Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Marco Fontani at Amped shares a fantastic feature in Authenticate where they’ve included samples as well as the associated analysis.
Learning by Examples: You Have a Treasure in Your Amped Authenticate’s Samples Folder, Learn How to Make the Most of It
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ provides an overview of the Windows Recycle Bin and a tool to parse the internal metadata
Windows Forensics: analysis of Recycle bin artifacts
- Chris Vance at ‘D20 Forensics’ looks into the location data stored within the Lime (scooter hire) app
iOS – Free Location Data! The Lime App
- Vladimir Katalov at Elcomsoft looks into USB Restricted Mode on iOS 13.
USB Restricted Mode in iOS 13: Apple vs. GrayKey, Round Two
- Foxton Forensics have a post on the database that Chrome uses to store passwords
Analysing Chrome login data
- Gary at Salt Forensics posted a couple of times this week
- The first focuses on the 1024 events in the TerminalServices-RDPClient event log, which is generated by “the RDP client MSTSC.exe in Windows by pressing ‘connect’” and is populated “whether a session connects or not.”
Event ID 1024
- Gary also looks at the data stored by the new swipe-to-type feature in iOS 13
iOS 13 – Swipe to Type
- Heather Mahalik at Smarter Forensics posted a couple of times this week on what’s new and changed in iOS 13
- Nasreddine Bencherchali shares some data locations for various web browsers and Windows forensic artefacts
- SalvationData have a post on recovering fragmented CCTV data
[Case Study] DVR Forensics: Fragmented Files (Overwritten Video Clips) Come Alive with SalvationDATA Patented Technology
- Keven Murphy at SANS continues his series on triaging forensic artefacts at scale
- Sarah Edwards at Mac4n6 looks into the various places that Apple uses protobuf data. Sarah showing me the --decode_raw command helped me immensely in dealing with protobuf… I still don’t like it, but at least I can decode it now
Just Call Me Buffy the Proto Slayer – An Initial Look into Protobuf Data in Mac and iOS Forensics
- Volume 30 of the Journal of Digital Investigation was released
- Antonio Sanz at Security Art Work has written up the solution to the Memory Forensics challenge of the Defcon 2019 DFIR CTF
DEFCON DFIR CTF 2019 Writeup (III): Memory Forensics
THREAT INTELLIGENCE/HUNTING
- A number of posts about Sysmon came out this week:
- Blog of Osanda continues the Sysmon conversation with minifilter drivers.
Unloading the Sysmon Minifilter Driver
- John Strand at Black Hills Information Security demos how to use Sysmon, testing with ADHD Linux.
Getting Started With Sysmon
- Matt Churchill posts at SANS about Sysmon and scripting investigations.
“Parsing Sysmon Events for IR Indicators”
- Itay Cohen at Check Point Research and Omri Ben Bassat at Intezer, with help from Mark Lechtik, Ari Eitan, and Paul Litvak, collaborate on a blog to map Russian APTs. Be sure to check out their interactive map of different APT teams.
- Adam at Hexacorn posts on registry Run key and DLL loading tricks:
- Andreas Sfakianakis reports on teaching CTI and the parallels of Don Quixote tilting at windmills (if you want to understand the title of Andreas’ blog, start here!).
Intelligence Requirements: the Sancho Panza of CTI
- Brian Carrier at Cyber Triage continues the Intro to IR series, sharing the remnants of malware (or any application) that are left behind on startup or on process run.
How to Detect Malware Remnants: Intro to Incident Response Triage (Part 8) in 2019
- Cylance looks at a Southeast Asian APT actor loading the PcShare backdoor and trojans.
PcShare Backdoor Attacks Targeting Windows Users with FakeNarrator Malware
- Richard Gold at Digital Shadows maps a pump-and-dump scheme to MITRE ATT&CK.
Mapping the Tyurin Indictment to the Mitre ATT&CK™ framework
- lab52 tracks the JavaScript Vengeance Justice Worm/Vjw0rm.
Ongoing Njrat campaign against Middle East
- Anton Chuvakin looks at the relationship between good detection and IT hygiene.
SMB: Can I Have Decent Detection and Visibility on a Badly Managed Network?
