Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- On 4n6files the author documents the process of obtaining a full file system image from an iOS 12 device. Previous posts on iOS file system imaging have either pointed to commercial tools or covered earlier iOS versions, so this is very valuable (provided you have authority and are comfortable jailbreaking devices).
  Creating a File System Image of iOS12 (12.1/16B92)
- Mattia Epifani, Heather Mahalik, and Cheeky4n6Monkey wrote a paper and scripts to parse Sysdiagnose data from iOS 12 devices.
  iOS_sysdiagnose_forensic_scripts
- Brian Carrier at Cyber Triage describes the variety of tools available to examine an endpoint during an intrusion.
  How to Speed Up Incident Response: Faster Analysis (Part 2)
- Alex Harmon released a PowerShell script that uses DumpIt & AzCopy to dump full Windows guest memory and upload it to Azure Storage for later analysis.
  AzureForensics
- Korstiaan Stam has posted a few articles on Business Email Compromise; this one covers use cases and “how to identify suspicious behavior in the Office 365 audit logs”.
  Responding to a Business Email Compromise – Part 3
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn finds an old version of MS Visual C++ can be used as a LOLbin.
  VS2005_vcredist_x86.exe as a LOLBIN
- There were a couple of posts on the Carbon Black blog this week
  - David Balcar writes a high level article about threat intelligence.
    Threat Intelligence – What It Is and Why You Need It
  - Sam Bocetta writes about some basic misconceptions around threat hunting.
    4 Common Misconceptions About Threat Hunting
- Danny Adamitis, David Maynor, and Kendall McKay at Cisco Talos share details of the “BlackWater” campaign believed to be associated with MuddyWater.
  Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques
- Richard Bejtlich at Corelight wrote a couple of posts this week
  - He reviews MSP compromise and risk assessments related to MSPs.
    Network Security Monitoring, a Requirement for Managed Service Providers?
  - Richard also discusses how to find and assess machines that may be susceptible to the recent RDP exploit.
    How to Use Corelight and Zeek Logs to Mitigate RDS/RDP Vulnerabilities
- Roberto and Jose Rodriguez released some additional Mordor datasets.
  Check out @Cyb3rWard0g’s Tweet
- Didier Stevens found a bug in Responder v2.3.3.9 and shares a fix.
  WebDAV, NTLM & Responder
- Dr. Ali Hadi at ‘Binary Zone’ shows how to create an ADS that allows for a reverse shell to a Windows host; the behavior of Windows Defender against this attack is also discussed.
  Can We Say Farewell to Hiding Malicious EXEs in Stealth ADS
- Frikkylikeme uses open source systems to create IR playbooks.
  Automation for everyone with TheHive and WALKOFF
- John Ferrell reports that spaces in the path of scheduled tasks “hide” that exe from Autoruns.
  Scheduled Task command with space “hides” the file from Autoruns
- Vidya Gopalakrishnan and Matt Mellen at Palo Alto Networks share a preview of their talk at Ignite ’19: how to search for and remediate persistent malware.
  Tales From the SOC: Hunting for Persistent Malware
- Eric Capuano at Recon InfoSec examines an intrusion via a vulnerable Confluence web app which drops China Chopper.
  Analysis of Exploitation: CVE-2019-3396
- Del Armstrong at Red Canary searched Pastebin for basic shell exploits and uncovered a payload using dd to kick off delivery of additional payloads.
  A Pastebin scraper, steganography, and a persistent Linux backdoor
- Russ McRee at HolisticInfoSec writes about r-cyber: “R packages for use in cybersecurity research, DFIR, risk analysis, metadata collection, document/data processing and more.”
  toolsmith snapshot: r-cyber with rud.is
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
  - Guy Bruneau at SANS ISC writes about how logging network metadata to detect malice has changed over the years, from the utility of full packet capture to how UEBA and EDR may be sufficient.
    Is Metadata Only Approach, Good Enough for Network Traffic Analysis?, (Sun, May 19th)
  - Todd Webb looks at the recent SharePoint CVE dropping China Chopper.
