As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Brian Moran has updated the BriMor Live Response Collection to include many more Mac artifacts, including logs and browser history; there are a few Windows collection updates as well!
  Live Response Collection – Cedarpelta
- Danny Garcia at Cellebrite gives an overview of drone examination
  Data in the Sky – Drone Extraction and Analytics
- Gabriele Zambelli at ‘Forense nella Nebbia’ shares his “findings about an extension-less SQLite database named frame_database belonging to the Nest app for Android installed on the mobile device found at crime scene.”
  Nest camera app (DFRWS2018 Challenge)
- Hideaki Ihara at port139 posted a couple of times this week
  - He tests event ID 4624 logon type 3 logging by Network Level Authentication (NLA)
    RDP NLA and ID 4624 Logon Type3
  - Hideaki also changes “the ACL of the object on AD and check ADTimeline.”
    AD ACL and ADTimeline
- Jack Farley provides an overview of JTAG, ISP, and Chip Off extractions
  Basic Overview of JTAG, ISP, and Chip Off Extractions
- Costas has updated his Windows Timeline paper to accommodate the addition of clipboard data in the Timeline as of the next version of Win10
  Check out @sv2hui’s Tweet
- Ryan Benson at dfir.blog takes a look at the beta of Chromium-Based Edge and finds that it’s very similar to the current version of Chrome
  A First Look at Chromium-Based Edge
- Volume 28 of the Journal of Digital Investigation was released
- Darldefender shares a list of MacOS artefacts, as well as their experience using X-Ways
  Brief Introduction to MacOS Forensics
THREAT INTELLIGENCE/HUNTING
- Sam Yoon at Carbon Black provides an overview of steganography, including creation and detection tools
  Steganography in the Modern Attack Landscape
- Check Point Research covers Iranian APT MuddyWater and a recent spear-phishing campaign targeting Belarus, Turkey, and Ukraine.
  The Muddy Waters of APT Attacks
- Chronicle performs “cyber-paleontology” and examines data from old infections to draw new conclusions, including associating GOSSIPGIRL with Stuxnet, insights into Duqu, and more accurately backdating Flame 2.0.
  Who is GOSSIPGIRL?
- Jason Meurer at Cofense shares details of recent email templates used by the Emotet gang
  Emotet Gang Switches to Highly Customized Templates Utilizing Stolen Email Content from Victims
- Steve Miller, Nathan Brubaker, Daniel Kapellmann Zafra, and Dan Caban at FireEye update their research into the Triton threat actor
  TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping
- Ioana Rijnetu provides an overview of a new spear-phishing campaign by the MuddyWater threat actor
  Security Alert: New Spear Phishing Campaign Operated by the MuddyWater Group
- Intezer have released an endpoint analysis solution within their Intezer Analyze platform
  Scan the Memory of Entire Endpoints using Genetic Malware Analysis
- Jeffrey Esposito at Kaspersky Lab comments on the real-world effect on IR firms of providing attribution in their analysis
  The complexities of public attribution
- Wouter Stinkens at NVISO Labs describes the various logs available in Azure
  Azure Security Logging – part I: defining your logging strategy
- Olaf Hartong created an ATT&CK data source assessment for blue teams, born from work helping clients take their data and figure out their ATT&CK coverage. Olaf releases an Excel file and a PowerShell module to help score the potential value of data.
  Assess your data potential with ATT&CK Datamap
- Jake Godgart at Rapid7 shares the three major findings from their quarterly threat report
  Q4 Threat Report: Analyzing the Top 3 Advanced Threats and Detection Techniques
- Red Canary takes an excerpt out of their 2019 Threat Detection Report to look at adversaries, including Ocean Lotus and APT19, using Regsvr32.
  #3 Technique: Regsvr32 (T1117)
- Cody Thomas at SpecterOps examines how to leverage JavaScript for Automation (JXA) for macOS red teaming.
  Folder Actions for Persistence on macOS
- Justin Vaicaro at TrustedSec covers the basics of hunting, including enrichment of IoCs and profiling threat actors.
