Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’ pulls apart the Imgur app on iOS
  iOS Imgur app – A Realm database example
- Arman Gungor at Metaspike compares using Google Takeout with a forensic tool capable of accessing the data via the API
  Google Takeout and Vault in Email Forensics
- An unnamed author pulls apart the DS File app on Android
  Forensic Analysis On DS File For Android
- Prince Clement hides data using steganography on a mobile device and tries to see whether a variety of open source tools are useful in detecting the encoded message.
  Blog #7: Mobile Anti-Forensics & Steganalysis
- Ryan Benson at dfir.blog describes his new tool, unfurl, for expanding URL data into a graph
  Introducing Unfurl
- Antonio Sanz at Security Art Work continues the case study of the compromised CEO, looking at data from the Exchange server
THREAT INTELLIGENCE/HUNTING
- With Velociraptor gaining users, there were a couple of posts about it this week:
- Check Point had a few posts this week:
- Sylvain Heiniger at Compass Security Blog uses BloodHound to check on AD security.
  Finding Active Directory attack paths using BloodHound
- Vijit Nair at Corelight examines how ATT&CK can be used to secure cloud storage.
  Finding Truth in the Cloud: Google Cloud Packet Mirroring & Corelight Network Traffic Analysis
- Cylance looks at the spread of Zeppelin ransomware, derived from Vega/VegaLocker.
  Zeppelin: Russian Ransomware Targets High Profile Users in the U.S. and Europe
- Digital Shadows shares some basics about Threat Intel.
  Threat Intelligence: A Deep Dive
- Dirk-jan Mollema revisits Azure AD credential dumping with help from Benjamin Delpy.
  Updating adconnectdump – a journey into DPAPI
- Isaac Palmer at Flashpoint examines credential stuffing and how to counter the attack.
  Credential-Stuffing Attacks a Universal Key for Threat Actors
- Lee Holmes searches for obfuscated content:
- Marcus Bakker at MB Secure looks at using Kusto Query Language (KQL) to query data in the Azure cloud.
  KQL Cheat Sheet
- Katie Nickels at the MITRE ATT&CK blog talks about using ATT&CK effectively, in both breadth and depth.
  How to Be a Savvy ATT&CK Consumer
- Penetration Testing Lab shows how red teamers can gain persistence using Office macros with PS Empire.
  Persistence – Office Application Startup
- Radware covers major APT players including APT28, The Equation Group, and Lazarus Group.
  The State-Sponsored Cyberthreat Landscape
- Tony Lambert at Red Canary shares how to enrich alerts with context.
  Context matters: harnessing creativity to triage security alerts
- SentinelOne looks back at recent threat actor activity:
- Grzegorz Tworek goes over why services are such a popular method of persistence for attackers, examining everything from privileges to API calls.
  Persistence with Windows Services
- Verint Cyber Engineering starts with choosing a threat hunting vector and hunting according to common attack vectors.
  Linux Threat Hunting Primer — Part I
UPCOMING WEBINARS/CONFERENCES
- The CFP for the ADFSL 2020 Conference on Digital Forensics, Security and Law, held in Las Vegas, Nevada, USA on 27-28 May 2020, has opened
  The Annual ADFSL Conference On Digital Forensics, Security and Law
- In what may be Mary Ellen Kennel’s favourite time of the year, the SANS Holiday Hack Challenge/KringleCon has begun, and Mary Ellen shares her cheat sheet for it
  Save the Date!
- SANS shared some further details about the upcoming CTI Summit
  “Kick off the new year with the industry’s top CTI experts at the SANS Cyber Threat Intelligence Summit”
PRESENTATIONS/PODCASTS
- The Forensic Lunch returned! Dave and Matthew spoke with Rick Holland, Ryan Johnson, and Evan Dygert about their work on the upcoming Cyber Threat Intel summit, as well as SANS instructing, and BBQ
  Forensic Lunch 12/13/19
- On Beers with Talos they spoke with Sean Mason from Talos IR. They also threw out my new favourite DFIR related quote: “You can’t spell Friday without DFIR”.
  Beers with Talos Ep. #67: Inside Incident Response
- More videos from DEFCON were uploaded (Blue Team Village videos this week!)