    CVE-2019-0604 Attack, (Mon, May 20th)
  - Todd also shows how to use Shodan Monitor, including use of the built-in heat map.
    Using Shodan Monitoring, (Tue, May 21st)
  - Johannes Ullrich shares an update on the recent RDP vulnerability.
    An Update on the Microsoft Windows RDP “Bluekeep” Vulnerability (CVE-2019-0708) [now with pcaps], (Wed, May 22nd)
  - Johannes also examines an odd Iranian DNS query.
    Investigating an Odd DNS Query, (Thu, May 23rd)
PRESENTATIONS/PODCASTS
- Richard Frawley at ADF shares a short video on how to scan an iOS device using MDI.
  Scan an iOS Device with Mobile Device Investigator
- BlackBag Technologies shared Dr Vico Marziale and Matt McFadden’s recent webcast on finding insider threats.
  Finding Insider Threats: Digging Deeper
- On this week’s Digital Forensic Survival Podcast, Michael talks about the crypto attack landscape.
  DFSP # 170 – The Crypto-Landscape
- SANS shared Amy R. Bejtlich’s presentation from the 2019 CTI Summit.
  Analytic Tradecraft in the Real World – SANS CTI Summit 2019
MALWARE
- Osanda Malith Jayathissa breaks down a .bz file distributed over Facebook Messenger which targets the Chrome and Opera browsers.
  Analyzing an AutoHotKey Malware
- Ben Herzog at Check Point Research looks at the code behind malware and weighs statically typed languages like C against dynamic ones like JavaScript.
  Malware Against the C Monoculture
- Nick Biasini and Edmund Brumaghin at Cisco Talos share how a new version of JasperLoader has targeted Italy with banking trojans and scheduled task persistence.
  Sorpresa! JasperLoader targets Italy with a new bag of tricks
- Ben Hunter at enSilo shares what may be new APT10 activity targeting the Philippines, with PlugX and Quasar loaded by JavaScript.
  Uncovering New Activity By APT10
- Kurt Natvig at Forcepoint continues to share how exes can be embedded in OLE streams within MS Office documents.
  Assessing risk in Office documents – Part 2: Hide my code or download it?
- There were a couple of posts on the Fortinet blog this week
  - David Maciejak and Floser Bacurio Jr. share the new CVE exploits used by Satan ransomware and its use of Ransomware-as-a-Service.
    A Closer Look at Satan Ransomware’s Propagation Techniques
  - The Fortiguard SE Team also shares some research insights from their recent threat report.
    Key Takeaways from Our Latest Global Threat Landscape Report
- Jérôme Segura at Malwarebytes Labs shares how credit card skimming can happen on online shopping sites via a rogue Magento iframe.
  Skimmer acts as payment service provider via rogue iframe
- Mark at Sneakymonkey performs an analysis of Trickbot using tools like FLOSS and strings.
  TRICKBOT – Analysis
- John Fokker at McAfee Labs looks at a cryptocurrency money laundering scheme ended by the takedown of Bestmixer.
  Cryptocurrency Laundering Service, BestMixer.io, Taken Down by Law Enforcement
- Doug McLeod at Nettitude Labs examines the PoshC2 dropper and how the encryption key for that PoshC2 instance is checked.
  Operational Security with PoshC2 Framework
- Brad Duncan at Palo Alto Networks looks at trends in Shade ransomware (.crypted000007 extension) being delivered to English- and Russian-speaking targets.
  Shade Ransomware Hits High-Tech, Wholesale, Education Sectors in U.S, Japan, India, Thailand, Canada
- Megan Roddie at Security Intelligence looks at the history of malicious macros and how to detect them.
  How to Fight Back Against Macro Malware
- Andrew Brandt at Sophos News examines an attack on a MySQL honeypot that delivered GandCrab.
  Directed attacks against MySQL servers deliver ransomware
- There were a couple of posts on the Trend Micro blog this week
  - Miguel Ang shares an example of TrickBot delivered by URL redirection.
