Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- There were some writeups of the Defcon DFIR challenge by Adam Harrison and Antonio Sanz
- Joshua Hickman at ‘The Binary Hick’ breaks down the Wickr app on a variety of platforms
Wickr. Alright. We’ll Call It A Draw.
- URSA Secure demonstrate how their model is able to approximate the time that a drone dropped its payload based on RPM and power data
Detecting UAV Payload Delivery (The Power of Platform Delivered UAV Forensics)
THREAT INTELLIGENCE/HUNTING
- Chris Brenton at Active Countermeasures looks at persistent, long, and recurring connections using Bro/Zeek.
Identifying Long Connections with Bro/Zeek
- Adam at Hexacorn writes part 115 in the Run key series. The most important part may be the theorising and spitballing of ideas related to the registry, with the caveat “I think I am right, but I have not tested it.”
Beyond good ol’ Run key, Part 115
- Anton Chuvakin writes about attribution, IR, and intel, along with the different levels of actionable feedback an organisation can get from incidents.
Does Your Incident Evidence Really Lead to Better Intelligence?
- Richard Bejtlich at Corelight describes a surge in network activity around the Commonwealth Games and how Zeek could have helped determine whether the activity was an attack or something more benign.
An attack or just a game? Corelight can help you tell the difference quickly
- Brian Carrier at Cyber Triage looks at how malware tries to run while avoiding detection. Brian then goes on to collecting memory and analysing the process tree, connections, and listening ports.
How to Detect Running Malware – Intro to Incident Response Triage (Part 7)
- Willem Zeeman at Fox-IT suggests reviewing “risk events” in the Azure portal to begin assessing O365 safety and security.
Office 365: prone to security breaches?
- The MISP team creates models to connect events and help make sense of IOCs and threat intel.
Decaying of Indicators – MISP improved model to expire indicators based on custom models
- Phil Hagen at Red Canary asks you to choose the red pill or the blue pill in a republished post looking at endpoint versus network security.
Endpoint Security vs Network Security: Where to Invest Your Budget
- Ben Nahorney at Cisco shares a story illustrating how threat hunting is not just about threats, it’s “implementing policies and playbooks to shore up your security posture.”
The Value of Threat Hunting
- SentinelOne looks at five threat categories: APTs, organised crime, insiders, hacktivists, and script kiddies.
Threat Actor Basics: Understanding the 5 Main Threat Types
- James Forshaw at Tyranid’s Lair examines how a 0-byte Python exe found on some Win 10 1903 systems could interact with the Execution Aliases released in 1709.
Overview of Windows Execution Aliases
UPCOMING WEBINARS/CONFERENCES
- Xavier Mertens announced he will be running his “Hunting with OSSEC” training at DeepSec 2019
Training Announce: “Hunting with OSSEC”
PRESENTATIONS/PODCASTS
- Jessica Hyde’s presentation on ChromeOS from DFRWS EU 2019 was shared on Forensic Focus
Chrome Nuts And Bolts: ChromeOS / Chromebook Forensics
- On this week’s Digital Forensic Survival Podcast, Michael covers events created by PowerShell usage
DFSP # 186 – Powershell Forensics
- Forensic Focus shared the webinar and transcript by Rich Frawley from ADF
Webinar: Field Forensics For The Front Line
- Tarah Melton at Magnet Forensics walks through processing and reviewing USB devices in Axiom
AXIOM at Work: Windows USB Investigations
MALWARE
- The U.S. Treasury announced sanctions against Lazarus Group, Bluenoroff and Andariel, who the Treasury says are part of the North Korean Reconnaissance General Bureau.
North Korean government hackers sanctioned by U.S. Treasury
- See how some malware stories that ended up in popular news were resolved this week:
  - Zhang Yujing was charged with trespassing at Trump’s resort in Florida; at the time she possessed a USB drive with “malicious software” on it.
  Chinese Woman Guilty of Trespassing at Trump’s Mar-a-Lago
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ had a few posts this week:
  - The NetCat attack (not to be confused with nc.exe)
  NetCat attack (CVE-2019-11184): steal encrypted SSH keystrokes exploiting DDIO
  - A serious new simjacking attack
  Simjacker: a brand new mobile vulnerability exploited by surveillance companies for espionage operation
  - Abusing BITS
  Win32/StealthFalcon malware uses Windows Background Intelligent Transfer Service (BITS) to communicates to its C&C servers
- Sean Koessel and Steven Adair at Volexity cover how APT actors have been using the vulnerability in Pulse Secure VPN within a week of the technique having been exposed at Black Hat 2019.
Vulnerable Private Networks: Corporate VPNs Exploited in the Wild
- Check Point Software shares the most-seen malware in August 2019, with XMRig, Jsecoin, and Dorkbot holding steady at the top of the list.
August 2019’s Most Wanted Malware: Echobot Launches Widespread Attack Against IoT Devices
- There were a couple of posts on the Cofense blog this week
  - Aaron Riley shares how the Astaroth trojan spread via .htm and .LNK files in a recently observed geofenced Brazilian campaign.
  Astaroth Uses Facebook and YouTube within Infection Chain
  - Milo Salvia gives details about how SharePoint URLs can help bypass some phishing security controls.
  Phishing Emails Are Using SharePoint to Slip Past Symantec’s Gateway and Attack Banks
- Vlad Ogranovich at Cybereason gives technical details about the Golang Glupteba trojan and rootkit, which leverages EternalBlue for propagation.
