Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Roey Arato announced that full file system extractions via the Checkra1n jailbreak will be incorporated into UFED4PC/Touch2/PA (don’t know which, all?). This is great for those who are outside of law enforcement or aren’t able to jailbreak to get at the hidden gems.
  iOS Breakthrough Enables Lawful Access for Full File System Extraction
- Mike Williamson at Magnet Forensics walks through acquiring a device using the Checkra1n jailbreak.
  Using the checkra1n Jailbreak
- Mattia Epifani at Zena Forensics continues to investigate retrieving data from an iPhone in BFU state using checkra1n.
- QuoScient released some interesting research into the effects of various operations on timestamps across Linux operating system distributions. They also released a tool to “profile how your Unix-like OS (Linux, BSD…) modifies MACB timestamps.”
  MAC(B) Timestamps across POSIX implementations (Linux, OpenBSD, FreeBSD)
- Antonio Sanz at ‘Security Art Work’ walks through a fictional case study of a CEO falling for a scam and the subsequent investigation.
THREAT INTELLIGENCE/HUNTING
- Sergio Caltagirone at Dragos shares a post developed for the Red Cross site: the potential humanitarian impact of ICS threats in the coming years.
  Industrial Cyber Attacks: A Humanitarian Crisis in the Making
- Chris Brenton at Active Countermeasures does a video demo (75 sec) of how to look for long connections in Zeek.
  Finding Long Connections With Zeek – Video Blog
- Chris Doman at AlienVault Labs looks at a JavaScript injection DDoS.
  The “Great Cannon” Has Been Deployed Again
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ recaps news from re:Invent about how Access Analyzer for S3 can help find unsecured buckets.
  Access Analyzer for S3: a new tool from Amazon for monitor, review, and protect S3 buckets
- Gary Golomb at Awake Security shares a case study involving a persistence mechanism for running WLL add-ons in Word.
  Threat Hunting Series: Detecting Command & Control in the Cloud
- Cyber Triage introduces how to use OODA (Observe > Orient > Decide > React) in IR.
  How to Use OODA Loop in Your Incident Response Process in 2020
- Ryan Tracey at Cylance shares information about the PyXie Python RAT.
  Meet PyXie: A Nefarious New Python RAT
- Florian Roth looks into the value of creating Sigma rules to help with detection queries.
  An Overlooked but Intriguing Sigma Use Case
- Rich Turner at Journey Notes continues their AWS cloud security series.
  The fifth pillar to well-architected AWS cloud security – IR (Incident Response)
- Ken Sajo at JPCERT/CC shares straightforward high-level and technical explanations of how to deal with Emotet (if you’re doing family tech support over the holidays, bookmark this page!).
  How to Respond to Emotet Infection (FAQ)
- Koen Van Impe at vanimpe.eu looks at DNS monitoring, collection, and tracking queries.
  Use Sysmon DNS data for incident response
- Action Dan at LockBoxx thinks about issues with kill chain models and incomplete simulations.
  On Better Red Teaming
- Maarten Goet shares what it means to have ML in Azure Sentinel, including how TTPs can be mapped.
  Advanced multistage attack detection — real machine learning for the real world
- Patrick Wardle at Objective-See looks at a new Lazarus trojan reported by Dinesh_Devadoss: AppleJeus, with a payload downloaded and run from memory.
  Lazarus Group Goes ‘Fileless’
- Tony Lambert and Brian Donohue at Red Canary look at Empire and a similar campaign seen in recent IR investigations.
  Detection Déjà Vu: a tale of two incident response engagements
- David Emm at Securelist shares a survey of APT activity seen over the past year.
  APT review: what the world’s threat actors got up to in 2019
- SpecterOps continues showing how to use FreeIPA Lab.
  Attacking FreeIPA — Part II Enumeration
- Tyranid’s Lair looks at a hole in application allow-listing.
  The Mysterious Case of a Broken Virus Scanner
UPCOMING WEBINARS/CONFERENCES
- Tim Thorne and Stephanie Thompson from Blackbag Technologies will be hosting a webinar on imaging Macs with Macquisition. The webinar will take place December 19th at 11am EST.
  Solving the Mystery Behind Imaging a Mac Computer
- The CFP for DFRWS USA 2020, held in Memphis, TN on July 19-22, has been announced.
  DFRWS USA 2020
- Gina Cristiano at ADF shares a list of upcoming LE-focused conferences in North America.
