Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ demonstrates how to extract useful data from the pagefile using strings, grep, and YARA
  How to extract forensic artifacts from pagefile.sys?
- Eric Zimmerman observed that the information about the Volume breakdown is a filetime timestamp as well as the Volume ID of the connected volume.
  Check out @EricRZimmerman’s Tweet
- Ron at Janky Robot demonstrates how NTFS Alternate Data Streams are shown as extended attributes on Mac systems when accessed via SMB
  Alternate data streams … redux
- SalvationData share a couple of mobile forensics case studies
  - The first case study covers extracting data from a bricked Android phone
    [Case Study] Mobile Forensics: what to do When Phone is bricked?
  - The second demonstrates recovering recalled WeChat messages from the database’s journal
    [Case Study] How to recover the Android WeChat retracted message?
- Pieces0310 demonstrates how dual-apps on Android may result in only a partial data extraction of that app’s user data
  Where is the clone one and how to extract it? – Pieces0310
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn goes deep on Lolbins and reversing this week
  - He completes the reversing series from last week with a caution to archive samples as you find them and a note on the importance of learning IME. For more resources, Adam advises not letting foreign languages become a barrier to your knowledge and using MSDN and the Internet Archive.
    Reversing w/o reversing – how to become Alex in practice, Part 3
  - He then begins a series on Lolbins, starting with functions in Nullsoft plugins.
    Signed Nullsoft Plug-ins – potential Lolbins
  - Next, in a bait-and-switch type example related to Lolbins, Adam discusses how installers might auto-launch the purportedly just-installed program from a location not controlled by UAC.
    Installers – Interactive Lolbins, Part 2
  - He also suggests that Portable Apps are another way to launch a Lolbin.
    Installers – Interactive Lolbins
- Joe Security discusses how to navigate the large amount of data produced in Joe Sandbox reports using three features: the report search tool, their collider nav, and Interactive Tours.
  Deep Behavior Reports – how to find the needle in the haystack
- During an investigation of the Iranian APT “MuddyWater,” ClearSky identified emails with Word doc attachments related to POWERSTATS being sent to Kurdish targets.
  Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey
- Nik Seetharaman at Endur@nt suggests Event Tracing for Windows (ETW) as a way to more quickly identify “Patient Zero” in an intrusion. Starting with Controllers, Providers, and Consumers, and then working through Message Analyzer, Nik walks through a basic ETW exercise.
  Exploration and Instrumentation of Per-Process Windows Telemetry via ETW
- Tal Maor at Microsoft looks at LDAP-based Kerberoast attacks and how Azure ATP alerts can help focus in on this attack.
  Detecting LDAP based Kerberoasting with Azure ATP
- Vibhav Dudeja shares a series of blog posts about iOS security analysis and potential security vulnerabilities.
  - After jailbreaking, Vibhav uses the BigBoss repository on Cydia as a GUI file manager, and SSH to access files on the command line.
    iOS Application Security | Part 2 | Preparing iPhone for Application Security
  - Vibhav profiles the iPhone starting with Info.plist files and permission requests, and uses otool and jtool to get information about Mach-O binaries. Obsolete APIs and improper use of PRNGs are some of the vulnerabilities covered.
    iOS Application Security | Part 6 | Analyzing the IPA file of an application
  - Looking further into application .plist files and database files is the start of static analysis. Keyboard predictive text, access to the clipboard/Pasteboard, and application logging are opportunities for data to be leaked.
    iOS Application Security | Part 7 | Analyzing the Local Data of an application
  - Next up for iOS analysis is Burp traffic monitoring using the Burp mobile assistant.
    iOS Application Security | Part 8-A | Getting started with Traffic Analysis of iOS applications – Part 1
  - Finding the communication protocol, e.g. HTTP(S), using Burp and Wireshark is next.
    iOS Application Security | Part 8-B | Getting started with Traffic Analysis of iOS applications – Part 2
  - Using HTTP as an example, Vibhav looks at monitoring traffic between the app and a server, including request and response parameters.
    iOS Application Security | Part 9 | Requests and Responses of an iOS Application
  - Vibhav ties all of the posts together to examine traffic using tools spanning service, server, and channel analysis.
    iOS Application Security | Part 10 | Basic tools and techniques required for Traffic Analysis
- Shelly Leveson at Morphisec covers basic terms used in the industry such as AV and EPP, then covers Moving Target Defense: changing memory space to be less susceptible to fileless attacks.
