland at Sandfly Security uploaded a few videos this week on Linux hunting
- SANS shared Josh Bryant’s presentation from the 2018 Threat Hunting Summit.
  Hunting Webshells: Tracking TwoFace – SANS Threat Hunting Summit 2018
- Yulia Samoteykina at Atola shares a video demonstrating “how to image an NVMe drive to a file on your local network with Atola TaskForce.”
  Screencast: Forensic imaging of an NVMe drive with Atola TaskForce
MALWARE
- Carbon Black shared a few ‘Threat Intelligence Notifications’
  - Jaan Yeh Leong at Carbon Black looks at a shortcut file in use for the past month which performs web injections trying to steal cryptocurrency from victims. The shortcut target opens PowerShell with an encoded C2 and creates persistence as a scheduled task.
    TAU Threat Intelligence Notification – Fake Movie File Attack Targeting Cryptocurrency
  - Jaan Yeh Leong also looks at a campaign similar to the one Matthew Rowen at Bromium detailed last week: a malspam campaign targeting users in Italy, using pixel values in a seemingly innocent image to decode malicious PowerShell commands.
    TAU Threat Intelligence Notification: Spear Phishing Targeting Italy
  - Casey Parman at Carbon Black looks at how JAR files embedded inside MSI files can get around application whitelisting, and provides a proof-of-concept example delivering a Meterpreter payload using this technique.
    TAU Threat Intelligence Notification: Java Embedded MSI Files
  - Carbon Black’s TAU shares details about Shlayer, a new, signed macOS malware recently uncovered by Intego.
    TAU Threat Intelligence Notification: New macOS Malware Variant of Shlayer (OSX) Discovered
- Brendon Feeley and Bex Hartley at CrowdStrike look at a new TrickBot campaign delivered by BokBot, with components to exploit the local machine and move laterally.
  “Sin”-ful SPIDERS: WIZARD SPIDER and LUNAR SPIDER Sharing the Same Web
- Eli Salem at Cybereason* continues previous research from the Nocturnus team digging into campaigns in Brazil delivering the Astaroth trojan. Astaroth uses BITSAdmin to download a payload and abuses legitimate processes, such as injecting into Avast. *(disclaimer: Lodrina works here)
  Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data
- Cybereason followed up the technical article with a summary of Astaroth.
  The Newest Variant of the Astaroth Trojan Evades Detection in the Sneakiest Way
- Jérôme Segura at Malwarebytes gives an overview of recent exploit kits, including Fallout, RIG, GrandSoft, Magnitude, Underminer, and GreenFlash Sundown; most of them use IE or Flash exploits.
  Exploit kits: winter 2019 review
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
  - Didier Stevens steps through an email with a password-protected ZIP containing the malicious document (9 minutes).
    Video: Maldoc Analysis of the Weekend, (Sun, Feb 10th)
  - Didier also tries to find patterns in the campaign sending out password-protected ZIPs.
    Have You Seen an Email Virus Recently?, (Mon, Feb 11th)
  - Didier lastly examines properties of Office docs using his oledump.py script.
    Finding Property Values in Office Documents, (Sat, Feb 16th)
  - Xavier Mertens looks at a PDF which was purportedly legitimate but was reaching out to a remote SMB share.
    Suspicious PDF Connecting to a Remote SMB Share, (Thu, Feb 14th)
  - Xavier also looks at VBScript code on GitHub which is the H-Worm (from 2013!).
    Old H-Worm Delivered Through GitHub, (Thu, Feb 14th)
- Antonio Sanz at Security Art Work continues a fictional series on an incident in which Word is launched, makes a network connection and executes an .hta file, continuing with additional malicious payloads and persistence.
  Case study: “Imminent RATs” (III)
- Arturo Navarro and Salvador Sánchiz Aranda continue their coverage of Shamoon
  Evolution of Shamoon – Part 2
- A number of posts looked at malicious Shortcut (LNK) files this week:
  - D3xt3r at ‘D3xt3r’s Malware Laboratory’ looks at malware delivered by a shortcut, starting with LNK properties, digging into different layers of PowerShell commands, again delivering a ZIP disguised as an image file, and establishing persistence with a different LNK file in the Startup folder.
    Analyzing the Windows LNK file attack method
  - Max Kersten looks at a malicious shortcut, explaining the commands in deobfuscated PowerShell, loading a .BMP file (see the recent CB and Bromium posts), to deliver additional PowerShell banking trojan commands.
    LNK & ISESteroids Powershell dropper
- Yuanjing Guo and Tommy Dong at Symantec look at Potentially Unwanted Applications, which appear to be cryptojackers, in the Microsoft Store.
  Several Cryptojacking Apps Found on Microsoft Store
- There were a couple of posts on the Trend Micro blog this week
  - Don Ladores and Luis Magisa look at an EXE file that runs not just on Windows but on macOS as well, bypassing Gatekeeper; they use Little Snitch and other tools to examine what look to be trojan and adware components.
    Windows App Runs on Mac, Downloads Info Stealer and Adware
  - Noel Anthony Llimos and Carl Maverick Pascual look at Trickbot, which has new credential-stealing capabilities. Tax-related emails – we are getting close to tax time in the US – may entice users to open the attachments.
    Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire
- Martijn Grooten with Adrian Luca and Ionuţ Răileanu at Virus Bulletin test email delivery of Emotet and Bushaloader malware.
  The malspam security products miss: banking and email phishing, Emotet and Bushaloader
- WeLiveSecurity interviews Lukas Stefanko at ESET about his recent white paper looking at Android malware, which is linked to from the article (20 page PDF).
  Navigating the murky waters of Android banking malware
MISCELLANEOUS
- I was interviewed by Bret Peters at ADF about my work on my blogs
  Meet Phill Moore Author of This Week in 4N6 and Think DFIR
- AceLab released the new PC-3000 SAS 6 Gbit/s
  New PC-3000 SAS 6 Gbit/s for Faster Data Recovery from SAS/SCSI HDDs
- Brett Shavers shared a few things this week
  - He expounds the benefits of the CTIN conference
    Some CONS are good. Some cons are bad.
  - He tweeted out a cool resource on DFIR Training that lists a huge number of potentially useful registry keys
    Check out @DFIRTraining’s
  - And also shares his gratitude for the tools and processes that we have available to us today.
    I can do what now with forensic software? Seriously? Wow..
- Ariel Watson at Cellebrite posted a couple of articles this week
  - He explains how Samsung utilises the Exynos chipset, which Cellebrite have recently released a generic solution for.
    Why Evidence Extraction from Exynos-Powered Devices is a Major Advantage
  - And lists a number of reasons to utilise their Virtual Analyzer tool
    7 Digital Forensic Challenges Virtual Analyzer Overcomes
- Robert Merriott at ‘Computer Forensics World’ shares a review of Harlan Carvey’s “Investigating Windows Systems”
  Investigating Windows Systems – Book Review
- There were a few posts on Forensic Focus this week
  - Blackbag Technologies introduced their new “Digital Forensics Basics” course
    BlackBag Technologies Launches Introduction To Forensics Course
  - Scar shared a roundup of forum topics
    Forensic Focus Forum Round-Up
  - Chirath De Alwis provides an overview of email forensic investigation techniques
    Email Forensics: Investigation Techniques
- Justin Boncaldo provides an overview of metadata
  DFS #8: MetaData in forensics
- Kristian Lars Larsen at Data Narro provides an introduction to forensic copies and hashing. I disagree with the claim that only those in DFIR have the right tools to create forensic images; various imaging tools are free and the processes are fairly well documented online.
  Understanding Forensic Copies & Hash Functions
- Marcos at ‘Un minion curioso’ performed a comparison of a variety of free memory acquisition tools.
  #DFIR: Choose your weapon well. Calculate the impact.
- The students at Champlain have begun announcing their projects, with the Wearables team picking four of the latest smartwatches
  Wearable Forensics Team 1
- There were a few posts on the Velociraptor blog this week
  - On the use of the API
    Velociraptor Python API
  - And the tool’s performance on a recent engagement with Nick Klein’s team
    Velociraptor Performance
  - As well as alerting on event patterns
    Alerting on event patterns
SOFTWARE UPDATES
- Amped FIVE Update 12727 was released with a number of new features
  Amped FIVE Update 12727: Timeline, Multiview, HEIC support and more
- Cellebrite released UFED 7.15 with a variety of new features and improvements, including additional acquisition, unlock, and parsing methods
  Supporting new extraction methods and devices
- Didier Stevens updated cut-bytes.py to v0.0.9
  Update: cut-bytes.py Version 0.0.9
- Elcomsoft released “Advanced Intuit Password Recovery 3.10 [which] is an incremental update, adding support for the last year and current versions of Quicken and QuickBooks.”
  Advanced Intuit Password Recovery supports Quicken/QuickBooks 2018-2019
- Eric Zimmerman released KAPE, the Kroll Artifact Parser and Extractor! This is a fantastic tool that Eric’s been working on that allows for lightning fast collection and processing (live and mounted image, including VSS). I’d highly recommend playing with both the command line and GUI versions (the GUI is quicker for getting the command line script, but the command line is more extensible). Eric has also since updated it to v0.8.1.0
  Introducing KAPE!
- Eric also updated RECmd
  ChangeLog
- Evimetry 3.2.0-RC1 was released with some improvements and fixes
  Release 3.2.0-RC1
- Phil Harvey released ExifTool 11.27 with a number of new tags and bug fixes
  ExifTool 11.27
- Oxygen Forensic have released a new version of Detective adding “advanced features to support Parrot drone flight logs extracted from either an installed mobile app and even a physical dump along with the exclusive ability to extract and parse BlaBlaCar and CoverMe data.”
  Oxygen Forensic Detective Supports Parrot Drones And Uncovers BlaBlaCar Trips
- GetData released Forensic Explorer v4.4.8.8254 with improvements and fixes
  15 Feb 2019 – v4.4.8.8254
- Maxim Suhanov has released v1.0.0-beta3 of his Python-based NTFS file system parser, as well as v1.0.28 of yarp
  1.0.0-beta3
- USB Detective 1.4.0 was released with a number of new improvements, including live system support.
  Version 1.4.0 (02/12/2019)
- X-Ways Forensics 19.7 SR-6 and X-Ways Forensics 19.8 Beta 6 were released with bug fixes and improvements
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!