Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections. Links only this week but still plenty to read through!

As always, Thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• News about Bezos’ iPhone hack
  • TLDR #1: Jeff Bezos’ iPhone hack
  • How to decrypt WhatsApp end-to-end media files
  • There’s no evidence the Saudis hacked Jeff Bezos’s iPhone
  • The Long and Winding Road to Nowhere

• Andrew Hoog at Hack 42 Labs
  Navddoomconductor – Precise Geolocation and Time

• Rich Wisser at Black Hills Information Security
  Dumping Firmware With the CH341a Programmer

• Vico Marziale at Blackbag Technologies
  Exploring the Windows Activity Timeline, Part 1: The High Points

• Felix Fainshtein at Cellebrite
  A Look Into Apple’s Screen Time Feature and What Insights It Lends To Forensics

• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Deanonymizing Tor Circuits

• Marco Neumann at ‘Be-binary 4n6’
  • Skype on Android – Images in Web Cache
  • How to handle Bitlocker Encrypted Volumes

• Oxygen Forensics
  It’s as easy as EDL

• Bill Marczak, Siena Anstis, Masashi Crete-Nishihata, John Scott-Railton, and Ron Deibert at ‘The Citizen Lab’
  Stopping the Press: New York Times Journalist Targeted by Saudi-linked Pegasus Spyware Operator

• Jeff Lomas at ‘We are OSINTCurio.us’
  Combing Through Video Faster Using DFIR and OSINT Skills
  

THREAT INTELLIGENCE/HUNTING

• Joe at Stranded on Pylos looks at attribution and how to get a story right, applicable not just to threat hunters but anyone in forensics.
  Getting the Story Right, and Why It Matters

• 0xdf hacks stuff
  Digging into PSExec with HTB Nest

• Adam at Hexacorn
  SettingSyncHost.exe as a LolBin

• Ben Bornholm at HoldMyBeer
  Install/Setup MISP on Ubuntu 18.04 with an intro to PyMISP

• Dakota Nelson at Black Hills Information Security
  What You Should Actually Learn From a Pentest Report

• Brad Duncan at Malware Traffic Analysis has posted some additional packet captures for analysis
  • 2020-01-27 – Pcap and malware for an ISC diary (Emotet with Trickbot)
  • 2020-01-30 – Traffic analysis exercise: Sol-Lightnet
  • 2020-01-29 – Qbot (Qakbot) infection

• Alexander Chailytko at Check Point Research
  Zoom-Zoom: We Are Watching You

• Crawl3r on GitHub
  DaaC2 – Using Discord as a C2

• Rick Holland at Digital Shadows
  SANS Cyber Threat Intelligence Summit 2020: A Recap

• Jamie Collier at Digital Shadows
  Cyber Threat Intelligence Frameworks: 5 Rules for Integrating These Frameworks

• Financial Security Institute with lengthy PDF reports (Korean)
  TA505 Threat Group Profiling-FSI Intelligence Report

• Evan Kohlmann at Flashpoint
  ISIS Operations Appear to be Unaffected by Death of al-Baghdadi

• Harshit Rajpal at Hacking Articles
  Forensics Investigation of Ping Command

• Kavish Tyagi at Hacking Articles
  Windows Persistence using Application Shimming

• Paul Litvak and Michael Kajiloti at Intezer
  New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset

• Jenko Hwong at Netskope
  • MITRE Att&ck View: Securing AWS Temporary Tokens
  • Applying MITRE Att&ck

• Whitney Champion at Recon InfoSec
  Integrating Graylog With TheHive

• Eric Capuano at Recon InfoSec
  Network Defense Range (NDR) Returning to BlackHat 2020

• Joren McReynolds and Carl Petty at Red Canary
  Introducing Chain Reactor

• SentinelOne
  Rapid Threat Hunting with Deep Visibility – Feature Spotlight

• Nacho Rasche and Christian Martorella at Skyscanner Engineering
  Kubernetes Security monitoring at scale with Sysdig Falco

• Posts from SpecterOps:
  • Move faster, Stay longer
  • Attacking Azure, Azure AD, and Introducing PowerZure
  • Ghostwriter: 2020 Feature Update
  • Detection Engineering using Apple’s Endpoint Security Framework

• QuoScient GmbH on Medium
  The Chicken keeps laying new eggs: uncovering new GC MaaS tools used by top-tier threat actors

• LOLbins from Reegun J on Medium
  • Curl.exe is the new rundll32.exe — LOLbin
  • LOLbin — ProtocolHandler.exe

• Tom Connell
  Update-Sysmon Overview

• Tyranid’s Lair
  Don’t Use SYSTEM Tokens for Sandboxing (Part 1 of N)

• Greg Foss at VMware Carbon Black
  Invoke-APT29: Adversarial Threat Emulation

• JW at Wilbur Security
  VBS Downloader and Defender Control
  

UPCOMING WEBINARS/CONFERENCES

• AceLab
  Save the Date: the ACE Lab Free Technology Conference on Data Recovery & Digital Forensics 2020

