Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Marco Fontani at Amped demonstrates using Authenticate to detect a forgery
First Things First: Learn How a Proper Visual Inspection Can Guide Your Image Authentication on the Right Path!
- Luis Rocha at Count Upon Security shares some notes on “Linux memory forensics using LiME and Volatility to analyze a Red Hat 6.10 memory capture infected with Diaphormine and Reptile, two known Linux Kernel Module rootkits”
Notes on Linux Memory Analysis – LiME, Volatility and LKM’s
- Howard Oakley at ‘The Eclectic Light Company’ examines the changes to the unified log on MacOS Catalina
Inside Catalina’s unified log: how has it changed?
- Jason Hale at ‘Digital Forensics Stream’ takes a look at the effects of a Windows 10 feature update on a user’s shellbags.
ShellBags & Windows 10 Feature Updates
- Over on my ThinkDFIR blog I updated my post on obtaining hashes on Win10. If you don’t want to download Mimikatz onto your examination machine then you can use Secrets Dump by Impacket to extract hashes from a Win10 Anniversary update and above system
WinTenTLM Issues
- Yogesh Khatri at ‘Swift Forensics’ looks at the call records that can be recovered with ADB backups made with the keyvalue parameter set.
Part 2 – ADB keyvalue backups – Call Logs
THREAT INTELLIGENCE/HUNTING
- Meir Brown at Cyberbit writes about detecting cryptomining software on airport terminals.
Cryptocurrency Miners Now Using Evasive Tactics to Exploit Airport Resources
- Dirk-jan Mollema discusses a now patched exploit in O365 tenants created after September 2019.
Office 365 network attacks – Gaining access to emails and files via an insecure Reply URL
- Mayank Dhiman, Wilson Kong, and Colin O’Brien from the Dropbox Detection and Response Team share their alerting and response pipeline using Kafka, Alertbox, Forerunner, and Covenant.
How Dropbox Security builds tools for threat detection and incident response
- Tobias Krueger at FireEye Threat Research starts looking at the LOWKEY APT41 backdoor beginning with the DEADEYE downloader.
LOWKEY: Hunting for the Missing Volume Serial ID
- Haroen Bashir at Fox-IT shares a method for random filename detection using machine learning.
Detecting random filenames using (un)supervised machine learning
- Mathias R. Jessen at graceful is noforce examines reflection against .NET types using PowerShell.
Inspecting .NET assemblies with dnlib
- SadProcessor at Insinuator.net recaps using BloodHound to help with AD security.
Blue Hands On Bloodhound
- Josh Murchie recaps the OpenSOC CTF hosted by Recon InfoSec at the recent Texas Cyber Summit.
Texas Cyber Summit – OpenSOC After Action Report
- Kaspersky Lab rewrites the story of Puss in Boots as an APT actor.
“Puss in Boots” APT campaign
- Following on the recent NYT expose, Dex at lab52 posted a series of articles on GRU and APT28 structure, targets, and TTPs.
- Brian Donohue recaps ATT&CKcon and the three talks that Red Canary delivered: Prioritizing Data Sources for Minimum Viable Detection, Alertable Techniques for Linux Using ATT&CK, and Brian’s own talk A Love Song for Heat Maps.
Data sources, Linux detection, and more at ATT&CKcon 2.0
- Joe at Stranded on Pylos postulates on the Reuters reported US cyber operation against Iran.
If There’s a Cyber Attack and No One Notices, Did it Even Happen?
- WeLiveSecurity covers new activity they call “Operation Ghost” from the Dukes / APT29 / Cozy Bear.
Operation Ghost: The Dukes aren’t back – they never left
UPCOMING WEBINARS/CONFERENCES
- Cellebrite shared a number of upcoming webinars
- Griffeye will be hosting a webinar on Oct 23 at 3 pm CEST (9 am EDT) on the “best tips and tricks to help you make the most of Griffeye Analyze DI Pro and streamline your workflow.”
