Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’ examines the SystemPanel2 Android app which “keeps timestamped system wide app usage statistics”
Android SystemPanel2 – App usage tracking
- Dark Defender has documented their research into parsing the data stored by the Win10 Mail app
Windows 10 Mail App Forensics
- Dr. Ali Hadi at ‘Binary Zone’ wrote a few interesting posts this week
  - First, he demonstrates a method of executing a program in a way that creates a “hidden” prefetch file in an Alternate Data Stream. This prefetch file was not detected by forensic tools
  Creating a Hidden Prefetch File to Bypass Normal Forensic Analysis
  - Until the next day, when Eric updated PECmd to parse prefetch files found in Alternate Data Streams
  Update: Hidden Prefetch Files Detection using New PECmd
  - Ali also shows how the InstallTime and InstallDate values in the registry show the same time in different formats
  Windows InstallTime vs InstallDate Registry Values
- Oleg Afonin at Elcomsoft provides a step by step guide to jailbreaking iOS devices and performing logical and full file system acquisitions using their iOS Forensic Toolkit
Step by Step Guide to iOS Jailbreaking and Physical Acquisition
- Joshua Hickman at ‘The Binary Hick’ takes a look at data left behind by the Snapchat v10.57.0.0 Android app
Two Snaps and a Twist – An In-Depth (and Updated) Look at Snapchat on Android
- Volume 29 of the Journal of Digital Investigation was released.
- Salvador Sánchiz at Security Art Work walks through the first part of the “Lionel Hutz papers” CTF
UCAM CTF Forense — Like old school
- The Trail of Bits blog demonstrates how to use osquery to detect some anti-forensics techniques.
Using osquery for remote forensics
THREAT INTELLIGENCE/HUNTING
- Chris Brenton at Active Countermeasures looks at when command and control beacon timing varies (jitter) and how it normalizes once looked at over longer periods of time.
Detecting Beacons With Jitter
- Adam at Hexacorn keeps dropping the mic this week:
  - Adam credits Philip Tsukerman for having previously identified msiexec subbing for rundll32.
  msiexec.exe as a LOLBIN
  - The run key series continues with a potential use for Windows Installer registry entries.
  Beyond good ol’ Run key, Part 105
  - Adam digs deeper into events related to attacks, policy violations, and more.
  Event, Event on the wall, who’s the fairest of them all? Part 2
  - Adam looks at the resource section of an executable and signing files with default versioninfo “TODO” properties.
  When your TODO list is always short of something…
  - And shares a persistence trick affecting Windows XP systems with Input Method Editors enabled (not by default)
  Beyond good ol’ Run key, Part 106
- Richard Bejtlich looks at how TLS 1.3 clear-text HTTP traffic appears in Corelight.
Investigating the Effects of TLS 1.3 on Corelight Logs, Part 1
- Eric John and Harlan Carvey look at increased TrickBot activity from GRIM SPIDER (a subgroup of WIZARD SPIDER).
Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER
- Samuel Alonso points us to the CMU Cyber Intelligence in the US report (176 page PDF).
Cyber Intelligence Tradecraft Report by Carnegie Mellon University
- There were a couple of posts by FireEye this week
  - Alice Revelli and Lee Foster examine English language Twitter accounts of supposed US politicians supporting Iran.
  Network of Social Media Accounts Impersonates U.S. Political Candidates, Leverages U.S. and Israeli Media in Support of Iranian Interests
  - Luke McNamara looks at entities across election systems, administration, and campaigns that are at risk for information and infrastructure hacks.
  Framing the Problem: Cyber Threats and Elections
- There were a couple of posts on the Fortinet blog this week
  - They share highlights from their report including the continued prevalence of ransomware and increased living off the land attacks.
  4 Takeaways for CISOs from the Fortinet Global Threat Landscape Report
  - Anthony Giandomenico examines what sources to trust for threat intelligence.
