And we’re back! Starting the 5th year of the blog. Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
A few people have reached out to see how we’re going with the fires which is very much appreciated. Thankfully I live in an area of Sydney that’s very urban so we’re ok save for the poor air quality. A lot of the country isn’t so lucky so I wanted to take a minute to explain the situation.
The effects of the fires can be felt across the country (and even in New Zealand). Millions of acres of land in my state alone have burned; there are around 200 fires currently burning across the country. Reports say almost 20 people have died and it’s estimated that half a billion animals have been killed. Many of the fires are impossible to put out, so people have been advised to pack up what they can and be ready to get out. The images are horrifying.
Various charities are accepting donations, and any donations to the cause would go a long way. I’ve donated to our Rural Fire Service, which is a volunteer-based firefighting agency, who have been battling the fires for months, and will for months to come. We’re only a month into the Summer, and typically February is even hotter – which is insane because at one point one of the Western Suburbs of Sydney, Penrith, was the hottest place on Earth at 48.9C. We even had country-wide average temperatures over 40C for a couple of days in December.
These brave men and women of the RFS have had to sacrifice their time, their jobs, their homes, their holidays to help defend and protect. An Australian comedian, Celeste Barber, has helped raise $20 million for the Rural Fire Service, which is amazing.
There are also a variety of other charities that need assistance, such as The Red Cross or Wires Wildlife Rescue. Gizmodo has compiled a small list of charities, and Cnet has provided coverage of the situation along with links to various places to donate.
Every cent counts (and with the current exchange rate, even further), and I’ll be throwing all of this month’s Patreon donations to a worthy cause.
- Raj Chandel at Hacking Articles demonstrates a variety of tools to create forensic images
Multiple Ways to Create Image file for Forensics Investigation
- On Ponkotsu Digital Forensic Memo, the author looked into the forensic artefacts left behind when a USB Ninja is connected to a Windows machine
Check USBNinja connection history
- Bill Stearns at Active Countermeasures looks at what to investigate after seeing suspicious traffic.
Suspicious Traffic Found – What Are the Next Steps?
- Adam at Hexacorn uses one of my favorite analogies to talk about what we think we’re seeing with the way we have begun to perform threat hunting in the last decade+.
The Hour Between Dog and Wolf
- Daniel Dieterle at CYBER ARMS looks at Covenant for red teaming.
Covenant the .NET based C2 on Kali Linux
- Didier Stevens shows how to use YARA with tools like oledump.py.
YARA “Ad Hoc Rules”
- Didier also looks at unusual ZIP files in a 13 minute video.
Analyzing Unusual ZIP Files
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’ shares some stories about what he’s found looking at the logs of his website
It’s All Fun and Games
- Gcow looks at Pakistan as a target of SideWinder (aka Rattlesnake).
The phantom wandering between China and Pakistan-the SideWinder APT organization’s recent activities against Pakistan and a summary of its activities in 2019
- Raj Chandel examines BITSAdmin for pen testing.
Windows for Pentester: BITSAdmin
- Josh Rickard documents possible APT commands.
Apt33 Apt34 possible commands
- Binary Hick looks at forensic evidence left by Ryuk.
Ryuk and GPOs and Powershell, Oh My!
- Kevin Beaumont at DoublePulsar examines targeted ransomware activity.
Big Game Ransomware being delivered to organisations via Pulse Secure VPN
- Koen Van Impe at vanimpe.eu shares a timely post about Iranian threat actors.
Iranian threat groups
- Mike Cohen has added SRUM parsing to Velociraptor and describes the new artefact.
Digging into the System Resource Usage Monitor (SRUM)
- Pixis at hackndo shares a lengthy post on PTH.
Pass the Hash
- Stephan Borosh at Trustwave examines IPFS for offensive use.
Using the InterPlanetary File System For Offensive Operations
- Tyranid’s Lair looks at Windows services.
Empirically Assessing Windows Service Hardening
- JW at Wilbur Security examines lateral movement in an RDP honeypot.
From Zero to Lateral Movement in 36 Minutes
- xorl looks at the maturity of CTI teams.
Growing your intelligence team beyond cyber
- Sarah Edwards at Blackbag Technologies will be hosting a webinar on her Apollo framework and its integration with Blacklight
BlackLight and APOLLO: How to Use Apple Pattern-of-Life Data in Your Investigations
- This week’s episode of the Detections Podcast covered SOC metrics
Episode 6: How Metrics Got Their Groove Back
- Joshua James at Digital Forensic Science continues his series on Go
Go Programming 004: Golang Loops
- On this week’s Digital Forensic Survival Podcast, Michael described base64 encoding and a tool to assist in dealing with base64 data
DFSP # 202 – Base64 Forensics
- Recon Infosec shared a debrief of their “Urgent IT Update!!!” scenario.
