Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, Thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Brian Moran at BriMor Labs shares the process that he uses “to rearrange and correlate RDP Bitmap Cache data in Photoshop”
Phinally Using Photoshop to Phacilitate Phorensic Analysis
- DME Forensics have a post demonstrating how DVR Examiner deals with data that is inaccessible to the DVR
Inaccessible Data Recovery with DVR Examiner
- Dr. Ali Hadi at ‘Binary Zone’ walks through the process of acquiring memory on an Ubuntu machine using AVML and then building the requisite Volatility profile to process it
Acquiring Linux Memory using AVML and Using it with Volatility
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’ continues his investigation into the photo manipulation by the AvtoVAZ group
Fraud and Deception (Part 4): Photo Stamping
- Vladimir Katalov at Elcomsoft posted a couple of times this week
- He provides some considerations when creating and dealing with iPhone backups
The Most Unusual Things about iPhone Backups
- As well as an acquisition guide for Apple TV and Apple Watch
Apple TV and Apple Watch Forensics 01: Acquisition
- Magnet Forensics posted a new whitepaper on MacOS/APFS
White Paper: Magnet AXIOM and macOS/APFS
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn posted twice:
- Adam posts about massaging threat intel data in Excel using Levenshtein distance.
The Missing Excel Move
- And how to make a process “disappear” to process monitoring.
DefineDosDevice symbolic link trick
- Jaime Blasco at AlienVault / AT&T looks at injection in Linux systems and how to hunt for this activity.
Hunting for Linux library injection with Osquery
- Chris Morales at AMS Vectra Blog also posted twice this week:
- He looks at healthcare incidents within the latest Verizon and Vectra 2019 reports, including erroneously reported incidents.
Comparing Vectra and Verizon threat research
- Chris also covers the basics of the attack lifecycle.
THREAT BEHAVIORS IN THE ATTACK LIFECYCLE
- Cyber Forensicator shares the release of memhunter from Marcos Oviedo an “endpoint sensor tool that is specialized in detecting resident malware.”
Automated Hunting of Memory Resident Malware at Scale
- Brian Carrier at Cyber Triage resumes a series on “Intro to IR,” sharing questions to ask and how to address user activity investigations.
Intro to Incident Response Triage (Part 3): User Enumeration
- Jimmy Wylie at Dragos verifies the new DoS vuln with information from Project Zero and a test.
Examining the SymCrypt DoS Vulnerability
- Koen Van Impe at vanimpe.eu looks at honeypot data with MISP feeds.
Feed honeypot data to MISP for blocklist and RPZ creation
- John Wunder at MITRE ATT&CK shares different ways to use ATT&CK detections for investigators and organizations ranging from new to mature. John suggests, for example, starting with process and command line monitoring before putting together a purple team.
Getting Started with ATT&CK: Detection and Analytics
- Neil Thacker at Netskope shares a case study of a malicious DNS redirection issue that was seen and solved in-house.
Customer Zero: a case study
- Terrance DeJesus at NTTSecurity shares examples of LOLBins, benign tools used in malicious ways, and their ATT&CK mappings.
Living-off-the-Land blog series
- Quentin Jerome at rawsec examines Sysmon Network Connection logs and the validity of DestinationHostname data with the latest Windows Host IDS (WHIDS).
Overcoming Domain Name Resolution Issue in Sysmon
- Whitney Champion at Recon InfoSec discusses fine tuning threat signatures in Graylog using Python and Ansible.
Automating Graylog Pipelines
- Brian Donohue at Red Canary shines a spotlight on their new director of intelligence, Jeff Felling.
From the cryptoquip to threat hunting: meet Jeff Felling
- The Symantec DeepSight Adversary Intelligence Team examines Waterbug (Turla) attacks evolving from the Neptun backdoor, to a Meterpreter campaign, to a remote procedure call backdoor.
Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments
- Lamine Aouad at Tenable shares how to start with vulnerabilities then consider attackers and the threat landscape when looking at threat modeling.
Threat Modeling: What You Need to Know About Prioritizing Attacks and Vulnerabilities
- ZecOps Blog looks at what they call the “DoubleNull” bug allowing privilege elevation in sub-iOS 12.3 MDM/EMM environments.
DoubleNull Part II: Rare MacOS / iOS DFIR Opportunity: Evidence of *Local* Privilege Escalation in *Network* Traffic!
