Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Marco Fontani at Amped demonstrates how to use Authenticate to examine photos downloaded from social media
Sharing the Smoking Gun: Did You Know Amped Authenticate’s Camera Identification Can Work With Images From Facebook?
- Bryan Ambrose at Data Digitally uses bulk_extractor to extract a PCAP from a memory image
Extracting Pcap from a Memory Image
- CCL open sourced some Python scripts for “reading data and metadata from (potentially damaged) VHDX files.”
CCL Group open sources Python modules on GitHub
- Vladimir Katalov at Elcomsoft has written a comprehensive article on iOS acquisition, including initial collection steps to ensure the best chance of obtaining data
The Art of iPhone Acquisition
- Michael Karsyan demonstrates how to identify print server events with Event Log Explorer
How to track printer usage with event logs
- Jorge García at ‘Security Art Work’ examines an attempt to load malicious code into a web server
La importancia del bastionado de servidores – Parte 3. El incidente
- John Ball demonstrates a method of extracting Signal messages from the desktop application
Pulling encrypted Signal messages off of desktop OS’ for forensics
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn posted some good ones this week
- First up, a persistence trick under Wow64 that is Adam’s “favorite persistence trick of 2019 so far” – no spoilers here, check it out.
Beyond good ol’ Run key, Part 108
- Loading DLLs into Metro apps is awkward though doable – and documented here.
Beyond good ol’ Run key, Part 109
- Using a qt.conf INI file.
Beyond good ol’ Run key, Part 110
- Another persistence method involving Wow64 similar to the Part 108 post earlier this week.
Beyond good ol’ Run key, Part 111
- Atul Kabra covers searching for unusual things in endpoint telemetry.
Detecting the ‘unknown unknowns’
- Cyber Forensicator have shared an article on detecting the WMI Event Subscription persistence mechanism.
Using MITRE ATT&CK for Forensics: WMI Event Subscription (T1084)
- Whether your security interest is IoT, AI, or outsourcing your hunting, Cyberbit shares the 2019 SANS SOC Survey findings.
SANS Survey Highlights – 2019 Security Operations Center Survey
- Cylance breaks down the APT28 traffic proxy shared by CyberCom’s Cyber National Mission Force earlier this year.
Flirting With IDA and APT28
- Eric Lackey at Flashpoint looks at how to identify insider threats.
The Insider Threat Intelligence Cycle
- HolisticInfoSec reviews Commando VM from Mandiant, including how it can benefit both red and blue teams.
Commando VM: The Complete Mandiant Offensive VM
- Huy Kha looks at hiding Domain Admin activity.
Hiding in the shadows
- Tomoaki Tani at JPCERT/CC looks at a VBScript downloader delivered through a Shortcut file inside a Zip archive.
Spear Phishing against Cryptocurrency Businesses
- Katie Nickels at ‘Katie’s Five Cents’ adds CTI titles to your summer reading list.
A Top 10 Reading List if You’re Getting Started in Cyber Threat Intelligence
- Logz.io shares a list of open source tools including Grafana, Prometheus, and Graphite.
A Guide to Open Source Monitoring Tools
- Mark Mo plays with Mimikatz and Windows Defender.
NetKatz, Mimikatz to Hex and Defender groans but shrugs
- John Strand and Matt Alderman debate what threat hunting is and discuss staffing problems, including how to address them through training.
Threat Hunting – Enterprise Security Weekly #144
- Frank McClain at Red Canary covers DLL Hijacking and how it’s seen in EDR.
Hijack My, Hijack My, Hijack My DLL
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Machine Code? No!, (Mon, Jul 8th)
- Recent AZORult activity, (Thu, Jul 11th)
- Samba Project tells us “What’s New” – SMBv1 Disabled by Default (finally), (Wed, Jul 10th)
- Dumping File Contents in Hex (in PowerShell), (Wed, Jul 10th)
- Russian Dolls Malicious Script Delivering Ursnif, (Thu, Jul 11th)
- Guidance to Protect DNS Against Hijacking & Scanning for Version.BIND Still a Thing, (Sat, Jul 13th)
- Jean-Ian Boutin at WeLiveSecurity looks at the Buhtrap group exploiting a privilege escalation vulnerability.
Buhtrap group uses zero‑day in latest espionage campaigns
- John Strand at Active Countermeasures looks at commonly used port attacks, providing a pcap so you can follow along with the analysis.
