Thanks to Lodrina for her work.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Arman Gungor at Metaspike explains the Content-Length header field found in e-mails, as well as how to preserve and use it in an investigation
Using the Content-Length Header Field in Email Forensics
- Cyrill Brunschwiler at Compass Security describes Plaso’s ability to analyse certain artefacts for different activity types
Windows Forensics with Plaso
- Jim Hoerricks at Forensic Photoshop compares Input-Ace and Amped Five for video file triage.
Quick File Triage
THREAT INTELLIGENCE/HUNTING
- Marcus Bakker shared Blue ATT&CK, which is built atop MITRE ATT&CK “to help blue teams in scoring and comparing data source quality, visibility, detections and threat actors.”
Check out @bakk3rm’s Tweet
- Adam at Hexacorn posted a couple of times this week
- He shares work from John Hubbard using PowerShell to look at event ID monitoring; check it out for event IDs you may not even know existed (example: 5039, “A registry key was virtualized”)
Event, Event on the wall, who’s the fairest of them all?
- Adam also gives an example of how Slack’s update.exe (and other Electron apps) can be used as a lolbin.
Squirrel packages’ manager as a lolbin (a.k.a. many Electron apps are lolbins by default)
- Ben Bornholm at HoldMyBeer has a couple of posts this week
- The first is on how to Install/Setup Graylog 3 on Ubuntu 18.04
Install/Setup Graylog 3 on Ubuntu 18.04 – Zeeks logs + threat intel pipeline
- The second demonstrates “how to ingest OSquery logs with Rsyslog v8”
Logging OSquery with Rsyslog v8 – Love at first sight
- Chris Prall at Carbon Black examines a variety of scenarios that should be accounted for in a mature threat hunting program. Scenarios include risks in M&A, physical attacks on non-traditional endpoints, and unmasking coin mining using PS.
Real World Examples Demonstrating the Need for Mature Threat Hunting
- Michael Busselen at CrowdStrike summarises their 2019 Global Threat Report, including nation-state activity related to DPRK, Iran, China, and Russia. The report itself (75 page PDF) also looks at eCrime trends like ransomware, cryptocurrency mining, and BEC attacks.
Key Trends From the CrowdStrike 2019 Global Threat Report
- Sam Curry at Cybereason talks about how to use SIEM, EDR, and SOAR together for efficient threat hunting and detection. Sam starts by looking at where security monitoring evolved from in the early 2000s, how regulation changed monitoring, and current strategies around automation and preventing alert fatigue.
Use SIEM and EDR Together to Improve Defenses and Save Money
- Cylance breaks down the AutoIt-based Njw0rm RAT, which looks for stored credentials and propagates through available removable devices. In the wild since 2015, IOCs for this sample include C2 communication over port 4040; however, because the builder is easily customised, many IOCs vary between samples (the builder’s default port, for instance, is 1888).
BlackBerry Cylance vs. Njw0rm Remote Access Trojan
- Jacob Barteaux, Blaine Stancill, and Nhan Huynh at FireEye write about the release of Commando VM, the Complete Mandiant Offensive VM, a Windows distribution that can be used for both red teaming / pen testing and blue teaming. The full list of tools can be found at the GitHub repo.
Commando VM: The First of Its Kind Windows Offensive Distribution
- Fox-IT releases mkYARA to help automate writing YARA rules for malware, including an IDA Pro plugin.
mkYARA – Writing YARA rules for the lazy analyst
- Raj Chandel talks about creating a honeypot to catch attackers using KFSensor.
Threat Detection for your Network using Kfsensor Honeypot
- Marco Ramilli discusses spotting APTs in malware streams, a time-consuming process when done by hand with YARA rules, and releases an engine to perform the same analysis automatically!
Free Tools: Spotting APTs
- Scott Kinghorn at Microsoft introduces Azure Monitor for VMs as a way to examine the network traffic of VMs at a per-process level.
Analysis of network connection data with Azure Monitor for virtual machines
- Mike R examines the endpoint artefacts left by different attacker TTPs, in this case a malicious document launching PowerShell. Mike uses Red Canary’s Atomic Red Team tests to attack, with Comodo’s cWatch and Sysmon sending to Splunk, plus PowerShell logging on the host.
Containing The Fallout… Testing The Endpoint With Chain Reactions
- Brad Duncan at Palo Alto Networks shows how to review pcaps from an infected host to identify hosts and users, looking at DHCP, NetBIOS Name Service, HTTP, and Kerberos traffic.
Using Wireshark: Identifying Hosts and Users
- Tony Lambert at Red Canary covers the threat actor Rocke (aka Iron), associated with cryptocurrency mining. Known TTPs include moving laterally using obfuscated code hosted on Pastebin, killing competing cryptocurrency miners, and timestomping by touching various files to hide activity.
Rocke Cryptominer
- Ryan Campbell at ‘Security Soup’ continues his series on malware analysis basics, this time extracting the C2 links from an Emotet banking trojan sample. In a VM, using the Developer options in Microsoft Word and Notepad++, the five payload URLs are decoded.
How To: Extract Network Indicators of Compromise (IOCs) from Maldoc Macros — Part 3
UPCOMING WEBINARS/CONFERENCES
- Yuri Gubanov at Belkasoft will be hosting a webinar on the upcoming release of Belkasoft Evidence Center v9.5. The webinar will take place on April 2nd at 8:00 PDT / 11:00 EDT / 17:00 CEST.
Belkasoft Evidence Center 9.5 Sneak Peek Webinar
- Oleg Skulkin at Group-IB will be hosting a webinar on April 9th on “how to use host-based forensics to get indicators of compromise for successful intelligence-driven incident response”
Using host-based forensics to get indicators of compromise for successful intelligence-driven incident response
- Danny Garcia and John Kennedy will be hosting a webinar on examining drones using Cellebrite’s tools on Thursday, April 11, at 11 AM Eastern / 8 AM Pacific.
Data in the Sky – Drone Data Extraction and Analysis
PRESENTATIONS/PODCASTS
- The presentations from A Conference for Defense 2019 were uploaded to YouTube
- Sharon Nelson and John Simek at Digital Detectives discussed mobile examination with Brett Burney. I wasn’t a huge fan of the recommendations for self-collection, only because they involve interacting with the device and may cause issues. I would probably suggest purchasing something like an IPEVO camera so you can easily photograph screens and interactions, which reduces the probability of destroying data.
Digital Forensics on Mobile Devices
- On this week’s Digital Forensic Survival Podcast, Michael talks about “OWASP’s Number 6 vulnerability category from their top 10 list, Security Misconfiguration” from a DFIR perspective
DFSP # 162 – OWASP: Security Misconfigurations
- This week’s Down The Security Rabbithole podcast covered cyber insurance and acts of cyber war. One of the interesting points raised was that an insurer might pressure the IR team to attribute an attack, while the victim may pressure the team to only identify what was affected and remediate rather than attribute; the reason being that if the attack can be attributed to a nation state then the insurance may not pay out.
DtSR Episode 339 – Insuring Against Acts of Cyber War
- Forensic Focus shared Timothy Bollé’s presentation from DFRWS EU 2018.
Using Distinctive Digital Traces To Evaluate Non-Obvious Links And Repetitions
- Magnet Forensics shared a number of videos relating to their recent major AXIOM release
MALWARE
- The ASUS supply chain attack was covered by many blogs this week.
- First uncovered by Kaspersky, the ASUS supply chain attack (Operation ShadowHammer) was observed during late 2018; more details will come out at their SAS 2019 conference. Kaspersky also released a tool to check whether your system was targeted by ShadowHammer, and notes similarities to the ShadowPad incident involving BARIUM.
Operation ShadowHammer
- Mathias Fuchs at Cyberfox, with Stefan Rothenbuehler, looks at the ShadowHammer malware purporting to be an ASUS security update, starting with finding the malicious code (which executes only after the benign code), querying the local machine’s MAC address, and comparing a hash of that MAC address against the hardcoded hashes.
Dissecting ShadowHammer
- Alex Davies and Matt Hillman at Countercept look at the code in ShadowHammer and provide IOCs.
Analysis of ShadowHammer ASUS Attack First Stage Payload
- Matt Weeks at root9B also looks at the ShadowHammer attack, cracking what the targeted MAC addresses are and noting that addresses on the list (at the bottom of the post) “are present on many different physical or virtual adapters, and simply having the MAC does not imply you are a target.”
R9B Cracks Shadowhammer’s Targets
- Vitali Kremez reverses the ShadowHammer malware and shares the encoded list of targeted MAC addresses.
Let’s Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt_ExitProcess
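The ShadowHammer posts above describe the same gating mechanism: hash each local adapter’s MAC address, compare the digest against an embedded list, and only detonate on a match. The following is an added example written for this roundup, not code from Kaspersky, Cyberfox, Countercept, root9B or Vitali Kremez. It assumes MD5 over the raw 6-byte address (the posts above say only “a hash”; the algorithm and input encoding are assumptions here), uses a constructed target list rather than the real one, and carries root9B’s caveat: a hit on an address that ships on many virtual or physical adapters is flagged as low confidence rather than reported as targeting.

```python
"""ShadowHammer-style MAC hash gating check (added example, constructed data).

Assumption: the implant hashes each adapter's raw 6-byte MAC with MD5 and
compares the hex digest against an embedded list. The real target list is
not reproduced here; TARGET_DIGESTS is built from made-up addresses.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List


def normalize_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def mac_digest(mac: str) -> str:
    """MD5 hex digest of the raw 6-byte address (assumed scheme)."""
    return hashlib.md5(normalize_mac(mac)).hexdigest()


# Constructed target list for the demo: digests of invented MACs.
TARGET_DIGESTS = {
    mac_digest("00:11:22:33:44:55"),
    mac_digest("00:50:56:c0:00:08"),
}

# Constructed "noise" set: addresses that appear on many machines (e.g. default
# virtual adapters). A hit here says little on its own; build this set from
# your own inventory rather than trusting the illustrative value below.
WIDELY_SHARED_MACS = {normalize_mac("00:50:56:c0:00:08")}


def classify_macs(macs: Iterable[str]) -> Dict[str, str]:
    """Map each MAC (canonical lower-case colon form) to a verdict:
    'targeted', 'targeted-but-widely-shared' or 'clear'."""
    verdicts: Dict[str, str] = {}
    for mac in macs:
        raw = normalize_mac(mac)
        canonical = ":".join(f"{b:02x}" for b in raw)
        if hashlib.md5(raw).hexdigest() not in TARGET_DIGESTS:
            verdicts[canonical] = "clear"
        elif raw in WIDELY_SHARED_MACS:
            verdicts[canonical] = "targeted-but-widely-shared"
        else:
            verdicts[canonical] = "targeted"
    return verdicts


def local_macs_linux() -> List[str]:
    """Enumerate adapter MACs on Linux via sysfs, skipping all-zero (loopback)."""
    macs = []
    for addr_file in Path("/sys/class/net").glob("*/address"):
        mac = addr_file.read_text().strip()
        if mac and mac != "00:00:00:00:00:00":
            macs.append(mac)
    return macs


if __name__ == "__main__":
    # Fall back to a constructed address when no adapters are visible.
    candidates = local_macs_linux() or ["00:11:22:33:44:55"]
    for addr, verdict in classify_macs(candidates).items():
        print(f"{addr}  {verdict}")
```

Run it on a host and every adapter gets a verdict; anything other than “clear” is worth confirming with the vendor’s own checker before concluding the machine was on the target list, since a shared address only proves the digest matched, not that the operators meant this machine.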
- James Quinn begins a series hosted at AT&T (AlienVault) about reversing Gh0stRAT used by Chinese actors. Gh0stRAT is a dropper, keylogger, and Event log cleaner which spreads using SMB.
The odd case of a Gh0stRAT variant
- Swee Lai Lee at Carbon Black posted a couple of times this week
- Swee shares MITRE ATT&CK technique IDs and IOCs related to the Vidar infostealer trojan, which looks to exfiltrate a variety of credentials, documents, and digital wallet files.
CB Threat Intelligence Notification: Vidar InfoStealer Trojan Aims to Steal Data Before Erasing Itself
- Swee also looks at a signed and verified CryptoMix Clop ransomware binary, which adds .clop or .ciop extensions to encrypted files and resizes, then deletes, the Volume Shadow Copies.
CB TAU Threat Intelligence Notification: CryptoMix Clop Ransomware Disables Startup Repair, Removes & Edits Shadow Volume Copies
- Darrel Rendell at Cofense describes the new Geodo/Emotet variant, dropped by JavaScript files rather than Word documents.
Emotet Update: New C2 Communication Followed by New Infection Chain
- Dileep Kumar Jallepalli at FireEye writes about exploitation of the WinRAR vulnerability, including RAR files delivering malicious VBScript; a second example uses a .lnk file whose icon is remotely hosted on a C2 server; another delivers the Empire backdoor.
WinRAR Zero-day Abused in Multiple Campaigns
- Stefano Antenucci and Antonio Parata at Fox-IT look at new evolutions of the PsiXBot banking trojan, which now include keystroke logging and Outlook credential stealing.
PsiXBot: The Evolution Of A Modular .NET Bot
- Nathan at Malwarebytes discusses the Android BatMobi adware, whose unwanted ad redirects began occurring in late January 2019.
Awakening the beast: BatMobi adware
- Mike Harbison at Palo Alto Networks writes about LockerGoga, which encrypts files and spreads via SMB. Mike has yet to hear of any victims who paid the ransom being able to successfully decrypt their files.
Born This Way? Origins of LockerGoga
- There were a couple of posts on the SANS Internet Storm Centre Handler Diaries
- Didier Stevens follows up on a post from last week where he showed that encrypted Excel files open without prompting for a password if they were encrypted with the password “VelvetSweatshop”. An examination of the shellcode streams shows this sample delivers Lokibot.
“VelvetSweatshop” Maldocs: Shellcode Analysis, (Mon, Mar 25th)
- Didier also looks at a PowerShell log where a 404 page got scored in VT as malware.
“404” is not Malware, (Sat, Mar 30th)
- Remco Verhoef discusses how to perform analysis of Golang binaries.
Annotating Golang binaries with Cutter and Jupyter, (Fri, Mar 29th)
- Symantec shares information about APT33 (Elfin) which has been targeting mainly Saudi Arabia and the USA across multiple sectors including government, scientific, and manufacturing sectors. The recent WinRAR vulnerability has been used, and both custom malware (Notestuk and Stonedrill backdoors) and commodity malware (Remcos and DarkComet backdoors) have been seen.
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
- The ASERT team at Netscout shares information about the LUCKY ELEPHANT group, which fakes website login pages in an attempt to steal credentials and has ties to Indian and Chinese APT groups.
LUCKY ELEPHANT Campaign Masquerading
- There were a couple of posts on the Trend Micro blog this week
- Joseph C Chen uncovers the Soula campaign compromising popular South Korean websites to steal user credentials.
Desktop, Mobile Phishing Campaign Targets South Korean Websites, Steals Credentials Via Watering Hole
- Erika Mendoza, Jay Yaneza, Gilbert Sison, Anjali Patil, Julie Cabuhat, and Joelson Soares share a new Emotet variant spreading laterally and distributing Nymaim, which then delivers Nozelesn ransomware.
Emotet-Distributed Ransomware Loader for Nozelesn Found via Managed Detection and Response
- Rohan Viegas recaps the recent VMRay webinar with Tamas Boczan and Jake Williams discussing malware evasion techniques.
SANS Webcast Recap: Dissecting Popular Malware Evasion Techniques
- There were a couple of posts on the Cybaze-Yoroi Z-LAB blog this week
- Luigi Martire, Davide Testa and Luca Mella look at Ursnif attacks where a document hosted on Google Drive downloads an image and malicious obfuscated VBScript.
The Ursnif Gangs keep Threatening Italy
- Antonio Farina and Luca Mella document the Qrypter malware-as-a-service Java RAT, which delivers AdWind.
Decrypting the Qrypter Payload
MISCELLANEOUS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted a few times this week
- This week’s Sunday Funday relates to evidence sources on the Google Cloud platform
Daily Blog #651: Sunday Funday 3/24/19
- Dave is seeking sponsors for the upcoming Unofficial DEFCON DFIR CTF. This was a lot of fun last year and the prizes were great
Daily Blog #652: Seeking Sponsor for the Unofficial Defcon DFIR CTF 2019
- Dave also tried to run a Test Kitchen broadcast to test SRUM, but it appears that there’s no sound.
Daily Blog #653: Forensic Lunch Test Kitchen 3/26/19
- Belkasoft shared details of the upcoming release of Belkasoft Evidence Center v9.5
Sneak Peek of Belkasoft Evidence Center 2019 v.9.5
- Christian at IT-Dad posted a couple of times this week
- Christian shares some information about the CEPOL (Collège Européen de Police, the European Police College) online training modules
Kostenlose IT-Forensik Kurse Teil V – CEPOL
- Christian also walks through the use of the AFLogical app on Santoku Linux to acquire data from an Android device
Android Sicherung mit Santoku Linux
- There were a couple of posts on Forensic Focus this week
- They recapped their top articles of the month
Digital Forensics News March 2019
- They interviewed Benjamin, the creator of Metadata Interrogator
Interview With Benjamin, Creator Of Metadata Interrogator
- Github user jerseyjuntollc shared their script for examining the resume.dat from uTorrent
jerseyjuntollc/datviewer: Python script for viewing and outputting the contents of the resume.dat
- Katie Nickels at ‘Katie’s Five Cents’ talks about self-promotion. This is something that I think is really valuable, but also really difficult to do. Personally, I think it’s worth everyone creating a website to document what they’ve done, what they’re doing, and what they want to do. Twitter/LinkedIn etc. are fine, but it’s so easy to create a website these days that it’s worth taking an hour to do it.
The Struggle between Self-Promotion and Humility
- Kristian Lars Larsen at Data Narro describes file carving and how it was used to recover some lost photographs
How ‘File Carving’ Saved My Scuba Vacation
- Marcos at ‘Un minion curioso’ comments on a recent Twitter interaction regarding determining whether a person is a qualified DFIR professional. Personally I’m not sure where I fall with regard to always having to call in a DFIR professional; generally speaking, I think that collection can be taught to non-professionals. However, if something needs to be analysed and presented, then the person doing it should have something to back up their claims (for example training, certification, or experience; not Joe from IT, who may or may not have the proof needed to get a student expelled).
#DFIR: Nobody asked you!
- Mark McKinnon has released and updated some of his Autopsy plugins
New Release of Autopsy Plugins
- Maxim Suhanov describes some instances where memory data can leak to disk
Forensic analysis of disclosed uninitialized kernel memory
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — March 17 to 23
- Seth Enoka has started a series on building a personal forensics lab in the cloud
Create a Personal Forensics Lab Part 1: The Primary Domain Controller
- Ted Smith at ‘X-Ways Forensics Video Clips’ will be releasing a couple of posts on the X-Ways Forensics API for beginners
Coming soon – The X-Ways Forensic API for beginners
- The Wearable Forensics Team at Champlain College provided an update on their project
Wearable Forensics Team Blog 3
- Yulia Samoteykina at Atola demonstrates how to view SMART data on the Atola TaskForce
Tracking a drive’s SMART table status before and after imaging
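The uTorrent resume.dat script listed earlier in this section (jerseyjuntollc/datviewer) works on a bencoded file: a dictionary keyed by .torrent filename whose values hold the download path and epoch timestamps. The following is an added example written for this roundup, not the datviewer script itself. It implements a small bencode decoder, pulls out the fields an examiner usually wants (path, caption, added/completed times as UTC, byte counters), and skips top-level bookkeeping keys that are not per-torrent records. The resume.dat it parses is constructed in the block with a matching encoder; the key names (path, caption, added_on, completed_on, downloaded, uploaded) are the ones this example assumes uTorrent writes.

```python
"""uTorrent resume.dat summariser (added example, constructed sample data).

Assumes resume.dat is a bencoded dictionary keyed by .torrent filename, each
value a dictionary with keys such as path, caption, added_on, completed_on
(epoch seconds, 0 = never) and downloaded/uploaded (byte counts).
"""
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple


def bdecode(data: bytes) -> Any:
    """Decode one bencoded value; reject trailing garbage."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def _decode(data: bytes, i: int) -> Tuple[Any, int]:
    c = data[i:i + 1]
    if c == b"i":                                    # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                    # list: l<items>e
        i += 1
        items: List[Any] = []
        while data[i:i + 1] != b"e":
            item, i = _decode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                                    # dict: d<key><value>...e
        i += 1
        d: Dict[bytes, Any] = {}
        while data[i:i + 1] != b"e":
            key, i = _decode(data, i)
            if not isinstance(key, bytes):
                raise ValueError("dictionary key must be a byte string")
            d[key], i = _decode(data, i)
        return d, i + 1
    if c.isdigit():                                  # string: <len>:<bytes>
        colon = data.index(b":", i)
        length = int(data[i:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("string length runs past end of data")
        return data[start:start + length], start + length
    raise ValueError(f"bad bencode at offset {i}")   # also hits on truncation


def bencode(obj: Any) -> bytes:
    """Minimal encoder, used here only to build the constructed sample."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode() if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def _ts(value: Any) -> Optional[str]:
    """Epoch seconds -> ISO-8601 UTC; 0 or missing means 'never'."""
    if not isinstance(value, int) or value <= 0:
        return None
    return datetime.fromtimestamp(value, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_resume(data: bytes) -> List[Dict[str, Any]]:
    """Return one summary record per torrent entry in a resume.dat blob."""
    root = bdecode(data)
    if not isinstance(root, dict):
        raise ValueError("resume.dat root is not a dictionary")
    entries = []
    for key, rec in root.items():
        if not isinstance(rec, dict):
            continue                                 # e.g. .fileguard, not a torrent
        entries.append({
            "torrent": key.decode("utf-8", "replace"),
            "path": rec.get(b"path", b"").decode("utf-8", "replace"),
            "caption": rec.get(b"caption", b"").decode("utf-8", "replace"),
            "added": _ts(rec.get(b"added_on")),
            "completed": _ts(rec.get(b"completed_on")),
            "downloaded": rec.get(b"downloaded", 0),
            "uploaded": rec.get(b"uploaded", 0),
        })
    return entries


# Constructed sample resume.dat: two torrents plus one non-torrent key.
SAMPLE_RESUME = bencode({
    ".fileguard": "constructed-placeholder",
    "ubuntu-18.04.2-desktop-amd64.iso.torrent": {
        "path": "C:\\Users\\alice\\Downloads\\ubuntu-18.04.2-desktop-amd64.iso",
        "caption": "ubuntu-18.04.2-desktop-amd64.iso",
        "added_on": 1553472000,        # 2019-03-25T00:00:00Z
        "completed_on": 1553475600,    # 2019-03-25T01:00:00Z
        "downloaded": 1921843200,
        "uploaded": 2400000000,
    },
    "still-downloading.torrent": {
        "path": "C:\\Users\\alice\\Downloads\\still-downloading",
        "added_on": 1553500000,
        "completed_on": 0,             # never completed
        "downloaded": 12345,
        "uploaded": 0,
    },
})

if __name__ == "__main__":
    for entry in parse_resume(SAMPLE_RESUME):
        print(entry)
```

To run it against a real file, replace SAMPLE_RESUME with the bytes read from the user’s resume.dat; the timestamps come out in UTC, so convert to the examiner’s or the user’s local zone only at reporting time.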
SOFTWARE UPDATES
- Cellebrite released UFED Cloud Analyzer version 7.7, adding support for some more cloud data sources
Slack and Lyft Now Supported, More Data from Google My Activities
- CyLR 2.1.2 Beta was released
2.1.2_beta
- Didier Stevens updated his pecheck Python script to version 0.7.6
Update: pecheck.py Version 0.7.6
- Eric Zimmerman updated AmcacheParser, LECmd, JLECmd, and JumpList Explorer
ChangeLog
- ExifTool 11.33 was released with a number of new tags and bug fixes
ExifTool 11.33
- GetData released Forensic Explorer v4.6.8.8432
28 Mar 2019 – v4.6.8.8432
- Magnet Forensics released AXIOM v3.0 with a variety of updates including APFS and macOS artefacts, an updated timeline generator, and much more.
Find More Evidence That Matters with Magnet AXIOM 3.0
- Maxim Suhanov updated his dfir_ntfs file system parser to v1.0.0-beta8
1.0.0-beta8
- “A new version of MISP (2.4.105) has been released to fix a security vulnerability (CVE-2019-10254) in addition to some minor improvements and a fix for the STIX 1.1 import, enabling the import of files with additional namespaces (such as CISCP).”
MISP 2.4.105 released (aka security fix for CVE-2019-10254)
- Forensic Express 6.1 Beta was released
Forensic Express 6.1 Beta Released
- Skadi 2019.2 was released with a number of new features and tool updates
Skadi 2019.2
- Omer Yampel released Beagle, “an incident response and digital forensics tool which transforms data sources and logs into graphs.”
Beagle
- Event Log Explorer v4.8 was released
Check out @eventlogxp’s Tweet
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!