    Trickbot Watch: Arrival via Redirection URL in Spam
  - Augusto Remillano II and Jakub Urbanec share news about a new version of Mirai which uses a variety of exploits.
    New Mirai Variant Uses Multiple Exploits to Target Routers and Other Devices
- WeLiveSecurity looks at the Zebrocy Delphi backdoor deployed by APT28/Fancy Bear.
  A journey to Zebrocy land
- Yoroi Blog looks at detection evasion techniques like “broken” Doc files, hiding payloads with Office developer mode, and spoofed signatures.
  Playing Cat and Mouse: Three Techniques Abused to Avoid Detection
MISCELLANEOUS
- Bryan Ambrose at Data Digitally posted a few times this week
  - He lists some registry keys found on Windows 10.
    Windows 10 Specific Registry Keys
  - He answers the questions from the CFReDS data leakage case in Magnet AXIOM.
    NIST data sets on Magnet AXIOM – Examine
  - He also shares some details of the Windows 10 May 2019 update.
    Windows 10 – May 2019 Update (version 1903)
- @m4khno_ released a macOS memory dump challenge on Root Me.
  Check out @m4khno_’s Tweet
- Christian at IT-Dad provides an overview of the Digital Forensics online course by Charles Sturt University.
  Kostenlose IT-Forensik Kurse Teil IX – IT Masters
- There were a few posts on Forensic Focus this week
  - Scar shares her top articles of the month.
    Digital Forensics News May 2019
  - They interviewed Blake Sawyer from Amped Software.
    Interview With Blake Sawyer, Amped Software
  - They shared a tutorial for imaging to a network repository with the Logicube Falcon Neo.
    How To Image To A Network Repository With Logicube’s Forensic Falcon-NEO
  - Jade James reviews Griffeye Analyze DI Pro.
    Review Of Griffeye Analyze DI Pro
- Jesse Spangenberger at Cyber Fēnix Tech describes how to get the SIFT Workstation working in a Qubes OS VM.
  Problems with Sift Workstation on Qubes OS 4.0
- Katie Nickels at ‘Katie’s Five Cents’ shares some advice for writing conference presentation proposals.
  Writing Infosec Conference Proposals: A Step-by-Step Guide
- Kristian Lars Larsen at Data Narro describes how SSDs can impact digital forensics work.
  The Impact of SSDs on Digital Forensics
- Marcos at ‘Un minion curioso’ examines the process of creating resident and non-resident files in the MFT.
  #DFIR: One byte makes the difference: MFT Resident File
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the last couple of weeks.
- SANS have announced a competition to design a pair of DFIR-related Vans for a free ticket to the DFIR Summit in Austin, Texas.
  “Design it. DFIR it. Win it. Wear it!”
- Craig Carpenter at X1 explains why over-collecting data in an E-Discovery matter can be unnecessarily costly.
  Want Legal to Add A LOT More Value? Stop Over-Collecting Data
SOFTWARE UPDATES
- Plaso 20190429 was released.
  Plaso 20190429 released
- Cellebrite released UFED InField 7.18. There was also a hotfix for UFED 7.18 to fix some bugs.
  Faster performance and better visibility to device data with UFED InField 7.18
- Eric Zimmerman updated LECmd, EZViewer, and PECmd.
  ChangeLog
- ExifTool 11.44 was released with new tags and bug fixes.
  ExifTool 11.44
- GetData released Forensic Explorer v4.6.8.8566.
  25 May 2019 – v4.6.8.8566
- JPCERT updated LogonTracer to v1.3.0.
  v1.3.0
- Metaspike released Forensic Email Collector v3.8.3.0.
  Forensic Email Collector (FEC) Changelog
- MSAB updated XRY to v7.12.2.
  XRY 7.12.2 now released
- SalvationData released SPF Pro V6.90.27.
  [Software Update] Mobile Forensics: SPF Pro V6.90.27 New Version Release for Better User Experience!
- Ulf Frisk released MemProcFS version 2.5.
  Version 2.5
- Velociraptor 0.3.0 was released with a major rework of the UI and other improvements.
  Release 0.3.0
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!