Bypassing Beaconing Detection with Metasploit
UPCOMING WEBINARS/CONFERENCES
- Cellebrite has scheduled a few webinars for the near future
- Yohai West and Anastacia Ezrets will be hosting a webinar on identifying digital data on July 24, 2019 at 11AM (New York)/4PM (London) and July 25, 2019 at 11AM (Singapore)/1PM (Sydney)
Digital Data: Finding the Critical Connections in an Investigation
- Yohai West, Ben Armon and Andrew Fredericks from Cellebrite and Input-Ace will be hosting a webinar on video evidence on Aug. 28, 2019 at 11AM (New York)/4PM (London) and Aug. 29, 2019 at 11AM (Singapore)/1PM (Sydney)
Digital Data: New Innovations in the use of Video as an Evidence Source
- Jason Howell, Dan Embury, Paul Lorentz, and Muna Assi will be hosting a webinar on Cellebrite’s Advanced Services offering on Sept. 25, 2019 at 11AM (New York)/4PM (London) and Sept. 26, 2019 at 11AM (Singapore)/1PM (Sydney)
Digital Data: Accessing the Latest iOS & Android Devices for Investigations
- Kristian Lars Larsen at Data Narro advised that they will be hosting a webinar with Lorman Education Services on September 12th titled “Guide for Paralegals to Obtain Evidence from Electronic Devices”
A Guide for Paralegals to Obtain Evidence from Electronic Devices
PRESENTATIONS/PODCASTS
- Adrian Crenshaw has uploaded presentations from OISF 2019
- Veronica Schmitt interviewed Eric Zimmerman for her “Behind the Incident” podcast/YouTube series
Behind The Incident Eric Zimmerman
- On this week’s Digital Forensic Survival Podcast, Michael talks about the use of psexec by attackers
DFSP # 177 – PSEXEC Forensics
- Magnet Forensics shared a couple of presentations on using Axiom for malware investigations
- Paraben Corporation have uploaded a couple of short videos on processing email with E3
- SANS shared a couple of presentations from the 2019 CTI Summit
MALWARE
- What can we do about ongoing ransomware threats?
- In popular news, a recent meeting of US mayors agreed to no longer pay ransomware authors, and Talos weighed in on governments paying as well.
- The LooCipher ransomware that the Yoroi blog shared last week received more analysis this week from Jasper Manuel at Fortinet, and Marco Ramilli shares the ZLab decryption tool.
- Taking advantage of public attention around ransomware, Karsten Hahn at G Data Security looks at a ransomware removal tool that is anything but.
- 0verfl0w_ at 0ffset reposts a two-part post from their old website on Turla’s Keylogger.
Analyzing KSL0T (Turla’s Keylogger), Part 1 – Reupload
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ gives recaps of important posts from around the web this week
- The GitHub account of Canonical (the people behind the Ubuntu Linux distro) was compromised.
Canonical’s GitHub Account has been compromised!
- More on Cybereason’s Soft Cell announcement, where telco CDR data was breached.
Operation Soft Cell: threat actors are stealing years of call records from hacked telecommunication providers
- A summary of the Agent Smith malware; more detail by Check Point can be found below in this post.
‘Agent Smith’ malware has infected Android apps on 25 million devices
- Kaspersky on FinFisher mobile spyware.
New version of FinFisher spyware used to spy on iOS and Android users in 20 countries
- Liviu Arsene at Bitdefender Labs introduces a whitepaper (26 page PDF) on Astaroth targeting Brazil-based users.
Astaroth Trojan Resurfaces, Targets Brazil through Fileless Campaign
- Katie DeMatteis and Jack Gregory at Carbon Black recap recent blog posts on LoLBins and share some related ATT&CK techniques.
How Carbon Black is Prioritizing Living Off the Land Attacks Part 2
- Swee Lai Lee at Carbon Black also had a few ransomware writeups
- Israel Gubi at Check Point Research looks into the Smokeloader bot and new analysis evasion techniques.
The 2019 Resurgence of Smokeloader
- Aviran Hazum, Feixiang He, Inbal Marom, Bogdan Melnykov, and Andrey Polkovnichenko at Check Point Research share detailed findings on mobile malware that infects legitimate apps with code to deliver malicious advertisements. A summary writeup from Check Point can also be found here.
Agent Smith: A New Species of Mobile Malware
- Highlights from June according to Check Point Software include the rise of the XMRig cryptominer and Android malware like Lotoor.
June 2019’s Most Wanted Malware: Emotet Takes a Break, but Possibly Not for Long
- Danny Adamitis with Paul Rascagneres at Cisco Talos share new activity related to their previously identified “Sea Turtle” DNS hijacking campaign.
Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques
- Max Gannon at Cofense shares how multiple methods of infection were seen in a recent malicious Excel file.
Double Duty: Dridex Banking Malware Delivered with RMS RAT
- Kai Lu at Fortinet unpacks the IcedID banking trojan.
A Deep Dive Into IcedID Malware: Part I – Unpacking, Hooking and Process Injection
- G Data Security unpacks the Silentbruter data stealer.
A deeper dive into the “Silentbruter” malware – Internal folder structures revealed
- Shaul Holtzman at Intezer looks at shared code between new and old versions of the BlackSquid cryptominer and other malware.
Intezer Analyze Community: BlackSquid, RobbinHood Ransomware and More
- QNAPCrypt Linux ransomware (.encrypt) used a static list of bitcoin addresses for payment; through simulated victims, Ignacio Sanmillan writes, Intezer was able to exhaust this list to temporarily halt the campaign.
How We Seized 15 Active Ransomware Campaigns Targeting Linux File Storage Servers
- Pavel Shoshin at Kaspersky looks at commercial mobile spyware from Gamma Group.
