Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Belkasoft have posted an article on examining LNK files and their potential as an attack vector for malicious actors
Forensic Analysis Of LNK Files With Belkasoft Evidence Center
- Heather Mahalik at Cellebrite follows up her recent webinar on iOS 13 covering the need for an examiner to acquire an encrypted backup.
Follow Up Answers to the “Fact or Fiction – iOS 13 Webinar”
- Andrew Fredericks at Input-Ace “dives into some of the common issues we can encounter when using a proprietary player”
Under the Hood
- Matthew Green shares the automation that he’s built around the Velocidex Velociraptor live response agent
Live response automation with Velociraptor
- Mike Cohen (from Velocidex!) has written a couple of posts this week
- The first is a great post on Windows Event logs, which includes releasing a tool to centrally collect event descriptions from the various DLLs
Windows Event Logs
- Mike also looks at manually recovering a deleted file with Velociraptor. Unfortunately this relies on the file not being overwritten and the MFT entry not being reused on the system.
Recovering deleted NTFS Files with Velociraptor
- Mike Iacovacci shares how to use VMware Fusion including hardware and snapshotting strategies, as well as use cases for opsec, forensics, and traffic analysis.
VMware Fusion for Security Researchers
THREAT INTELLIGENCE/HUNTING
- If you read one threat hunting blog this week, check out Cedric Owens at Red Teaming with a Blue Team Mentality looking at how to get easy wins with macOS detections and post compromise analysis. Parent-child relationships, and research resources including web history parsing are covered.
A Brief Look At macOS Detections and Post Infection Analysis
- Susan Ghosh at Checkmate introduces the use of access tokens to set up a discussion about token manipulation.
Token Manipulation Attacks (Part 1: Introduction to Tokens and Privileges)
- Vanja Svajcer at Cisco covers LoLBin activity including loaders for Sodinokibi and Gandcrab as well as cryptocurrency miners.
Hunting for LoLBins
- Austin Clark at C2Defense looks at monitoring network devices as endpoints
Man-in-the-Network: Network Devices are Endpoints too
- Dave Zbarsky at Dropbox shares their in-house Vortex monitoring system.
Monitoring server applications with Vortex
- Erik Hjelmvik at Netresec uses NetworkMiner and Kali Linux to extract Kerberos passwords.
Extracting Kerberos Credentials from PCAP
- Penetration Testing Lab covers accessibility features like sticky keys and exploitation using Metasploit.
Persistence – Accessibility Features
- Tony Lambert at Red Canary shares information about Linux systemd services.
ATT&CK T1501: Understanding systemd service persistence
- Vijay Erramilli at Salesforce Engineering talks about data exfil.
How Salesforce Helps Protect You From Insider Threats
- Joe at Stranded on Pylos writes about the history of “owning” an incident and gatekeeping.
Who ‘Owns’ an Incident?
UPCOMING WEBINARS/CONFERENCES
- Ashley Hernandez from BlackBag and Dmitry Sumin from Passware will be giving a webinar on November 21 on the latest improvements to BlackLight
Webinar: New Triage Capabilities In BlackLight
- Shahaf Rozanski and Eric Olson at Cellebrite will be hosting a webinar on mobile data in eDiscovery on December 3 at 11:00 AM (New York) / 4:00 PM (London) and December 4 at 11:00 AM (Singapore) / 2:00 PM (Sydney)
The Value of Mobile Device Data in eDiscovery
- Magnet Forensics announced the CFP for their 2020 User Summit in Nashville, held May 11-13
Submit to the Magnet User Summit 2020 Call for Papers (CFP)
- See the Palo Alto November 20 webinar: 3 Ways to Speed Up Response with Threat Intel.
When Will Threat Intelligence Deliver on Its Promise?
PRESENTATIONS/PODCASTS
- Some of the talks from DEF CON 2019 were uploaded to YouTube
- On this week’s Digital Forensic Survival Podcast, Michael talks about the BAM registry key
DFSP # 195 – BAM!
