Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, Thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- There’s a post on the attackd0gz blog walking through a packet capture examination to identify data exfil over wifi
WiFi Forensics for Data Leakage - David Milnes breaks down the HSTS database on Chrome and Firefox and shares a Python script to process the data found. “HSTS is a HTTP header which a web server can send to tell a client that they should not accept unencrypted communications from that domain for a specified period of time.”
HSTS For Forensics: You Can Run, But You Can’t Use HTTP - Igor Mikhailov at Group IB has written a lengthy post on Whatsapp for iOS, MacOS and Android
WhatsApp in Plain Sight: Where and How You Can Collect Forensic Artifacts - Joshua Hickman at ‘The Binary Hick’ looks at the transaction data stored by the iOS and Android Venmo apps
Venmo. The App for Virtual Ballers. - Prabhankar Tripathi at Lucideus shares a short guide to examining VOIP packets using Wireshark
A Basic Guide to VOIP Packet analysis through Wireshark - Matt Edmondson at ‘Digital Forensics Tips’ demonstrates Bulk Extractor by running it over a database from a Neo Nazis forum.
Using Bulk Extractor for Quick OSINT Wins - Bob Gendler has discovered a database used by Siri that forensic examiners can use to see inside encrypted email. I think I’ll need to defer to someone with a bit more knowledge on this one however, as I haven’t had to deal with encrypted email very often. If anyone knows a bit more as to why this is a big problem, let me know, the only thing I can think of is it will probably retain data after the email has been deleted.
Apple Mail Stores Encrypted Emails in Plain Text Database, fix included! - The ZecOps Research Team gives an overview of the implications of the Checkm8 vulnerability for iOS acquisition.
Checkm8 Implications on iOS DFIR, TFP0, #FreeTheSandbox, Apple, and Google
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn examines the OCSetup program.
Beyond good ol’ Run key, Part 122 - Kayla Mackiewicz at Black Hills Information Security shares how to use the Cisco Config Analysis Tool.
How to Use CCAT: An Analysis Tool for Cisco Configuration Files - Josh Murchie shares their BSidesDFW presentation about threat hunting on a budget done with Joe Pisano and includes links to the presentation and video.
Presenting at BSidesDFW - Marco Ramilli examines the cyber attack on Kudankulam Nuclear Power Plant (KKNPP).
Is Lazarus/APT38 Targeting Critical Infrastructures ? - Penetration Testing Lab wrote about different forms of persistence this week
- Brian Donohue at Red Canary recapped ATT&CKcon including Red Canary’s Tony Lambert discussing Linux systems and Keith McCammon on prioritizing data sources.
Debriefing ATT&CKcon 2.0: Five great talks at MITRE’s ATT&CK conference - Richard Bejtlich at TaoSecurity shares aspects of the risk equation.
Seven Security Strategies, Summarized - Kaspersky dug into two threat groups this week
- Gabriel Ryan at SpecterOps builds on access point attacks.
Modern Wireless Tradecraft Pt II — MANA and Known Beacon Attacks - Christopher Paschen at TrustedSec plays with Jscript payloads.
Finding and Identifying JScript/VBScript Callable COM Objects - Tyranid’s Lair shares thoughts about Visual Studio and .NET remoting.
The Ethereal Beauty of a Missing Header - Jake Williams at Rendition Infosec shares a valuable lesson regarding OPSEC and IR; “Every time you make a piece of data potentially public, understand what you could be giving up to the adversary”
Incident Response and OPSEC
UPCOMING WEBINARS/CONFERENCES
- Joe Marino and Kim Davis at Cellebrite will be hosting a webinar on the DEA/DoJ IDIQ contract on November 14 at 11:00 AM (New York)
DEA/DoJ IDIQ Contract for Cellebrite Training for all UFED Products
PRESENTATIONS/PODCASTS
- Adrian Crenshaw uploaded the presentations from BSidesCT 2019
- Roberto Rodriguez shared his presentation from AttackCon with Jose Rodriguez
Check out @Cyb3rWard0g’s Tweet - On this week’s Digital Forensic Survival Podcast, Michael covers using Powershell to artefact collection
DFSP # 194 – Powershell Collection Tools - Forensic Focus have started a new podcast, and for the first episode, Christa interviews Brett Shavers
Brett Shavers On DFIR Training And Mental Health In Digital Forensics - Magnet Forensics posted a couple of videos this week
- Larry Compton has started a new podcast called Nerds & Non/Sense, and speaks with Brett Shavers about encryption (full disclosure, haven’t had a chance to listen to this year, but I saw Brett’s name pop up so thought to include it!)
Episode #1 – In the Beginning…(18+ Explicit Language) - Nuix share a video of detecting data exfil using their Adaptive Security product
Detecting Data Exfiltration with Nuix Adaptive Security - SANS announced the 2020 CTI Summit held January 20-21 in Arlington, VA
Cyber Threat Intelligence Summit 2020 - Ted Smith at ‘X-Ways Forensics Video Clips’ released a video on getting started with X-Tensions
Video 59 – Introduction to X-Tensions for Beginners
MALWARE
- BlueKeep takes the headlines this week and in this overview at Andrea Fortuna at ‘So Long, and Thanks for All the Fish’.
