Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’ examines chats from the Badoo Android app after identifying them with Magnet’s App Simulator.
Finding Badoo chats in Android using SQL queries and the MAGNET App Simulator
- Bryan Ambrose at Data Digitally looks at the Sticky Notes app on Windows 10, and how to recover previously held data using Volume Shadow Copies (VSS).
- Dr. Ali Hadi at ‘Binary Zone’ demonstrates how to acquire a remote volume using Netcat.
Forensic Acquisitions over Netcat
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’ dissects some digital photo forgeries.
- Jack Farley examines the OpenVPN iOS app.
Forensic Analysis of OpenVPN on iOS
- Jeffrey Wassenaar at Fox-IT advises of an issue with timestamp accuracy when exporting Windows Event Logs, and lists which timestamps various tools present.
Export corrupts Windows Event Log files
- Amber Schroader at Paraben looks at the hidden-photo-storage apps Calculator+ Photo Vault v8.8.0 (Android) and Fake Calculator v1.2 by Secret Calculator+ Photo Lock (iOS).
App Review of Calculator Photo Vault
- Passware provide a primer on BitLocker decryption.
BitLocker Decryption Explained
- Sandfly Security demonstrate how to recover a deleted binary from a running Linux process, as long as the process is still in memory.
How To Recover A Deleted Binary From Active Linux Malware
- Salvador Sánchiz at Security Art Work continues walking through the UCAM Forensic CTF.
UCAM CTF Forense — Like old school II
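The Sandfly item above covers recovering a binary that has been deleted from disk while its process is still running. The following is an added example, not code from the Sandfly post: it assumes the technique is reading the process’s /proc/<pid>/exe link, which the Linux kernel keeps pointing at the original inode (and suffixes with “ (deleted)”) after the path is unlinked. The planted copy of /bin/sleep is a stand-in for the malware, and the function names are my own.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile

# Assumed technique: on Linux, /proc/<pid>/exe is a magic link to the inode
# the process was exec'd from. Unlinking the path on disk does not free that
# inode while the process lives, so the file can still be read through /proc.


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def exe_link(pid: int) -> str:
    """Target of /proc/<pid>/exe; the kernel appends ' (deleted)' once the
    backing file has been unlinked."""
    return os.readlink(f"/proc/{pid}/exe")


def is_deleted_binary(pid: int) -> bool:
    """True when the process runs from a file that no longer exists on disk."""
    return exe_link(pid).endswith(" (deleted)")


def recover_binary(pid: int, dest: str) -> str:
    """Copy the still-mapped executable of a running process to dest and
    return its SHA-256. Opening /proc/<pid>/exe resolves to the original
    inode rather than the (now missing) path, so the bytes come back intact."""
    with open(f"/proc/{pid}/exe", "rb") as src, open(dest, "wb") as out:
        shutil.copyfileobj(src, out)
    return sha256_file(dest)


def demo_recover(binary: str = "/bin/sleep", args=("30",)) -> dict:
    """Stage the scenario end to end: plant a copy of a harmless binary,
    start it, delete it from disk, then recover it from /proc and compare
    hashes. The planted copy stands in for the malware. Linux only."""
    with tempfile.TemporaryDirectory() as tmp:
        planted = os.path.join(tmp, "planted")
        shutil.copy(binary, planted)
        os.chmod(planted, 0o755)
        # Popen only returns once the child has exec'd, so /proc/<pid>/exe
        # already points at the planted file here.
        proc = subprocess.Popen([planted, *args])
        try:
            os.unlink(planted)  # what self-deleting malware does after exec
            recovered = os.path.join(tmp, "recovered.bin")
            return {
                "pid": proc.pid,
                "exe_link": exe_link(proc.pid),
                "deleted": is_deleted_binary(proc.pid),
                "sha256_original": sha256_file(binary),
                "sha256_recovered": recover_binary(proc.pid, recovered),
            }
        finally:
            proc.kill()
            proc.wait()


if __name__ == "__main__":
    result = demo_recover()
    print(result["exe_link"])
    print("hashes match:", result["sha256_original"] == result["sha256_recovered"])
```

Listing every process whose exe_link() ends in “ (deleted)” is a cheap first triage pass on a live Linux host; recover_binary() then gives you something to hash and submit, even though find/ls no longer show the file. Once the process exits the inode is freed and this avenue is gone.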
THREAT INTELLIGENCE/HUNTING
- Chris Brenton at Active Countermeasures shares their free threat hunter training tutorials.
Free Threat Hunter Training
- Adam at Hexacorn posted every day this week!
  - Obfuscation and rickrolling with .pdbs?
  Playing with Program database paths…
  - An inelegant yet working way to use InstallShield installers to download executables.
  Using signed Installshield installers as downloaders
  - Fixing an issue with Adam’s PESectionExtractor.pl.
  Playing with section names…
  - Exploiting delay-loaded DLLs.
  Playing with Delay-Loaded DLLs…
  - tl;dr “Programs that load signed libraries only cannot be bad, right?” 😉
  Re-usigned binaries: Java’s nio.dll as a proxy for Windows API
  - Persistence related to the NVIDIA CUDA Toolkit.
  Beyond good ol’ Run key, Part 107
  - And more with NVIDIA, this time related to screen capture.
  Re-usigned binaries: NVFBC Screen & Video Capture library
- Liviu Arsene at Bitdefender Labs looks at the timeline of a Carbanak group attack.
An APT Blueprint: Gaining New Visibility into Financial Threats
- Joff Thyer at Black Hills Information Security shares the power of using dnstap to capture DNS data.
Tap Into Your Valuable DNS Data
- There were a couple of posts on the Carbon Black blog this week
  - Katie Dematteis and Jack Gregory look at LOLBins and LOLScripts (collectively LOLBAS).
  How Carbon Black is Prioritizing Living Off the Land Attacks
  - Peter Silberman and Mary Singh from Expel collaborate on a post covering the basics of threat hunting.
  Partner Perspectives: 3 Tips for Starting a Threat Hunting Program
- ClearSky digs further into the Iranian APT MuddyWater, detailing the technical and social engineering actions seen.
Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal
- Richard Bejtlich at Corelight continues his series examining the effects of TLS 1.3.
Investigating the Effects of TLS 1.3 on Corelight Logs, Part 2
- Brian Carrier discusses scoping during an incident.
How to Speed Up Incident Response: Faster Scoping
- Cylance examines recent findings related to AZORult.
Threat Spotlight: Analyzing AZORult Infostealer Malware
- There’s a post on the ‘Deriving Cyber Threat Intelligence and Threat Hunting’ blog on identifying suspicious strings in memory.
Suspicious Strings In Memory
- Charles Hamilton at FireEye Threat Research shares how pen testers can use Microsoft Component Object Model (COM) objects.
Hunting COM Objects
- Luke Rodeheffer at Flashpoint shares some of the ways cybercriminals target and defraud online gambling platforms.
Cybercriminals Continue to Target Online Gambling Platforms
- Monika Gupta at Huntress Labs looks at how to determine which hosts are vulnerable to BlueKeep.
Keeping up with BlueKeep
- Carly Schneider and Fredrik Gustafsson at Spotify Labs share how their Google Cloud backend is set up for security.
Painting a Picture of Your Infrastructure in Minutes
- Mathias Fuchs at CyberFox explains why process trees are not a complete picture of an attack.
Pitfalls of Process Monitoring
- Debbie Seres at Microsoft Security shares the last tip in the series on securing an environment, this time using Azure ATP.
Step 10. Detect and investigate security incidents: top 10 actions to secure your environment
- Olaf Hartong uses Sysmon data in Azure Sentinel for hunting.
Using Sysmon in Azure Sentinel
- Perched shares how to import Windows event logs (.evtx) into HELK (Hunting ELK) or Elastic.
Importing “.evtx” files into HELK or Elastic
- Meaghan Donlon at Rapid7 shares more of the 2019 Q1 threat report introduced last week.
Rapid7 Threat Report Meets MITRE ATT&CK: What We Saw in 2019 Q1
- Erin Groce at Red Canary shares an incident where malware was moving laterally through a network.
How an IT Service Provider and Red Canary Stopped a Malware Outbreak
- Samuel Alonso at Cyber IR examines layering other frameworks with ATT&CK.
Enterprise Threat Modeling and ATT&CK
- z3rotrust looks at the South-East Asia-focused APT group PLATINUM.
PLATINUM APT Found Using Text-based Steganography to Hide Backdoor
UPCOMING WEBINARS/CONFERENCES
- Brendan Morgan, Tom McNelia, and Elad Golan at Cellebrite will be hosting a webinar on the 2019 Industry Trends Survey on June 27, 2019 at 11AM (New York) / 4PM (London) and June 28, 2019 at 11AM (Singapore) / 1PM (Sydney).
2019 Industry Trends Survey: Law Enforcement Webinar
PRESENTATIONS/PODCASTS
- Veronica Schmitt interviewed Jake Williams for her “Behind the Incident” podcast/YouTube series.
Behind The Incident Episode 01 : Jake Williams aka MalwareJake
- Dave at Demux shared the recording of the recent webinar on DVR Examiner.
Recording of Webinar – Feature Focus – How DVR Examiner extracts inaccessible data!
- On this week’s Digital Forensic Survival Podcast, Michael talks about the potential effects of Intel’s Optane technology on DFIR.
DFSP # 172 – High Optane
- Rafal and James at ‘Down the Security Rabbithole’ continue their discussion with Gabe Bassett on the 2019 Verizon DBIR.
DtSR Episode 349 – Verizon 2019 DBIR Double-Live Part 2
- Jamey Tubbs shared his presentation on RAM forensics with AXIOM from Techno Security Myrtle Beach.
Check out @jameytubbs’ Tweet!
- MSAB released a short video advertising that XRY 8.0 is coming soon.
All new XRY 8.0 is coming soon
- OpenText shared a presentation from Harp Thukral and Simon Key on EnScript.
Customize your EnCase Investigations with EnScript Plug-ins
- Sarah Edwards at Mac4n6 shared her presentation from Objective by the Sea 2.0.
New Presentation from Objective by the Sea 2.0 – Watching the Watchers
MALWARE
- Jonathan Tanner at Barracuda looks at some basics of modular malware delivered by campaigns such as phishing.
Threat Spotlight: Modular Malware
- Danny Adamitis, David Maynor, and Kendall McKay at Cisco Talos look at a campaign from early 2019 that bundled together various open-source attack tools.
It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign
- Mila at contagio provides a download of HiddenWasp samples.
HiddenWasp Linux malware backdoor samples
- Swapnil Patil at FireEye Threat Research looks at the HAWKBALL backdoor, delivered by exploiting the Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802.
Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities
- Kai Lu at Fortinet goes into an Emotet dropper, its first payload, and its persistent payload.
A Deep Dive into the Emotet Malware
- G DATA SecurityBlog shares a little about three different pieces of malware.
Sodinokibi Spam, CinaRAT, and Fake G DATA
- Shusei Tomonaga at JPCERT/CC analyzes a shortcut (LNK) file and the downloader it delivers.
Attack Convincing Users to Download a Malware-Containing Shortcut File
- Kindred Security shares a lengthy post on cryptominer malware, including the dropper and C2.
Code Analysis of Basic Cryptomining Malware
- lasq at MalFind shares how to set up a MITM proxy for malware analysis.
Tips & tricks #1: MITM proxy with fakenet and realnet mode
- Jérôme Segura at Malwarebytes Labs looks at tampered JavaScript libraries served from Amazon’s CloudFront CDN.
Magecart skimmers found on Amazon CloudFront CDN
- Marco Ramilli shares “the APT34 Jason – Exchange Mail BF project to be leaked by Lab Dookhtegan on June 3 2019.”
APT34: Jason project
- Sergei Frankoff at OA Labs shares C++ concepts and what the corresponding code looks like in IDA Pro.
Reverse Engineering C++ Malware With IDA Pro: Classes, Constructors, and Structs
- Ruchna Nigam at Palo Alto Networks Unit 42 found a new Mirai variant targeting embedded devices.
New Mirai Variant Adds 8 New Exploits, Targets Additional IoT Devices
- Sandfly Security looks at detecting the recently discovered HiddenWasp Linux rootkit.
Detecting and De-Cloaking HiddenWasp Linux Stealth Malware
- There were a couple of posts on the SANS Internet Storm Center Handler Diaries
  - Xme shares how an attacker profiles systems with “a malicious Powershell script that uses WMI to extract the name of the installed antivirus and later exfiltrate it”.
  Keep an Eye on Your WMI Logs
  - Didier Stevens sheds light on why Base64-encoded PowerShell scripts (which are UTF-16LE underneath) contain so many “A”s.
  Tip: BASE64 Encoded PowerShell Scripts are Recognizable by the Amount of Letter As, (Mon, Jun 3rd)
- Securelist continues updating information on Zebrocy, which they first documented in 2015.
Zebrocy’s Multilanguage Malware Salad
- There were a couple of posts on the Trend Micro blog this week
  - Johnlery Triunfante shares how EternalBlue, DoublePulsar, and other exploits factor into the BlackSquid malware.
  BlackSquid Slithers Into Servers and Drives With 8 Notorious Exploits to Drop XMRig Miner
  - Janus Agcaoili looks at fileless Monero-mining attacks targeting mainly China.
  Monero-Mining Malware PCASTLE Zeroes Back In on China, Now Uses Multilayered Fileless Arrival Techniques
- Virus Bulletin shares the paper and talk by Peter Kálnai and Michal Poslušný on the Lazarus Group.
VB2018 paper: Lazarus Group: a mahjong game played with different sets of tiles
- ESET WeLiveSecurity look at the Canadian-based social search engine Wajam, which they classify as adware.
Wajam: From start-up to massively-spread adware
- There were a couple of posts on the Yoroi blog this week
  - They continue looking at Gamaredon attacks targeted against Ukraine.
  The Russian Shadow in Eastern Europe: A Month Later
  - They also share indicators of an Italian Sodinokibi campaign.
  Nuova Campagna di Attacco Ransomware/Sodinokibi (New Sodinokibi Ransomware Attack Campaign)
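Didier Stevens’ Internet Storm Center diary above points out that Base64-encoded PowerShell is recognizable by its many “A”s. The cause is that -EncodedCommand takes UTF-16LE, so every ASCII character is followed by a 0x00 byte, and each run of six zero bits encodes as “A”. The following is an added example (not code from the diary) that turns the observation into a hunt: it flags high-“A” Base64 tokens in log lines and decodes them as UTF-16LE. The sample log lines are constructed, and the 0.2 threshold and function names are my own choices.

```python
import base64
import re

# Base64 alphabet runs of at least 20 characters, optionally padded.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def encode_powershell(command: str) -> str:
    """Produce the argument PowerShell expects after -EncodedCommand:
    UTF-16LE text, then Base64. Each ASCII character becomes two bytes,
    the second of which is 0x00; every 6-bit group of zeros encodes as 'A',
    which is where the distinctive density of 'A's comes from."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def a_ratio(token: str) -> float:
    """Fraction of the token body (padding excluded) that is the letter 'A'.
    For UTF-16LE ASCII at least two of every eight characters are 'A', so
    the ratio is >= 0.25; Base64 of plain 8-bit text is typically near 0."""
    body = token.rstrip("=")
    return body.count("A") / len(body) if body else 0.0


def decode_utf16_base64(token: str):
    """Decode a token as Base64 -> UTF-16LE text, or return None if it is not
    valid Base64, has an odd byte length, or does not decode to clean text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) % 2:
        return None
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if not all(c.isprintable() or c.isspace() for c in text):
        return None
    return text


def find_encoded_commands(lines, threshold: float = 0.2):
    """Scan log lines for Base64 tokens whose 'A' density suggests UTF-16LE
    and return (line_index, decoded_command) for each one that decodes.
    The 0.2 threshold is an assumption chosen to sit below the 0.25 floor."""
    hits = []
    for i, line in enumerate(lines):
        for token in B64_TOKEN.findall(line):
            if a_ratio(token) < threshold:
                continue
            decoded = decode_utf16_base64(token)
            if decoded is not None:
                hits.append((i, decoded))
    return hits


# Constructed sample log lines (not from the diary). The first carries a
# -EncodedCommand payload built with encode_powershell(), which for
# "Write-Host 'hello'" is VwByAGkAdABlAC0ASABvAHMAdAAgACcAaABlAGwAbABvACcA;
# the second is ordinary Base64 of 8-bit ASCII and should not be flagged.
SAMPLE_LOGS = [
    "4688 powershell.exe -nop -w hidden -EncodedCommand "
    + encode_powershell("Write-Host 'hello'"),
    "4688 certutil.exe -decode "
    + base64.b64encode(b"hello world, this is plain ascii text").decode("ascii")
    + " out.bin",
]


if __name__ == "__main__":
    for idx, cmd in find_encoded_commands(SAMPLE_LOGS):
        print(f"line {idx}: {cmd}")  # prints: line 0: Write-Host 'hello'
```

The ratio check is only a cheap pre-filter; the decode step is what confirms the hit, and it rejects tokens that are valid Base64 but not UTF-16LE text (odd byte count, unpaired surrogates, control bytes). An attacker can lower the “A” density by encoding non-ASCII script text, so treat a low ratio as “not proven”, not as benign.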
MISCELLANEOUS
- Scott Vaughan at Berla advised that their new hardware case has begun shipping, and shared a couple of feature spotlights for their latest release.
- Brett Shavers shares a motivational post on learning DFIR. There’s no really easy way to do it, but the barrier to entry can be quite low overall. There’s free information online, there are free tools and datasets available; you just have to pick something and dedicate some time to it, documenting and building on your existing understanding.
The Easy Way To Learn DFIR
- Ariel Watson at Cellebrite shares a number of real-world case studies where UFED assisted in solving the case.
5 Real World Investigations Where UFED Ultimate Helped Solve the Case
- Teri Radichel describes her experience passing the GSE exam.
The SANS GSE
- There were a couple of posts on Forensic Focus this week
  - Oxygen Forensics have announced a partnership with Rank One Computing to integrate facial recognition.
  Oxygen Forensics Announces Facial Recognition
  - Hans Henseler reviews the UK Crown Prosecution Service (CPS) Disclosure Manual and provides “seven principles that will help streamline the review of digital material so that it better fits within the context of UK Disclosure requirements.”
  From Crime To Court: Review Principles For UK Disclosure
  - They also continued their ‘What’s Happening In Forensics’ series.
- Infosec Samurai reviews Circle City Con 2019.
Circle City Con 2019 Review
- Jake Williams at Rendition Infosec has announced that he is leaving SANS and will no longer be teaching there as of 2020.
Leaving SANS – The end of an era
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week.
Weekly News Roundup — June 2 to June 8
- SANS lists some reasons to attend the DFIR Summit in Austin. I’ve been a few times and it’s always a good time. Sadly I won’t be making it this year though!
Six Reasons You Don’t Want to Miss SANS DFIR Summit & Training 2019
- SANS have also opened an online store for some of their gear, with the proceeds going to Girls Who Code.
DFIR Gear
SOFTWARE UPDATES
- Plaso 20190531 was released.
Plaso 20190531 released
- Berla released iVe v2.4.
iVe Software v2.4 Release
- The DVR Examiner Filesystem Database was updated to version 3.0.5642.
DVR Examiner Filesystem Database Version 3.0.5642 released
- ElcomSoft Phone Breaker 9.10 was released, fixing the download of iCloud backups (including those protected by two-factor authentication) for iOS versions up to 12.4.
ElcomSoft Phone Breaker 9.10 fixes iCloud backups downloading for iOS 11.2-12.4
- KAPE 0.8.4.2 was released.
Kape Changelog
- ExifTool 11.49 was released with new tags and bug fixes.
ExifTool 11.49
- GetData released Forensic Explorer v4.6.8.8580.
03 June 2019 – 4.6.8.8580
- Magnet Forensics released AXIOM v3.2 with a variety of improvements, including additional artefacts, improved data recovery, and an updated SQLite viewer.
Magnet AXIOM 3.2 Now Supports Instagram Warrant Returns and Gets More Data from Macs
- “A new version of MISP (2.4.108) has been released with a host of new features, improvements and bugs fixed”
MISP 2.4.108 released (aka copy-paste-and-sync feature)
- IsoBuster 4.4 Beta was released, adding support for a variety of HDD video recorders.
IsoBuster 4.4 Beta released
- Ulf Frisk released MemProcFS v2.6.
Version 2.6
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!