  Analyzing the Acronyms: Moving Target Defense vs. AV, NGAV, EDR, EPP…
- Casey Smith, Keith McCammon, Michael Haag, and Kyle Rainey discuss getting started with PowerShell attack (T1086) mitigations. Tools and resources recommended include DetectionLab, PoSh_ATTCK, ATT&CK Navigator, and Atomic Red Team.
  Four tools to consider if you’re adopting ATT&CK
- In an ISC Diary post, Johannes Ullrich shares some unusual DNS requests that appear suspicious but are really benign.
  Odd DNS Requests that are Normal, (Tue, Apr 16th)
- There were a couple of posts on the SpecterOps blog this week
  - Justin Bui revisits manipulating filetimes on Windows by writing a PoC to set times on files/folders, discussing FILETIME vs SYSTEMTIME and what was learned examining the stomped filetimes in the MFT.
    Revisiting TTPs: TimeStomper
  - Dwight Hohnstein looks at lateral movement using IKEEXT and SessionEnv DLL hijacks and provides PoC code.
    Lateral Movement — SCM and Dll Hijacking Primer
- Satnam Narang at Tenable chimes in on the Sea Turtle campaign targeting the Middle East and North Africa, and reviews activity over the last decade.
  Sea Turtle DNS Hijacking Campaign Utilizes At Least Seven Patched Vulnerabilities
- Macnica Networks Corp gives an overview of the software used by APT32 (aka OceanLotus), a group possibly based in Vietnam and, according to FireEye, targeting automotive companies.
  Detection Evasion Techniques Used by OceanLotus (OceanLotusが使う検出回避テクニック)
UPCOMING WEBINARS/CONFERENCES
- Ashley Hernandez at BlackBag Technologies will be hosting a webinar on using BlackLight effectively on April 25th at 2:00 PM EDT
  Timesaving Forensic Techniques for your Next Case
- DME Forensics will be hosting a webinar on DVR Examiner export formats on April 30, 2019 at 2:00 p.m. MST
  DVR Examiner Export Formats
- Red Canary discusses their 2019 report, including the PowerShell detections mentioned in this week’s Threat Hunting section.
  Red Canary Discussion on the 2019 Threat Detection Report
- Kevin Ripa will be hosting a webinar on his and Eric Zimmerman’s FOR498 Battlefield Forensics course.
  From Seizure to Actionable Intelligence in 90 Minutes or Less
PRESENTATIONS/PODCASTS
- Cellebrite provided a brief overview of the results of their recent industry survey
  Cellebrite Survey Overview
- Douglas Brush at Cyber Security Interviews spoke with Alissa Torres
  #066 – Alissa Torres: A Well Balanced Approach
- On this week’s Digital Forensic Survival Podcast, Michael discussed triaging Windows Core Processes
  DFSP # 165 – Windows Core Processes
- Forensic Focus shared a couple of presentations from DFRWS EU 2018.
- Martin Barrow at Magnet Forensics briefly describes the “accessible and inaccessible” filters in Axiom.
  Accessible and Inaccessible Filters – A Minute with Magnet
- The videos from OffensiveCon 2019 were uploaded.
  OffensiveCon
- OpenText shared the SANS webcast by Matt Bromiley and JJ Cranford on continuous host monitoring.
  The Foundation of Continuous Host Monitoring
- On Enterprise Security Weekly, Matt Cauthorn from ExtraHop was interviewed regarding various data sources for SOC analysts.