- On this week’s Digital Forensic Survival Podcast, Michael explores the hashdeep program
  DFSP # 199 – Hashdeep
- On ‘Nerds & Non/Sense’ Larry Compton spoke with Josh Brunty about the Encryption Backdoor Debate of 2019. (Full disclosure, I haven’t listened, but Josh is a Professor of Digital Forensics at Marshall University)
  Episode 3 – Complete Episode – Peter Serefine, Professor Josh Brunty, & more w/Music Man Mark
- Paraben Corporation uploaded a number of videos to their YouTube channel
  - E3 Platform Processing Amazon Alexa Data
  - Processing DJIGo Data inside the E3 Platform
  - Processing Microsoft Exchange files to PST files
  - Using E3 Platform to process FitBit data
  - Using the Image Analyzer Booster with the E3 Platform
  - Using E3 Platform with Lnk Files
  - Processing WhatsApp Data from Smartphones
- Sarah Edwards at Mac4n6 shared her presentation from the Jailbreak Security Summit and BSides NoLA titled “Poking the Bear – Dynamic Forensic Testing and Analysis”
  New(ish) Presentation: Poking the Bear – Teasing out Apple’s Secrets through Dynamic Forensic Testing and Analysis
MALWARE
- Aaron Riley at Cofense examines the Hawkeye keylogger loading a cryptocurrency miner.
  This Advanced Keylogger Delivers a Cryptocurrency Miner
- Assaf Dahan, Lior Rochberger, Eli Salem, Mary Zhao, Niv Yona, Omer Yampel, and Matt Hart at Cybereason drop a lengthy report on Anchor malware targeting PoS systems, with ties to TrickBot.
  Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware
- Yahav Levin at Cymulate Blog goes over PS, BITSadmin, WMI, and other fileless attacks.
  The Who, How, and Why Behind Fileless Attacks
- Intezer examined China this week:
- Alexey Malanov at Kaspersky Lab examines how cryptoexchanges have been hacked via phishing and malware, and Bitcoin ATM robbery.
  4 types of cryptohacks, explained
- Jovi Umawing at Malwarebytes Labs examines Wizard Spider and CryptoTech, apparently behind Ryuk ransomware.
  Threat spotlight: The curious case of Ryuk ransomware
- Anuj Soni at malwology links to their writeup from this past summer on the BlackBerry Cylance site about using Ghidra for analysis.
  An Introduction To Code Analysis With Ghidra
- Microsoft shared a few posts, including a technical evolution of phishing:
- Erik Hjelmvik at Netresec shows how to set up a dynamic malware analysis environment.
  Installing a Fake Internet with INetSim and PolarProxy
- There were a few posts on the Palo Alto Networks blog this week
  - TrickBot Campaign Uses Fake Payroll Emails to Conduct Phishing Attacks
  - Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
  - Unit 42 Presents New Research at BlueHat Seattle on Three new Windows RDP Vulnerability Exploit Methods
  - What I Learned from Reverse Engineering Windows Containers
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
  - German language malspam pushes yet another wave of Trickbot, (Wed, Dec 11th)
  - Code & Data Reuse in the Malware Ecosystem, (Thu, Dec 12th)
  - Internet banking sites and their use of TLS… and SSLv3… and SSLv2?!, (Fri, Dec 13th)
  - (Lazy) Sunday Maldoc Analysis: A Bit More …, (Sat, Dec 14th)
  - Wireshark 3.0.7 Released, (Sun, Dec 8th)
  - (Lazy) Sunday Maldoc Analysis, (Mon, Dec 9th)
- Andrew Brandt at Sophos News shares how Snatch ransomware reboots a PC into safe mode, potentially to evade EDR, before encrypting files.
  Snatch ransomware reboots PCs into Safe Mode to bypass protection
- Michael Tyler at The PhishLabs Blog examines O365 App security and the ability to compromise victims through a link to a file sharing site.
  Phishing Campaign Uses Malicious Office 365 App
- TrendMicro shared two posts this week:
- Virus Bulletin continued to release content from VB19, including my colleagues’ research on Soft Cell:
- VMware Carbon Black released a number of summaries:
  - Threat Analysis Unit (TAU) Threat Intelligence Notification: Tick Downloaders (Operation ENDTRADE)
  - Threat Analysis Unit (TAU) Threat Intelligence Notification: Skidmap
  - Threat Analysis Unit (TAU) Threat Intelligence Notification: Cyborg Ransomware
  - Threat Analysis Unit (TAU) Threat Intelligence Notification: njRAT
  - VMware Carbon Black TAU Malware Analysis: Tofsee Botnet Resurfaces
  - VMware Carbon Black TAU Threat Research: Visualizing Ransomware with MITRE
  - Threat Analysis Unit (TAU) Threat Intelligence Notification: Tofsee Botnet
  - Threat Analysis Unit (TAU) Threat Intelligence Notification: BlackRemote RAT
- Mohd Sadique and Pradeep Kulkarni at Zscaler look at lateral movement by the BuleHero botnet.
