Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Chris Vance at ‘D20 Forensics’ explores the location data stored by the Tile app on Android
Android – Locating Location Data: The Tile App
- Todd Reid at Cisco shared some documentation for obtaining forensic evidence from various Cisco platforms, such as “devices that run Cisco IOS and IOS XE Software, and devices that run Cisco ASA or Firepower Threat Defense (FTD) Software.”
New Forensic Investigation Procedures for First Responder Guides
- There’s a post on Hackers Arise about accessing stored browser passwords on live machines; you can do a similar thing if you virtualise a system, or copy out the user’s browser history into your own VM.
Digital Forensics, Part 11: Recovering Stored Passwords from the Browser
- Ozan Unal shares a writeup of the 2019 Unofficial DEFCON DFIR CTF
Defcon DFIR CTF 2019 Writeup
- Sarah Edwards at Mac4n6 shares details of a recent fix to APOLLO that adds mapping for cellular and wifi locations
iOS Location Mapping with APOLLO – Part 2: Cellular and Wi-Fi Data (locationd)
- Phil Stokes at SentinelOne walks through examining various sqlite databases on MacOS to track user activity
macOS Incident Response | Part 2: User Data, Activity and Behavior
THREAT INTELLIGENCE/HUNTING
- Ian Beer at Google’s Project Zero unveiled an iPhone 0-day campaign in which users who visited a website were exposed to various exploit chains; the bugs were fixed with an out-of-band iOS release in Feb 2019. For details on the various exploits and the data-stealing and location-sharing implant, see the links at the bottom of this post.
iOS Compromise from Google Project Zero
- Adam at Hexacorn more than doubles the number of Lolbins from last week:
  - ASUSTeK KillProcess
  Sitting on the Lolbins, 5
  - Dell launchers using GetPrinterDriverDirectory API
  Sitting on the Lolbins, 6
  - Dell User’s Guide Launcher
  Sitting on the Lolbins, 7
  - Dell Setup Launcher
  Sitting on the Lolbins, 8
  - On libraries written by one company but signed by another, and often whitelisted
  Sitting on the Lolbins, 9
  - Dell’s Viewer Executable
  Sitting on the Lolbins, 10
  - Dell WebUpdater Executable
  Sitting on the Lolbins, 11
  - On KnownManagedDebuggingDlls and MiniDumpAuxiliaryDlls
  Beyond good ol’ Run key, Part 113
  - A lengthy post on unintended data leakage, focusing on user-friendly dictionary or translation software – is what you type locally being sent remotely?
  That’s a very fine Chardonnay you’re not drinking
  - And a look at PDB paths from primarily clean files
  PDB Goodness
- Anton Chuvakin on using current threat intel to look back at older telemetry data.
About Threat Intel Retro-Matching
- Thierry Viaccoz at Compass Security Blog shares an example of privilege escalation using mimikatz.
Privilege escalation in Windows Domains (3/3)
- Cylance examines an APT28 sample for a backdoor and data stealer.
Inside the APT28 DLL Backdoor Blitz
- Jordan Potti looks at the flow of a phishing attack with single sign-on providers.
Phishing with SAML and SSO Providers
- Mike at “Cyber & Ramen” examines the network traffic of an Excel dropper.
Quick Network Analysis of Excel Document Utilizing WS-Discovery Protocol
- Michael Haag at Red Canary looks at macros that attempt to evade Microsoft EMET’s attack surface reduction and uses the HTA Atomic Test. In addition to the blog post, an hour-long webinar on gaining initial access is embedded for additional context.
Testing initial access with “Generate-Macro” in Atomic Red Team
- Syed Ishaq shares commands that can be run on a live Linux system to assess if it is compromised, including seeing who else is on the box and how to review the most recently changed files.
A quick set of anomalies to look for to identify a compromised Linux system
- ThreatRecon reviews Russian group SectorJ04 and the broad range of industries, countries, and techniques (backdoor RATs) recently seen.