UPCOMING WEBINARS/CONFERENCES
- Yuri Gubanov at Belkasoft will be hosting a webinar on Telegram Messenger on July the 3rd at 17:00 CEST / 8:00 am PDT / 11:00 am EDT
Webinar on Telegram Messenger Investigation on Mobile Devices
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded the presentations from Bsides Cleveland 2019
- Belkasoft shared their presentations from Techno Security Myrtle Beach
- Veronica Schmitt interviewed O’Shea Bowens for her “Behind the Incident” podcast/Youtube series
Behind The Incident O’Shea Bowens
- On this week’s Digital Forensic Survival Podcast, Michael spoke about the challenges when dealing with VMEM files from Virtual Machines
DFSP # 174 – The VMEM Experience
- Hasherezade demonstrated some of the new features in PE-sieve (v0.2.1)
PE-sieve v0.2.1 release notes – import recovery & unpacking UPX (part 1)
- OALabs have posted a tutorial on “how to identify, verify, and decrypt RC4 encryption in malware using IDA Pro and the x64dbg debugger.”
Reverse Engineering RC4 Crypto For Malware Analysis
- Richard Davis at 13Cubed has uploaded a tutorial on searching for “Auto-Start Extensibility Points (ASEPs) directly from memory” with Volatility
Detecting Persistence in Memory
- Sarah Edwards at Mac4n6 shares a presentation from MacDevOpsYVR 2019 on her APOLLO framework (which you can vote for in the 4Cast Awards here)
New Presentation from MacDevOpsYVR 2019 – Launching APOLLO: Creating a Simple Tool for Advanced Forensic Analysis
MALWARE
- Kate Brew at AlienVault / AT&T shares a transcript from the AT&T show ThreatTraq discussing ransomware.
GandCrab Ransomware Shuts Its Doors | AT&T ThreatTraq
- Bogdan Botezatu at Bitdefender Labs looks back on the trajectory and reach of GandCrab and shares a decryption tool.
Good riddance, GandCrab! We’re still fixing the mess you left behind.
- Erik Pistelli at Cerbero Suite shares new features in the Carbon disassembler including support for ELF files.
Cerbero Suite 3.1 is out!
- Yaroslav Harakhavik and Aliaksandr Chailytko at Check Point Research look at how DanaBot has evolved from a malware that could spread spam and install a RAT to more recently dropping ransomware.
DanaBot Demands a Ransom Payment
- Ofir Almkias at Cybereason shares how the Adobe Worm Faker uses multiple layers of obfuscation and LOLBins to propagate and gain persistence.
Adobe Worm Faker Uses LOLbins And Dynamic Techniques To Deliver Customized Payloads
- Xiaopeng Zhang at Fortinet looks at the HawkEye keylogger spread via phishing email as well as the collection capabilities observed.
Analysis of a New HawkEye Variant
- Thomas Reed at Malwarebytes Labs shares how a cryptominer masquerading as DJ software runs on a Mac via Linux emulation.
New Mac cryptominer Malwarebytes detects as Bird Miner runs by emulating Linux
- Marco Ramilli thinks about the idea of targeted attacks as well as an examination of an “untargeted” attack.
From Targeted Attack to Untargeted Attack
- Raj Samani at McAfee Labs summarizes the lengthy paper In NTDLL I Trust by Eoin Carroll, Cedric Cochin, Steve Povolny, and Steve Hearnden, released by McAfee this week, on process reimaging: a post-exploitation technique to bypass endpoint security solutions.
Why Process Reimaging Matters
- Tarun Dewan and Lenart Brave at Zscaler look at new malware targeting individual (non-POS) debit and credit card information.
Felipe, a new infostealer Trojan
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Brad Duncan looks at network traffic seen related to the Rig exploit kit.
An infection from Rig exploit kit, (Mon, Jun 17th)
- Didier Stevens looks at how to turn on Sysmon DNS logging as seen in the Windows event log.
Sysmon Version 10: DNS Logging, (Sun, Jun 16th)
- Brad Duncan also looks at the banking trojan Dridex and shares an example and pcap traffic.
Malspam with password-protected Word docs pushing Dridex, (Tue, Jun 18th)
- Johannes Ullrich shares logs related to unpatched Exim servers vulnerable to CVE-2019-10149.