  Indicators of Compromise – Hunting for Meaning (Part 1)
- Justin continues the blog series with how to use threat intel and pivot on that data.
  Indicators of Compromise – Hunting for Meaning (Part 2)
- Zachary Burnham builds on a prior post about Monitoring CentOS Endpoints with Filebeat + ELK by using Filebeat Elasticsearch index templates.
  Using Default Filebeat Index Templates with Logstash
UPCOMING WEBINARS/CONFERENCES
- Ashley Hernandez at BlackBag Technologies will be hosting a webinar on tips and tricks for BlackLight on Thu, Apr 25, 2019, 6:00 PM – 7:00 PM GMT
  Timesaving Forensic Techniques for your Next Case
- Ben Armon, Keren Carmeli, and Muna Assi at Cellebrite will be hosting a webinar on the results of their industry survey on April 24, 2019 at 10AM (New York)/3PM (London) and April 25, 2019 at 11AM (Singapore)/1PM (Sydney)
  Getting Ready for the Future of Digital Investigations: From Evidence to Intelligence
- Registration is open for HTCIA 2019, held September 22-25, 2019 in Chicago, USA
  2019 HTCIA International Conference and Expo
- The SANS Threat Hunting and Incident Response Summit 2019 CFP closes May 6, 2019 at 5 p.m. CST
  “SANS Threat Hunting and Incident Response Summit 2019 Call for Speakers – Deadline 5/6”
PRESENTATIONS/PODCASTS
- Vladimir Katalov’s SecTor 2019 presentation on Alexa was posted
  Here’s How We Know Exactly What Alexa Is Hearing
- Michael Cohen shared his presentation on Velociraptor from Crikeycon 2019
- On this week’s Digital Forensic Survival Podcast, Michael talks “about the investigative value of creating a mobile compromise assessment strategy.”
  DFSP # 164 – Mobile Device Compromise Assessment
- The videos from 2019 Insomni’hack have been posted
- Alex Parsons shares his updated slides from BSides Orlando on O365 incident response
  Check out @ParsonsProject’s Tweet
- SANS shared David J. Bianco’s presentation from the SANS CTI Summit 2019
  Quality Over Quantity: Determining Your CTI Detection Efficacy – SANS CTI Summit 2019
MALWARE
- From malware safety basics (inserting an unknown thumb drive into your machine) to cutting-edge analysis, there was a lot of malware in the news this week.
- News articles about the USB inserted by a Secret Service agent into a computer, which started installing malware; the analyst “had to immediately stop the analysis and shut off” the computer.
  Examination of the Mar-a-Lago USB
- The Kaspersky SAS was held in Singapore last week; recap the latest buzz with #THESAS2019
  Kaspersky Security Analyst Summit
- Cylance recaps the Upatre infostealer/dropper, first seen in 2013 and peaking in 2015, including the encryption and obfuscation techniques employed.
  BlackBerry Cylance vs. Upatre Downloader and Infostealer
- z3roTrust also writes about new Flame analysis.
  Burned Again by Flame 2.0
- Adam at Hexacorn reviewed reversing techniques, including gathering data with Google and FTP to collect libraries and SDKs.
  Reversing w/o reversing – how to become Alex in practice
- Adam follows up the reversing post by looking at early malware, including 32-bit code and PAD files.
  Reversing w/o reversing – how to become Alex in practice, Part 2
- Alexander Adamov at ‘Malware Research Academy’ shows “the techniques that you can use to analyze malicious docs coming as attachments to spear-phishing emails.”
  Maldocs Analysis
- There were a couple of posts on the Kryptos Logic blog this week
  - They shared their “observations from the latest phishing campaigns from Emotet”
    Emotet scales use of stolen email content for context-aware phishing
  - As well as their findings surrounding the “involvement of Emotet as the delivery mechanism for the latest wave of Ryuk ransomware attacks being dubbed as North Korean state-sponsored cyber-attacks.”