SectorJ04 Group’s Increased Activity in 2019
- Hara Hiroaki, Jaromir Horejsi, and Loseway Lu at TrendMicro follow TA505 and explore activity including “targeting Turkish and Serbian banks with emails that had .ISO file attachments.”
TA505 At It Again: Variety is the Spice of ServHelper and FlawedAmmyy
UPCOMING WEBINARS/CONFERENCES
- Mark Hallman will be hosting a SANS webcast on implementing KAPE at scale
Enabling KAPE at Scale
- SANS provided an overview of their upcoming DFIRCon 2019 training event
“Countdown to DFIRCON 2019!”
PRESENTATIONS/PODCASTS
- AccessData shared two videos on automating forensic collection
- Black Hills Information Security uploaded their recent webcast on sysmon and applocker
Webcast: Implementing Sysmon and Applocker
- Blackbag Technologies shared a recording of Ashley Hernandez’s recent webcast on Blacklight 2019 R2
What’s New in BlackLight 2019 R2
- Cellebrite shared the recording of Simon Woolley’s recent presentation on Cellebrite Advanced Services
Overcome bottle necks in investigations and speed time to accessing locked data sources
- A couple of interesting presentations from Defcon were uploaded
- On this week’s Digital Forensic Survival Podcast, Michael talks about preparing yourself to perform DFIR investigations on EC2 instances
DFSP # 184 – Cloud Incident Response
- Forensic Focus uploaded Lee Reiber’s recent webinar on the Oxygen Forensic JetEngine
Webinar: Oxygen Forensic Jet Engine with Facial Recognition
- Jamie McQuaid at Magnet Forensics “talks about standard images and hash lists.”
AXIOM at Work: Building a Gold Build Hash Set for Use in Magnet AXIOM
- Richard Davis at 13Cubed walks through the various features of the recently updated Arsenal Image Mounter, including the ability to launch virtual machines from a forensic image
Introduction to Arsenal Image Mounter
- Katie Nickels gave a CTI webinar at SANS
The Cycle of Cyber Threat Intelligence
- I released my podcast for August 2019.
This Month In 4n6 – August – 2019
MALWARE
- With back-to-school time upon us, Karl at Malware Musings discusses first getting into reverse engineering and the long journey it’s been since then. For anyone who is starting to get into the field, have a read and remember that there’s no one “right” way to get into the industry!
#Life2.0
- James Quinn at Binary Defense looks at Ursnif delivered by password-protected .zip files.
SOC Alert! Uptick in Ursnif Distribution
- There were a couple of posts on Cisco’s Talos blog this week
  - Vanja Svajcer looks back at the China Chopper webshell, given the recent mentions in Cybereason’s Soft Cell investigation.
  China Chopper still active 9 years later
  - Edmund Brumaghin and Holger Unterbrink examine a threat actor making heavy use of Orcus RAT and RevengeRAT.
  RAT Ratatouille: Backdooring PCs with leaked RATs
- There were a couple of posts on the Cofense blog this week
  - Max Gannon looks at a Word document delivering the Quasar RAT.
  Advanced Phishing Campaign Delivers Quasar RAT
  - Tej Tulachan shares how Trickbot has been delivered by a Google Docs link and a subsequent executable disguised as a PDF.
  Trickbot Is Using Google Docs to Trick Proofpoint’s Gateway
- Kim Crawley at Cylance looks back at the Mirai botnet and its recent evolution into Echobot.
Mirai Botnet Spawns Echobot Malware
- Michael Marriott at Digital Shadows reports on the return of Emotet and suggests searching on “Emotet” to keep up with IOCs.
Emotet Returns: How To Track Its Updates
- Steve Miller at FireEye examines the importance of PDB paths and common PDB names, along with associated families and groups.
Definitive Dossier of Devilish Debug Details – Part One: PDB Paths and Malware
- Malwarebytes Labs had a few posts on mobile malware:
- Didier Stevens at NVISO Labs shares how to extract DER-formatted certificates from inside the Windows registry. Outside of the certificate extraction itself, this is a great example of reverse engineering an unknown data structure.
