Lodrina’s back!
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ wrote a couple of posts this week
- The winner of last week’s Sunday Funday was Tun Naung, who with a little convincing has started a blog where he posted his answer
Daily Blog #642: Solution Saturday 3/9/19
- This week’s Sunday Funday relates to gathering the “available forensic data sources provided by Amazon AWS for EC2”
Daily Blog #643: Sunday Funday 3/10/19
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’ describes the process of texting pictures and its effects on the file’s content and metadata.
Texting Pictures
- Hideaki Ihara at port139 posted a couple of times this week
- He continues looking into ADTimeline, checking the effects of ACL changes.
Active Directory and ADTimeline(5)
- Hideaki also looks at event log ID 4648
Windows ID 4648 “A logon was attempted using explicit credentials”
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn posted a few times this week
- A discussion of tagging data with MITRE tags, tagging activity with your own classifications, and the need for context instead of simply tagging for identification.
The story of an underTAG that tried to wear a mitre…
- Thinking back on the Ghidra release, Adam speculates on the motivation behind the NSA releasing Ghidra and GCHQ releasing CyberChef.
the art of staying ghidrated
- The PE compilation timestamp is a Unix epoch value, but what timezone do tools display it in? A simple test shows which tools (Die, IDA, Efd, PE Studio) render it as local time and which as UTC.
PE Compilation Timestamps vs. forensics
- A Demoscene PE file is shown as an example that has no apparent DOS stub and fails to load in various PE test beds.
PE files and the DemoScene
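The two Hexacorn PE posts above both come down to reading the COFF header correctly: the TimeDateStamp is a bare 32-bit epoch count with no zone attached, and the header itself sits wherever e_lfanew says it does. As an added example (my code, not Hexacorn’s), the Python below builds two constructed minimal PE images, one with a conventional DOS stub and one whose e_lfanew points straight past the 64-byte DOS header, pulls the raw timestamp out of each, and renders it in UTC and in an arbitrary offset so the local-vs-UTC disagreement between tools is visible. The sample images, the stub text and the offset are constructed for the example; a real file would be read from disk instead.

```python
"""Pull the COFF TimeDateStamp from a PE image and check where the PE header
sits relative to the DOS header.  Added example for this roundup, not code
from the Hexacorn posts; both sample images below are constructed."""
import struct
from datetime import datetime, timezone, timedelta

PE_SIGNATURE = b"PE\0\0"
DOS_HEADER_SIZE = 0x40   # e_lfanew lives at offset 0x3C inside the DOS header
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"


def build_sample_pe(timestamp: int, with_dos_stub: bool) -> bytes:
    """Constructed minimal image: DOS header, optional stub, PE signature, COFF header.
    No optional header or sections, since only the COFF fields are read here."""
    e_lfanew = 0x80 if with_dos_stub else DOS_HEADER_SIZE
    dos_header = bytearray(b"MZ" + b"\0" * (DOS_HEADER_SIZE - 2))
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    stub = b""
    if with_dos_stub:
        # Placeholder stub text (assumed); a real stub carries a tiny 16-bit program too.
        stub = b"This program cannot be run in DOS mode.\r\n$".ljust(
            e_lfanew - DOS_HEADER_SIZE, b"\0")
    coff = struct.pack(COFF_HEADER, 0x8664, 1, timestamp, 0, 0, 0xF0, 0x22)
    return bytes(dos_header) + stub + PE_SIGNATURE + coff


def parse_pe(data: bytes) -> dict:
    """Return e_lfanew, the raw timestamp, its UTC rendering, and the DOS-stub situation."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError(f"no PE signature at e_lfanew=0x{e_lfanew:X}")
    machine, _nsections, stamp, _, _, _opt_size, _chars = struct.unpack_from(
        COFF_HEADER, data, e_lfanew + 4)
    return {
        "e_lfanew": e_lfanew,
        # A stub-less file points e_lfanew straight past the 64-byte DOS header.
        "has_dos_stub": e_lfanew > DOS_HEADER_SIZE,
        # e_lfanew inside the DOS header means the two headers overlap, a
        # size-optimisation trick that many parsers and test beds reject.
        "headers_overlap": e_lfanew < DOS_HEADER_SIZE,
        "machine": machine,
        "timestamp_raw": stamp,
        "compile_time_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
    }


def render_timestamp(raw: int, utc_offset_hours: int = 0) -> str:
    """The header stores seconds since the Unix epoch with no zone; a tool that
    shows local time is adding the analyst's offset, which is why two tools
    can show different wall-clock values for the same file."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(raw, tz=tz).strftime("%Y-%m-%d %H:%M:%S %Z")


if __name__ == "__main__":
    for stub in (True, False):
        info = parse_pe(build_sample_pe(1552262400, with_dos_stub=stub))
        print(info)
        print("  as UTC:      ", render_timestamp(info["timestamp_raw"]))
        print("  as UTC-05:00:", render_timestamp(info["timestamp_raw"], -5))
```

When you put the value in a timeline, record which rendering you used; the raw integer is the only zone-free form.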
- Hexa at Brokesec looks at honeypot techniques to get new malware samples and what different honeypots exist, including low vs medium interaction honeypots.
Basics Part II: Know Thy Honeypots
- CERT Polska previews their 2018 incident report, with categories like fraud (which includes phishing and copyright issues) making up 50% of reported incidents, followed by malicious code at 23%, then abusive content (from harmful speech to spam) at around 11%.
Incidents and incident reports in 2018
- Check Point Research have a post about developing Cuckoo extensions to manage AWS instances and more, allowing tasks to run in parallel without wasting resources.
Cuckoo SandBox on AWS
- Richard Bejtlich at Corelight discusses how NSM professionals should consider the “first, do no harm” credo when recommending security monitoring solutions; unlike the examples Bejtlich cites in the article, NSM should be passive and set up so that it is not a single point of failure.
First, Do No Harm
- Dani Wood at Cybereason released a white paper on how to combine “TTPs with adversary emulation plans [providing] the background to building threat hunting and red teaming programs based on the MITRE ATT&CK framework.”
Defensive Gap Assessment with MITRE ATT&CK
- Matt Berninger at FireEye looks at how to cluster attacks using scoring and then build a data set to draw conclusions from.
Going ATOMIC: Clustering and Associating Attacker Activity at Scale
- Colin at Insanitybit demonstrates how Grapl, “an open source platform for Detection and Response”, can be used in an incident
Grapl – A Graph Platform For Detection and Response
- Hackers-arise continues a series about how to run Snort, here by using Kali and testing Snort against known intrusion files and generating alerts.
Snort Basics for Hackers, Part 5: Testing your Snort IDS Against Known Exploits
- Sudharshan Kumar at Lucideus gives an example of SQL injection using double queries, including how to pull a database name and showing what happens when count() and GROUP BY are used together.
SQL Injection – Understand Double Query Injection in depth | Lucideus
- William Tsing at Malwarebytes Labs recaps the Lazarus group, a/k/a Hidden Cobra a/k/a Guardians of Peace, whose best known attack may be the one on Sony Pictures in 2014.
The Advanced Persistent Threat files: Lazarus Group
- Tony Cook at RSA goes “through how RSA NetWitness Network/Packets can be utilized to detect if BloodHound’s Data Collector (known as SharpHound) is being used in your environment to enumerate Group Membership.”
Keeping an eye on your Hounds…
- Zachary Burnham steps through how to set up a CentOS endpoint to send logs to ELK using Filebeat.
Monitoring CentOS Endpoints with Filebeat + ELK
UPCOMING WEBINARS/CONFERENCES
- Jessica Hyde and Warren Pamukoff at Magnet Forensics will be hosting a webinar on the newly released product Magnet Automate. The webinar will run in two sessions on April 16th; 11:00 EST and 13:00 EST
Complete investigations faster and eliminate your case backlog with Magnet AUTOMATE
- Dr. Joe Sylve at Blackbag Technologies will be hosting a webinar on Mar 28, 2019 at 6:00 PM UTC about the upcoming update to Macquisition to image Macs with T2 chips
Physical Decrypted Images from Macs with the T2 Chip
- Cellebrite and iNPUT-ACE will be hosting a webinar titled “Incorporating Time Sequenced Video and Mobile Data into Case Timelines”. The webinars will take place March 27, 2019 at 10AM (New York)/2PM (London) and March 28, 2019 at 11AM (Singapore)/2PM (Sydney)
The Power of Video and Images to Your Investigation
- The CFP for the 1st International Workshop on Human-oriented Intelligent Defence Against Malware Threats (HIDAMT) has opened and closes Apr 12, 2019. The conference takes place Aug 10-12, 2019 in Macao, China
PRESENTATIONS/PODCASTS
- Dr Ali Hadi shared his Zeek presentation from the “2019 Northeast Collegiate Cyber Defense Competition (NECCDC)”
Check out @binaryz0ne’s Tweet
- Cellebrite have shared a short video on how to take screen captures in UFED Physical Analyzer
HOW TO take screen capture (images & video) in UFED Physical Analyzer
- Michael Busselen at CrowdStrike shares the recording of the recent webcast on their 2019 Global Threat Report
Webcast Features Expert Insights and Analysis of the 2019 Global Threat Report
- Cyber Forensicator shared a recent panel from the folks at SANS at the recent RSA Conference titled “The Five Most Dangerous New Attack Techniques and How to Counter Them”
The Five Most Dangerous New Attack Techniques and How to Counter Them
- Cysinfo shared the presentations from their quarterly meetup
13th Quarterly Meetup – 9th March 2019
- On this week’s Digital Forensic Survival Podcast, Michael discusses an open source tool called Serpico, which is designed to aid report writing
DFSP # 160 – Serpico
- Forensic Focus shared Steve Watson’s presentation from DFRWS US 2018
Damaged Device Forensics
- There were a couple of interviews on the Paul’s Security Weekly YouTube channel from RSAC 2019
- SANS uploaded a couple of videos this week
- Check out an introduction to SOF ELK® from Phil Hagen (SANS, Red Canary)
SOF ELK® A Free, Scalable Analysis Platform for Forensic, Incident Response, and Security Operation
- Chad Tilbury gives an overview of WMI attacks
Investigating WMI Attacks
- GRC_Ninja uploaded their slides on threat hunting from the Tactical Edge conference in Bogota
Check out @GRC_Ninja’s Tweet!
MALWARE
- Credit card theft was a big trend this week, from POS malware to form-based data stealers. For those interested in POS credit card theft/carding, check out the recent Darknet Diaries podcast Ep 32, which is heavy on DFIR artifacts.
- 0verfl0w_ at 0ffset gives a particularly detailed write-up of the ISFB (Ursnif/Gozi) banking trojan associated with Group 53. Using IDA, CyberChef, and Python scripts, the next-stage payload is uncovered; it will be discussed in a future post.
Post 0x18.1: Analyzing a strain of ISFB – The First Loader
- Chris Prall at Carbon Black writes about how SOCs can use ATT&CK to mature their threat hunting process, with recommendations like focusing on data early, being smart about suppression, and using an ATT&CK Scorecard to measure improvement and report gaps to managers.
How to Mature Your Threat Hunting Program with the ATT&CK™ Framework
- Check Point Research posted a few times this week
- Ofer Caspi offers summaries of more than 40 Mac malware analyses including links to more detailed reports and research.
MacOS Malware Pedia
- Arie Olshtein, Moshe Hayun, and Arnold Osipov discuss a new Mirai campaign targeting servers in Asia using Squiblydoo, a download cradle, and WMI event subscription persistence techniques.
A New InfoStealer Campaign Targets APAC Windows Servers
- Elena Root and Andrey Polkovnichenko found Android adware dubbed “SimBad” in the RXDrioder SDK. Like the round of beauty app malware found earlier this year, SimBad became pervasive in a large number of apps (no longer available from the Play Store) and uses techniques to hide itself from being easily uninstalled.
SimBad: A Rogue Adware Campaign On Google Play
- Feixiang He and Andrey Polkovnichenko identify “Operation Sheep”, which uses the Android SWAnalytics SDK and a mobile MITM attack to steal data. (Also: the naming conventions explained at the bottom of the post and the Chinese idiom/slang derivatives are interesting. If you want to know about “shaving a sheep in a subtle way that it won’t be noticed” in a totally SFW post, check it out!)
Operation Sheep: Pilfer-Analytics SDK in Action
- There were a couple of posts on the Cybereason blog this week
- The Nocturnus team gives a high level overview of a new Ursnif campaign localized to Japan which instead of stealing from banking websites attempts to steal from cryptocurrency wallets.
New Ursnif Variant Comes with Enhanced Information Stealing Features
- A detailed technical report by Assaf Dahan details the Japan Ursnif attack through an initial phish, a PowerShell downloader, and the Ursnif payload, including the anti-analysis techniques found in the new variant.
New Ursnif Variant Targets Japan Packed with New Features
- The BlackBerry Cylance Versus series continues with a look back at the banking trojan Tinba, first seen in 2012, and breaks down newer variants from the past year named Dealhoya; invasion, injection, and C2 activity are discussed.
BlackBerry Cylance vs. Tinba Banking Trojan
- Didier Stevens looks at an Excel 4.0 (non-VBA) macro using his oledump Python scripts. A video walkthrough (6 mins) accompanies the post.
Maldoc: Excel 4.0 Macro
- Sumith Maniath and Prashanth Krushna Kadam at FireEye look at fileless malware delivered via Google Drive which uses Paste.ee (similar to Pastebin) to fetch additional payloads, ending in a NETWIRE backdoor.
Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing
- At Flashpoint, Jason Reaves and Joshua Platt discuss the Point of Sale (POS) malware DMSniff, which uses a domain generation algorithm (DGA) for its C2 domains, over which stolen credit card numbers are exfiltrated. They provide details of DMSniff, which they believe to have been in the wild for at least 4 years.
‘DMSniff’ POS Malware Actively Leveraged to Target Small-, Medium-Sized Businesses
- Xiaopeng Zhang at FortiGuard Labs follows up on a new version of Emotet, analyzing modules from the command and control server that provide lateral movement, read Outlook profile information, and drop a new TrickBot variant.
Analysis of the New Modules that Emotet Spreads
- Amirreza Niakanlahiji and Josiah Smith at InQuest look at a PowerShell script targeting users in Japan, delivered via steganography in an image, to deliver a new version of Ursnif.
Analyzing Sophisticated PowerShell Targeting Japan
- Abdullah Joseph has shared a write-up of the VikingHorde Android botnet
Check out @malwarecheese’s Tweet
- Pieter Arntz at Malwarebytes Labs looks at high level trends in Emotet, from its start as a single-system-infecting banking trojan to a botnet variant.
Emotet revisited: pervasive threat still a danger to businesses
- Following up on a previous post about using radare2, Anuj Soni at malwology continues by discussing the GUI version, Cutter. Anuj starts with installing Cutter then analyzes a GandCrab variant step by step. (Learn more about malware RE from him at one of his classes https://www.sans.org/instructors/anuj-soni)
Intro to Cutter for Malware Analysis
- Michael Gillespie shares a .NET ransomware walkthrough on YouTube (36 minutes).
Analyzing Ransomware – Finding Bugs
- Palo Alto Networks Unit 42 discuss a credit card capturing malware they call “CapturaTela” targeting users mostly in Brazil. Similar to a banking trojan that looks for submitted form data, CapturaTela looks for the victim’s CCN during an online purchase.
Operation Comando: How to Run a Cheap and Effective Credit Card Business
- Alex Hinchliffe at Palo Alto Networks gives an overview of DNS tunneling techniques, includes which ATT&CK techniques may apply, and also provides toolkit and malware lists as examples.
DNS Tunneling: how DNS can be (ab)used by malicious actors
- Ahmet Bilal Can at the Pentest blog looks at how to unpack Android malware samples and how to use Frida to trace program calls, using Anubis as an example, and releases a script to obtain the C2 and key from different versions of Anubis.
N Ways to Unpack Mobile Malware
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Didier Stevens performs analysis of a .hta file submitted by reader Ahmed Elshaer.
Malicious HTA Analysis by a Reader, (Sun, Mar 10th)
- Next, Didier posts a follow-up from Ahmed, who revisits the subsequently de-obfuscated PowerShell.
Quick and Dirty Malicious HTA Analysis, (Sun, Mar 10th)
- Didier also does a test with Ghidra to show that .doc-style compound files cannot be analyzed, but .docx or .zip-type files can be imported unless they are password protected.
Tip: Ghidra & ZIP Files, (Thu, Mar 14th)
- Brad Duncan writes about recent Emotet secondary payloads: typically TrickBot, though Qakbot has also been delivered recently. Brad also links to sample files and packet captures.
Malspam pushes Emotet with Qakbot as the follow-up malware, (Wed, Mar 13th)
- Remco Verhoef looks at combining Jupyter, common in data science communities, and radare2 to create a notebook (think: cookbook or playbook) to help automate analysis.
Binary Analysis with Jupyter and Radare2, (Fri, Mar 15th)
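Alex Hinchliffe’s DNS tunneling overview earlier in this section describes the pattern defenders look for: data encoded into subdomain labels, a fresh name on nearly every query so caches never answer, and record types that can carry bytes back. The following is an added example, not code from the Palo Alto Networks post: a small scorer over a constructed resolver log that checks for exactly those traits per registered domain. The log, the thresholds, the label-length cutoff and the “last two labels” registered-domain rule are assumptions for the example; real tooling should use the public suffix list and tune thresholds against your own baseline.

```python
"""Score a resolver log for DNS-tunneling traits.  Added example for this
roundup, not from the Palo Alto Networks post.  SAMPLE_LOG is constructed."""
import math
from collections import defaultdict

# Constructed log, one query per line: "<time> <client> <qname> <qtype>".
# example-cdn.net plays the tunnel endpoint; the other two domains are benign noise.
SAMPLE_LOG = """\
2019-03-12T09:00:01 10.0.0.5 www.example.com A
2019-03-12T09:00:02 10.0.0.5 mail.example.com MX
2019-03-12T09:00:04 10.0.0.5 login.example.com A
2019-03-12T09:00:05 10.0.0.5 www.example.com A
2019-03-12T09:00:06 10.0.0.9 updates.example-sw.org A
2019-03-12T09:00:07 10.0.0.9 updates.example-sw.org A
2019-03-12T09:00:08 10.0.0.9 updates.example-sw.org A
2019-03-12T09:00:03 10.0.0.7 6a7f3c9e1b0d4a52f8e3.tun.example-cdn.net TXT
2019-03-12T09:00:03 10.0.0.7 9c2e0b7d4f1a6e3c8b5d.tun.example-cdn.net TXT
2019-03-12T09:00:04 10.0.0.7 0d8b4e2a6c1f9e7b3a5c.tun.example-cdn.net TXT
2019-03-12T09:00:04 10.0.0.7 e1c7a9b3d5f2e8c4a6b0.tun.example-cdn.net TXT
2019-03-12T09:00:05 10.0.0.7 b4d2f6a8c0e3b9d1f7a5.tun.example-cdn.net TXT
"""

LONG_LABEL = 16                            # assumed cutoff; normal hostnames are shorter
DATA_RECORD_TYPES = {"TXT", "NULL", "CNAME"}  # types that carry arbitrary bytes downstream


def shannon_entropy(s: str) -> float:
    """Bits per character: hex/base32 payloads sit near 4, words near 2 to 3."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((ts, client, qname.rstrip(".").lower(), qtype.upper()))
    return records


def registered_domain(qname: str) -> str:
    """Assumption: the last two labels.  Use the public suffix list in production."""
    return ".".join(qname.split(".")[-2:])


def profile_domains(records):
    """Aggregate the tunnel-relevant traits of every query under each registered domain."""
    profiles = defaultdict(lambda: {"queries": 0, "subdomains": set(), "entropy_total": 0.0,
                                    "long_label_queries": 0, "data_type_queries": 0})
    for _, _, qname, qtype in records:
        dom = registered_domain(qname)
        p = profiles[dom]
        p["queries"] += 1
        sub = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        if sub:
            p["subdomains"].add(sub)
            p["entropy_total"] += shannon_entropy(sub.replace(".", ""))
            if any(len(label) >= LONG_LABEL for label in sub.split(".")):
                p["long_label_queries"] += 1
        if qtype in DATA_RECORD_TYPES:
            p["data_type_queries"] += 1
    return profiles


def tunnel_score(p) -> int:
    """One point per trait; thresholds are assumptions to tune against a baseline."""
    n = p["queries"]
    score = 0
    if n >= 3 and len(p["subdomains"]) / n > 0.8:   # almost every query is a never-seen name
        score += 1
    if p["entropy_total"] / n > 3.5:                 # labels look encoded, not like words
        score += 1
    if p["long_label_queries"] / n > 0.5:            # labels padded out to carry data
        score += 1
    if p["data_type_queries"] / n > 0.5:             # answers that can carry bytes back
        score += 1
    return score


def tunnel_scores(text: str) -> dict:
    return {dom: tunnel_score(p) for dom, p in profile_domains(parse_log(text)).items()}


def find_tunnel_candidates(text: str, threshold: int = 3) -> list:
    return sorted(dom for dom, s in tunnel_scores(text).items() if s >= threshold)


if __name__ == "__main__":
    for dom, s in sorted(tunnel_scores(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{s}  {dom}")
    print("candidates:", find_tunnel_candidates(SAMPLE_LOG))
```

Run it against a day of resolver logs and expect a tail of content-delivery and anti-spam domains to score 1 or 2; the point of the per-domain aggregation is that a tunnel scores on every trait at once, which those rarely do.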
- Steve Trilling at Symantec discusses how to detect credential dumping including suggestions to alert on access to the SAM or Windows Credential Manager, and queries to LSASS.
Disrupting the Attack Chain Through Detecting Credential Dumping
- Warren Mercer and Paul Rascagneres with Ben Baker at Cisco Talos look at commodity POS malware for sale online known as “GlitchPOS”. This recent CC stealer was first mentioned online in February 2019 and tries to grab Track 1 and Track 2 data.
GlitchPOS: New PoS malware for sale
- There were a couple of posts on the TrendMicro blog this week
- They have a post looking at an ML model for malware detection based on a study in conjunction with Federation University Australia, detailed in their paper “Generative Malware Outbreak Detection.”
A Machine Learning Model to Detect Malware Variants
- Augusto Remillano and Kiyoshi Obuchi look at the rise of Powload, from malspam delivery to more sophisticated email hijacking and fileless infection techniques.
From Fileless Techniques to Using Steganography: Examining Powload’s Evolution
- In news via Twitter, Rob Joyce highlights Rolf Rolles’ work on deobfuscating control flow and Rolf’s release of the Ghidra Program Analysis Library on GitHub.
Ghidra Program Analysis Library on GitHub
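Steve Trilling’s Symantec post earlier in this section suggests three signals for credential dumping: handle requests against LSASS, access to the SAM, and queries to Windows Credential Manager. As an added example (not Symantec’s detection logic), the Python below runs those three ideas over a constructed batch of Sysmon and Windows Security events: Sysmon Event ID 10 (ProcessAccess) where the target is lsass.exe, the granted mask includes PROCESS_VM_READ and the source image is not on an allowlist; Sysmon Event ID 1 command lines that export the SAM hive with reg save or enumerate credentials with vaultcmd /listcreds; and Security Event ID 4663 reads of the SAM registry hive by anything other than lsass.exe. The sample events, the allowlist and the field names (Sysmon’s and the Security log’s usual ones, flattened to dicts) are assumptions to adapt to your own log pipeline.

```python
"""Credential-dumping detections over Sysmon and Windows Security events.
Added example for this roundup, not Symantec's code.  SAMPLE_EVENTS are
constructed, and the allowlist is a starting point to tune, not a verdict."""
import re
from ntpath import basename

PROCESS_VM_READ = 0x0010  # present in the usual dumping masks 0x1010, 0x1410 and 0x1FFFFF

# Images that open lsass.exe for read in normal operation (assumption: tune per host build).
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

REG_SAVE_HIVE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)
VAULTCMD_LIST = re.compile(r"\bvaultcmd(?:\.exe)?\b.*?/listcreds", re.I)

# Constructed events; "source" and "event_id" stand in for the log channel and EventID.
SAMPLE_EVENTS = [
    {"source": "sysmon", "event_id": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"source": "sysmon", "event_id": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"source": "sysmon", "event_id": 10, "SourceImage": r"C:\Windows\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"source": "sysmon", "event_id": 10, "SourceImage": r"C:\Windows\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010"},
    {"source": "sysmon", "event_id": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": "reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv", "User": "CORP\\alice"},
    {"source": "sysmon", "event_id": 1, "Image": r"C:\Windows\System32\VaultCmd.exe",
     "CommandLine": 'vaultcmd /listcreds:"Windows Credentials" /all', "User": "CORP\\alice"},
    {"source": "sysmon", "event_id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir", "User": "CORP\\alice"},
    {"source": "security", "event_id": 4663, "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account",
     "ProcessName": r"C:\Windows\Temp\m.exe", "AccessMask": "0x1"},
    {"source": "security", "event_id": 4663, "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account",
     "ProcessName": r"C:\Windows\System32\lsass.exe", "AccessMask": "0x1"},
]


def _lsass_access(ev):
    """Sysmon 10: read-capable handle to lsass.exe from a non-allowlisted image."""
    if basename(ev["TargetImage"]).lower() != "lsass.exe":
        return None
    granted = int(ev["GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return None
    if ev["SourceImage"].lower() in LSASS_ACCESS_ALLOWLIST:
        return None
    return f"{ev['SourceImage']} opened lsass.exe with 0x{granted:X}"


def _cmdline(ev):
    """Sysmon 1: SAM hive export or Credential Manager enumeration on the command line."""
    cmd = ev["CommandLine"]
    if REG_SAVE_HIVE.search(cmd):
        return "sam_hive_export", cmd
    if VAULTCMD_LIST.search(cmd):
        return "credman_enum", cmd
    return None


def _sam_registry_read(ev):
    """Security 4663: SAM hive read by anything other than lsass.exe (needs a SACL on the key)."""
    if not ev["ObjectName"].lower().startswith(r"\registry\machine\sam"):
        return None
    if basename(ev["ProcessName"]).lower() == "lsass.exe":
        return None
    return f"{ev['ProcessName']} read {ev['ObjectName']}"


def detect_credential_dumping(events):
    findings = []
    for ev in events:
        if ev["source"] == "sysmon" and ev["event_id"] == 10:
            detail = _lsass_access(ev)
            if detail:
                findings.append({"rule": "lsass_access", "detail": detail})
        elif ev["source"] == "sysmon" and ev["event_id"] == 1:
            hit = _cmdline(ev)
            if hit:
                findings.append({"rule": hit[0], "detail": hit[1]})
        elif ev["source"] == "security" and ev["event_id"] == 4663:
            detail = _sam_registry_read(ev)
            if detail:
                findings.append({"rule": "sam_registry_read", "detail": detail})
    return findings


if __name__ == "__main__":
    for f in detect_credential_dumping(SAMPLE_EVENTS):
        print(f"{f['rule']:18} {f['detail']}")
```

The allowlist is the part that needs the most care: path-based exclusions are only as good as the integrity of those paths, so pair them with signer checks or hash allowlisting where your telemetry carries that data.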
MISCELLANEOUS
- There were a few posts on the ADF blog this week
- Richard Frawley demonstrates how to perform a boot scan with DEI on a Microsoft Surface Pro
Learn How to Boot Scan a Microsoft Surface Pro
- Richard also has uploaded a video showing how “to add Project Vic datasets or hashes to a Search Profile.”
Adding Project Vic Hashes to a Search Profile
- Bradford Oliver describes the role of a digital media investigator
What is the Role of a Digital Media Investigator?
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ has written a post on Windows Memory Management, as well as published his notes on Windows Memory Analysis
- Andrea Lazzarotto provided an overview of Forensics Europe Expo 2019
Forensics Europe Expo 2019: due giorni di fiera e seminari sulle scienze forensi (Forensics Europe Expo 2019: two days of exhibition and seminars on the forensic sciences)
- Julie Urban at Blackbag Technologies advises that the upcoming release of Macquisition will allow examiners to obtain physical images of Apple devices with T2 chips. Previous solutions only allowed for logical imaging.
Macquisition Will Decrypt Physical Images from Macs with T2 Chip
- Cellebrite have listed the Forensic 4Cast Award categories that they would like to be nominated for.
4 Reasons to Nominate Cellebrite for the Forensic 4:cast Awards
- Christian at IT-Dad posted a few times this week
- He demonstrates the use of the Linux versions of FTK Imager and Autopsy
FTK Imager und Autopsy unter Linux nutzen (Using FTK Imager and Autopsy on Linux)
- He reviews a course by EH Academy. This course teaches tools like ProDiscover and DFF, both of which appear to have fallen off the radar. I’m not sure of the quality of the course, but teaching outdated and unsupported tools is less than ideal.
Kostenlose IT-Forensik Kurse Teil III – EH Academy (Free IT Forensics Courses Part III – EH Academy)
- Christian also demonstrates the “Mobile Revelator” mobile forensics freeware tool
Der „Mobile Revelator“ – Mobilforensik-Freeware (The “Mobile Revelator” – Mobile Forensics Freeware)
- Jason Silberman at Illusive Networks interviews Ido Shoham about DFIR
Why Digital Forensics are Instrumental to Rapid Incident Response
- DME Forensics share a short case study of where DVR Examiner can be useful in examining a DVR hard drive directly.
Field Recovery of CCTV/DVR Video Surveillance
- Eric Huber at ‘A Fistful of Dongles’ shares his thoughts on the current state of incident response billing practices
The End of the Golden Age of Incident Response Billing
- There were a few posts on Forensic Focus this week
- Christa Miller comments on burnout in the DFIR field. Burnout is definitely a problem that people need to pay more attention to
Burnout in DFIR (And Beyond)
- They shared their roundup of forum posts for the month
Forensic Focus Forum Round-Up
- “Amped Software has launched Amped Replay, a new tool which allows frontline police officers and investigators to quickly and easily view, analyze and present video evidence”
Amped Software Launches Amped Replay: An Enhanced Video Player for Investigators
- Jim Hoerricks at the Forensic Photoshop blog comments on the convergence of digital and DVR forensics, specifically surrounding hashing of proxy files
A few quick comments about hash values and DVR files - Griffeye have a post explaining why using tools that reduce exposure to harmful material such as child abuse content is beneficial for staff retention.
Building solutions to keep investigators in the job longer - Justin Boncaldo addresses the misconception that a forensic analysis involves combing through every part of a device, and is generally a scope examination to answer specific questions
Needle in the Haystack -DF MISCONCEPTIONS PART 1 - Matt Bromiley is back to blogging!
- He demonstrates how to use KAPE’s upcoming SFTP feature with terraform
Automating SFTP Creation for KAPE’s Sake!
- Matt also demonstrates how to do a task list import into TheHive
TheHive Scripting: Task Imports
- Matt Seyer shares his thoughts on dedicating time to his projects. It’s a good idea to take stock of your workload and identify how best to spend your time. It’s easy to keep getting sidetracked or starting new projects, where it’s probably better to start and finish one or two really good ones. Also, thanks Matt for the nomination!
More DFIR With Less Time
- Matt Shannon at F-Response explains a new feature in v8, a target called pmem-unsafe that bypasses the safety overlay
F-Response v8, and the new physical memory unsafe target
- Amber Schroader at Paraben Corporation comments on the principles of maintaining evidence, knowing your tools, and documenting your processes.
Court Approved Debate Is my tool valid?
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — March 3 to 9
- Seth Enoka lists out what he keeps in his forensics go-bag
Build Your Own Forensics Go-Bag
- The Digital Sherlock responds to Macros’ post on using Kali for forensics, and advises that they will describe some distros specifically useful for DFIR
Kali Linux e Digital Forensics (Kali Linux and Digital Forensics)
- Yulia Samoteykina at Atola describes how to use jumbo frames on the TaskForce to image faster to network drives.
Imaging to server faster using Jumbo frames in TaskForce
SOFTWARE UPDATES
- Arsenal released “HbinRecon v1.0.0.39 Alpha with a GUI & other updates.”
HbinRecon v1.0.0.39
- Berla have released iVe v2.3, adding support for Lexus, Peugeot, Citroën and Lamborghini systems, as well as other features and enhancements. They also shared feature spotlights on time offsets and offline mapping
iVe Software v2.3 Release
- Cellebrite released UFED4PC v7.16 with some new features, including a new APK downgrade method
Exclusive access to WhatsApp data and another 40 apps on Android devices
- Didier Stevens updated a couple of his tools this week
- Eric Zimmerman updated MFTECmd, AmcacheParser, AppCompatCacheParser, Registry Explorer, ShellBags Explorer, PECmd (Prefetch formatting changes in the next version of Win10) and bstrings. Eric also released KAPE 0.8.3.0 with a number of new features, including SFTP support and a method of running multiple KAPE instances at once
ChangeLog
- ExifTool 11.32 was released with a number of new tags and bug fixes
ExifTool 11.32
- GetData released Forensic Explorer v4.6.8.8396 with a number of improvements and bug fixes
v4.6.8.8396
- Ryan Benson released Hindsight v2.3.0, supporting up to Chrome v73, allowing you to search all profiles in a directory, and supporting LevelDB local storage. Ryan has shared some additional details on his blog.
Hindsight v2.3.0
- Magnet Forensics announced their new tool AUTOMATE, which allows examiners and organisations to create workflows using any tool with a command-line interface
Announcing Magnet AUTOMATE, a New Solution to Help Labs to Complete Investigations Faster
- Maxim Suhanov released v1.0.0-beta7 of his dfir_ntfs file system parser
1.0.0-beta7
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
One thought on “Week 11 – 2019”