Webinar: Get The Most Out Of Your Digital Media Investigations
PRESENTATIONS/PODCASTS
- Vitaliy Mokosiy at Atola shared a video demonstration of the Atola TaskForce
Atola TaskForce Demo
- Black Hills Information Security shared a webcast on preparing for a compromise
How to Prepare Before the Compromise
- On this week’s Digital Forensic Survival Podcast, Michael discussed the various file systems you may come across on a Linux system
DFSP # 191 – Linux File Systems
- Paul Melson shared the recordings of the presentations that he gave at BSides Augusta 2019
- Peter Kruse was interviewed on Paul’s Security Weekly on threat hunting
Cybercrime, Threat Hunting, & APT – PSW #623
- SANS shared Omar Sardar and Blaine Stancill’s presentation from the 2019 DFIR Summit
Finding Evil in Windows 10 Compressed Memory
- Dr. Ali Hadi shared his recent Linux Forensics workshop (labs, slides, forensic images “E01”) and talk from OSDFCon 2019
Check out @binaryz0ne’s tweet
- Veronica Schmitt interviewed Heather Mahalik on “Behind The Incident”
Behind The Incident – Episode 8 : Heather Mahalik
MALWARE
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ writes about the PAN uncovered cryptojacking worm that spreads via Docker.
Meet Graboid, the first cryptojacking worm that spreads using Docker images: how to defend your infrastructure from this new threat?
- Attify Blog – IoT Security, Pentesting and Exploitation continues a series on problems from the Flare-On CTF.
- Cosmin Carp at Bitdefender Labs writes about the Fallout EK and Raccoon credential stealer.
A close look at Fallout Exploit Kit and Raccoon Stealer
- Brian Laskowski at Laskowski-Tech covers the Emotet infection chain as seen in October 2019 in a link to a 24 page PDF.
Emotet, an Analysis of TTP’s: Part 1 The Break-in
- Kobi Eisenkraft and Arie Olshtein at Check Point Research share details about banking malware Redaman / RTM.
Pony’s C&C servers hidden inside the Bitcoin blockchain
- Milo Salvia at Cofense covers a phishing campaign harvesting Stripe payment processor credentials.
This Credential Phish Masks the Scam Page URL to Thwart Vigilant Users
- Aaron Riley at Cofense shares the rise of the commodity Agent Tesla keylogger.
Agent Tesla Keylogger Is Now a Top Phishing Threat
- Adam Kozy at CrowdStrike begins a series examining various Chinese cyber actors, including a look at the C919 aircraft.
Huge Fan of Your Work: How TURBINE PANDA and China’s Top Spies Enabled Beijing to Cut Corners on the C919 Passenger Jet — Part I
- Matt Berninger at FireEye Threat Research continues looking at sets of PDB paths using different analysis techniques.
Definitive Dossier of Devilish Debug Details – Part Deux: A Didactic Deep Dive into Data Driven Deductions
- G Data Security examines Ordinypt malware delivering cryptocurrency.
Resurgence
- Marco Ramilli looks at Emotet spreading via a fake “SOC report”.
Is Emotet gang targeting companies with external SOC?
- John Fokker and Christiaan Beek at McAfee Labs continue their Sodinokibi / GandCrab series.
McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Follow The Money
- Palo Alto Networks documents a new commodity RAT driven by a Swedish actor and campaigns it’s been seen in since September 2019.
Blackremote: Money money money – a Swedish actor peddles an expensive new RAT
- Jay Chen at Palo Alto Networks gives details about the Docker cryptojacking worm that PAN discovered.
Graboid: First-Ever Cryptojacking Worm Found in Images on Docker Hub
- Patrick Wardle at ‘Objective-See’ reverse engineers the Mac backdoor written by the Lazarus APT group.