A brand-new mass attack uses BlueKeep exploit to infect with Monero miners - Warren Mercer, Paul Rascagneres, and Vitor Ventura at Cisco Talos examine a collection of different types of malware.
C2 With It All: From Ransomware To Carding - Prabhankar Tripathi at Lucideus looks at finding IOCs in Wireshark.
A Basic Guide to Malware Traffic Analysis Through Wireshark - Jovi Umawing at Malwarebytes Labs looks at Business Email Compromise.
Not us, YOU: vendor email compromise explained - McAfee Labs posted about ransomware this week.
- Microsoft Security writes about the RDP BlueKeep exploit.
Microsoft works with researchers to detect and protect against new RDP exploits - Brad Duncan at Palo Alto Networks shares how to examine Trickbot with Wireshark.
Wireshark Tutorial: Examining Trickbot Infections - Radware shares a lengthy post about TCP reflection attacks.
Threat Alert: TCP Reflection Attacks - Justin Buchanan at Rapid7 writes about BlueKeep.
The Anatomy of RDP Exploits: Lessons Learned from BlueKeep and DejaBlue - There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Fake Netflix Update Request by Text, (Sat, Nov 9th)
- You Too? “Unusual Activity with Double Base64 Encoding”, (Sun, Nov 3rd)
- Bluekeep exploitation causing Bluekeep vulnerability scan to fail, (Tue, Nov 5th)
- More malspam pushing Formbook, (Wed, Nov 6th)
- Microsoft Apps Diverted from Their Main Use, (Fri, Nov 8th)
- SentinelOne posted a few times this week
- Nguyen Hoang Giang, Eduardo Altares, and Muhammad Hasib Latif at Symantec write about the Trik botnet and Nemty/Phorpiex ransomware.
Nemty Ransomware Expands Its Reach, Also Delivered by Trik Botnet - Suweera De Souza at Netscout shares the latest Emotet IOCs.
Emotet – What’s Changed? - TrendMicro wrote about adware and exploit kits this week
- Virus Bulletin continued sharing presentations from VB2019 and beyond
MISCELLANEOUS
- Marco Fontani at Amped walks through the output functionality of Amped Authenticate
Feed The Machine! Learn How to Easily Generate Computer-Processable Results With Amped Authenticate - Craig Ball at ‘Ball in your Court’ shares a document that he’s written as a primer for processing in e-Discovery
A Primer on Processing and a Milestone - There were a number of posts on Forensic Focus this week
- How To Use Amped DVRConv To Quickly Convert And Make Playable Proprietary CCTV V
- Forensic Focus Reviewer Required
- What Changes Do We Need To See In eDiscovery? Part V
- VFC5: Now With Windows Live ID Exploit
- Walkthrough: What’s New In XAMN v4.4
- Belkasoft Discusses Proper Timelines And How to Handle Them
- Cost-Effective Tools For Small Mobile Forensic Labs
- How To Export Media Files From BlackLight Into Semantics21
- They also continued their ‘What’s Happening In Forensics’ series
- Foxton Forensics have released a Chrome history based challenge
Cyber Challenge #1 — November 2019 - Katie Nickels at ‘Katie’s Five Cents’ shares tips on how to make better infosec presentations.
How to Make Better Infosec Presentation Slides - Koen Van Impe shares an article on building an IR capability
Measure and Improve the Maturity of Your Incident Response Team - MantaRay Forensics released their q4 VirusShare hashsets
VirusShare.com MantaRay Forensics Refined Hash Set (v.2019_Q4) - Morpheus______ has released an updated version of plutil, called jlutil, along with documentation on the plist format
Check out @Morpheus______’s Tweet - Richard Frawley at ADF describes how to create search profiles with MDI
How to Create Search Profiles with Mobile Device Investigator - Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the last couple of weeks
- VirusTotal released new APIs.
Pipelining VT Intelligence searches and sandbox report lookups via APIv3 to automatically generate indicators of compromise
SOFTWARE UPDATES
- Arsenal released v3.0.84 Beta of their Image Mounter tool
Check out @ArsenalRecon’s Tweet - Adam at Hexacorn updated DeXRAY to v2.17
DeXRAY 2.17 update - Didier Stevens updated his format-bytes Python script
Update: format-bytes.py Version 0.0.10 - Eric Zimmerman updated Timeline Explorer, and Registry Explorer
ChangeLog - ExifTool 11.75 was released with new tags and bug fixes
ExifTool 11.75 - GetData released Forensic Explorer v5.1.2.9128
08 November 2019 – 5.1.2.9128 - Magnet Forensics updated Axiom to v3.7
Magnet AXIOM 3.7 is Available with Google Warrant Returns, Mac Updates and More! - NetworkMiner 2.5 was Released
NetworkMiner 2.5 Released - X-Ways Forensics 19.9 Beta 4 was released
X-Ways Forensics 19.9
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!
This Week In 4n6 