  Threat Intelligence and the Evolving Threat Landscape
- Raj Chandel at Hacking Articles uses PS empire for exfil via Dropbox.
Data Exfiltration using PowerShell Empire
- John Ferrell at Huntress Labs shares a shortcut (LNK) file launching PowerShell and reading obfuscated commands out of that LNK.
Deep Dive: A LNK in the Chain
- Daniel Berman at Logz.io shows how to use Filebeat, Kafka, Logstash, Elasticsearch, and Kibana to analyze data.
Deploying Kafka with the ELK Stack
- Matt Bromiley and Aaron Soto look at how – in the absence of a public PoC – to identify BlueKeep scanners and how to protect against BlueKeep exploitation.
What Happens Before Hello?
- Matthew Green discusses static detection for binary renaming including use of Yara and PowerShell.
Binary Rename 2
- Frank Duff at MITRE ATT&CK shares more about Round 2/APT29 testing including new detection categories such as an “innovative” modifier category and more technique scope information.
ATT&CK Evaluations Site Update: Round 2 Methodology and Technique Comparison Tool
- Michelle Martinez at Rapid7 summarises findings from the recent quarterly report including incoming remote connections and credential compromise.
Rapid7 Quarterly Threat Report: 2019 Q1
- Richard Bejtlich at TaoSecurity laments about who you can trust with your data, reiterating “if you are unable to securely operate information technology that matters, then you should not be supporting that IT.”
Know Your Limitations
- Rootsecdev writes about the ETERNALCHAMPION (likely not ETERNALBLUE) ransomware attack on Baltimore city systems and shows how to run that exploit on a 2008 R2 DC.
ETERNALBLUE, conducting a history lesson in exploitation
- Sandor Tokesi at Forensics Exchange releases a script (processAnalyzer.py) to look at parent-child relationships and more with osquery.
Malicious process analyzer
- There were a few posts on the SpecterOps blog this week
  - Roberto Rodriguez has released four parts of a series on threat hunting with Jupyter Notebooks including data analysis with Pandas and querying data.
  Threat Hunting with Jupyter Notebooks — Part 1: Your First Notebook
  - Jared Atkinson shares an example of Remote Services abuse and narrowing down Network (Type 3) logons.
  Diving into the Security Analyst’s Mind
- ThreatRecon Team at NSHC shares various threat actor group activity from March-April 2019 including groups they designate SectorA through SectorF.
Monthly Threat Actor Group Intelligence Report, April 2019
PRESENTATIONS/PODCASTS
- Adrian Crenshaw uploaded the presentations from Circle City Con 2019
- Veronica Schmitt has started a new show, Behind the Incident. The first episode covers the non-technical but still important topic of taking care of yourself.
Behind The Incident: Episode 1 – Just Take Five Minutes For Yourself.
- John Strand, Jordan Drysdale, and Kent Ickler at Black Hills Information Security demonstrate how to defend against a number of attacks previously covered
Webcast: Attack Tactics 6! Return of the Blue Team
- On this week’s Digital Forensic Survival Podcast, Michael talks about insecure deserialization.
DFSP # 171 – OWASP: Breakfast Cereal
- Rob Batzloff and JJ Cranford at OpenText talk about what’s new in EnCase Endpoint Security
What’s New in EnCase Endpoint Security
- Richard Davis at 13Cubed reviews a storage option for a DFIR Home lab
DFIR Home Labs – Storage Review
- SANS shared Whitney B. Merrill’s keynote from the 2019 CTI Summit
Privacy vs. Security: It’s a Log Story – SANS CTI 2019 Keynote
- I recorded my podcast for May
This Month In 4n6 – May – 2019
MALWARE
- 0verfl0w_ at 0ffset continues a lengthy analysis of ISFB (aka Ursnif or Gozi) code in the second loader.
Analyzing ISFB – The Second Loader
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ reviews Kerberos, NTLM, and the use of Golden Ticket attacks to discuss a Silver Ticket attack.