UPCOMING WEBINARS/CONFERENCES
- With October being cybersecurity awareness month and domestic violence awareness month, This Week in 4n6 contributor Lodrina Cherne along with community members delivers a webcast at Cybereason this week on cyberstalking.
The Intersection of Cybersecurity and Domestic Violence
PRESENTATIONS/PODCASTS
- Veronica Schmitt interviewed Adam Harrison on Behind The Incident
Behind The Incident Adam Harrison
- The videos from BSides Sydney 2019 were uploaded to YouTube.
- On this week’s Digital Forensic Survival Podcast, Michael breaks down “container attack vectors for Cloud Incident Response.”
DFSP # 188 – Container Attack Vectors
- Brian Dye from Corelight was on Paul’s Security Weekly to discuss threat hunting with network data
Path To Threat Hunting Through Great Network Data – Brian Dye – ESW #155
MALWARE
- Citizen Lab gives us an important reminder that malware and associated threats have very important real world safety implications. Bill Marczak, Adam Hulcoop, Etienne Maynier, Bahr Abdul Razzak, Masashi Crete-Nishihata, John Scott-Railton, and Ron Deibert at Citizen Lab show how Tibetan groups are continuing to be targeted with sophisticated Android and iOS exploits.
Missing Link: Tibetan Groups Targeted with 1-Click Mobile Exploits
- 0xdf hacks stuff walks through the sixth Flare-On Challenge, written in .NET and featuring space cats 🐱🚀
Flare-On 2019: Memecat Battlestation [Shareware Demo Edition]
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares how to use Th3Hurrican3’s script for PE static analysis.
PEpper: a python script to perform malware static analysis on Portable Executable format
- Bogdan Botezatu and Stefana Gal at Bitdefender Labs write about advanced persistent adware loaders and introduce their whitepaper (28 page PDF).
Who IsErIk: A Resurface of an Advanced Persistent Adware?
- Carbon Black shared a few threat intelligence notifications
- CB TAU Threat Intelligence Notification: Formbook Harvests Data By Intercepting Clients
- CB TAU Threat Intelligence Notification: Common to Russian Underground Forums, AZORult Aims to Connect to C&C Server, Steal Sensitive Data
- CB TAU Threat Intelligence Notification: JSWorm Ransomware Encrypts Files, Amends File Extensions
- CB TAU Threat Intelligence Notification: Qbot/Qakbot Attempts to Evade Detection By Overwriting Itself
- There were a few posts on Cisco’s Talos blog this week
- Milo Salvia at Cofense looks at emails with percent signs (%) in them to get past email gateway filtering.
Threat Actors Use Percentage-Based URL Encoding to Bypass Email Gateways
- Nick Harbour presents solutions to the twelve problems in the FireEye Flare-On challenge.
2019 Flare-On Challenge Solutions
- Fortinet writes about RATs and TrickBot this week:
- Maria Vergelis at Kaspersky looks at a voicemail scam delivered over email – and it’s not vishing!
Voicemail as bait
- Lenny Zeltser shares a state-of-malware-analysis discussion he moderated with SANS FOR610 instructors Jim Clausing, Evan Dygert, Anuj Soni, and Jake Williams.
The State of Malware Analysis: Advice from the Trenches
- Malwarebytes Labs shares how Emotet attachments are taking on topical themes with Snowden’s recent book release.
Emotet malspam campaign uses Snowden’s new book as lure
- Andrea Lelli from Microsoft Defender ATP Research shares some unusual LOLBin activity.
Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware
- Robert Falcone and Brittany Ash at Palo Alto Networks look at the evolution of a targeted attack on Kuwait using the Sakabota, Hisoka, and Netero backdoors.
xHunt Campaign: Attacks on Kuwait Shipping and Transportation Organizations
- Random RE examines exfiltration with a POC using DNS-over-HTTPS.
Research into data exfiltration using DOH
- Random RE also looks at serving the Gravity RAT.
GoLang dropper with a Gravity RAT
- Ryan Campbell at ‘Security Soup’ focuses on Emotet host artefacts like processes and persistence mechanisms.
Quick Post: Host Artifacts from a Recent Emotet Infection
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Konstantin Zykov at Securelist looks at Indian targeted banking malware ATMDtrack and the evolution into the Dtrack RAT.