    North Korean APT(?) and recent Ryuk Ransomware attacks
- Jason Silberman at Illusive Networks describes the LockerGoga ransomware
  Time for Spring Cleaning? LockerGoga Underscores the Need for Cyber Hygiene
- There were a couple of posts on the Fortinet blog this week
  - Jasper Manuel and Joie Salvio review the LockerGoga ransomware
    LockerGoga: Ransomware Targeting Critical Infrastructure
  - Raul Alvarez examines the Anatova ransomware
    Looking Into Anatova Ransomware
- There were a couple of posts on the Malwarebytes Labs blog this week
  - William Tsing, Vasilios Hioureas, and Jérôme Segura examine a new stealer called Baldr
    Say hello to Baldr, a new stealer on the market
  - Nathan Collier takes a look at fake Instagram assistance apps targeting Iranian users
    Fake Instagram assistance apps found on Google Play are stealing passwords
- Ruchna Nigam at Palo Alto Networks documents some samples of Mirai compiled for new processors
  Mirai Compiled for New Processors Surfaces in the Wild
- Brad Duncan at the SANS Internet Storm Center Handler Diaries shares a purple teaming pyramid model
  Blue + Red: An Infosec Purple Pyramid, (Wed, Apr 10th)
- Jim Clausing at the SANS Internet Storm Center Handler Diaries provides some Ghidra tips for IDA users
  A few Ghidra tips for IDA users, part 1 – the decompiler/unreachable code, (Mon, Apr 8th)
- There were a couple of posts on the Securelist blog this week
  - They document the activities of the Gaza Cybergang Group1
    Gaza Cybergang Group1, operation SneakyPastes
  - And share some details of Project TajMahal, “a previously unknown and technically sophisticated APT framework”
    Project TajMahal – a sophisticated new APT framework
- Vitor Ventura at Cisco’s Talos blog documents the Gustuff banking trojan targeting Australian financial institutions
  Gustuff banking botnet targets Australia
- Augusto Remillano II and Arvin Macaraeg at Trend Micro share details of some malware they detect as Ludicrouz
  Miner Malware Spreads Beyond China, Uses Multiple Propagation Methods Including EternalBlue, Powershell Abuse
- Vitali Kremez reverse engineers and provides “a quick overview of the newer version of the “shifr” ransomware written in Golang.”
  Let’s Learn: Deeper Dive into Golang Constructs of Ransomware Called “shifr”
- Rohan Viegas describes the VMRay Detector introduced at RSA
  Introducing VMRay Detector: High-Precision Threat Detection at Scale
- Romain Dumont at We Live Security “describes the inner workings of a recently found addition to OceanLotus’s toolset for targeting Mac users”
  OceanLotus: macOS malware update
- There were a few posts on the Yoroi blog this week
  - They document the infection chain of the LimeRAT malware
    LimeRAT spreads in the wild
  - And examine a maldoc with potential ties to APT28
    APT28 and Upcoming Elections: Possible Interference Signals
  - They also announced that they have opened the “Yomi” sandbox to the public
    Yoroi Welcomes “Yomi: The Malware Hunter”
MISCELLANEOUS
- For this week’s Sunday Funday, Dave Cowen asks about Dropbox audit logs
  Daily Blog #659: Sunday Funday 4/7/19
- Jessica Hyde at Magnet Forensics shared her picks for the Forensic 4:cast Awards. Thanks for the nominations!
  Who We’re Nominating for this Year’s Forensic 4:cast Awards: Part 1
- Richard Frawley at ADF describes how to add a custom file type to an ADF search profile
  How to Add a Custom File Type to an ADF Search Profile
- Brett Shavers posted a few times this week
  - He cautions people against plugging in random USBs, even if you’re a well-meaning Secret Service agent
    If USB flash drives were shaped like spiders, we wouldn’t have these problems
  - And shares his thoughts on being quoted/misquoted based on a social media posting.
