Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, Thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Vladimir Katalov at Elcomsoft describes the checkra1n jailbreak and the process and results of acquisition using their toolkit.
iOS Device Acquisition with checkra1n Jailbreak - On the same topic, Mattia Epifani at Zena Forensics comments on the jailbreak and how it can benefit forensics
Checkm8, Checkra1n and the new “golden age” for iOS Forensics - Ian Whiffin at DoubleBlak describes the 7bit PDU data encoding format that is still used by some mobile devices
7bit PDU (GSM-7)
THREAT INTELLIGENCE/HUNTING
- A new take on ransomware for threat hunters and incident responders to consider: Damian Pfammatter with help from Salvador Richter at Compass Security Blog show a proof of concept for ransomware working at the application level – encrypting the bodies of emails within Outlook.
Challenging Your Forensic Readiness with an Application-Level Ransomware Attack - Susan Ghosh at Checkmate continues working on how processes can elevate to System level privileges.
Token Manipulation Attacks – Part 2 (Process of Impersonation) - Dimitris Margaritis shares a list of built in Windows executables whose connections should be restricted at the firewall to block LOLBAS.
PREVENT Legitimate Windows Executables To Be Used To Gain Initial Foothold In Your Infrastructure - rtcrowley at liberty shell shows how to maintain persistence using IFEO (T1183).
Persistence via IFEO - MENASEC shares EventIDs to check for command line dumping of NTDS.dit, as seen in APT34 (OilRig) campaigns.
Forensics traces of NTDS.dit dumping using ntdsutil utility - Brian Donohue and Susannah Clark at Red Canary recount 10 ATT&CK techniques attackers may use to thwart retail during the holiday season.
10 Hackers Hacking: A Holiday Countdown of Retail Cybersecurity Threats - Phil Stokes at SentinelOne shares a method to get root on macOS using PrivilegedHelperTools.
macOS Red Team: Spoofing Privileged Helpers (and Others) to Gain Root
UPCOMING WEBINARS/CONFERENCES
- Griffeye will be hosting a webinar on GPS data in media on December 9th, 2019 at 15.00 CEST (9 am EST) and 4 pm PST (7 pm EST)
Webinar: How to leverage GPS data from images and videos
PRESENTATIONS/PODCASTS
- Black Hills Information Security shared some of the videos from Awareness Con 2019
Awareness Con 2019 (Adel, IA) - Black Hills also released a presentation on defensive group policies.
Group Policies That Kill Kill Chains - Some more talks from DEFCON were uploaded
- On this week’s Digital Forensic Survival Podcast, Michael discusses network forensics methodology
DFSP # 197 – Approaching Network Forensics - Richard Davis at 13Cubed took a look at the public beta of Volatility3
First Look at Volatility 3 Public Beta - Richard Frawley at ADF demonstrates ADF’s photo probability feature
How to Use ADF Photo Probability to Speed Your Investigation - Ailyn and Jason at Sumuri announced a competition they’re running for a bright yellow Talino workstation for a qualifying law enforcement agency
Sumuri Gives Back this Thanksgiving 2019 - I released my monthly podcast for November.
This Month In 4n6 – November – 2019
MALWARE
- Rico’s blog looks at how to parse code, useful for any reverse engineer. Rico shares general principles about RE and uses Python to create a parser for the game CS:GO.
Writing a parser for CS:GO files - Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ recaps the heroism of Michael Gillespie written up at ProPublica for writing ransomware decryptors.
Michael Gillespie, the Ransomware Superhero - Andrea Fortuna also shares highlights from Richard Davis’ video about what’s new in Volatility 3 beta.
What’s new in Volatility 3? - Max Gannon and Alan Rainer at Cofense share how the Raccoon infostealer has been evolved to delivery via Dropbox links.
Raccoon Stealer Found Rummaging Past Symantec and Microsoft Gateways - Adam Martin at Cylance looks at a Machete infostealer campaign purportedly distributed as PowerPoint presentations targeting Spanish speaking areas.
Threat Spotlight: Machete Info-Stealer - Ryan Warns and Carlos Garcia Prado at FireEye introduce “the FLARE IDA Decompiler Library (FIDL), FireEye’s open source library which provides a wrapper layer around the Hex-Rays API.”
FIDL: FLARE’s IDA Decompiler Library - Shaul Holtzman at Intezer shares a variety of malware analysis reports, from EKs to trojans.
Intezer Analyze Community: Buhtrap, Divergent, Kronos, and More - Marco Ramilli looks back on a million samples processed with YARA rules and trends, ranging across EquationGroup tools to anti-debugging techniques.