Some thoughts about Kerberos Golden Tickets
- Erik Pistelli at Cerbero Suite looks at how to decrypt strings with the latest Carbon Python SDK.
String decryption with Carbon
- Cisco’s Talos blog shares a history of the different types of ATM malware including common types like Ploutus.
10 years of virtual dynamite: A high-level retrospective of ATM malware
- Brandon Stultz at Cisco’s Talos blog discusses reversing the recent RDP exploit.
Using Firepower to defend against encrypted RDP attacks like BlueKeep
- Deron Dasilva and Milo Salvia at Cofense share PDFs linking to fake Microsoft support pages in an attempt to steal user credentials.
New Phishing Attacks Use PDF Docs to Slither Past the Gateway
- Philip Tully, Matthew Haigh, Jay Gibble, and Michael Sikorski at FireEye Threat Research look at extracting relevant strings from binaries – typically a human intensive process – using machine learning.
Learning to Rank Strings Output for Speedier Malware Analysis
- Joie Salvio at Fortinet looks at the Rocke cryptominer malware, which exploits Jenkins automation servers and uses malicious scripts hosted on Pastebin.
New Rocke Variant Ready to Box Any Mining Challengers
- Ignacio Sanmillan at Intezer introduces HiddenWasp Linux remote control malware, with similarities to Mirai and Azazel code.
HiddenWasp Malware Stings Targeted Linux Systems
- Shaul Holtzman at Intezer looks at developments with Chinese APTs including APT3 and ChinaZ.
Chinese APTs Rising: Key Takeaways from the Intezer Analyze Community in May
- Shusei Tomonaga at JPCERT/CC shares how the TSCookie malware patched a bug previously described at JPCERT and gives updated IOCs for the patched malware.
Bug in Malware “TSCookie” – Fails to Read Configuration – (Update)
- Leonid Grustniy at Kaspersky Lab gives a high level overview of the Baltimore RobinHood ransomware attack.
Baltimore encrypted
- Kindred Security shares cryptomining and RAT tools found on a personal honeypot including what Kindred dubs the Dota campaign.
Dota Campaign: Analyzing a Coin Mining and Remote Access Hybrid Campaign
- Hasherezade at Malwarebytes Labs shares a new sample of Chinese miner Hidden Bee.
Hidden Bee: Let’s go down the rabbit hole
- MalwareTech releases an analysis of PoC binaries related to BlueKeep.
Analysis of CVE-2019-0708 (BlueKeep)
- Mark Baggett at ‘In Depth Defense’ shares a Python script for identifying useful strings within an executable
New tool Freq_sort.py
- Sam Quinn at McAfee Labs gives an update on what may be one of the most important vulnerabilities in this week’s summary, one that could mess with your morning coffee if you’re a Mr. Coffee user.
Mr. Coffee with WeMo: Double Roast
- Mike at “CyberSec & Ramen” examines an Emotet sample that executes its PowerShell slightly differently to the usual Word doc to VBA code
Japan Themed Emotet Utilizes WMI to Execute Obfuscated PowerShell
- Didier Stevens at NVISO Labs shares how Word documents with online video content could, using JavaScript, launch arbitrary code.
Detecting and Analyzing Microsoft Office Online Video
- Robert Falcone and Tom Lancaster at Palo Alto Networks examine APT27 and SharePoint server compromise.
Emissary Panda Attacks Middle East Government Sharepoint Servers
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
  - Didier Stevens demonstrates “how to interpret nmap’s service fingerprint data for unknown services”
  nmap Service Fingerprint, (Mon, May 27th)
  - Xavier Mertens describes Microsoft’s Attack Surface Analyzer
  Behavioural Malware Analysis with Microsoft ASA, (Wed, May 29th)
  - Didier Stevens examines a maldoc
  Office Document & BASE64? PowerShell!, (Tue, May 28th)
  - Didier also examines some first stage shellcode
  Analyzing First Stage Shellcode, (Thu, May 30th)
  - And the second stage payload using Ncat
  Retrieving Second Stage Payload with Ncat, (Fri, May 31st)
- Ratnesh Pandey at Security Boulevard continues their Emotet banking trojan series by looking at the main payload.
