Links only this week for the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares some free tools for acquiring data from an OS X system. I would recommend using this version of the pmem suite rather than the one linked to, however, as this is the one that Mike is actively maintaining.
OS X forensic acquisition: a basic workflow
- Cellebrite shared a couple of posts this week
  - Chen Kimhi gives a background of the various versions of the Telegram iOS app and its implications in forensic investigations, as well as an explanation of the “new proprietary format and a unique database structure”
  Why Decoding Both Versions of the iOS Telegram App is Critical to Investigations
  - The team also shared a new case study
  Multinational product fraud uncovered with digital evidence
- Chris Vance of Magnet Forensics fame has started a new blog, and will begin posting soon!
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
Beyond good ol’ Run key, Part 112
- Sankeerti Haniyur at AlienVault Labs
Entity extraction for threat intelligence collection
- Anton Chuvakin
Top 10 SIEM Log Sources in Real Life?
- TJ Nicholls at Black Hills Information Security
PyFunnels: Data Normalization for InfoSec Workflows
- Empow
Check out @empowcyber’s Tweet
- Koen Van Impe
Docker image for PyMISP (and create MISP data statistical reports)
- Evan Klein at Logz.io
The World Of Cloud-Native Monitoring
- Leandro Costantino and Cedric Cochin at McAfee Labs
The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End?
- Mike at “CyberSec & Ramen”
Malware Traffic Analysis Exercise (July 2019)
- Caleb Yu at Salesforce Engineering
GQUIC Protocol Analysis and Fingerprinting in Zeek
- Ryan Hausknecht at SpecterOps
Offensive Lateral Movement
- David French at Threat Punter
Detecting Adversary Tradecraft with Image Load Event Logging and EQL
UPCOMING WEBINARS/CONFERENCES
- Cellebrite will be running a webinar on digital evidence in human trafficking on Aug. 21, 2019 at 11AM (New York)
Digging for Digital Evidence in Human Trafficking
- A couple of dates of interest were announced for next year
PRESENTATIONS/PODCASTS
- Alexandre Borges shared the slides from his presentation at Defcon 2019
Check out @ale_sp_brazil’s Tweet
- The briefings from Blackhat 2019 were made available on their website
Blackhat 2019
- On this week’s Digital Forensic Survival Podcast, Michael discusses the Density Scout application
DFSP # 182 – Density Scout
- Kasasagi shared a presentation that they wrote on Mac forensics. I don’t speak Japanese so I can’t really comment on it, but hopefully Japanese readers will find it helpful
Check out @kasasagi_ta’s Tweet
- Similarly, a presentation by Sosuke Tokuda on Mac OS X Bookmark (alias) artefacts was shared.
Check out @stqp00’s Tweet
- Trey Amick at Magnet Forensics continues the Axiom at Work series, covering “how you can use Magnet.AI within AXIOM to quickly investigate an employee’s claim of harassment.”
AXIOM at Work: Magnet.AI in Harassment Investigations
- Mark Orlando shared the slides from his presentation at the Blue Team Village at Defcon 2019
Check out @markaorlando’s Tweet
- SANS shared the recent presentation by Anuj Soni on Ghidra
Ghidra Code Analysis with Anuj Soni
MALWARE
- Carbon Black
- Marcel Feller at Cofense
Remote Access Trojan Uses Sendgrid to Slip through Proofpoint
- Hod Gavriel at Cyberbit
HawkEye Malware Changes Keylogging Technique
- Cymulate Research Lab
Immediate Threat Analysis – New Dharma Ransomware Strain Found in the Wild
- Deriving Cyber Threat Intelligence and Threat Hunting
Extracting Sodinokibi Configuration
- Jasper Manuel at Fortinet
Fake Indian Income Tax Calculator Delivers xRAT Variant
- Karsten Hahn at G Data Security
Taming the mess of AV detection names
- Omri Ben Bassat at Intezer
MoP – “Master of Puppets” – Advanced malware tracking framework revealed at BlackHat Arsenal 2019.
- Malwarebytes Labs
- SANS Internet Storm Centre Handler Diaries
- TrendMicro
- Yoroi
New GoBrut Version in the Wild
MISCELLANEOUS
- Adam Harrison at 1234n6 advised that he will be doing a writeup of the Unofficial DEFCON DFIR CTF which he recently completed
2019 Unofficial DEFCON DFIR CTF Writeups
- Brett Shavers shares his experience in boot camp for the military and how the skills he learned there can be utilised for DFIR
Everything I Needed to know about working in DFIR, I Learned in Boot Camp
  - As well as providing a recommendation to test yourself against your previous work to identify if you’ve improved year on year
  Did you improve your DFIR skills at all?
- Bryan Ambrose at Data Digitally provides an overview of the CyLR live response tool
CyLR — Live Response Collection tool
- Chris Crowley has announced that his previous SOC Management class (SANS MGT517) has been revived externally to SANS
- Heather Mahalik explains her reasoning behind the move to Cellebrite
Mission Matters: That’s Why I Joined Cellebrite
- There were a couple of posts on Forensic Focus this week
  - They interview Scott Sattler about his work as an IR manager
  Scott Sattler, Incident Response Manager, HealthFirst
  - Jade James reviewed the recent update to Oxygen Forensic Detective
  Review: Oxygen Forensic Detective From Oxygen Forensics
  - They also continued their ‘What’s Happening In Forensics’ series
- Griffeye announced that they have added an integration for Two Hat Security’s Cease.ai
Griffeye Integrates with Two Hat Security’s CEASE.ai
- Matthew Toussain at Open Security shares a guide for building an index to prepare for a GIAC certification exam
Wargaming GIAC Certifications
SOFTWARE UPDATES
- Carlos Perez released v1.1 (Network Scooter) of the “PSGumshoe PS module for IR and Threat Hunting”
Check out @Carlos_Perez’s Tweet
- Eric Zimmerman updated RECmd, AppCompatCacheParser, and KAPE
ChangeLog
- ExifTool 11.62 was released with new tags and bug fixes
ExifTool 11.62
- OSForensics v7.0 build 1002 was released
V7.0 build 1002 15th August 2019
- radare2 was updated to v3.7.1
3.7.1
- Yogesh Khatri updated Mac_apt to v0.4.1
20190816
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!