FinSpy — commercial spyware
- Melissa at Sketchymoose’s Blog talks about JavaScript, PowerShell, and certutil (10 minute video).
Looking at Some Javascript
- Andrea Lelli at Microsoft Security debunks the invisibility of fileless malware like Astaroth.
Dismantling a fileless campaign: Microsoft Defender ATP next-gen protection exposes Astaroth attack
- Brad Duncan at Palo Alto Networks pulls malware information out of pcap files.
Using Wireshark: Exporting Objects from a PCAP
- Prakhar Shrotriya, Dhruval Gandhi, and Mohd Sadique at Zscaler share new developments in Magecart skimmer activity.
Magecart activity and campaign enhancements
- Sebdraven debunks the discovery of a new variant of APT Sidewinder.
Copy cat of APT Sidewinder ?
- Trend Micro had a few posts about mobile, IoT, and Windows malware
- Zuzana Hromcová at WeLiveSecurity writes that Korean TV fans who view programs using torrent sites are impacted by the GoBotKR backdoor.
Malicious campaign targets South Korean users with backdoor-laced torrents
- Antonio Farina, Davide Testa, and Luca Mella at Yoroi examine an .iso delivering the XpertRAT.
Spotting RATs: Tales from a Criminal Attack
MISCELLANEOUS
- Vitaliy Mokosiy at Atola advises that as part of the recent TaskForce update, Atola has included a Web API.
Atola TaskForce 2019.7 with Web API for Automation
- Richard Frawley at ADF demonstrates how to create a search profile for DEI Pro
Creating a Search Profile in DEI PRO
- Samuel Alonso shares links to a few cyber intel courses from Augusta University
Free cyber intelligence courses from Augusta university
- Cheryl Biswas shares some advice for submitting a presentation to an InfoSec con
Yes you can! Submitting an InfoSec CFP
- From memory OpenText released Encase 8.09 in the last few weeks but didn’t share out the release notes; Sunali Sagar describes the recent updates to Encase and Tableau
What’s New in OpenText Security
- There were a few posts on Forensic Focus this week
- Christa Miller has written a great article on the various capabilities of forensic tools to recognise and categorise media and text
Industry Roundup: Image Recognition And Categorization
- Nuix have posted a short case study of using their tools to analyse “three terabytes of data from disparate sources within the company.”
Global Development Company Uses Nuix To Analyze 3TB Of Data In Misconduct Probe
- Belkasoft have written an article on the various types of information that can be identified from the Win10 timeline and how to utilise BEC to examine the database that stores this information
How To Analyze Windows 10 Timeline With Belkasoft Evidence Center
- Scar De Courcier has written an overview of the program for Techno Security in San Antonio
Techno Security & Digital Forensics 2019 – San Antonio Sept 30 – Oct 2
- Jade James reviews Mobile Device Investigator From ADF
Review: Mobile Device Investigator From ADF
- Oxygen Forensics have summarised all that they have achieved over the last six months
6 Month Checkup At Oxygen Forensics
- Blackbag Technologies have announced a new Windows investigations course
BlackBag Technologies Announces New Windows® Forensic Investigations Course
- They also continued their ‘What’s Happening In Forensics’ series
- Megan Roddie shares her process for parsing memory dumps with Volatility and loading them into Graylog
Volatility Analysis with Graylog
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — July 7 to July 13
SOFTWARE UPDATES
- Amped released DVRConv Update 13785
DVRConv Update 13785: New Output Conversion and Frame Rate Options, Support for More New Formats and Format Variants
- Atola Insight Forensic 4.13.1 was released with a minor bug fix
Changelog
- As well as an update to their TaskForce firmware, 2019.7
TaskForce Changelog
- IREC was updated to v1.9.2
IREC Release Notes
- Eric Zimmerman updated RECmd to include some additional batch files
ChangeLog
- Evimetry v3.2.3 was released to fix some bugs
Release 3.2.3
- ExifTool 11.55 was released with new tags and bug fixes
ExifTool 11.55
- An update to F-Response v8 was released.
F-Response v8 – New Release, Cloud Updates, etc.
- GetData released Forensic Explorer 4.8.4.8680
13 July 2019 – 4.8.4.8680
- Maxim Suhanov updated his dfir_ntfs file system parser to v1.0.0-beta15
1.0.0-beta15
- Metaspike updated Forensic Email Collector to v3.9.2.0
Forensic Email Collector (FEC) Changelog
- “A new version of MISP (2.4.110) has been released with a host of new features, improvements, many bugs fixed and one security fix.”
MISP 2.4.110 released (aka local-tags and new MISP modules supporting MISP standard format)
- Compelson released the beta of MOBILedit Forensic Express 7.0
Beta of MOBILedit Forensic Express 7.0 Released!
- TestDisk and PhotoRec 7.1 were released
TestDisk 7.1 Release
- TZWorks released their July 2019 package, including a new tool to parse $MFT and $LogFile
July 2019 build (package)
- Ulf Frisk released MemProcFS version 2.7.1
Version 2.7.1
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!