  Best 2020 Law Enforcement Conferences in North America
PRESENTATIONS/PODCASTS
- Amanda Rousseau’s keynote from Black Hat Europe 2019, “Blue to Red: Traversing the Spectrum”, was uploaded to YouTube.
  Black Hat Europe 2019 Keynote: Blue to Red: Traversing the Spectrum by Amanda Rousseau
- Black Hills Information Security shared a webcast on deploying group policies that will increase your security posture.
  Webcast: Group Policies That Kill Kill Chains
- More videos from Awareness Con 2019 and DEFCON were uploaded.
- Philippe Lagadec shared the slides from his presentation at Black Hat Europe 2019 on “Advanced VBA Macros Attack & Defence”.
  Advanced VBA Macros Attack & Defence – Black Hat Europe 2019
- On this week’s Digital Forensic Survival Podcast, Michael discussed the Linux Malware Detect tool.
  DFSP # 198 – Linux Malware Detect
- Trey from Magnet Forensics demonstrated how Axiom parses AirDrop artefacts.
  AirDrop Artifacts in Magnet AXIOM
- MSAB released a short video on what’s new in XAMN 4.5.
  What’s new in XAMN 4.5
- OALabs released an intro to IDA Pro scripting video demonstrating how to “automate resolving the dynamic imports for REvil ransomware”.
  IDA Pro Scripting Intro – Automate Dynamic Import Resolving for REvil Ransomware
- SANS shared a video by Lee Crognale on the FOR585 Smartphone Forensic Analysis In-Depth class.
  Interested in Smartphone Forensics?
- Jason and Sam at Sumuri shared a tip for supporting your 3.5″ drives while they’re imaging in a Talino workstation.
  Talino Tip on External Drives
MALWARE
- Matthew McWhirt, Nick Carr, and Douglas Bienstock at FireEye examine in detail Outlook client homepage changes allowing for RCE. (bonus, is that a baby shark reference in there?)
  Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774)
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ examines RIPlace rename requests that help ransomware evade detection.
  RIPlace: a new evasion technique that allows ransomware to bypass most antivirus
- David French at Elasticsearch posts about a Sodinokibi process injection related threat.
  Ransomware, interrupted: Sodinokibi and the supply chain
- hasherezade, with siri_urz, and Jérôme Segura at Malwarebytes Labs discuss the Proofpoint TA2101 report and share their own analysis of the IcedID Trojan.
  New version of IcedID Trojan uses steganographic payloads
- Marco Ramilli writes about Sofacy Group and surveys published material about APT28.
  APT28 Attacks Evolution
- There were a few posts on the Palo Alto Networks blog this week
- Pepper Potts at PepperMalware writes about Electrum network phishing attacks.
  Analysis of Malicious ElectrumX Servers Source Code
- Dmitry Makarov and Evgeny Ustinov at Positive Technologies examine a spyware campaign.
  Malware creators trying to avoid detection. Spy.GmFUToMitm as an example
- Ryan Campbell at ‘Security Soup’ looks at a new Emotet campaign with VBA obfuscation.
  Quick Post: Analyzing Maldoc with “Do While” Loop in VBA Downloader
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
  - Ursnif infection with Dridex, (Tue, Dec 3rd)
  - Next up, what’s up with TCP port 26?, (Mon, Dec 2nd)
  - Analysis of a strangely poetic malware, (Wed, Dec 4th)
  - E-mail from Agent Tesla, (Thu, Dec 5th)
  - Phishing with a self-contained credentials-stealing webpage, (Fri, Dec 6th)
  - Integrating Pi-hole Logs in ELK with Logstash, (Sat, Dec 7th)
- Sebdraven unpacks a sample of Clop ransomware.
  Unpacking Clop
- Security Intelligence posted two writeups this week:
- Phil Stokes at SentinelOne continues creating a post-exploitation script for macOS.
  macOS Red Team: Calling Apple APIs Without Building Binaries
- Andrew Brandt at Sophos News shares a high-level Emotet overview.
  Emotet’s Central Position in the Malware Ecosystem
- ThreatRecon shares an email-based attack.
  Threat Actor Targeting Hong Kong Pro-Democracy Figures
- TrendMicro had two posts this week:
- Helen Martin at Virus Bulletin publishes the VB2019 paper about new/old threats from Righard Zwienenberg at ESET and Eddy Willems at G DATA.
  VB2019 paper: Oops! It happened again!
