Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Chris Vance at ‘D20 Forensics’ shares his research into the way that iOS 12 records notifications (per application, in an NSKeyedArchiver plist). Based on this research, Alexis Brignoni put his Python skills to work (and it looks like he used his learnings from our KnowledgeC parser) and has created a parser for the plists in the folder.
iOS 12 – Delivered Notifications and a new way to parse them
- Chris also finds SMS data outside of the typical messages databases.
Android – SMS Applications and that Syncing Feeling
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ describes how to generate a Volatility profile on a Linux host.
How to generate a Volatility profile for a Linux system
- There’s a post on the Cyber Triage blog about searching for various persistence mechanisms used by malware, and how to examine the data with Cyber Triage.
Intro to Incident Response Triage (Part 6): Malware Persistence
- Darkdefender walks through the Memory Forensics section of the Defcon Unofficial DFIR CTF.
Write-Up: Memory Forensics in the DEF CON DFIR CTF.
- Jai Minton has written up a walkthrough for the Unofficial Defcon DFIR CTF.
2019 Defcon DFIR CTF Write-up
- Alex Ocheme Ogbole at Hallym University demonstrates the binwalk tool over a dump of a chip to determine the file system.
File System Analysis with Binwalk
- Mari DeGrazia at ‘Another Forensics Blog’ shares “detailed instructions on how to use KAPE to collect triage data and generate a mini-timeline from the data collected.”
Triage Collection and Timeline Generation with KAPE
- Passware describe how to save the state of a password recovery attack and transfer it to another computer.
Transferring a Password Recovery Process to a Different Computer
- Sarah Edwards at Mac4n6 demonstrates how to use APOLLO to map locations in Google Earth.
iOS Location Mapping with APOLLO – I Know Where You Were Today, Yesterday, Last Month, and Years Ago!
- Phil Stokes at SentinelOne shares details on collecting useful information from macOS during an incident investigation.
macOS Incident Response | Part 1: Collecting Device, File & System Data
- Jeff Lomas at OSINTCurio.us demonstrates how to use open source cell tower data to provide additional data points to an investigation.
Making Sense of OSINT Cell Tower Data for DFIR
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn unveils all the Lolbins this week:
  - HP Printer Lolbin
  Sitting on the Lolbins, 1
  - Intel wireless Lolbin
  Sitting on the Lolbins, 2
  - Intel delayed launcher Lolbin
  Sitting on the Lolbins, 3
  - ASUS batch utility Lolbin
  Sitting on the Lolbins, 4
- FireEye had two posts on threat actors:
  - Alex Pennino and Matt Bromiley follow up on how FireEye was able to detect APT41, including the certutil detection and the use of HIGHNOON and China Chopper.
  GAME OVER: Detecting and Stopping an APT41 Operation
  - FireEye releases a 15 minute audio summary of their “Cyber Threats and Healthcare” report.
  Healthcare: Research Data and PII Continuously Targeted by Multiple Threat Actors
- Blake Strom at the MITRE ATT&CK blog solicits community feedback on adding sub-techniques in ATT&CK.
ATT&CK Sub-Techniques Preview
- Tony Lambert and Brian Donohue at Red Canary discuss Volume Shadow Copy (VSC) deletion by attackers using vssadmin.exe and numerous ways to detect this activity.
It’s all fun and games until ransomware deletes the shadow copies
- Tal Eliyahu at SentinelOne writes about unintentional insider threats and their impact on an organization, citing case studies related to banks.
Insider Threats | From Malicious to Unintentional
- Russel Van Tuyl at SpecterOps writes about encrypted message traffic in a post-exploitation scenario using Merlin.
Merlin Goes OPAQUE for Key Exchange
- Rick Yocum at TrustedSec lists the top ten ATT&CK techniques and some associated tactics.
Top 10 MITRE ATT&CK™ Techniques
UPCOMING WEBINARS/CONFERENCES
- Drew Fahey and Ashley Hernandez at BlackBag Technologies will be hosting a webinar on the recent updates to BlackLight on August 29th at 2:00pm EST.
