Thanks to Lodrina for her contributions
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Richard Frawley at ADF posted a couple of articles this week
  - He describes how to perform a RAM capture
  Collect RAM on a Live Computer
  - He also demonstrates how to use DEI to boot-scan an unencrypted Mac
  Digital Forensic Boot Scan a Mac with APFS
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares the Volatility command line for parsing memory from VMware machines.
How to analyze a VMware memory image with Volatility
- Brian Maloney posted a couple of times this week
  - He documents some of the data stored in Symantec logs and quarantine files
  All things Symantec
  - Brian also shows how to copy locked OST files if the provided esentutl command fails
  Copying locked OST files
- Oleg Skulkin and Igor Mikhaylov at Cyber Forensicator tested Telegram’s ability to delete messages from both devices in a conversation and demonstrate that the data may still be recoverable from the database’s associated WAL file
Deleting Any Message from Both Ends in Telegram: How Will It Impact Mobile Forensics?
- Justin Boncaldo looks into the underlying structure of the Instagram Windows Store app
Instagram Forensics - Windows App Store
- Ulf Frisk at “Security | DMA | Hacking” introduces LeechAgent, which is “a 100% free open source endpoint solution geared towards remote physical memory acquisition and analysis on Windows endpoints in Active Directory environments.”
Introducing the LeechAgent
THREAT INTELLIGENCE/HUNTING
- Chris Prall at Carbon Black discusses what a mature threat hunting program looks like and references their webinar with Red Canary.
Keys to Mature to a Level 4 Threat Hunting Program
- Harlan Carvey at CrowdStrike shares examples of Mimikatz being used by attackers, including the unusual case of deployment through WMIC.exe.
Mimikatz in the Wild: Bypassing Signature-Based Detections Using the “AK47 of Cyber”
- Samuel Alonso reviews frameworks that can be used in cyber security hunting, including OODA, the Pyramid of Pain, and the Detection Maturity Model.
Active Cyber Defence: deception and attacker control (2)
- BlackBerry Cylance found backdoors from the OceanLotus APT group (aka APT32 or Cobalt Kitty) being delivered via a .png file.
Report: OceanLotus APT Group Leveraging Steganography
- David Dym at EasyMetaData demonstrates how to use PowerShell to identify DLLs without certs
Lets use PowerShell to review DLL’s without certs
- Hexa at Brokesec writes about checking Dionaea logs with grep, why to zero in on certutil, and why you should pay attention to wget and curl.
On The Virtues Of Log Checking
- HolisticInfoSec looks at graphing data for DFIR with Beagle and shares nice animations of what correlated Procmon data and red team activity look like.
Beagle: Graph transforms for DFIR data & logs
- Andy Gu at Spotify Labs shares how they have implemented GRR in their environment
Whacking a million moles: Automated Incident Response Infrastructure in GCP
- MENASEC looks at how to detect browser credential dumping, including examining Event ID 4663 (object access) entries.
Credential Access – Detecting Browser’s secrets stealing
- Red teams take note: Rob Bone at Nettitude Labs has released an update to PoshC2 Python.
Introducing PoshC2 v4.8 – includes C# dropper, task management and more! – Part One
- Red Canary had a few posts this week
  - Brian Donohue discusses spearphishing attachments (T1193), some well-known examples of the technique, and how to detect it.
  #5 Technique: Spearphishing Attachment (T1193)
  - Brian also writes about connection proxies (T1090) as a method for exfil, and their use by Duqu and APT10.
  #4 Technique: Connection Proxy (T1090)
  - Casey Smith writes about testing PowerShell and Regsvr32 using Atomic Red Team.
  Testing the Top MITRE ATT&CK Techniques: PowerShell, Scripting, Regsvr32
- Chris Crowley at Risk, Failure, Survival revisits weird DNS requests and uses Process Monitor to examine what was going on.
Instrumenting OS for Per Process DNS Query Inspection
- Xavier Mertens at the SANS Internet Storm Centre shares hits on a rule created to identify ShellShock activity.
New Waves of Scans Detected by an Old Rule, (Thu, Apr 4th)
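Dym’s post above is about spotting DLLs that carry no Authenticode signature. The sweep below is an added example written for this roundup, not Dym’s own script: it recurses a directory, keeps every DLL whose signature status is anything other than Valid, and records the status, signer and SHA-256 so the hits can be triaged against a known-good baseline. The starting directory (`$env:LOCALAPPDATA`) is an assumption; it is a reasonable first stop because side-loaded or dropped DLLs tend to land in user-writable paths.

```powershell
# Added example (not David Dym's code): sweep a directory tree for DLLs whose
# Authenticode signature is missing or does not verify, and summarise by status.
function Get-UnsignedDll {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Anything not in this list is reported; widen it (e.g. add 'UnknownError')
        # if you only care about NotSigned / HashMismatch.
        [string[]] $AcceptableStatus = @('Valid')
    )

    Get-ChildItem -LiteralPath $Path -Filter '*.dll' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # $sig.Status is a SignatureStatus: Valid, NotSigned, HashMismatch,
            # NotTrusted, NotSupportedFileFormat, UnknownError, Incompatible
            if ($AcceptableStatus -notcontains $sig.Status.ToString()) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Status    = $sig.Status
                    StatusMsg = $sig.StatusMessage
                    Signer    = $sig.SignerCertificate.Subject   # $null when NotSigned
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    LastWrite = $_.LastWriteTimeUtc
                }
            }
        }
}

# Usage: start with user-writable locations where a dropped or side-loaded DLL is likely.
# Caveat: many Microsoft binaries are catalog-signed rather than embedded-signed; on older
# Windows builds Get-AuthenticodeSignature reports those as NotSigned, so a System32 sweep
# must be compared against a clean reference host rather than read as a list of bad files.
$findings = Get-UnsignedDll -Path "$env:LOCALAPPDATA"

$findings | Group-Object Status | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Most recently written unsigned DLLs first; recent + unsigned + unusual path is the triage cue
$findings | Sort-Object LastWrite -Descending | Select-Object -First 20 |
    Format-Table LastWrite, Status, Path -AutoSize
```

The SHA-256 column is there so that anything interesting can be checked against your own malware repository or a reputation service without touching the file again.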
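The MENASEC post above uses Security Event ID 4663 to catch processes reading browser credential stores. The script below is an added example for this roundup, not MENASEC’s own detection logic: it pulls 4663 events, parses the EventData fields from the XML, matches ObjectName against the credential store paths for Chrome, Edge and Firefox, and flags any access where the accessing process is not the browser that owns the store. The path patterns and owner process names are assumptions based on default installs. Note the prerequisite: 4663 is only written when "Audit File System" is enabled and the profile directory carries a SACL auditing read access; without both, nothing below will ever match.

```powershell
# Added example (not from the MENASEC post): hunt Security 4663 for reads of browser
# credential stores by something other than the browser itself.
# Prerequisites: auditpol "Object Access > File System" enabled, plus a SACL on the
# browser profile directories that audits ReadData for Everyone.

# Assumed default-install locations of the credential stores and the process that
# legitimately opens each one.
$CredentialStores = @(
    @{ Pattern = '\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$';            Owner = 'chrome.exe'  }
    @{ Pattern = '\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$';           Owner = 'msedge.exe'  }
    @{ Pattern = '\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$'; Owner = 'firefox.exe' }
)

function Get-BrowserSecretAccess {
    [CmdletBinding()]
    param(
        [datetime] $Since   = (Get-Date).AddDays(-1),
        [string]   $LogName = 'Security'          # or a saved .evtx via -Path in the filter
    )

    $filter = @{ LogName = $LogName; Id = 4663; StartTime = $Since }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten <Data Name="...">value</Data> into a hashtable keyed by Name
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        foreach ($store in $CredentialStores) {
            if ($d.ObjectName -match $store.Pattern) {
                $proc = [System.IO.Path]::GetFileName($d.ProcessName)
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Process    = $d.ProcessName
                    Pid        = [Convert]::ToInt32($d.ProcessId, 16)   # logged as hex, e.g. 0x1a4c
                    Object     = $d.ObjectName
                    AccessMask = $d.AccessMask                           # 0x1 = ReadData
                    # The browser reading its own store is normal; anything else is not
                    Suspicious = ($proc -ne $store.Owner)
                }
            }
        }
    }
}

# Usage: last seven days, suspicious hits only
Get-BrowserSecretAccess -Since (Get-Date).AddDays(-7) |
    Where-Object Suspicious |
    Sort-Object Time |
    Format-Table Time, User, Process, Object -AutoSize
```

The owner check is deliberately simple: a tool that copies the SQLite file from the browser process itself (via injection) will still show `chrome.exe` as the accessor, so treat this as one signal alongside process ancestry and command-line telemetry rather than as a complete detection.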
UPCOMING WEBINARS/CONFERENCES
- The Cylance team will be presenting their 2019 threat report highlights on April 11, 2019, 8:00 AM PDT
Webinar: BlackBerry Cylance 2019 Threat Report Highlights
- Eric Oldenburg at Griffeye will be presenting on facial recognition in Analyze DI Pro on April 25, 2019 at 3 pm CEST (9 am Eastern)
Webinar: Face Recognition in Analyze DI Pro
- The programme for the 29th annual Virus Bulletin conference (VB2019, October 2019) has been announced!
VB2019 conference programme announced
PRESENTATIONS/PODCASTS
- Andreas Sfakianakis shared his presentation from the 2019 FIRST CTI conference
Check out @asfakian’s Tweet
- Brett Shavers shared his interview on “The Many Hats Club” podcast
Working in DFIR is glamorous, but mostly only to those not working in DFIR…
- On this week’s Digital Forensic Survival Podcast, Michael covers some things to consider in interviews for DFIR positions
DFSP # 163 – DFIR Job Interviews
- Forensic Focus shared Michael Thompson and Timothy Vidas’ presentation from DFRWS US 2018
CGC Monitor: A Vetting System For The DARPA Cyber Grand Challenge
- Hasherezade demonstrates how to unpack a sample of Gozi (ISFB)
Unpacking ISFB (including the custom ‘PX’ format)
- Jamey Tubbs shared his presentation from the 2019 Magnet User Summit on memory forensics
From Dead Box to Live Memory: Breathing Context into Forensic Investigations
- Richard Davis at 13Cubed walks through the use of the EventFinder2 event log examination tool
EventFinder2 Demo
- I posted my ‘This Month in 4n6’ podcast for March. Apologies for the sound quality; long story short, it recorded with my PC laptop mic instead of the one I had connected and I didn’t have time to re-record
This Month In 4n6 – March – 2019
- The presentations from TROOPERS 2019 were uploaded to YouTube
- Yogesh Khatri shared his presentation slides and tools from Magnet User Summit 2019
Check out @SwiftForensics’s Tweet
MALWARE
- Malware hit the news this week. Check out some of the press coverage you may have missed
  - Kim Zetter writes in the Washington Post about proof-of-concept hospital malware that injected images of malignant growths into CT and MRI scans; the same malware could alternatively make a scan appear benign when it isn’t.
  Hospital viruses: Fake cancerous nodes in CT scans, created by malware, trick radiologists
  - Numerous outlets, including Malwarebytes, covered Yujing Zhang being detained at Mar-a-Lago carrying a thumb drive with unidentified “malicious malware” along with four cell phones, a laptop, and an external hard drive.
  Chinese woman carrying malware arrested at Mar-a-Lago
  - Nicole Wetsman at The Verge documents a WannaCry ransomware simulation at an Arizona hospital.
  Health Care’s Huge Cybersecurity Problem
- A report covers the Tick Group downloaders, backdoors and keyloggers associated with targeted attacks in Korea and Japan.
The reality of the targeted attacks deployed in both Korea and Japan
- Jaime Blasco and Chris Doman at AT&T Cybersecurity/AlienVault break down Xwo, a Python-based bot scanner and credential stealer which appears to be related to Xbash and MongoLock.
Xwo – A Python-based bot scanner
- Carbon Black had a number of posts this week
  - Swee Lai Lee shares GandCrab 5.2 analysis along with the ransom note and desktop seen by the user.
  CB TAU Threat Intelligence Notification: GandCrab 5.2 Ransomware Attempts to Delete Volume Shadow Copies
  - Tom Kellermann introduces the next Global Incident Response Threat Report (16 page PDF), leading with “island hopping”, where attackers use their foothold in one organisation to move into related networks.
  Carbon Black’s Global Incident Response Threat Report: The Ominous Rise of “Island Hopping” & Counter Incident Response Continues
  - Jared Myers, Taree Reardon, and Kevin Knowles review two recent Emotet campaigns, including the JS dropper variant.
  CB TAU Threat Intelligence Notification – Recent Emotet Campaign Leverages Phishing, PDFs & Droppers Impersonating Legitimate Applications
  - Swee Lai Lee shares how a .zip archive containing a VBS downloader delivers TrickBot.
  CB TAU Threat Intelligence Notification: Email VBS Downloader Connects to C2 Server, Downloads Trickbot Payload
  - Takahiro Haruyama provides details about the APT28 downloaders SedUploader and Zebrocy.
  CB TAU Threat Intelligence Notification: Hunting APT28 Downloaders
- Max Gannon at Cofense shows how an exe delivered without its MZ header was weaponized afterwards by adding the header once the rest of the file was already on disk.
This ‘Broken’ File Hides Malware Designed to Break Its Targets
- Alex Davies at Countercept looks at Microsoft Office macros, their VBScript payloads, and what this activity looks like in EDR.
Dechaining Macros and Evading EDR
- There were a couple of posts on the Cybereason blog this week
  - Noa Pinkas, Lior Rochberger, and Matan Zatz describe how Emotet is not only a banking trojan but can also deliver TrickBot, and ultimately Ryuk ransomware.
  Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
  - The team also released a summary of the Emotet dropper, TrickBot information stealer, and Ryuk ransomware attacks.
  A One-two Punch of Emotet, TrickBot, & Ryuk Stealing & Ransoming Data
- Dan at ‘Laser Kittens’ reversed the Clop ransomware binary, writing a deobfuscator for the resource that deletes Volume Shadow Copies.
Deobfuscating Clop ransomware resources
- Didier Stevens shows (5 mins) how to use his Python scripts to analyse PDFs created with OpenOffice/LibreOffice.
Analysis of PDFs Created with OpenOffice/LibreOffice
- Didier also walks through (10 mins) the analysis of an Excel 4.0 macro.
Maldoc Analysis: Excel 4.0 Macro
- Brendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, and Douglas Bienstock at FireEye review a FIN6 intrusion at an engineering customer, finding both LockerGoga and Ryuk ransomware at play.
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
- Hats Off Security continues their Wireshark basics, explaining how to follow a stream.
Wireshark – More Basics
- Leonid Grustniy at Kaspersky shares a case of macOS users being put at risk by pirated versions of the Little Snitch firewall. The attackers bundle the Mono framework so that the malicious .exe can run on macOS.
An EXE infection for your Mac
- Vibhav Dudeja at Lucideus posted a couple of articles on iOS app internals, which may be useful for those trying to reverse engineer them
- MalwareTech analyses CVE-2019-0666, a heap overflow in VBScript’s regular expression handling that can lead to remote code execution.
Analysis of a VB Script Heap Overflow (CVE-2019-0666)
- Marco Ramilli looks at a Microsoft Office payload, including its use of the “autoopen()” macro and Movfuscator, used to deliver Emotet.
Step By Step Office Dropper Dissection
- Ryan Campbell at ‘Security Soup’ notes the shift in Emotet to using a .zip file with JavaScript inside.
A Quick Look at Emotet’s Updated JavaScript Dropper
- Jim Clausing at the SANS Internet Storm Centre Handler Diaries shares Ghidra tips for users more familiar with IDA.
A few Ghidra tips for IDA users, part 0 – automatic comments for API call parameters, (Wed, Apr 3rd)
- There were a couple of posts from Securelist this week
  - They look at the latest Roaming Mantis campaign, with phishing attacks on iOS and Android.
  Roaming Mantis, part IV
  - They also share information about the BasBanke Brazilian banking trojan for Android.
  BasBanke: Trend-setting Brazilian banking Trojan
- Security Art Work shares analysis of an .xlsm spreadsheet claiming to be from the US Department of State.
Military Financing Maldoc: análisis
- Aesol Kim at Threat Recon writes about an APT group using .cab files to get past UAC.
Threat Actor Group using UAC Bypass Module to run BAT File
- There were a number of posts from Trend Micro this week
  - Matsukawa Bakuei, Ryan Flores, Vladimir Kropotov, and Fyodor Yarochkin discuss malware in the age of the industrial internet of things (IIoT), covering threats to ICS and manufacturing environments.
  Malware in Smart Factories: Top Security Threats to Manufacturing Environments
  - Mark Vicente, Byron Galera, and Augusto Remillano share new developments in the Bashlite (aka Gafgyt / Lizkebab / Qbot / Torlus / LizardStresser) IoT malware, which now targets WeMo UPnP-enabled devices.
  Bashlite IoT Malware Updated with Mining and Backdoor Commands, Targets WeMo Devices
  - Hara Hiroaki, Lilang Wu, and Lorin Wu look at a new version of XLoader for Android and iOS and its C2 infrastructure.
  New Version of XLoader That Disguises as Android Apps and an iOS Profile Holds New Links to FakeSpy
  - Samuel P Wang shows how SingleFile, a browser extension for saving web pages, is being abused by phishing actors to build convincing copies of legitimate login pages that trick users into entering their credentials.
  Phishing Attack Uses Browser Extension Tool SingleFile to Obfuscate Malicious Log-in Pages
- There were a couple of posts on the Yoroi blog this week
  - They test-drive Ghidra for analysis using an AZORult sample.
  Ghidra SRE: The AZORult Field Test
  - They also map the ATT&CK techniques associated with different versions of the Ursnif campaigns seen since the beginning of 2018.
  Ursnif: The Latest Evolution of the Most Popular Banking Malware
MISCELLANEOUS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ continued his daily blogging
  - Since no one answered last week’s Sunday Funday, Dave has posted it again this week
  Daily Blog #654: Sunday Funday 3/31/19
  - The winners of the Magnet User Summit CTF were announced
  Daily Blog #655: Magnet User Summit DFIR CTF 2019 Results
  - There was a Forensic Lunch where Dave, Matt, Jess, and Jad recapped the CTF with the winner, Kevin Pagano, and gave an overview of what Magnet has been up to with their latest releases
  Daily Blog #656: Forensic Lunch 4/3/19 Live from MUS2019
  - And the CTF was opened to the public
  Daily Blog #657: MUS2019 DFIR CTF open to the public
  - It wasn’t long before a perfect score was achieved
  Daily Blog #658: MUS 2019 DFIR CTF Perfect Score Achieved
- Zach Stanford has written up how he answered the questions in the Mobile section
Writeup: Magnet User Summit DFIR CTF 2019-Mobile
- And Tony at AboutDFIR shared his impressions of the entire Magnet User Summit
Magnet User Summit 2019 Impressions
- Justin Matsuhara at BlackBag Technologies explains how Mobilyze can be used to help investigators acquire mobile data, freeing up an examiner’s time. Something important to mention, and I think BlackBag does this, is that if vendors are pushing a tool to non-forensics folks then they need to be including the training as well. In Australia at least, we had a case where an untrained officer used a forensics tool to present data in court and it was thrown out because they weren’t qualified to interpret the data.
What’s In Your Toolbox For Mobile Devices?
- Brett Shavers at DFIR.Training responds to a tweet asking where to start your investigation. Generally speaking, the first thing you should do is identify what you’ve got and what you need to do.
Coffee first, then the analysis
- Cellebrite released their law enforcement industry survey.
Industry Survey
- Christian at IT-Dad looks at the LinkedIn Learning courses related to computer forensics (in German)
Kostenlose IT-Forensik Kurse Teil VI – LinkedIn Learning
- David Dym at EasyMetaData shows how to create a registry entry that opens a file in MDViewer directly from the Explorer right-click menu.
Opening files in MDViewer from the explorer context menu
- There were a few posts on Forensic Focus this week
  - Christa Miller shares some advice for those who want a career in digital forensics
  Career Paths In Digital Forensics
  - Mattia Epifani recaps Techno Security CA 2019
  Techno Security And Digital Forensics Conference CA 2019 – Recap
  - Chirath De Alwis provides an overview of the Windows registry
  Windows Registry Analysis 101
- Hadar Yudovich comments on his experience trying to solve the Defcon DFIR CTF using only KAPE. Hadar also went a step further and has pushed a lot of good stuff back to the repo so that we can all benefit from his testing
KAPEing for fun and profit
- Kevin Pagano at Stark 4N6 shares his experience at BloomCON 0x04
BloomCON 0x04 Recap
- Jad Saliba at Magnet Forensics announces that the folks at Magnet will be posting their nominations for the upcoming Forensic 4:cast Awards
Our Nominations for This Year’s Forensic 4:cast Awards
- Chris Crowley advises of the future plans for his SOC Management class (formerly SANS MGT517: Managing Security Operations: Detection, Response, and Intelligence)
Security Operations Class Status
- Seth Enoka continues building a personal forensics lab by adding a secondary domain controller
Create a Personal Forensics Lab Part 2: The Secondary Domain Controller
- Yulia Samoteykina at Atola demonstrates how to image a source drive to E01 format with SHA1 and MD5 hashing
Imaging to an E01 file with dual hash
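Dym’s MDViewer post above is about adding a context-menu entry for a viewer. The script below is an added example for this roundup, not Dym’s own instructions: it registers a per-user Explorer verb under `HKCU\Software\Classes\*\shell`, which applies to every file type for the current user and needs no admin rights, and pairs it with a removal function so the change can be backed out cleanly. The viewer path and the verb/menu names are assumptions; point `$ViewerPath` at wherever MDViewer.exe actually lives.

```powershell
# Added example (not from David Dym's post): register and remove a per-user Explorer
# right-click verb that passes the selected file to a viewer executable.
function Add-ExplorerOpenWith {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ViewerPath,            # e.g. MDViewer.exe (assumed location)
        [string] $VerbName = 'OpenWithMDViewer',                 # registry key name, no spaces
        [string] $MenuText = 'Open in MDViewer'                  # text shown in the context menu
    )
    if (-not (Test-Path -LiteralPath $ViewerPath)) { throw "Viewer not found: $ViewerPath" }

    # The .NET registry API is used because '*' is a wildcard to PowerShell's registry
    # provider, which makes New-Item / Set-ItemProperty on this path awkward.
    $hkcu = [Microsoft.Win32.Registry]::CurrentUser
    $verb = $hkcu.CreateSubKey("Software\Classes\*\shell\$VerbName")
    try {
        $verb.SetValue('', $MenuText)           # default value = menu caption
        $verb.SetValue('Icon', $ViewerPath)     # reuse the exe's icon next to the caption
        $cmd = $verb.CreateSubKey('command')
        try {
            # %1 is replaced by the full path of the right-clicked file; quote both parts
            $cmd.SetValue('', "`"$ViewerPath`" `"%1`"")
        }
        finally { $cmd.Close() }
    }
    finally { $verb.Close() }
}

function Remove-ExplorerOpenWith {
    [CmdletBinding()]
    param([string] $VerbName = 'OpenWithMDViewer')
    # Second argument $false: do not throw if the key is already gone
    [Microsoft.Win32.Registry]::CurrentUser.DeleteSubKeyTree("Software\Classes\*\shell\$VerbName", $false)
}

# Usage (path is an assumption). Explorer picks the new verb up immediately.
Add-ExplorerOpenWith -ViewerPath "$env:ProgramFiles\MDViewer\MDViewer.exe"
# Remove-ExplorerOpenWith
```

Writing under HKCU rather than HKEY_CLASSES_ROOT keeps the change scoped to the analyst’s own profile on a shared workstation, which is also where you want it if the examination machine is rebuilt between cases.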
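The Atola post above is about imaging with dual (MD5 and SHA-1) hashing. The function below is an added example for this roundup, not Atola’s code: it shows what a dual-hash imager does on the read side, feeding each chunk of the source to both digest objects so the evidence is read exactly once and both hashes are provably computed over the same bytes. Running `Get-FileHash` twice would read the source twice, which is slow on large images and, on a failing drive, not guaranteed to return identical data. The image path in the usage line is an assumption.

```powershell
# Added example (not Atola's code): one read pass, two digests, as a dual-hash imager does.
function Get-DualHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $LiteralPath,   # raw image (dd) or other file to hash
        [int] $BufferSize = 4MB
    )
    $md5  = [System.Security.Cryptography.MD5]::Create()
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    # FileShare.ReadWrite allows hashing a file another tool still has open
    $stream = [System.IO.File]::Open($LiteralPath,
                                     [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read,
                                     [System.IO.FileShare]::ReadWrite)
    try {
        $buffer = New-Object byte[] $BufferSize
        $total  = 0L
        while (($read = $stream.Read($buffer, 0, $buffer.Length)) -gt 0) {
            # Same chunk into both hashers: no second pass over the source
            [void]$md5.TransformBlock($buffer, 0, $read, $null, 0)
            [void]$sha1.TransformBlock($buffer, 0, $read, $null, 0)
            $total += $read
        }
        # Finalise with an empty block; .Hash is then populated on each object
        [void]$md5.TransformFinalBlock($buffer, 0, 0)
        [void]$sha1.TransformFinalBlock($buffer, 0, 0)

        [pscustomobject]@{
            Path  = $LiteralPath
            Bytes = $total
            MD5   = ([System.BitConverter]::ToString($md5.Hash)  -replace '-').ToLower()
            SHA1  = ([System.BitConverter]::ToString($sha1.Hash) -replace '-').ToLower()
        }
    }
    finally {
        $stream.Dispose(); $md5.Dispose(); $sha1.Dispose()
    }
}

# Usage: verify an acquisition by comparing against the hashes the imager recorded
# alongside the E01 (path is an assumption).
Get-DualHash -LiteralPath 'D:\evidence\case01\disk.dd' | Format-List
```

The same TransformBlock pattern extends to any number of algorithms; adding SHA-256 is one more `Create()` and one more `TransformBlock` call per chunk, with no extra read of the evidence.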
SOFTWARE UPDATES
- Plaso was updated to v20190331. “Most of the changes in this release are under-the-hood improvements”
Plaso 20190331 released
- Cyber Triage 2.6 was released, improving collection speeds with custom scans, improving Volatility integration, and more
Collect Faster by Collecting Less
- MDViewer 1.1 was released with a new simple view display option and bug fixes.
MDViewer 1.1 released #dfir #metadata
- Eric Zimmerman updated Registry Explorer
ChangeLog
- ExifTool 11.34 was released with a number of new tags and bug fixes
ExifTool 11.34
- Oxygen Forensics released Detective v11.3, adding support for the MyParrot (drone) cloud
Oxygen Forensics Launches Industry Exclusive Drone Update
- Omer Ben-Amram shared a Rust-based “parser for the Windows XML Event Log (EVTX) format”
Check out @OBenamram’s Tweet
- Passware Kit 2019 v2 was released and “extracts passwords and other data from macOS iCloud keychains, decrypts VeraCrypt volumes for Linux, and supports an additional LUKS encryption type”, as well as other new features.
Passware Kit 2019 v2
- Radare2 v3.4.1 was released with a number of changes and fixes
3.4.1
- Regipy v1.0.4 was released with some bug fixes
Serialization bugfixes
- Velociraptor v0.2.9 was released with a number of new features
Release 0.2.9
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!