After 1 Million of Analyzed Samples - Netskope shares their paper presented at MalCon about cloud C2 (7 page PDF by Erick Galinkin, Jenko Hwong, Abhinav Singh, Colin Estep, Ashwin Vamshi, and Ray Canzanese).
MalCon Recap - There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Securelist recounts the RevengeHotels campaign targeting Brazillian tourism targets.
RevengeHotels: cybercrime targeting hotel front desks worldwide - Jim Walter at SentinelOne writes about MedusaLocker which encrypts local systems and also mapped drives.
How MedusaLocker Ransomware Aggressively Targets Remote Hosts - Michael Tyler at The PhishLabs Blog shares a recent TrickBot campaign.
Active TrickBot Campaign Observed Abusing SendGrid and Google Docs - Lance Jiang and Jesse Chang at TrendMicro look at the WhatsApp vulnerability from earlier this year and other mobile applications that may still be at risk.
Patched GIF Processing Vulnerability CVE-2019-11932 Still Afflicts Multiple Mobile Apps - Joey Chen, Hiroyuki Kakara and Masaoki Shoji also at TrendMicro introduce their paper (51 page PDF) on Operation ENDTRADE, focusing on “defense, aerospace, chemical, and satellite industries with head offices in Japan and subsidiaries in China.”
Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK - Martijn Grooten at Virus Bulletin shares material from VB2019.
- Vladislav Hrčka at WeLiveSecurity looks at the Stantinko botnet and cryptomining capabilities.
Stantinko botnet adds cryptomining to its pool of criminal activities
MISCELLANEOUS
- Xavier Mertens recaps talks across security and malware from DeepSec.
DeepSec 2019 Wrap-Up Day #1 - Andrew Rathbun at AboutDFIR posted a couple of content updates
- Adam Harrison at 1234n6 shares how he completed the badge challenge at CyberThreat 2019
CyberThreat 2019 Badge Writeup - Marco Fontani at Amped describes the various datasets that are available to assist in validating their products
Try This at Home! Validation Is Important: Use These Datasets to Test Amped Solutions - Brett Shavers updates us on what’s happening at DFIR.Training
What’s New at DFIR Training? - John Walther at Carpe Indicium walks through processing a forensic image with Nuix Workstation
Nuix Workstation – Triage all the Things - Christian at IT-Dad demonstrates a tool by Denny Mleinek designed to hunt for veracrypt containers
Veracrypt Container aufspüren mit VC Hunter - Chris Brook at Digital Guardian interviewed Harlan Carvey who is their new senior threat hunter
Meet Harlan Carvey, Digital Guardian’s New Senior Threat Hunter - There were a few posts on Forensic Focus this week
- They shared a roundup of the top forum posts of the month
Forensic Focus Forum Round-Up - They shared the webinar and transcript of the AccessData presentation on Quin-C’s Social Analyzer widget
Walkthrough: Quin-C Social Analyzer Widget From AccessData - They shared Harald Baier presentation and transcript from DFRWS EU 2019.
On Efficiency Of Artifact Lookup Strategies In Digital Forensics - Oxygen Forensics provide an overview of the Wickr app
Wickr Messenger Extraction And Decryption In Oxygen Forensic Detective - Dr Tristan Jenkinson introduces a series on password managers
The Potential Importance Of Information From Password Managers - Belkasoft announced a customer survey with a chance to win a license
Belkasoft’s Customer Survey: Your Chance To Win A License
- They shared a roundup of the top forum posts of the month
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the last couple of weeks
SOFTWARE UPDATES
- Alexis Brignoni added a GUI to his iOS Mobile Installation Logs parser
- Belkasoft Evidence Center 2020 v.9.8 which include the capability of a full file system acquisition of some non-jailbroken iOS devices.
What’s new in BEC v.9.8 - An updated build of CDQR was released
20191128 - Cellebrite released UFED PA 7.26
Faster iOS extraction time and more app data - DVR Examiner Version 2.8.0 was released
DVR Examiner Version 2.8.0 released 2019-11-25 - iOS Forensic Toolkit 5.20 was released.
iOS Forensic Toolkit 5.20 adds future-proof file system extraction support for Apple devices with checkra1n jailbreak - ExifTool 11.77 was released with new tags and bug fixes
ExifTool 11.77 - Sandfly Security released a new tool that “allows Linux admins and incident responders to quickly scan for compressed or encrypted executable files often linked to malware.”
Sandfly Filescan Open Source File Entropy Scanner for Linux - X-Ways Forensics 19.9 SR-1 was released.
X-Ways Forensics 19.9 SR-1
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!
This Week In 4n6 