Week 18 – 2019

Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, Thanks to those who give a little back for their support!

FORENSIC ANALYSIS

  • Sandor Tokesi at Forensics Exchange shares his testing on the effects of user actions on file system timestamps and has found some differing results to similar testing by SANS and Cyber Forensicator
    NTFS Timestamp changes on Windows 10 

THREAT INTELLIGENCE/HUNTING

  • Richard Bejtlich at Corelight goes back to the beginning of Network Security Monitoring, what NSM data looked like almost two decades ago, and how Richard defines it today: full context, extracted content, transaction data, and alert data.
    Do you know your NSM data types? 
  • Rachelle Boissard at Insinuator.net posted summaries of talks from the TROOPERS19 conference
    • Active Directory talks included From Workstation to Domain Admin: Why Secure Administration Isn’t Secure and How to Fix It; and CypherDog 2.1 – Attackers Think in Graphs, Management Needs Metrics.
      #TR19 Active Directory Security Summaries 
  • Marco Ramilli gives an overview of the APT34 Glimpse project and a comprehensive summary of findings to date.
    APT34: Glimpse project 

PRESENTATIONS/PODCASTS

  • On this week’s Digital Forensic Survival Podcast, Michael talked about the OWASP vulnerability category relating to XSS
    DFSP # 167 – OWASP: XSS 

MALWARE

  • Jason Reaves, Joshua Platt, and Allison Nixon at Flashpoint look back at activity by the Wipro threat actors and share latest IOCs from the recent compromise.
    Wipro Threat Actors Active Since 2015 
  • JPCERTCC releases MalConfScan, a Volatility plugin to extract configuration data of known malware including Ursnif, Emotet, Lokibot, njRAT, and more.
    MalConfScan Volatility plugin 
  • Marc Rivero Lopez at McAfee Labs shares how LockerGaga uses multiple processes to deploy ransomware (encrypted extension .locked), possibly to minimize the malware footprint or bypass sandboxing. An examination of behavior is provided and also a non-technical link for what to do if you’re a ransomware victim, McAfee site.
    LockerGoga Ransomware Family Used in Targeted Attacks 
  • MisterCh0c shares command and control data stealer panels operated via Telegram and how data is exfiltrated from victims.
    Threat: Fox Stealer 
  • Tamas Rudnai at Symantec writes about malware attacks from inside Intel SGX (Software Guard Extension) and the feasibility of this attack.
    Dispelling Myths Around SGX Malware 

MISCELLANEOUS

  • Ian Stevenson at Cyan Forensics uses triage in medicine as an analogy for the need for triage in digital forensics
    Balancing Risks 

SOFTWARE UPDATES

  • Airbus CERT released dnYara “a .Net wrapper library for the native Yara library.”
    dnYara 
  • The 2019.4 update for the Atola TaskForce was released, adding, among other things, the ability to image connected drives directly to a target, making the device a lot more portable.
    Atola TaskForce 2019.4 release is here! 
  • Eric Zimmerman updated SBE, EvtxECmd, LECmd, MFTECmd, Registry Explorer, and KAPE this week
    ChangeLog 
  • ExifTool 11.39 was released with new tags and bug fixes
    ExifTool 11.39 
  • Justin Boncaldo, along with Zach Burnham and Ben Estes have released a new tool called Mac_int. This tool “is an interpretive, modular DFIR intelligence and artifact correlation tool designed to automatically identify patterns and connections between parsed artifact data from the SQLite output of Yogesh Khatri’s open source tool, mac_apt.”
    mac_int: Automating the Forensic Review Process with Data Interpretation 
  • Maxim Suhanov released v1.0.0-beta11 of his his dfir_ntfs file system parser
    1.0.0-beta11 
  • Mark Woan released autorunner v0.0.14 with some minor tweaks
    v0.0.14 

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s