- Eric Capuano shared his slides for his talk on hunting with open source tools
Check out @eric_capuano’s Tweet!
- Forensic Focus shared presentations from Magnet Forensics and Griffeye
- The Microsoft Security Response Center announced that the videos from BlueHat Seattle are now online
BlueHat Seattle videos are online!
- Richard Davis at 13Cubed posted a video on hunting with YARA
Finding Evil with YARA
MALWARE
- In a great application of testing theories, research, and writing your own tools when no others exist, Didier Stevens thinks about ways of obfuscating payloads to avoid detection systems and uses his own Python tools.
Steganography and Malware
- James Quinn at Binary Defense looks at HTA/JavaScript delivery of the RevengeRAT.
Revenge is a Dish Best Served… Obfuscated?
- Holger Unterbrink at Cisco examines the Agent Tesla info stealer delivered by an ARJ archive attached to email.
Custom dropper hide and seek
- Kim Crawley at ThreatVector summarizes the BlueKeep story and interviews Marcus Hutchins.
Marcus Hutchins Gives Advice on BlueKeep (CVE-2019-0708)
- Fortinet posted about trojans and RATs this week:
- Michael Kajiloti at Intezer in a collaboration with IBM X-Force looks at code reuse around the “more_eggs” backdoor, discovering PureLocker.
PureLocker: New Ransomware-as-a-Service Being Used in Targeted Attacks Against Servers
- Nathan Collier at Malwarebytes Labs describes fake Android ad blocker malware.
Stealthy new Android malware poses as ad blocker, serves up ads instead
- Marco Ramilli examines a ransomware threat possibly associated with TA505.
TA-505 Cybercrime on System Integrator Companies
- Patrick Wardle at Objective-See shares an Excel RCE example using .slk (symbolic link) files.
[0day] Abusing XLM Macros in SYLK Files
- Gayathri Anbalagan at Zscaler shares a fake Flash Player update that compromises CMS sites like WordPress or Drupal.
NetSupport RAT installed via fake update notices
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Did the recent malicious BlueKeep campaign have any positive impact when it comes to patching? (Sun, Nov 10th)
- Are We Going Back to TheMoon (and How is Liquor Involved)? (Mon, Nov 11th)
- An example of malspam pushing Lokibot malware, November 2019 (Wed, Nov 13th)
- Some packet-fu with Zeek (previously known as bro) (Mon, Nov 11th)
- SentinelOne posted about ransomware and privilege escalation this week:
- Michael Tyler at PhishLabs examines an O365 phishing campaign with a spoofed Microsoft login page.
Active Office 365 Credential Theft Phishing Campaign Targeting Admin Credentials
- Feike Hacquebord, Cedric Pernet, and Kenney Lu at Trend Micro examine an APT33 botnet campaign targeting the oil industry.
More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
- Adan Valencia, Taree Reardon, and Ray Adams at VMware Carbon Black examined unusual RDP activity resulting in an exploit of BlueKeep.
Wild Blue Yonder: VMware Carbon Black ThreatSight Dissects BlueKeep Windows Exploit
MISCELLANEOUS
- Mark Spencer at Arsenal shares a brief note about the company’s mission
A Brief Note About Our Mission
- Andrew Rathbun at AboutDFIR shares the latest updates to the site
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ talks about VPN providers this week.
The myths of VPNs
- A new DFIR social media site, The Cyber Social Hub, has launched
- Sally Vandeven at Black Hills Information Security shares some great Windows command line tricks
Rainy Day Windows Command Research Results
- Brett Shavers at DFIR.Training shares updates for the site
What’s New at DFIR Training?