  SOC Intel: Wire, Logs, & Endpoint – Enterprise Security Weekly #133
- SANS shared Sarah Jones’ presentation from the 2019 CTI Summit titled “A Brief History of Attribution Mistakes”
  A Brief History of Attribution Mistakes – SANS CTI Summit 2019
MALWARE
- Brian Krebs covered some of the biggest malware news stories this week, from Marcus “MalwareTech” Hutchins pleading guilty to the Wipro breach and Wipro IOCs.
- The APT34 Oil Rig Leak was covered by multiple blogs:
  - Robert Falcone at Palo Alto Networks also posts about the OilRig group and how their tools use DNS queries to communicate with a C2 server.
    DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling
  - Sean Lyngaas at CyberScoop discusses the Telegram dump of APT34 (aka Oil Rig or HelixKitten) data, which appears to point to the Iranian intelligence community. Links to the tools, servers, and web shells identified are included.
    How companies – and the hackers themselves – could respond to the OilRig leak
  - MisterCh0c looks at information from the APT34 (Oil Rig) leak, sharing details about “Poison Frog” and “HighShell”/“HyperShell”.
    APT34 / OILRIG Leak, Quick Analysis
- Alexander Adamov at NioGuard Security Lab walks through reversing LockerGoga in a video (13m).
  Reversing LockerGoga – Part 1
- Bitdefender introduces their white paper about Scranos, a password and data stealer previously confined to Chinese targets and now seen worldwide.
  Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation
- Sam Bocetta writes a guest post for Carbon Black on the Mirai botnet and IoT, and stresses the importance of being proactive and turning off compromised hardware if infected.
  Mirai Rebirth Highlights Importance of Defending IoT
- AC at Carbon Black writes about the Danabot banking trojan, which uses phishing and Lolbins to infect hosts.
  CB TAU Threat Intelligence Notification: Danabot Trojan Targets Financial Services Industry via Stolen Credentials
- Avigayil Mechtinger and Andrey Polkovnichenko at Check Point look at ad fraud malware dubbed PreAMo.
  PreAMo – A Clicker Campaign found on Google Play
- Darrel Rendell at Cofense details a change in Emotet to target Japanese language speakers, including academic institutions.
  Flash Update: Emotet Gang Distributes First Japanese Campaign
- Didier Stevens shows how to extract strings from binary shellcode using a single tool.
  Extracting “Stack Strings” from Shellcode
- There were a couple of posts on the FireEye blog this week
  - John Hultquist, Ben Read, Oleg Bondarenko, and Chi-en Shen discuss an evolution of malicious .lnk (shortcut) files carrying a PowerShell script, still targeted at the Ukrainian Government and potentially originating from the “Luhansk People’s Republic.”
    Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People’s Republic
  - Carlos Garcia Prado shares the release of FLASHMINGO to assist analysts examining SWF files; users can build on FLASHMINGO with Python plug-ins.
    FLASHMINGO: The FireEye Open Source Automatic Analysis Tool for Flash
- There were a couple of posts on the Fortinet blog this week
  - They review the Silence Group, which targets the payment card industry and banks via spear phishing.
    Silence Group Playbook
  - Fo Yueh-Ting Chen and Evgeny Ananin look at Predator the Thief, examining how a sample uses the WinRAR exploit and recent changes that make the malware fileless.
    Predator the Thief: New Routes of Delivery
- Ioana Rijnetu at Heimdal Security Blog looks at the rootkit-based information stealer Scranos and provides a link to more information on the Bitdefender blog.
  Scranos: The Persistent Rootkit-Enabled Malware is Targeting Home Users and Organizations Worldwide
- Karsten Hahn at Malware Analysis For Hedgehogs looks at PE file anomalies like deformations, loops, unusual ordering/locations, and more (18 min).
  Malware Theory – PE Malformations and Anomalies
- Matt Durrin at LMG Security shows some “easter egg” comments in the Mirai source code.
  A Dozen Mirai Botnet Easter Eggs—Revealing the Lighter Side of Malicious Code
- There were a couple of posts on the Malwarebytes blog this week
  - Adam Thomas and Jérôme Segura, with Vasilios Hioueras and S!Ri, look at exploits against the Electrum cryptocurrency servers.