Glupteba Expands Operation and Toolkit with LOLBins And Cryptominer
- Cylance gives an overview of TrickBot MITM attacks on banking websites and dives into reverse engineering a sample from 2018.
Threat Spotlight: TrickBot Infostealer Malware
- Abigail Showman at Flashpoint looks at attacks against small ecommerce sites.
Threat Actors Seek, Solicit Access to Compromised E-commerce Sites
- There were a couple of posts on the Fortinet blog this week
  - They examine a new LokiBot campaign observed targeting a manufacturing company.
  Newly Discovered Infostealer Attack Uses LokiBot
  - Wayne Chin Yick Low looks at code in Windows that is potentially vulnerable to process creation hijacking.
  Another Local Privilege Escalation Vulnerability Using Process Creation Impersonation
- Thomas Roccia, Marc Rivero Lopez, and Chintan Shah at McAfee Labs review the common checks malware performs to determine whether it is running in a sandbox: delaying execution; checking the CPU, hardware and environment; and looking for user interaction.
Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study
- Girish Chander at Microsoft Office 365 Security shares new capabilities and workflows to speed up security analysis.
Automated incident response in Office 365 ATP now generally available
- Positive Technologies looks at August 2019 activity related to the Sustes cryptominer.
Sustes malware updated to spread via vulnerability in Exim (CVE-2019-10149)
- Sahil Antil and Rohit Chaturvedi at Zscaler ThreatLabZ write about the .NET InnfiRAT, which attempts to steal cryptocurrency wallet information.
InnfiRAT: A new RAT aiming for your cryptocurrency and more
- There were a couple of posts on the SANS Internet Storm Centre Handler Diaries
- Vitali Kremez has a post on SentinelOne on the internals of the RIG exploit kit
RIG Exploit Kit Chain Internals
- SERT at NETSCOUT write about airport and airline industry targeting by APT groups.
Air APT
- Johnlery Triunfante and Earle Earnshaw at TrendMicro discuss Purple Fox, a fileless downloader delivered by the Rig EK.
‘Purple Fox’ Fileless Malware with Rootkit Component Delivered by Rig Exploit Kit Now Abuses PowerShell
- Antonio Farina, Davide Testa, and Antonio Pirozzi at Yoroi share research about the Word document and Java dropper delivery of a current (September 2019) TrickBot sample.
Dissecting the 10k Lines of the new TrickBot Dropper
MISCELLANEOUS
- Richard Frawley at ADF explains how to install DEI and DEI Pro in online and offline environments
- Brett Shavers shares an update on what’s happening at DFIR Training
What’s New at DFIR Training?
- Craig Ball at ‘Ball in your Court’ shares a personal post about keeping up with the ever-changing field of digital investigation, as well as coping with the tail end of an extensive career. On a similar note, people may be interested in this Wait but Why
Who Am I If I’m Not That Guy Anymore?
- Expanding on this, Brett Shavers shares his views on Craig’s article, as well as providing some guidance for those who may be going through the DFIR career grief cycle
The Five Stages of the DFIR Career Grief Cycle
- There were a couple of posts on Forensic Focus this week
  - There was a post about reporting in Amped Authenticate
  How To Create Compelling Image Authentication Reports With Amped Authenticate
  - There was also a post about the imaging process in MacQuisition
  How To Acquire Data From A Mac Using MacQuisition
  - They also continued their ‘What’s Happening In Forensics’ series
- Daniel Berman at Logz.io shares how to look at logging on Kubernetes.
A Practical Guide to Kubernetes Logging
- Mike Cohen has added a client-side buffer to Velociraptor and describes how it can be utilised. This feature allows monitoring artefacts to keep running even when the client is offline.
Velociraptor’s client side buffer
- There were a number of posts on the MSAB
- Quix0te at MuSecTech walks through the process of creating a self-destructing version of his Achoir endpoint collection utility.
Creating a Dissolving Live Response Tool
- There’s a post on the Oxygen Forensics blog describing how to use Key Scout to uncover and extract “user data, tokens and passwords from apps and web browsers as well as Wi-Fi hotspot passwords, iTunes backups, and operating system data on PCs running Windows.”
Oxygen Forensic Key Scout
- SalvationData share a case study on where their VIP tool was used
[Case Study] DVR Forensics: Sophisticated Tool in VIP 2.0, Makes Video Retrieval Technology Easily Achievable
- John Patzakis at X1 shares some US-based cases where social media evidence wasn’t preserved properly
Overcoming Evidentiary Challenges to Social Media Evidence
SOFTWARE UPDATES
- Atola Insight Forensic 4.13.2 was released
Atola Insight Forensic 4.13.2
- Cellebrite released Analytics Desktop v8.1
Analytics Desktop 8.1 provides better visualization of more data to surface leads
- Didier Stevens updated msoffcrypto-crack.py to v0.0.4
Update: msoffcrypto-crack.py Version 0.0.4
- GetData updated Mount Image Pro to v6.4.2.1859
14 Sep 2019 – v6.4.2.1859
- “A new version of MISP (2.4.115) with a major security fix (CVE-2019-16202) and various small improvements has been released.”
MISP 2.4.115 released (aka CVE-2019-16202)
- Ulf Frisk released MemProcFS version 2.9
Version 2.9
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!