- There were a couple of posts on the Cellebrite blog this week
- Muna Assi provides an overview of the smart translation addon for UFED PA
How On-Demand Translation with Cellebrite’s Smart Translator Expedites Investigations
- They also released a new case study
Digital Intelligence Leads to Multiple Arrests in Nepal Drug Bust
- Tim Bandos & Bill Bradley at Digital Guardian share their list of favourite tools
Mastering DFIR: Tools and Processes to Analyze Forensic Data
- There were a few posts on Forensic Focus this week
- Jade James reviewed Griffeye Brain
Review: Griffeye Brain In Analyze DI Pro
- Yulia provides an overview of the recent updates to the Atola TaskForce
Atola TaskForce’s Productivity: Express Mode, Automation And Much More
- Scar shared an article from MSAB on a new feature in XAMN for counting artefacts
How To Save Time With XAMN’s Dynamic Artifact Count Feature
- Harold Burt-Gerrans concludes his series on the changes he wants to see in eDiscovery
What Changes Do We Need To See In eDiscovery? Part VI
- Frikky writes about careers in DFIR and SOC alert handling.
The unsexy, unthankful, but essential jobs of IT and Infosec
- Jessica Hyde shares a paper written with Eoghan Casey and Alex Nelson about “definitions of ‘deleted’ content – and why we didn’t just say deleted” in this Elsevier journal article.
Standardization of file recovery classification and authentication
- Mike Dickinson at MSAB gives an overview of the FORMOBILE project
FORMOBILE’s Goal: Improve digital safety and security in Europe
- Olga Milishenko at Atola demonstrates the new integration between the TaskForce and Magnet AUTOMATE v2.0
TaskForce integration into Magnet AUTOMATE workflow
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — November 10 to November 16
- One of the teams of students at Champlain College announced they will be looking at forensic evidence available for a variety of Windows applications
Application Analysis Blog 1
- Michael Hale Ligh at Volatility Labs announces the results of the 2019 Volatility contest
Results from the 2019 Volatility Contests are in!
- Sam Bock at X1 shared a recent interview with John Patzakis from the Relativity blog
How Case Teams Can Streamline Collections with X1 in RelativityOne
SOFTWARE UPDATES
- Cellebrite updated UFED PA, now at version 7.25, with a new database viewer
Accelerate investigations with the new Database Viewer in UFED Physical Analyzer
- Cyber Triage 2.10 was released
Cyber Triage 2.10 Features: Visualization, Exporting, and More
- ElcomSoft Phone Breaker 9.30 was released
ElcomSoft Phone Breaker 9.30 is out with new iCloud engine, low-level iCloud Drive access, iOS 13.2 and macOS Catalina support
- Eric Zimmerman updated Timeline Explorer
ChangeLog
- Event Log Explorer 4.9 was released
Download Event Log Explorer
- ExifTool 11.76 was released with new tags and bug fixes
ExifTool 11.76
- AccessData announced the release of FTK and AD Lab v7.2
New Versions Of AccessData’s FTK And AD Lab Improve Processing Of Apple Devices
- Magnet Forensics announced Magnet AUTOMATE v2.0
Complete Investigations Over 2x Faster with the New Magnet AUTOMATE 2.0
- “A new version of MISP (2.4.118) has been released including a functionality that allows for tag exclusivity within taxonomies, the support for external Sighting sources via SightingDB and many fixes.”
MISP 2.4.118 released (aka the exclusivity tag release and SightingDB support)
- OpenText released the Tableau Firmware Update v7.31 to update the TX1 Imager to v3.0
Tableau Firmware Update Revision History for v7.31
- OpenText also announced updates to EnCase Forensic 8.10 and EnCase Mobile Investigator 1.06
What’s new in OpenText digital forensic solutions for Release 16 EP7
- SalvationData updated VIP 2.0 to V19.0.1.1020
[Software Update] DVR Forensics: VIP 2.0 V19.0.1.1020 New Version Released for Better User Experience!
- Sandfly 2.3.2 was released to assist in detecting packet sniffers on Linux
Sandfly 2.3.2 – Linux Packet Sniffer Detection and Faster Process Forensics
- TZWorks released their Nov 2019 build with bug fixes and maintenance updates
Nov 2019 build (package)
- Velociraptor v0.3.6 was released
Release 0.3.6
- X-Ways Forensics 19.8 SR-10 and 19.9 were released
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!