Pass the AppleJeus
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- YARA’s XOR Modifier, (Mon, Oct 14th)
- When MacOS Catalina Comes to Life: The First Few Minutes of Network Traffic From MacOS 10.15., (Mon, Oct 14th)
- Security Monitoring: At Network or Host Level?, (Wed, Oct 16th)
- Phishing e-mail spoofing SPF-enabled domain, (Thu, Oct 17th)
- Quick Malicious VBS Analysis, (Fri, Oct 18th)
- What Assumptions Are You Making?, (Sat, Oct 19th)
- Dan Demeter, Marco Preuss, Yaroslav Shmelev at Securelist examine malware honeypots.
IoT: a malware story
- Daniel Bunce at SentinelOne looks at “writing a traffic decrypter for ISFB.”
Writing Malware Traffic Decrypters for ISFB/Ursnif
- Virus Bulletin covers the “Save Yourself” malware delivered by a spam sextortion campaign.
Analysis of malware responsible for sextortion spam that mines for Monero on the side
- Vitali Kremez dissects the Lazarus Win and Mac malware targeting cryptocurrency exchanges.
Let’s Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: “snowman” & ADVObfuscator
- Marc-Etienne M.Léveillé and Mathieu Tartare at WeLiveSecurity cover a supply chain attack in a new whitepaper (27 page PDF).
Connecting the dots: Exposing the arsenal and methods of the Winnti Group
MISCELLANEOUS
- Carrie Roberts guest posts on the Black Hills Information Security blog about brute forcing a password that has an umlaut
Cracking Passwords with Umlauts
- Brett Shavers at DFIR.Training announced a competition to win a 3-year license of Forensic Notes
Win a 3-year license of Forensic Notes!
- Heather Mahalik at Cellebrite walks through the Cellebrite Reader interface
Cellebrite Reader Part 2: Familiarizing Yourself with the Reader Platform
- Cyber Forensicator shared a link to Igor Mikhailov’s recent article on tools he can’t work without
Tools up: the best software and hardware tools for computer forensics
- There were a few posts on Forensic Focus this week
- They also continued their ‘What’s Happening In Forensics’ series
- Kristian Lars Larsen at Data Narro highlights the importance of the identification and collection phases in a digital forensic investigation/e-discovery process
3 Mistakes Legal Professionals Make During E-Discovery (Part I)
- Magnet Forensics have released a new product, Outrider, which is a triage tool for computers and mobile devices
Clearing the Way with Magnet OUTRIDER
- MSAB announced that their new Kiosk Mk III is available for pre-order
The new MSAB Kiosk Mk III
- Richard Frawley at ADF walks through importing and exporting search profiles in DEI
Import and Export Digital Forensic Search Profiles
- SalvationData share a data recovery process using their DRS product
[Case Study] Computer Forensics: Bad Sector Issue Solved by SalvationDATA
- A couple of the teams at Champlain College announced their projects for the semester
- Alan Orlikoski shared an open letter to all of the SkadiVM, CDQR, and CyLR users
Check out @AlanOrlikoski’s Tweet
- Veronica Schmitt shares her experience and tips for being a facilitator for a SANS training class
The SANS Journey : Being a Facilitator
- John Patzakis at X1 comments on the reporting requirements under GDPR and CCPA
Incident Reporting Requirements Under GDPR and CCPA Require Effective Incident Response
SOFTWARE UPDATES
- The Beta of Volatility3 was released, as well as a web-based GUI
Volatility3
- DVR Examiner released a filesystem database update
DVR Examiner Filesystem Database Version 3.0.7591 released
- Eric Zimmerman updated Timeline Explorer, Jumplist Explorer, and JLECmd
ChangeLog
- Michael Karsyan at Event Log Explorer has released a new tool to export event logs into different formats
New utility to export event logs into different formats
- Evimetry v3.2.5 was released
Release 3.2.5
- ExifTool 11.71 was released with new tags and bug fixes
ExifTool 11.71
- GetData released Forensic Explorer v5.1.2.9054
17 October 2019 – 5.1.2.9054
- SalvationData released SPF Pro V6.96.27
[Software Update] Mobile Forensics: SPF Pro V6.96.27 New Version Release for Better User Experience!
- Autopsy and the Sleuth Kit had updates this week
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically, hit us up through the contact page or on the social pipes!