- Tomáš Foltýn at ESET looks at commodity spyware Imminent Monitor RAT (IM-RAT).
  Notorious spy tool taken down in global operation
- Xavier Mertens at /dev/random had more BotConf posts this week:
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR posted a couple of content updates
- Stephanie Thompson at Blackbag Technologies demonstrates the file filters available in Blacklight.
  Getting Through the Data Quickly
- Tim Bienvenu-Bate from DME Forensics guest posts on the Cellebrite blog about the benefits of using a DVR-forensics specific tool.
  How to Record Video Evidence the Right Way with DME Forensics, a Cellebrite Partner
- Jake Nicastro and David Pany at FireEye share some handy analysis tips for everyone’s favourite forensic tool, Excel.
  Excelerating Analysis – Tips and Tricks to Analyze Data with Microsoft Excel
- There were a number of posts on Forensic Focus this week
  - Digital Forensics For National Security Symposium – Alexandria, VA
  - The Often-Ignored Value Of Training Investigators To Use Digital Forensic Tools
  - How To Digital Forensic Boot Scan A Mac With APFS
  - Forensic Extraction Of Data From Mobile Apple Devices
  - Amped Replay: Giving Police Investigators The Tools To Close More Cases
  - Digital Forensic Techniques To Investigate Password Managers
  - Deleted File Fragment Dating By Analysis Of Allocated Neighbors
  - How To Easily And Accurately Play CCTV With Amped Replay
  - Analysis Of Jump Lists With Belkasoft Evidence Center
  - They also continued their ‘What’s Happening In Forensics’ series
    What’s Happening In Forensics – Dec 2, 2019
- Sofia Björketun at MSAB describes how to extract a binary image from an .xry file using XAMN Elements.
  Goodbye XACT, hello XAMN Elements: How to export binary data
- Amber Schroader describes some of the changes in mobile forensic acquisition over the years.
  Mobile Forensic Imaging through the years
- Passware shared their findings on the various passwords seen across their Password Exchange.
  Password Trends 2019
- Richard Frawley at ADF describes a new tool for migrating your data between upgrades.
  Transferring Data With the ADF Migration Tool
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week.
  Weekly News Roundup — December 1 to December 7
- Liam DiFalco was interviewed about his experience at the Leahy Center for Digital Forensics & Cybersecurity.
  Leahy Center Student Showcase: Liam DiFalco
SOFTWARE UPDATES
- Amped released FIVE update 15018.
  Amped FIVE Update 15018: Customizable Reporting, Further Audio Support and More
- Apache Tika v1.23 was released.
  Release 1.23 – 12/02/2019
- UFED Cloud Analyzer 7.10 was released with “improvements in multiple categories; performance, security, app support, and more”.
  UFED Cloud Analyzer 7.10 Now Available!
- DVR Examiner 2.8.1 has been released.
- ExifTool 11.78 was released with new tags and bug fixes.
  ExifTool 11.78
- There was a new release of F-Response v8.
- GetData released Forensic Explorer v5.1.2.9180.
  5 December 2019 – 5.1.2.9180
- Magnet Forensics released Axiom v3.8, as well as a video of the highlights.
  Magnet AXIOM 3.8 Brings AirDrop Artifacts, Updates to Acquisitions with checkra1n, and More!
- Metaspike updated FEC to v3.12.1.0.
  Forensic Email Collector (FEC) Changelog
- “A new version of MISP (2.4.119) has been released, including several functionalities that should make the operation of a MISP instance more convenient.”
  MISP 2.4.119 released (aka the quality of life release)
- MSAB released XRY 8.2, XAMN 4.5 and XEC 5.3, as well as a video showing the highlights.
  Now released: XRY 8.2, XAMN 4.5 and XEC 5.3
- Nextron Systems announced updates to Thor and Asgard.
- Passmark released OSForensics V7.1 build 1002.
  V7.1 build 1002 6th December 2019
- Paraben released E3 Platform 2.41.
  E3 Platform 2.41 Release
- Ryan Benson published unfurl, which is a tool to “extract and visualize data from URLs”.
  unfurl
- IsoBuster 4.5 Beta was released.
  IsoBuster 4.5 Beta released
- Ulf Frisk released MemProcFS version 3.
  Version 3.0
- Velociraptor v0.3.7 was released.
  Release 0.3.7
- VMRay Analyzer 3.2 was released.
  What’s New in VMRay Analyzer 3.2?
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!