    The #1 Reason that DFIR practitioners don’t post opinions
  - Over on DFIR.Training, Brett shares his thoughts on what DFIR Review hopes to achieve and who can benefit. DFIR Review published its first articles last week; go check them out at dfirreview.com
    DFIR Review is for the researcher, the student, and the practitioner
- Brian Carrier at Cyber Triage discusses the benefits of a timely response to an incident
  Incident Response KPIs: TIME Is Critical. Here Are Five Reasons Why.
- Zeljka Zorz at Help Net Security describes a toolkit put together by researchers at Purdue University called FileTSAR. “FileTSAR, which stands for Toolkit for Selective Analysis & Reconstruction of Files, combines open source tools and code wrappers to provide a tool for network forensic investigators to capture, selectively analyze, and reconstruct files from network traffic.”
  FileTSAR: Free digital forensic investigations toolkit for law enforcement
- Joshua Hickman at ‘The Binary Hick’ has released an Android Pie (9.0) test image
  Android Pie (9.0) Image Is Available. Come Get A Piece!
- Kevin Pagano at Stark 4N6 recaps the 2019 Magnet User Summit
  Magnet User Summit (2019) Recap
- Trey Amick at Magnet Forensics explains a number of MacOS artefacts that are going to be added to future versions of Axiom
  What Upcoming Mac Artifacts and Features You Can Expect
- Kevin Pagano, Antonio Sanz, and Zach Stanford all posted walkthroughs for the Magnet User Summit CTF
  - CTF on a Budget – Magnet User Summit 2019 (Part 1) – Desktop
  - CTF on a Budget – Magnet User Summit 2019 (Part 2) – Mobile
  - CTF on a Budget – Magnet User Summit 2019 (Part 3) – Activity
  - MUS CTF DFIR – MOBILE (Nivel 1)
  - MUS CTF DFIR – Secret Project (Nivel 2)
  - MUS CTF DFIR – Activity (Nivel 3)
  - MUS CTF DFIR – Desktop (Nivel 4)
  - Writeup: Magnet User Summit DFIR CTF 2019-Activity
  - Writeup: Magnet User Summit DFIR CTF 2019-Basic Desktop
  - Writeup: Magnet User Summit DFIR CTF 2019-Secret Project
- Matthew Toussain at OpenSec shares a strategy for preparing for GIAC certifications
  Wargaming GIAC Certifications
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
  Weekly News Roundup — March 31 to April 6
- Seth Enoka adds a Win10 workstation to his personal forensics test network
  Create a Personal Forensics Lab Part 3: The Windows 10 Workstation
SOFTWARE UPDATES
- UFED Physical Analyzer 7.17 was released, improving report generation times, increasing location data, and more
  Improved performance and enhanced locations data with UFED Physical Analyzer 7.17
- Eric Zimmerman updated MFTECmd
  ChangeLog
- ExifTool 11.35 was released with a number of new tags and bug fixes
  ExifTool 11.35
- F-Response v8 has been released
  F-Response v8 – Now Available
- Foxton Forensics released Browser History Examiner v1.9.1.
- Jack Farley has released a Python script for parsing iTunes backups (as well as an associated KAPE module)
  Release: iTunes_Backup_Analyzer (With KAPE Module!)
- Magnet Forensics released a new free utility called the Magnet App Simulator. Tarah Melton demonstrates how to use the tool to virtualise Android apps
  MAGNET App Simulator
- Matthew Green releases an update to his Invoke-LiveResponse PowerShell module with more customization to collect artifacts (including from VSS) or memory.
  Live Response Script Builder
- Maxim Suhanov released v1.0.0-beta9 of his dfir_ntfs file system parser
  1.0.0-beta9
- MSAB released XRY 7.12, XAMN 4.2 and XEC Director 5.0 with a variety of improvements
  Now released: XRY 7.12, XAMN 4.2 and XEC Director 5.0
- Passmark Software released OSFMount v3.0.1000 with a number of new features
  v3.0.1000, 5 Apr 2019
- Martin Korman released regipy v1.1.0
  1.1.0
- X-Ways Forensics 19.8 SR-4 was released with bug fixes and minor improvements
  X-Ways Forensics 19.8 SR-4
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!