    Electrum Bitcoin wallets under siege
  - Pieter Arntz gives an overview of the dangers related to malware in manufacturing environments.
    Malware targeting industrial plants: a threat to physical security
  - Hasherezade talks more about APT32/OceanLotus as an example of an unusual file format that can hamper analysis, and goes on to share a lengthy analysis despite the BLOB and CAB being custom formats.
    “Funky malware format” found in Ocean Lotus sample
- Matthieu Suiche shares how Cybaze-Yoroi ZLAB found Qrypter, which hides payloads and is commonly used with AdWind.
  The Qrypter Payload Malware Has Been Finally Decrypted
- OALabs created a quick (3 min) YouTube video using x64dbg with a single breakpoint on WriteProcessMemory.
  Reverse Engineering Quick Tip – Unpacking Process Injection With a Single Breakpoint
- Robert Falcone and Brittany Ash at Palo Alto Networks looked at a document delivering RevengeRAT that appeared to be associated with the Gorgon Group; however, they instead attribute the activity to a group they call the Aggah Campaign.
  Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign
- Petter Potts at PepperMalware looks at the alphaircbot, including deobfuscating the loader.
  Analysis of .Net Deucalion IrcBot Sample Obfuscated with ConfuserEx+KoiVM
- There were a few posts on the SANS Internet Storm Centre Handler Diaries
  - Jim Clausing published more Ghidra tips for IDA users.
    A few Ghidra tips for IDA users, part 2 – strings and parameters, (Wed, Apr 17th)
  - Xavier Mertens examines a Universal Disk Format (UDF) .img email attachment, which turns out to be AutoIT malware.
    Malware Sample Delivered Through UDF Image, (Wed, Apr 17th)
  - Didier Stevens follows up on Xavier’s post about UDF files, using isoparser for analysis.
    Analyzing UDF Files with Python, (Fri, Apr 19th)
- Edmund Brumaghin and Holger Unterbrink at Cisco’s Talos Blog look at the commodity malware HawkEye, an information stealer/keylogger.
  New HawkEye Reborn Variant Emerges Following Ownership Change
- Trend Micro had a few posts this week:
  - Gilbert Sison and Ryan Maglaque look at targeted ransomware attacks like BitPaymer being installed after a machine was compromised using PS Empire.
    Account With Admin Privileges Abused to Install BitPaymer Ransomware via PsExec
  - Hiroyuki Kakara and Kazuki Fujisawa look at an xlsm file using AutoHotkey, ultimately installing TeamViewer for remote access to a system.
    Potential Targeted Attack Uses AutoHotkey and Malicious Script Embedded in Excel File to Avoid Detection
  - Ranga Duraisamy and Kassiane Westell examine the IE vulnerability triggered by certain MHTML (.mht) files being opened.
    Zero-day XML External Entity (XXE) Injection Vulnerability in Internet Explorer Can Let Attackers Steal Files, System Info
- Adam Chester at XPN InfoSec Blog looks at what red teamers may want to know about CylancePROTECT EDR and links to MDSec’s blog (https://www.mdsec.co.uk/2019/03/silencing-cylance-a-case-study-in-modern-edrs) for Adam’s full post.
  Silencing Cylance: A Case Study in Modern EDRs
- There were a couple of posts on the Yoroi blog this week
  - They write about an attack targeting users in Italy with .html attachments delivering an sLoad backdoor.
    New sLoad Attack Campaign (Nuova Campagna di Attacco sLoad)
  - They also look some more at Sofacy’s phishing techniques in an attempt to determine a Russian connection to Ukrainian election meddling.
    APT28 and Upcoming Elections: Possible Interference Signals (Part II)
MISCELLANEOUS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ shared the winning solution to last week’s challenge.
  Daily Blog #660: Solution Saturday 4/13/19
- Tsunami Pirate shared their experience of taking SANS SEC555 at SANS Orlando.