OpenSOC Scenario Debrief – “Urgent IT Update!!!”
- I recorded my last ‘this month in 4n6’ podcast for 2019
This Month In 4n6 – December – 2019
- Patrick Wardle at Objective-See reminds us how much our work impacts lives: by working with the NYT and with input from CitizenLab, Patrick shows the ToTok app is a spying tool “the American intelligence community has claimed, was spy tool used by the United Arab Emirates government.”
Mass Surveillance, is an (un)Complicated Business
- Aneesh Dogra shares some reversing posts this week:
- Cofense shares a 20 minute discussion about Emotet with Jason Meurer.
Phish Fryday – The Latest on Emotet
- Gary Warner at CyberCrime & Doing Time investigates a commodity phishing kit with a backdoor for the original code author.
Backdoored Phishing Kits are still popular
- Allie Mellen at Cybereason breaks down mobile malware targets.
Mobile Malware: From Consumer Fraud to Enterprise Espionage
- Yossi Basha at Microsoft shares compromised Azure AD user investigation techniques.
Unified SecOps Investigation for Hybrid Environments
- Minh Tran at FortiGuard looks at DeathRansom ransomware which doesn’t in fact encrypt files.
- Jérôme Segura at Malwarebytes Labs looks at skimmer evolutions including use of WebSockets.
New evasion techniques found in web skimmers
- One Night in Norfolk reverses memory scraper PoSlurp.B.
Fuel Pumps II – PoSlurp.B
- Patrick Wardle also shares a Mac malware roundup from 2019.
The Mac Malware of 2019
- Petter Potts at PepperMalware reverses the Redaman banking trojan.
Brief analysis of Redaman Banking Malware (v0.6.0.2) Sample
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Miscellaneous Updates to our “Threatfeed” API, (Mon, Dec 30th)
- ELK Dashboard for Pihole Logs, (Sun, Dec 29th)
- Some Thoughts About the Critical Citrix ADC/Gateway Vulnerability (CVE-2019-19781), (Tue, Dec 31st)
- “Nim httpclient/1.0.4”, (Wed, Jan 1st)
- Ransomware in Node.js, (Thu, Jan 2nd)
- CCPA – Quick Overview, (Fri, Jan 3rd)
- KringleCon 2019, (Sat, Jan 4th)
- Dennis Schwarz has launched the Zeus Museum, which contains references to 382 versions of the Zeus trojan across 23 families.
- Andrew Rathbun at AboutDFIR posted a couple of content updates
- Alpha Sec Lab uploaded a list of forensics tools and research
- Darlene Alvar at Amped provided an overview of their 2019
In Case You Missed It: See What Happened in 2019!
- Joshua James at Digital Forensic Science walks through “downloading Tsurugi Linux, verifying the download and importing the virtual appliance into VirtualBox.”
Tsurugi Linux for Digital Forensics – Download and verify
- Dr. Ali Hadi at ‘Binary Zone’ reviews Harlan Carvey’s “Investigating Windows Systems” book
Investigating Windows Systems (Book Review)
- Mike Williamson walks through utilising UI frameworks to improve HTML reporting
Spice up your forensic web reports with UI Frameworks
- Helen Patton at Palo Alto Networks has written a review of “Defensive Security Handbook” by Lee Brotherston and Amanda Berlin
Cybersecurity Canon Candidate Book Review: Defensive Security Handbook – Best Practices for Securing Infrastructure
- Wade Woolwine at Rapid7 counts down ways to improve threat detection.
10 Threat Detection and Response Resolutions for 2020
- Suzanne Moore at Red Canary reflects on the past decade.
Decade in review: a look back at Red Canary’s greatest hits
- Richard Frawley at ADF describes the three methods that ADF uses for file identification
How ADF Tools Identify Files
- Ryan Benson has announced that he will be posting a tweet about DFIR every day of 2020. Check out the #DailyDFIR hashtag to follow along.
Check out @_RyanBenson’s tweet
- Joe at Stranded on Pylos continues sharing his thoughts on the OST debate
Security Externalities and the Undefended Victim
- I wrote a wrap up for 2019!
2019 Wrap Up
- Arsenal released HBIN Recon v184.108.40.206 and Hive Recon v220.127.116.11
- AChoir Version 4.3 was released
AChoir Version 4.3
- Plaso 20191203 was released with new parsers, bug fixes, and other improvements
Plaso 20191203 Released
- ExifTool 11.81 was released with new tags and bug fixes
- OA Labs released v2.4.0 of UnpacMe with improved integration with Malpedia
- Tsurugi Acquire was updated
Check out @tsurugi_linux’s tweet
- Yogesh Khatri has released v0.9 beta of his Spotlight parser to deal with iOS databases.
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!