Extracting Certificates From the Windows Registry
- Rico’s blog tears down a malicious Word file, starting with the Cyber Kill Chain and moving on to static and dynamic analysis. Rico shares the file so you can follow along, and credits Lenny Zeltser’s cheat sheets for helping with the analysis.
Analysis of the JSE malware
- There were a couple of posts on the SANS Internet Storm Centre Handler Diaries
  - Compiling malware with the JScript Compiler “jsc.exe” and the Visual Studio component “msbuild.exe”.
  Malware Samples Compiling Their Next Stage on Premise, (Wed, Aug 28th)
  - More on JScript malware.
  Malware Dropping a Local Node.js Instance, (Fri, Aug 30th)
- There were a couple of posts on the Securelist blog this week
  - Igor Golovin and Anton Kivva detail the compromise of the CamScanner mobile application.
  An advertising dropper in Google Play
  - Petr Mareichev and Ayman Shaaban look back on IR incidents and summarise the trends seen during 2018.
  Incident Response report 2018
- Ole Villadsen from X-Force IRIS, with Kevin Henson, Melissa Frydrych, and Joey Victorino, writes at Security Intelligence about FIN6 (ITG08) targeting POS machines, including the malware-as-a-service “More_eggs” JScript backdoor.
More_eggs, Anyone? Threat Actor ITG08 Strikes Again
- Daniel Bunce at SentinelOne decompiles the Gootkit Banking Trojan.
Gootkit Banking Trojan | Part 2: Persistence & Other Capabilities
- StillzTech covers some basics of dynamic analysis.
Basic Dynamic Analysis – PE
- Jindrich Karasek at TrendMicro examines how bank accounts can be drained through the “Heatstroke” phishing-as-a-service campaign.
‘Heatstroke’ Campaign Uses Multistage Phishing Attack to Steal PayPal and Credit Card Information
- Martijn Grooten at Virus Bulletin previews two upcoming talks at VB2019 in London
MISCELLANEOUS
- Jessica Hyde at Magnet Forensics gave an overview of her time at the “Women in Forensics Camp at Notre Dame … put together by members of the St. Joseph County Cyber Crimes Unit”. Jessica also interviewed the organisers about their experience working in the unit and setting up the camp.
Women in Forensics Camp
- Richard Frawley at ADF shares a short video on filtering in ADF software
Learn How To Filter Digital Forensic Scan Results in ADF Software
- Marco Fontani at Amped Software demonstrates how to bulk convert videos using DVRConv
The Lifesaver: Convert Hundreds of Unplayable Videos in Batch and Save Hours and Headaches With Amped DVRConv!
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ looks at Windows system profiling using PowerShell.
Windows information gathering using Powershell: a brief cheatsheet
- Arman Gungor at Metaspike shares a free tool for deleting emails from a mailbox
Free Mailbox Sanitization Software—Obliterator
- There’s a post on attackd0gz-sec about getting started with memory forensics on Linux
Linux Memory Forensics
- Sara Newcomer at Blackbag Technologies demonstrates how to import Berla iVe data into Blacklight 2019 R2
Blacklight Provides Berla iVe Support
- Brett Shavers posted a few times this week
  - He warns about becoming complacent in DFIR. This is something that generally causes me a lot of stress because I don’t know everything, and it’s impossible to know everything, but I don’t know everything. Cyclical, right? What this means is that I try to read things and test things and play with things to make sure my understanding of a topic matches reality. Complacency does sound appealing though.
  If you are comfortable in DFIR, you might be doing it wrong
  - He gives an update on the recent happenings at DFIR.Training
  What’s New at DFIR Training?
  - As well as a description of the purpose of the site.
  Forensicators! Choose your weapons!
- Craig Ball at ‘Ball in your Court’ comments on the pending removal of iTunes from MacOS and how it will most likely not affect forensic collection of iOS devices. My preference would be to use the other free tools for iOS collection, such as Magnet Acquire or Belkasoft Acquisition Tool, as these are simpler for non-technical users, but iTunes is a good alternative.
How Will We Back Up iPhones Without iTunes?
- Rich Mogull at DisruptOps gives suggestions for dealing with AWS security.