  Through the eyes of a SANS Newbie
- Devon at AboutDFIR briefly describes the latest updates to the site, including a new iOS test image being developed by Jessica Hyde and Jonathan Wiley
  Site Updates
- Brett Shavers comments on the nervousness presenters feel when putting themselves out to be judged on stage
  Puking in DFIR
- Christian at IT-Dad reviews Dr. Polstra’s USB write blocker course on Pluralsight
  Free IT Forensics Courses Part VII – Pluralsight (Kostenlose IT-Forensik Kurse Teil VII – Pluralsight)
- Brian Carrier at Cyber Triage shares some strategies for reducing the time between alert and action during an incident
  How to Speed Up Incident Response: Alert to Data Collection
- Monty St John at CyberDefenses gives a high-level overview of digital forensics
  What Is Digital Forensics?
- Forensic Focus shared their roundup of forum posts of the month
  Forensic Focus Forum Round-Up
- Kevin Pagano at Stark 4N6 continues working the MUS CTF
  CTF on a Budget – Magnet User Summit 2019 (Part 4) – Secret Project
- Quentin Fois at Lastline Labs shared his experience at the 2019 Security Analyst Summit.
  Reporting from Security Analyst Summit 2019
- Gary Hook at Lomax Security describes the LSASS process
  What is LSASS?
- Jamie McQuaid at Magnet Forensics shares his nominations for the Forensic 4:cast Awards. Thanks for the nomination!
  Who We’re Nominating for This Year’s Forensic 4:cast Awards: Part 2
- MailXaminer provide a broad overview of the dimensions and challenges of forensics on computers hosted in the cloud
  Cloud Forensic Investigation: Dimensions, Challenges & Solutions
- Matt Seyer has created a “Python library for parsing Shell Items/Extension Blocks/Property Stores.”
  Check out @forensic_matt’s Tweet
- Mike Cary has released a PowerShell script to download the binaries that KAPE requires to run modules
  Get-KapeModuleBinaries
- Jasper at Packet Foo shares details on monitoring wireless traffic on Windows.
  Wireless Capture on Windows
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the last two weeks
- Seth Enoka adds a Windows 8.1 box to his test forensic lab
  Create a Personal Forensics Lab Part 4: The Windows 8.1 Workstation
- Dave Herrald and Ryan Kovar at Splunk have open-sourced the Boss of the SOC 2.0 dataset, scoring apps, and questions
  Boss of the SOC 2.0 Dataset, Questions and Answers Open-Sourced and Ready for Download
- The wearables team at Champlain College shared an update on their project.
  Wearable Forensics Blog 4
- Yulia Samoteykina at Atola demonstrates how to limit a drive size by modifying the HPA. This is useful when cloning a drive where the target is larger than the source but you would still like the hashes to match.
  Clip target drive to source evidence size
SOFTWARE UPDATES
- ADF released Mobile Device Investigator, which allows examiners to perform logical extractions of iOS and Android devices
  New Mobile Device Investigator™ iOS and Android Smartphones
- Airbus CERT released a Go port of the old mactime tool
  Timeliner
- Belkasoft released Belkasoft Evidence Centre v9.5 with a number of new features
  What’s new in BEC v.9.5
- Cellebrite released a critical update for UFED Physical Analyzer (v7.17.1) “to resolve an issue when attempting to save a session file (.pas) in Cellebrite Reader.”
- Didier Stevens updated his translate Python script to version 2.5.6
  Update: translate.py Version 2.5.6
- ExifTool 11.37 was released with new tags and bug fixes
  ExifTool 11.37
- Jack Farley updated his iTunes Backup Analyzer to v2.1
  iTunes_Backup_Analyzer_v2.1
- MOBILedit Forensic Express was updated to v6.1.1.
  MOBILedit Forensic Express 6.1.1 Released!
- OSFMount v3.0.1001 was updated to fix some bugs
  v3.0.1001, 17 Apr 2019
- Regipy v1.1.1 was released
  Version 1.1.1
- Skadi 2019.3 was released
  Skadi 2019.3
- USB Detective v1.4.1 was released
  Version 1.4.1 (04/14/2019)
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!