  A look at the recent BuleHero botnet payload
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR posted a content update
  AboutDFIR Content Update 12/12/2019
- Joe Gray has a post on the AlienVault blog about certifications in infosec
  Which security certification is for you (if any)
- Denis Sazonov has open-sourced Andriller, which is an automated acquisition and decoding tool for Android devices
  Check out @den4uk’s Tweet
- Anton Chuvakin shares some thoughts on SOC mistakes
  Beware: Clown-grade SOCs Still Abound
- Frederick Huang and Ajay Krishnan at Cellebrite will be hosting a webinar on January 27, 2020 at 11:00AM (India Standard Time) recapping 2019, answering frequently asked questions, and previewing what’s in the pipeline for 2020
  Cellebrite’s 2019 Highlights and What to Look Forward to in 2020
- The Champlain College Digital Forensics Association announced their Fall 2019 CTF
  Check out @champda’s tweet
- There were a few posts on Forensic Focus this week
  - How To Help Small Governments To Respond To Ransomware Attacks
  - How To Use Quin-C’s Simple Review Widget
  - Case Study: Using Susteen’s Data Pilot 10 In Law Enforcement Investigations
  - Considerations When Investigating Data From Password Managers
  - Interview With Eric Oldenburg, Law Enforcement Liaison, Griffeye
  - Debunking Fake Images: Fact-Check The Information In Front Of You
  - Magnet Forensics And Child Rescue Coalition Partner On Magnet OUTRIDER
  - Walkthrough: VFC From MD5
  - They also continued their ‘What’s Happening In Forensics’ series
    What’s Happening In Forensics – Dec 9, 2019
- Passware announced online training and certification for Passware Kit Forensic
  Passware Certified Examiner (PCE) Training
- Patrick Siewert at Pro Digital Forensic Consulting explains the use of digital forensics in sexual assault cases
  Digital Forensics in Sexual Assault Cases
- Richard Frawley at ADF demonstrates their standalone case viewer
  Archiving with the Standalone Viewer
- Ring3API shared out a diagram of the Windows account logon process/flow
  Check out @rimpg’s tweet
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
  Weekly News Roundup — December 18 to December 14
- SANS announced the winners of their 2019 Difference Makers Awards.
  SANS Announces 2019 Difference Makers Award Winners
- Marcos at ‘Un minion curioso’ reviews the Guardonix write blocker
  #Review of #Guardonix: Write blocker and read stabilizer
- Brett Shavers advised that the second edition of X-Ways Forensics Practitioner’s Guide will be self-published (due to Syngress no longer publishing new books).
  X-Ways Forensics Practitioner’s Guide, Second Edition
SOFTWARE UPDATES
- Alexandre Borges released Malwoverview 2.0, which “is a first response tool to perform an initial and quick triage in a directory containing malware samples, specific malware sample, suspect URL and domains. Additionally, it allows to download and send samples to main online sandboxes.”
  Check out @ale_sp_brazil’s tweet
- Atola updated their Insight Forensic software to v4.15. Olga Milishenko demonstrates some of the new features.
  Atola Insight Forensic 4.15
- Belkasoft Evidence Centre v9.9 was released
  What’s new in BEC v.9.9
- Didier Stevens updated a couple of his tools
- ExifTool 11.79 was released with new tags and bug fixes
  ExifTool 11.79
- Oxygen Forensic Detective 12.1 was released
  Oxygen Forensic Detective 12.1: Let AI Take A Look
- GetData released Forensic Explorer v5.1.2.9202
  12 December 2019 – 5.1.2.9202
- Griffeye released Analyze 19.4
  Release of Analyze 19.4
- Input-Ace version 2.5 was released
  iNPUT-ACE Version 2.5.1
- Intezer Analyze added “Genetic Malware Analysis for Android applications”
  Now Supporting Genetic Malware Analysis for Android Applications
- Timesketch was updated with a new UI
  New Timesketch UI – same great functionality, new wrapping
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically, hit us up through the contact page or on the social pipes!