Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Marco Fontani at Amped demonstrates examining pictures using Authenticate’s hex viewer
Even the (Byte)Streams Can Tell More Than It Seems: Learn How to Spot Hidden Data in Images Using Amped Authenticate!
- Cellebrite shared a couple of examination case studies
- Dr. Ali Hadi at ‘Binary Zone’ shares some research on HDFS
Installing HDFS for Forensics Research
- Sandor Tokesi at Forensics Exchange shares his testing on the effects of user actions on file system timestamps and has found some differing results to similar testing by SANS and Cyber Forensicator
NTFS Timestamp changes on Windows 10
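Since the three sets of results mentioned above disagree, the practical answer is to re-run the test on the exact OS build and file system you are examining. The harness below is an added example written for this roundup (not code from Sandor’s post): it stages a file with a deliberately stale modified time, performs one user-style action (modify, rename, copy with and without metadata), and reports which stat() timestamps moved. The file names, the stale epoch value and the use of Python’s shutil for the copy are assumptions; shutil.copy and shutil.copy2 are not the same code path as an Explorer copy, so treat this as the shape of the test rather than as a substitute for testing through the GUI.

```python
"""Added example: report which stat() timestamps change after a file action.
Not from the post being summarised. Results depend on OS, build and file
system, so run it on the system under test and compare with the published
tables rather than trusting any one of them."""
import os
import shutil
import tempfile

# Timestamp fields to compare. st_birthtime_ns only exists on some platforms
# (macOS, BSD, Windows on Python 3.12+) and is skipped where absent.
FIELDS = ("st_atime_ns", "st_mtime_ns", "st_ctime_ns", "st_birthtime_ns")
# Assumed stale value (2001-09-09 UTC) so that "updated to now" is unambiguous.
STALE_NS = 1_000_000_000 * 10**9


def snapshot(path):
    """Capture the timestamp fields that this platform exposes."""
    st = os.stat(path)
    return {f: getattr(st, f) for f in FIELDS if hasattr(st, f)}


def changed(before, after):
    """Names of the timestamp fields that differ between two snapshots."""
    return sorted(k for k in before if k in after and before[k] != after[k])


def _stage(path):
    """Create the test file and push its atime/mtime into the past."""
    with open(path, "wb") as fh:
        fh.write(b"original\n")
    os.utime(path, ns=(STALE_NS, STALE_NS))
    return snapshot(path)


def run_cases():
    """Perform each action on a freshly staged file; return {action: changed}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "a.txt")

        # 1. Modify in place (append).
        before = _stage(src)
        with open(src, "ab") as fh:
            fh.write(b"appended\n")
        results["modify"] = changed(before, snapshot(src))

        # 2. Rename within the same directory.
        before = _stage(src)
        dst = os.path.join(d, "b.txt")
        os.rename(src, dst)
        results["rename"] = changed(before, snapshot(dst))

        # 3. Copy: shutil.copy writes a new file (new mtime), shutil.copy2
        #    also copies atime/mtime from the source.
        before = _stage(dst)
        plain = os.path.join(d, "copy.txt")
        shutil.copy(dst, plain)
        results["copy"] = changed(before, snapshot(plain))
        meta = os.path.join(d, "copy2.txt")
        shutil.copy2(dst, meta)
        results["copy2"] = changed(before, snapshot(meta))
    return results


if __name__ == "__main__":
    for action, fields in run_cases().items():
        print(f"{action:8s} changed: {', '.join(fields) or 'nothing'}")
```

On NTFS the change (ctime) and birth fields are where the published tests differ most, so record those columns separately for each Windows build you test; the script deliberately makes no assumption about them.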
- Mike Williamson has posted twice this week
- The first demonstrates how to use his GKZipLib module to quickly export powerlog files from an iOS full file system extraction
Aggregating iOS PowerLog data using C# – Part 1
- Mike also interviews Shafik G. Punja about his work with the photos.sqlite database found on iOS
iOS Photos.sqlite Forensics
THREAT INTELLIGENCE/HUNTING
- John Strand at Active Countermeasures continues the log series from last week, looking at lateral movement with LogonTracer and Bloodhound.
Log Analysis Part 3 – Lateral Movement
- Adam at Hexacorn talks more about old code injection techniques with SHLoadInProc. This post is among Adam’s posts tagged “archaeology” which are worth reviewing – it’s true that everything old is new again!
SHLoadInProc – The Non-Working Code Injection trick from the past
- Kevin Sheu at the Vectra Cognito Blog looks at the benefits and drawbacks of logging with NetFlow, PCAPs, and network metadata while citing a recent Gartner Research paper for use cases.
Why network metadata is just right for your data lake
- Richard Bejtlich at Corelight goes back to the beginning of Network Security Monitoring, what NSM data looked like almost two decades ago, and how Richard defines it today: full context, extracted content, transaction data, and alert data.
Do you know your NSM data types?
- Hideaki Ihara at port139 posted a couple of times
- He tests if “Remote Credential Guard was used with RDP connection”
Windows Defender Remote Credential Guard and RestrictedAdmin mode.
- And looks at the “Microsoft-Windows-Terminal Services-RDPClient / Operational” event log to help track lateral movement
Microsoft-Windows-TerminalServices-RDPClient and NLA
- Rachelle Boissard at Insinuator.net posted summaries of talks from the TROOPERS19 conference
- Attack talks included VXLAN Security or Injection, and protection; and Fetch Exploit – attacks against source code downloaders (if you’ve been discussing supply chain attacks this is worth checking out).
#TR19 Attack & Research Summaries
- Active Directory talks included From Workstation to Domain Admin: Why Secure Administration Isn’t Secure and How to Fix It; and CypherDog 2.1 – Attackers Think in Graphs, Management Needs Metrics.
#TR19 Active Directory Security Summaries
- Marco Ramilli gives an overview of the APT34 Glimpse project and a comprehensive summary of findings to date.
APT34: Glimpse project
- MITRE advised that they have recently updated the ATT&CK framework
Check out @MITREattack’s Tweet
- Frank Duff at MITRE ATT&CK shares that Round 2 of ATT&CK evaluations with new categories will be up this summer, based on APT29/COZY BEAR.
Round 2 of ATT&CK Evaluations is Now Open
- Florian Roth at Nextron Systems looks at threat hunting using YARA including deobfuscating code using CyberChef to detect hex encoded + base64 encoded text.
Spotlight: Threat Hunting YARA Rule Example
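The obstacle with “hex-encoded, then base64-encoded” text is that a base64 substring depends on where the payload falls within the encoder’s 3-byte groups, so one literal string misses two of the three alignments. The example below is added here and is not from Florian’s post: it computes the three alignment-stable base64 substrings of a hex-encoded keyword, emits them as a YARA rule, and checks constructed blobs against them. The keyword “powershell”, the rule name and lowercase hex are assumptions. YARA 4.0 and later offer a base64 string modifier that does this for you; with the YARA 3.10 mentioned under software updates the enumeration has to be done by hand, which is what this shows.

```python
"""Added example: enumerate the base64 alignments of a hex-encoded keyword
so a YARA rule catches it at any offset. Not code from the post summarised
above; keyword, rule name and lowercase hex are assumptions."""
import base64
import binascii


def b64_alignments(payload: bytes):
    """Return the three base64 substrings that are stable when `payload`
    starts at byte offset 0, 1 or 2 of a 3-byte group. Characters whose
    6 bits straddle a neighbouring (unknown) byte are dropped."""
    if len(payload) < 3:
        raise ValueError("payload too short to yield a stable substring")
    variants = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + payload).decode()
        start = (8 * k + 5) // 6                 # first char wholly inside payload
        end = (8 * (len(payload) + k)) // 6      # one past the last such char
        variants.append(enc[start:end])
    return variants


def hex_b64_patterns(keyword: str):
    """base64 forms of the lowercase hex encoding of `keyword`."""
    hexed = binascii.hexlify(keyword.encode()).lower()
    return b64_alignments(hexed)


def yara_rule(name: str, keyword: str) -> str:
    """Render a YARA 3.x-compatible rule with one string per alignment."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, pat in enumerate(hex_b64_patterns(keyword)):
        lines.append(f'        $hexb64_{i} = "{pat}"')   # alphabet needs no escaping
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def contains_encoded(blob: bytes, keyword: str) -> bool:
    """Pure-Python equivalent of the rule's condition, for quick triage."""
    return any(p.encode() in blob for p in hex_b64_patterns(keyword))


def encoded_sample(prefix: bytes, keyword: str, suffix: bytes) -> bytes:
    """Constructed test blob: base64(prefix + hex(keyword) + suffix), the
    shape a loader produces when it wraps a hex-encoded command in base64."""
    return base64.b64encode(prefix + binascii.hexlify(keyword.encode()) + suffix)


if __name__ == "__main__":
    print(yara_rule("hunt_hex_b64_powershell", "powershell"))
    for k in range(3):
        blob = encoded_sample(b"A" * k, "powershell", b"xyz")
        print(k, contains_encoded(blob, "powershell"))
```

Paste the printed rule into CyberChef’s YARA operation, or run it with yara, against the same sample you decoded by hand; if the sample used uppercase hex, generate a second set of strings from the uppercase form, since the two encode to different base64.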
- Chad Tilbury at SANS updates his research on Sysinternals Autoruns and uses Arsenal Image Mounter to mount images and extract data from the locations where malware establishes persistence.
“Offline Autoruns Revisited – Auditing Malware Persistence”
- Nick Buraglio at The Forwarding Plane shares the value of logging network latency, including use of this metric as potential indicator of network compromise.
The value of measurements: Network Latency
- Threat Recon shares information about threat actor group SectorB06 exploiting Microsoft’s Equation Editor using a Mongolian language Word document. Recall that last week we saw eqnedt32.exe with AVE_MARIA malware and RDP connections.
SectorB06 using Mongolian language in lure document
PRESENTATIONS/PODCASTS
- Dave Cowen was joined by Evan Anderson and Alex Levinson for a special Forensic Lunch episode AMA on the recent CCDC competition.
Forensic Lunch 5/3/19 CCDC AMA Live
- On this week’s Digital Forensic Survival Podcast, Michael talked about the OWASP vulnerability category relating to XSS
DFSP # 167 – OWASP: XSS
- Richard Davis at 13Cubed demonstrates a few of the free tools produced by Magnet Forensics
Free Tools From Magnet Forensics
- SANS shared Joe Slowik’s presentation from the 2019 CTI Summit
Meet Me in the Middle: Threat Indications and Warning in Principle & Practice – SANS CTI Summit 2019
- I posted my recap of April 2019
This Month In 4n6 – April – 2019
MALWARE
- Intezer announces integration with Demisto for malware analysis to be done with more automation via playbooks.
Intezer and Demisto: Automated Malware Analysis and Response
- Jason Reaves, Joshua Platt, and Allison Nixon at Flashpoint look back at activity by the Wipro threat actors and share latest IOCs from the recent compromise.
Wipro Threat Actors Active Since 2015
- Robert Neumann at Forcepoint recaps data first presented in October 2018: a review of TinyPOS which collects swipe-and-sign data.
Should non-EMV transactions be phased out completely? An analysis of TinyPOS
- Xiaopeng Zhang at FortiGuard examines a recent TrickBot campaign delivered as a VBS file inside a Zip archive.
Quick Analysis of New Method for Spreading TrickBot
- JEB Decompiler in Action shares what’s different in decompiling Android Pie (API 28) applications and considerations in debugging malware.
Debugging Android apps on Android Pie and above
- JPCERTCC releases MalConfScan, a Volatility plugin to extract configuration data of known malware including Ursnif, Emotet, Lokibot, njRAT, and more.
MalConfScan Volatility plugin
- Maddie Stone released her Android app reverse engineering course
Check out @maddiestone’s Tweet!
- Jérôme Segura shares that even with Coinhive shutting down, many compromised routers are still reaching out.
Cryptojacking in the post-Coinhive era
- Marc Rivero Lopez at McAfee Labs shares how LockerGoga uses multiple processes to deploy ransomware (encrypted extension .locked), possibly to minimise the malware footprint or bypass sandboxing. An examination of behaviour is provided, along with a link to a non-technical McAfee page on what to do if you’re a ransomware victim.
LockerGoga Ransomware Family Used in Targeted Attacks
- Mike R. steps through challenge data related to Ursnif and AZORult malware with Wireshark.
Stingrayahoy — Traffic Analysis Exercise Write-up
- MisterCh0c shares command and control data stealer panels operated via Telegram and how data is exfiltrated from victims.
Threat: Fox Stealer
- There were a few posts on the Palo Alto Networks blog this week
- OilRig’s targeting was not limited to the Middle East: China appears to be the fourth most targeted country in the data.
OilRig Data Analysis Shows Breadth of Hacking Campaign
- Bryan Lee and Robert Falcone share a longer overview about what is known about OilRig including data about Glimpse and Poison Frog.
Behind the Scenes with OilRig
- Cong Zheng and Yanhui Jia write about the Linux botnet Muhstik exploiting WebLogic server vulnerability.
Muhstik Botnet Exploits the Latest WebLogic Vulnerability for Cryptomining and DDoS Attacks
- Ken Hsu, Matt Tennis, Yanhui Jia, Zhibin Zhang, and Durgesh Sangvikar dig further into Muhstik and the WebLogic vulnerability, tying Muhstik to Sodinokibi ransomware. See more on Sodinokibi ransomware at the Talos Blog.
Attackers Increasingly Targeting Oracle WebLogic Server Vulnerability for XMRig and Ransomware
- Tony Lambert at Red Canary reviews the FrameworkPOS point of sale malware process tree and enriches behavior with research from Morphisec, FireEye, and Adam at Hexacorn. To dig deeper into POS malware, check out This Week in 4n6 Week 11.
FrameworkPOS and the adequate persistent threat
- There were a few posts on the SANS Internet Storm Centre Handler Diaries
- Xavier Mertens hunts for more UDF images, mounting via UltraISO and extracting the malicious PE file.
Another Day, Another Suspicious UDF File, (Wed, May 1st)
- Didier Stevens looks at VBA macro versions.
VBA Office Document: Which Version?, (Wed, May 1st)
- Jim Clausing looks at more basics in Ghidra like hex to ASCII character conversion and renaming variables/functions.
A few Ghidra tips for IDA users, part 3 – conversion, labels, and comments, (Fri, May 3rd)
- Sebdraven looks at the RTF exploit delivering the newcoreRAT to Vietnamese targets.
Goblin Panda continues to target Vietnam
- Mitch Edwards gives an overview of Chinese actors, including hacktivists, APTs, and criminal groups.
Chinese Threat Intelligence: Part 1
- There were a couple of posts on Kaspersky Securelist this week
- They examine tools used by APT MuddyWater after an initial infection.
I know what you did last summer, MuddyWater blending in the crowd
- They also look at Q1 of 2019, covering everything from trends in supply-chain attacks and activity by Russian- and Chinese-speaking groups through to mobile spyware.
APT trends report Q1 2019
- Tamas Rudnai at Symantec writes about malware attacks from inside Intel SGX (Software Guard Extension) and the feasibility of this attack.
Dispelling Myths Around SGX Malware
- Ashlee Benge and Nick Randolph write at Cisco Talos about the Qakbot banking trojan and new persistence activity around scheduled tasks.
Qakbot levels up with new obfuscation techniques
- There were a couple of posts on the TrendMicro blog this week
- Samuel Wang examines a tech support scam where a fake Microsoft support page loads iframes in an endless loop likely to freeze a browser, forcing users to call “tech support.”
Tech Support Scam Employs New Trick by Using Iframe to Freeze Browsers
- Joseph Chen shares credit card skimming exploits related to Magecart, including injection into .js store payment libraries.
Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada
- WeLiveSecurity looks at Buhtrap and other banking trojan related malware, including Android malware, targeting Russian organizations and accountants.
Buhtrap backdoor and ransomware distributed via major advertising platform
MISCELLANEOUS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’ posted the debrief from the 2019 CCDC Red Team
National CCDC 2019 Red Team Debrief
- There were a few more Forensic 4Cast Nominations posts this week, including one by me!
- Kevin Pagano – My 2019 Forensic 4cast Awards Nominations
- Lori Tyler at AccessData shares some preparation steps to follow prior to an incident
How to Protect Yourself from Being Named as a Defendant in Data Breach Litigation
- Brett Shavers at DFIR.Training gives some presentation advice for those fearing the worst
Three Fears in Presenting in DFIR
- Daniel Pistelli at Cerbero announced some new features in their product around examining hibernation files and crash dumps
Windows DMP and Hibernation Files
- Ian Stevenson at Cyan Forensics uses triage in medicine as an analogy for the need for triage in digital forensics
Balancing Risks
- Dark Defender provides a list of “technical resources for VMs, CTFs, and Online Challenges”
InfoSec 101 — Part Three (b): Technical Resources for VMs, CTFs, and Online Challenges
- There were a few posts on Forensic Focus this week
- Scar shares her top news articles from the last month
Digital Forensics News April 2019
- Jade James reviewed Amped Replay
Review Of Amped Replay From Amped Software
- Yuri Gubanov, Danil Nikolaev & Igor Mikhailov demonstrate how to carve with Belkasoft Evidence Centre
Walkthrough: Carving With Belkasoft Evidence Center
- Kristian Lars Larsen at Data Narro shares a free ebook for digital forensics for legal professionals.
E-Book Available: The 2019 Attorney’s Guide to Digital Forensics
- Magnet Forensics have launched a “new self-service Customer Portal and knowledge base”
Welcome to the New Self-Service Customer Portal!
- John Patzakis at X1 Discovery shared some statistics on social media evidence in litigation.
90 Percent of Law Firms Managed Social Media Evidence Collections in 2018
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — April 28 to May 4
- Basil Alawi S.Taher at the SANS Internet Storm Centre provides a brief overview of KAPE
Introduction to KAPE, (Tue, Apr 30th)
- Seth Enoka adds a CentOS workstation to his test forensics network.
Create a Personal Forensics Lab Part 6: The CentOS Workstation
SOFTWARE UPDATES
- Airbus CERT released dnYara “a .Net wrapper library for the native Yara library.”
dnYara
- The 2019.4 update for the Atola TaskForce was released, adding, among other things, the ability to image connected drives directly to a target, making the device a lot more portable.
Atola TaskForce 2019.4 release is here!
- Cellebrite released v8.0 of their Analytics Desktop tool
8 Reasons to Upgrade to Cellebrite Analytics Desktop 8.0
- Eric Zimmerman updated SBE, EvtxECmd, LECmd, MFTECmd, Registry Explorer, and KAPE this week
ChangeLog
- ExifTool 11.39 was released with new tags and bug fixes
ExifTool 11.39
- There is an update to F-Response v8 to improve imaging, Google Docs collection, and security
F-Response v8 – Update Available
- Metaspike released v3.8.1.0 of their Forensic Email Collector with a number of new features
Forensic Email Collector (FEC) Changelog
- Susteen advised that their Datapilot 10 recently was updated to improve acquisition times
Susteen Launches Major Updates For Lab And Field Acquisitions
- AccessData released FTK v7.1.0. The release notes can be found here
AccessData Forensic Toolkit
- GetData released Forensic Explorer v4.6.8.8490 with some bug fixes
01 May 2019 – v4.6.8.8490
- Justin Boncaldo, along with Zach Burnham and Ben Estes have released a new tool called Mac_int. This tool “is an interpretive, modular DFIR intelligence and artifact correlation tool designed to automatically identify patterns and connections between parsed artifact data from the SQLite output of Yogesh Khatri’s open source tool, mac_apt.”
mac_int: Automating the Forensic Review Process with Data Interpretation
- Maxim Suhanov released v1.0.0-beta11 of his dfir_ntfs file system parser
1.0.0-beta11
- Mark Woan released autorunner v0.0.14 with some minor tweaks
v0.0.14
- X-Ways Forensics 19.8 SR-5 was released with bug fixes and minor improvements
X-Ways Forensics 19.8 SR-5
- YARA v3.10.0 was released
YARA v3.10.0
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!