Hello! My name is Dtrack
- SentinelOne released a number of posts this week:
- May Ying Tee and Martin Zhang at Symantec found over two dozen malicious APKs masquerading as photo and fashion apps.
More Hidden App Malware Found on Google Play with over 2.1 Million Downloads
- Recent Intezer discoveries related to Linux malware like HiddenWasp and QNAPCrypt were reiterated on the Virus Bulletin blog. Also watch for breaking news from the big Virus Bulletin conference in London this week.
Guest blog: Why we should be paying more attention to Linux threats
- ESET examines activity from the Sednit group (APT28) resulting in delivery of the Zebrocy backdoor.
No summer vacations for Zebrocy
- Antonio Farina and Luca Mella at Yoroi dive into the Aggah campaign and lower their confidence in its ties to the Gorgon Group.
APT or not APT? What’s Behind the Aggah Campaign
MISCELLANEOUS
- Richard Frawley at ADF demonstrates “how to conduct a boot scan of a MacBook Air with APFS & FileVault2 enabled.”
How to Boot Scan a Mac with APFS and FileVault 2
- Tom McNeila at Cellebrite describes a methodology for examining mobile devices in eDiscovery cases
eDiscovery in a Mobile World
- David Toy at Cyan Forensics announced that they will be delivering capability to the UK’s Child Abuse Image Database
Delivering Fast Forensics Triage for CAID
- Allie Mellen at Cybereason shares a timeline from antivirus to endpoint detection and response (EDR) and endpoint protection platforms (EPP)
The Timeline to Consolidation of Endpoint Protection Platforms and EDR
- There were a few posts on Forensic Focus this week
- They interviewed Guillermo Román Ferrero about his background and review of Belkasoft Evidence Centre
Interview With Guillermo Román Ferrero, Incident Response Expert
- They also interviewed Kathy Helenek about her background and research into anti-forensics techniques
Interview With Kathy Helenek, Director of Digital Forensics & Incident Response
- Scar posted a round-up of some of the forum posts
Forensic Focus Forum Round-Up
- They also continued their ‘What’s Happening In Forensics’ series
- Igor Mikhailov at Group-IB shares his favourite digital forensics software and hardware
Tools up: the best software and hardware tools for computer forensics
- 유혜민 at Hallym University shares a summary of the paper, “RAM data significance in Digital Forensics”
RAM data significance in Digital Forensics
- Hex-Rays announced the results of their annual plugin contest
Hex-Rays Plugin Contest Results 2019
- Koen Van Impe discusses tracking false positives in MISP
Use PyMISP to track false positives and disable to_ids in MISP
- Magnet Forensics have a post on some of the features of Axiom
Top 6 Reasons Why You Should Use AXIOM to Verify Your UFED Results
- MISP have a post on the benefits of hosting your own instance
Benefits of running your own MISP instance
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks for the last couple of weeks
SOFTWARE UPDATES
- A new version of Arsenal Image Mounter (v3.0.75 Beta) was released with “password bypass of more Windows account types, assistance launching VMs from BitLockered disk images, support for more Windows edge cases launched into VMs, new AIM Virtual Machine Tools, & more”
Check out @ArsenalArmed’s Tweet
- ANSSI released DFIR ORC, an open-source forensics tool dedicated to artefact collection
- Barnaby Skeggs released “gcp_log_toolbox and gcp_timeliner, two tools to assist with #GCP log acquisition, manipulation, normalisation and timelining”
Check out @barnabyskeggs’s Tweet
- Didier Stevens updated his strings Python script
Update: strings.py Version 0.0.4
- KAPE 0.8.7.3 was released
Kape Changelog
- Eric Zimmerman updated JumplistExplorer, JLECmd, and Timeline Explorer
ChangeLog
- Foxton Forensics released Browser History Examiner v1.12.0
September Newsletter
- iNPUT-ACE Version 2.5 was released
iNPUT-ACE Version 2.5 is Here
- F-Response Universal v8 was released
F-Response Universal v8
- Maxim Suhanov updated his dfir_ntfs file system parser to v1.0.0-beta20
1.0.0-beta20
- OSForensics V7.0 build 1004 was released
V7.0 build 1004 24th September 2019
- Ulf Frisk released MemProcFS version 2.10
Version 2.10
- Updates were released for various versions of X-Ways Forensics
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!