What’s New in BlackLight 2019 R2
- Heather Mahalik and Shahar Tal at Cellebrite will be hosting a webinar on overcoming Android device acquisition and password brute forcing on Sept. 11, 2019 at 11AM (New York)/4PM (London) and Sept. 12, 2019 at 11AM (Singapore)/1PM (Sydney).
Accessing the Inaccessible: Overcoming the Challenge of Encryption
- Heather will also be hosting a webinar with Eric Olsen on “the methodologies and capabilities of both current and future eDiscovery solutions.” The webinar will take place “Sept. 4, 2019 at 11AM (New York)/4PM (London) and Sept. 5, 2019 at 11AM (Singapore)/1PM (Sydney).”
Mastering the Mobile Device Challenge in eDiscovery
- The agenda for OSDFCon 2019 has been released.
2019 Agenda
PRESENTATIONS/PODCASTS
- AccessData shared a couple of videos about Quin-C features.
- Black Hills Information Security shared a presentation on implementing Sysmon and AppLocker.
Implementing Sysmon and Applocker
- On this week’s Digital Forensic Survival Podcast, Michael discusses WMI attacks.
DFSP # 183 – WMI Forensics
- SANS shared a number of recent presentations by various instructors.
MALWARE
- Yup, Emotet is back. Now on to the rest of this week’s malware news.
Emotet is back!
- attackd0gz-sec shares malware analysis basics, including the difference between static and dynamic analysis.
Malware Research Explained, Part 1
- James Quinn at Binary Defense traces a new TrickBot gtag campaign and its exploitation flow.
TrickBot: Ono! New Tricks!
- Liviu Arsene and Eduard Budaca at Bitdefender Labs introduce the Beapy/PCASTLE cryptominer and worm delivered via a supply chain attack, and share a white paper (36 page PDF) on the topic.
Worm-Cryptominer Combo Lets You Game While Using NSA Exploits to Move Laterally
- Swee Lai Lee at Carbon Black gives information about GermanWiper “ransomware.”
CB TAU Threat Intelligence Notification: GermanWiper Ransomware
- Milo Salvia at Cofense looks at a PDF delivering the Adwind infostealer (aka JRAT / SockRat).
New Phishing Campaign Bypasses Microsoft ATP to Deliver Adwind to Utilities Industry
- Patrick Wardle’s Mac malware talk from DEF CON is up on YouTube (49 minutes).
DEF CON 27 – Patrick Wardle – Harnessing Weapons of Mac Destruction
- Evgeny Ananin and Artem Semenchenko at Fortinet examine a potentially politically motivated WinRAR campaign by the Gamaredon Group.
The Gamaredon Group: A TTP Profile Analysis
- Leonid Grustniy at Kaspersky Lab details Syrk ransomware (.SYRK extension), which masquerades as a Fortnite cheat pack, and gives information about how to recover files without paying the ransom.
Syrk ransomware lurking in Fortnite cheat pack
- Jérôme Segura at Malwarebytes Labs shares updated details about Magecart credit card skimmers.
Magecart criminals caught stealing with their poker face on
- MalwareTech analyzes recently patched Microsoft RDP vulnerabilities.
DejaBlue: Analyzing a RDP Heap Overflow
- OALabs unpacks the Remcos RAT in a 12 minute YouTube video.
Remcos RAT Unpacked From VB6 With x64dbg Debugger
- Zhanhao Chen, Jun Javier Wang, and Kelvin Kwan at Palo Alto Networks note activity around the huge number of newly registered domains every day (~200,000) and how those relate to malware distribution.
Newly Registered Domains: Malicious Abuse by Bad Actors
- Lonnie Best at Rapid7 traces a credential scraping attack and the MDR team’s response to the attacker.
How Attackers Can Harvest Users’ Microsoft 365 Credentials with New Phishing Campaign
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries.
- There were a couple of posts on the Trend Micro blog:
  - Miguel Ang, Erika Mendoza and Buddy Tancio look at an EternalBlue related attack in the Asia-Pacific region.
  Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response
  - Ian Mercado and Mhica Romero examine the Asruex backdoor as delivered by a PDF.
  Asruex Backdoor Variant Infects Word Documents and PDFs Through Old MS Office and Adobe Vulnerabilities
- Martijn Grooten at Virus Bulletin recaps how Kaspersky, Cylance, and ESET have all written about the Machete threat actor, and previews the upcoming research by Veronica Valeros, Maria Rigaki, Kamila Babayeva, and Sebastian Garcia.
VB2019 preview: A study of Machete cyber espionage operations in Latin America
MISCELLANEOUS
- There were a couple of posts by Richard Frawley on the ADF blog this week:
  - He demonstrates how to acquire an iOS device backup using DEI PRO.
  Create a Forensic Backup of an iOS Device with DEI PRO
  - Richard also explores “the Text Analytics capabilities built into ADF’s digital forensic software with the integration of Rosoka.”
  Rosoka Add-on Powerful Text Analytics
- Brett Shavers at DFIR.Training describes the various test images and CTFs categorised by the site.
Forensic Test Images
- Ariel Watson at Cellebrite describes a homicide case where data from a mobile device proved critical.
Extracted Google location data proves turning point in solving homicide case
- Darkdefender reviewed their experience at the recent Defcon.
A Week in Vegas
- There were a few posts on Forensic Focus this week:
  - They interviewed Nicole Odom from the Virginia Department of Forensic Science.
  Interview With Nicole Odom, Forensic Scientist, Virginia DFS
  - Oxygen Forensics have a post on the options for acquiring data from a Huawei device.
  Huawei Device Support In Oxygen Forensic Detective
  - Berla and BlackBag have announced a partnership.
  BlackBag Announces New Partnership With Berla
  - They also continued their ‘What’s Happening In Forensics’ series.
- Jim Hoerricks at ‘Forensic Video and Image Analysis’ comments on the need for multiple tools to provide “the greatest coverage possible for the evidence that arrives at your lab.”
Fusion-based approach to digital and multimedia forensics
- Jonathan Castro at “Cyber Curiosity” has started a blog and posts about his background, as well as an overview of cloud computing.
An brief overview of the cloud
- Filip Jadczak at Magnet Forensics answers some questions about the usability features in AXIOM.
Our Approach to Usability Within AXIOM: A Q&A with Filip Jadczak
- Melanie Maynes at Microsoft Security shares how multifactor authentication (MFA) can stop most attacks.
One simple action you can take to prevent 99.9 percent of attacks on your accounts
- Russ McRee at HolisticInfoSec gives an overview of Eric Zimmerman’s KAPE and demonstrates its usage against an “attacker” using SharpDump and Mimikatz.
KAPE: Kroll Artifact Parser and Extractor
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the last couple of weeks.
- A second edition of the X-Ways Forensics Practitioner’s Guide has been announced.
XWF 2E
SOFTWARE UPDATES
- ADF Solutions released new Pro versions of their tools, as well as updates to various products.
ADF Releases New Digital Forensic Software to Power Field Investigations
- Berla released v2.4.1 of iVe.
iVe Software v2.4.1 Release
- WinPmem v3.3 was released.
Release 3.3
- Eric Zimmerman updated his Get-ZimmermanTools script.
ChangeLog
- ExifTool 11.63 was released with new tags and bug fixes.
ExifTool 11.63 – “PNG Early Text”
- Magnet Forensics updated AXIOM to v3.5.
Magnet AXIOM 3.5 Includes Apple Warrant Returns and User Experience Improvements
- “A new version of MISP (2.4.113) with tons of fixes and small improvements.”
MISP 2.4.113 released (aka the bugs fixing marathon)
- MSAB released XRY 8.0.2.
Now released: XRY 8.0.2
- OSForensics V7.0 build 1003 was released.
V7.0 build 1003 23rd August 2019
- Ulf Frisk released MemProcFS version 2.8.
Version 2.8
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!