Quick Detect: Exim “Return of the Wizard” Attack, (Wed, Jun 19th)
- Johannes also looks at Linux/FreeBSD vulnerabilities related to Selective TCP Acknowledgment.
What You Need To Know About TCP “SACK Panic”, (Tue, Jun 18th)
- Rob VandenBrink looks at how to get port information out of a netstat dump.
Netstat Local and Remote -new and improved, now with more PowerShell!, (Fri, Jun 21st)
- Anton Kuzmenko at Securelist examines the plugins available in the Plurox backdoor.
Plurox: Modular backdoor
- TrendMicro had a few posts
- Ecular Xu and Grey Guo look at GolfSpy malware in various apps from Google Play targeting Middle Eastern countries.
Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East
- Jindrich Karasek looks at mobile cryptocurrency miners delivered over ADB and spread via SSH.
Cryptocurrency-Mining Botnet Malware Arrives Through ADB and Spreads Through SSH
- Moony Li and Lilang Wu share a macOS vulnerability related to memory corruption fixed in a patch last month from Apple.
CVE-2019-8635: Double Free Vulnerability in Apple macOS Lets Attackers Escalate System Privileges and Execute Arbitrary Code
- Michal Malik at WeLiveSecurity/ESET examines a Linux cryptocurrency miner delivered via pirated Visual Studio software.
LoudMiner: Cross-platform mining in cracked VST software
MISCELLANEOUS
- Paul Sanderson has announced that his tools are now being actively distributed by Teel Technologies
- Sam Holt at AccessData describes a system for soliciting data from the public during a major incident
Could we be more proactive with the cloud for a ‘Hot’ crime scene?
- Brett Shavers at DFIR.Training has a post about meeting people in the field through associations and organisations, and the various considerations when choosing one
DFIR Folks are EVERYWHERE (if you know where to look)!
- There were a few posts on Forensic Focus this week
- Patrick Doody shared his path into digital forensics
My Digital Forensics Career Pathway
- BlackBag Technologies announced a partnership With Semantics 21
BlackBag Technologies Announces Partnership With Semantics 21
- They interviewed Richard Frawley from ADF
Interview With Richard Frawley, Digital Forensic Specialist, ADF Solutions
- As well as Keith Lockhart from Oxygen Forensics
Interview With Keith Lockhart, Director Of Training, Oxygen Forensics
- Forensic Focus also continued their ‘What’s Happening In Forensics’ series
- Joshua Hickman at ‘The Binary Hick’ has a lengthy post on looking after your mental health when working in DFIR, as well as how he looks after his teammates’ mental health at work
Me(n)tal Health in DFIR – It’s Kind of a Big Deal
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the last couple of weeks
- Xavier Mertens at the SANS Internet Storm Centre demonstrates how he uses a travel packing app to organise his Go Bag
Using a Travel Packing App for Infosec Purpose, (Thu, Jun 20th)
- Michael Hale Ligh at Volatility Labs announced the annual Volatility Plugin, and Analysis contests
The 7th Annual Volatility Plugin Contest & the 2nd Annual Volatility Analysis Contest!
- Olga Milishenko at Atola demonstrates how to wipe up to 18 drives simultaneously with the TaskForce
Wiping 18 drives simultaneously with TaskForce
SOFTWARE UPDATES
- Amped Five update 13609 was released
Amped FIVE Update 13609: Introducing the Copy and Verify Tool and More Updated Features
- Eric Zimmerman updated PECmd, Registry Explorer, RECmd, and TLE
ChangeLog
- Evimetry v3.2.2 was released with a number of improvements and bug fixes
Release 3.2.2
- ExifTool 11.52 was released with new tags and bug fixes
ExifTool 11.52
- Hex Rays updated IDA to v7.3
IDA: What’s new in 7.3
- Metadata Interrogator v0.7 was released
v0.7 released!
- MSAB released XRY 7.12.3
XRY 7.12.3 now released
- OpenText™ EnCase™ Forensic 8.09 is now available, but release notes are behind a login page
- Passware Kit 2019 v3 was released
Passware Kit 2019 v3
- IsoBuster 4.4 was released with a number of improvements and bug fixes
IsoBuster 4.4 released
- X-Ways Forensics 19.8 SR-6 was released with some bug fixes
X-Ways Forensics 19.8 SR-6
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!