What You Need to Know About Security Monitoring, Logging, and Alerting in AWS
- Elcomsoft posted a few times this week regarding iOS passwords, jailbreaks, and decrypting Signal from full file system iOS dumps
- There were a few posts on Forensic Focus this week
  - They shared a roundup of top forum posts
  Forensic Focus Forum Round-Up
  - Alexander Leonenko describes some of the issues when dealing with RAIDs
  Making Complex Issues Simple: A Unique Method To Extract Evidence From RAID
  - Oxygen Forensics posted about the various data sources for the Parrot drone
  Parrot drone data extraction in Oxygen Forensic Detective
  - There was also a post about the connection graph in Belkasoft Evidence Centre
  How To Use Connection Graphs By Belkasoft For Complex Cases
  - They also continued their ‘What’s Happening In Forensics’ series
- Griffeye have a post about some of the recent additions to their Griffeye Brain technology
Multi-object detection – now in Griffeye Brain
- The folks from Deepspar have started a new blog for their Guardonix product, and uploaded four videos to it
- James Kainth shares some IR life cycle basics.
Let’s Talk About Incident Response
- Maxim Suhanov shares a list of his research topics; I’m looking forward to seeing what findings come out of it
Windows forensics: open research topics
- Michael Karsyan at the Event Log Explorer blog describes the various ways to view event logs using Event Log Explorer
Using different opening methods to read event log files
- Microsoft posted some useful things this week
  - They released the specification for the exFAT file system.
  - They also released the first Beta preview of Chromium-based Edge.
  Announcing the Microsoft Edge Insider Bounty
- Scott Miller at Microsoft Security Response Center describes how to use their toolkit to build infrastructure across Azure for performing DFIR in the cloud
Scalable infrastructure for investigations and incident response
- Nir Sofer gave a preview of some of the tools he’s working on
nirsoft.net is 15 Years Old, and you get a new Pre-release Web page.
- Olga Milishenko at Atola explains the drive identification process on the TaskForce
TaskForce drive identification
- Steven Alexander at TraceDF describes what can be found in a “CyberTipline Report from the National Center for Missing and Exploited Children (NCMEC)”
Understanding NCMEC CyberTipline Reports
SOFTWARE UPDATES
- Ben Reardon released Packet Strider (v0.1), which “is a packet forensics tool that aims to provide valuable insight into the nature of SSH traffic, shining a light into the corners of SSH network traffic where golden nuggets of information previously lay in the dark.”
Packet Strider
- Cyber Triage 2.9 was released, and with it a Recommendation Engine that suggests related artefacts to review when you mark something as “bad” or “suspicious”
Incident Response Recommendation Engine: “You may like this process based on your interest in this file”
- Elcomsoft Phone Viewer 4.60 was released
Elcomsoft Phone Viewer 4.60 reveals Restrictions and Screen Time passwords, decrypts Signal history
- Eric Zimmerman updated EvtxECmd, XWFIM, MFTECmd, and KAPE
ChangeLog
- ExifTool 11.65 was released with new tags and bug fixes
ExifTool 11.65
- Blackbag Technologies released Blacklight 2019 R2
BlackBag Announces Release Of BlackLight 2019 R2
- Griffeye updated Analyze to v19.2
Release of Analyze 19.2
- Mark Baggett released beta versions of his SRUM Dump and ESE2CSV
Check out @MarkBaggett’s Tweet
- Metaspike updated their Remote Authenticator to v1.10.1
Remote Authenticator v1.10.1
- “A new version of MISP (2.4.114) with some new features supporting collaboration and a list of fixes and small improvements”
MISP 2.4.114 released (aka the community care package release)
- Paraben released E3 v2.3 Bronze edition
E3 2.3 Bronze Edition is now available!
- Martin Korman updated regipy to v1.2.5
Fixed transaction log bugs
- Tsurugi Linux Lab 2019.1 was released
Tsurugi Linux Lab 2019.1 released.
- USB Detective v1.5.3 was released
Version 1.5.3 (08/26/2019)
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!