The Emotet-ion Game (Part 3)
- Andrew Brandt and Vikas Singh at Sophos News examine an Apache Tomcat vulnerability being used to turn machines into cryptominers.
Worms deliver cryptomining malware to web servers
- Alfredo Oliveira at TrendMicro set up a Docker honeypot and found the zoolu2 Monero cryptocurrency repository.
Infected Cryptocurrency-Mining Containers Target Docker Hosts With Exposed APIs, Use Shodan to Find Additional Victims
- Trustlook blog looks at fake Android antivirus malware.
Security Application Review — Lionmobi
- Matthieu Faou and Romain Dumont at WeLiveSecurity look at PowerShell fileless malware attributed to the Turla group.
TA505 is Expanding its Operations
MISCELLANEOUS
- Richard Frawley at ADF demonstrates how to use a custom search profile in DEI to process non OS volumes
How to Scan a non OS Drive or Partition
- Brett Shavers at DFIR.Training announces the latest iteration of the forensic artifact database that he’s been compiling.
Forensic Artifact Database
- Chris Sanders discusses mental models that can be used in investigations.
Information Security Mental Models
- Brian Carrier describes some of the new features in the team version of Cyber Triage v2.7
Queue Incident Response Collections to Triage and Prioritize
- A couple of the previous DFRWS Rodeo challenges have been uploaded
- There were a few posts on Forensic Focus this week; they’ve started a “what’s happening in forensics” series (they’re different even though they’re all named the same)
  - What’s Happening In Forensics
  - What’s Happening In Forensics
  - What’s Happening In Forensics
  - They interviewed Kim Hyun-soo, CEO of HancomGMD
  Interview With Kim Hyun-soo, CEO, HancomGMD
  - And Christa Miller compiles some information about the dangers of threats to Industrial Control Systems and the role of digital forensics, incident response, and threat hunting
  The Opportunity In The Crisis: ICS Malware Digital Forensics
- Koen Van Impe demonstrates how to sync sightings between instances of MISP
Sync sightings between MISP instances
- Matt Seyer releases Python bindings for his Rust-based USN parser
Check out @forensic_matt’s Tweet!
- Patrick Siewert at Pro Digital Forensic Consulting shares some tips on report writing based on a recent case
Four Tips for Effective Forensic Report Writing
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — May 26 to June 1
SOFTWARE UPDATES
- Cellebrite released UFED PA 7.19, adding support for additional data in iOS full file systems
Surface key evidence from Apple devices and popular applications
- Didier Stevens updated a couple of his tools
- Eric Zimmerman updated PECmd, EvtxECmd, MFTECmd, Timeline Explorer, and his Get-ZimmermanTools script
ChangeLog
- ExifTool 11.48 was released with new tags and bug fixes
ExifTool 11.48
- AccessData announced new versions of AD Enterprise, AD Lab, and FTK
AccessData’s AD Enterprise Automates Early Data Collection
- GetData released Forensic Explorer v4.6.8.8566
25 May 2019 – v4.6.8.8566
- Joe Security released Joe Sandbox 26
Joe Sandbox 26.0.0 – Aquamarine is ready!
- Matt Bromiley has updated Pollen to v1.1
pollen version 1.1 — Codename Tsim Sha Tsui
- Netresec released CapLoader v1.8
CapLoader 1.8 Released
- Regipy v1.2.0 was released
1.2.0
- USB Detective v1.5.0 was released, adding support for LNK files and Jumplists, as well as other improvements
Version 1.5.0 (05/29/2019)
- Oxygen Forensics released v11.4 of their Detective product
Oxygen Forensics Detective v11.4 Release Notes
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!