• Cellebrite
  Practical guide on Checkm8 extractions and the latest UFED 7.28 capabilities
  

PRESENTATIONS/PODCASTS

• Black Hills Information Security
  • Getting Started with Tracking Hackers with Honeybadger – John Strand
  • Introducing Competitive Backdoors & Breaches and More!
  • How to use Portspoof (Cyber Deception) – John Strand
  • Tracking attackers with Word Web Bugs (Cyber Deception) – John Strand

• Sarah Edwards at BlackBag Technologies
  BlackLight and APOLLO : How to Use Apple Pattern of Life Data in Your Investigations

• Beers with Talos
  Beers with Talos Ep. #71: I Have the Power(Shell)

• Detections Podcast
  Episode 10: SOC Puppets

• Digital Forensic Survival Podcast
  DFSP # 206 – Certutil Abuse

• Magnet Forensics
  • Magnet AXIOM Cyber – Remote Acquisition
  • Magnet AXIOM Cyber – Incident Response Investigation
  • Magnet AXIOM Cyber – Intellectual Property Theft Investigation
  • Magnet AXIOM Cyber – Corporate Fraud Investigation
  • Magnet AXIOM Cyber – Investigate Amazon S3 Buckets
  • Magnet AXIOM Cyber – Corporate Harassment Case

• OALabs
  IDA Pro Automated String Decryption For REvil Ransomware

• Olaf Schwarz
  Waiting for a cyber range exercise is not enough

• Sumuri
  • SUMURI’s Solution to macOS Architecture Changes
  • A New RECON with 2 times the Power

• This Month in 4n6
  This Month In 4n6 – January – 2020
  

MALWARE

• How we analyze security vulnerabilities will involve more IoT: “In a paper written for VB2019, Fortinet researchers Axelle Apvrille and Aamir Lakhani asked: what threats are faced by diabetes sufferers who want to use medical IoT devices?”
  VB2019 paper: Medical IoT for diabetes and cybercrime

• Brian Laskowski at Laskowski-Tech
  Is That Really Your AV Company? (Trickbot gtag mor85)

• Check Point Research on malware:
  • Phorpiex Arsenal: Part I
  • Predator the Thief

• Steven Cardinal at Cofense
  Phish Fryday – Ransomware Trends

• Allie Mellen at Cybereason
  Why is Emotet So Popular and Who is it Targeting Now?

• Evan Pena, Ruben Boonen, and Brett Hawkins at FireEye
  Abusing DLL Misconfigurations — Using Threat Intelligence to Weaponize R&D

• Quentin Fois, Jason Zhang, and Stefano Ortolani at  Labs Blog
  Threat Research Report: Infostealers and self-compiling droppers set loose by an unusual spam campaign

• Marco Ramilli
  Cyber Threat Trends Dashboard

• Arnold Osipov at Morphisec
  Trickbot Trojan Leveraging a New Windows 10 UAC Bypass

• There were a couple of posts on the Palo Alto Networks blog this week
  • xHunt Campaign: New Watering Hole Identified for Credential Harvesting
  • Attacker’s Tactics and Techniques in Unsecured Docker Daemons Revealed

• Tony Lambert at Red Canary
  Trapping the Netwire RAT on Linux

• Robert Simmons at ReversingLabs Blog
  RATs in the Library

• There were a number of posts on the SANS Internet Storm Centre Handler Diaries
  • Wireshark 3.2.1 Released, (Sat, Feb 1st)
  • Is Threat Hunting the new Fad?, (Sat, Jan 25th)
  • Network Security Perspective on Coronavirus Preparedness, (Mon, Jan 27th)
  • Emotet epoch 1 infection with Trickbot gtag mor84, (Tue, Jan 28th)

• Phil Stokes at SentinelOne
  Scripting Macs With Malice | How Shlayer and Other Malware Installers Infect macOS

• ESET researchers Peter Kálnai and Michal Poslušný at Virus Bulletin
  VB2019 paper: Rich headers: leveraging the mysterious artifact of the PE format

• Swee Lai Lee at VMware Carbon Black
  Threat Analysis Unit (TAU) Threat Intelligence Notification: SNAKE Ransomware

• Luigi Martire and Luca Mella at Yoroi
  Aggah: How to run a botnet without renting a Server (for more than a year)

• Sahil Antil at ZScaler
  Frenchy – Shellcode in the Wild
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 1/28/2020

• AccessData
  Legal Reviewers Rejoice! QView Makes Mobile Data Easy to Review, Search, Tag, and Code During Discovery

• AceLab
  Technology Breakthrough: the PC-3000 Portable III is now available!

• Kate Brew at AlienVault
  Do you need certifications to get an InfoSec job?

• Memory image!
  Check out @Sibertor’s status

• Joanna Shemesh at Cellebrite
  How Cellebrite And Freeland Are Partnering To Stop Human Trafficking

• Didier Stevens
  etl2pcapng: Support For Process IDs

• Vladimir Katalov at Elcomsoft
  The Worst Mistakes in iOS Forensics

• There were a few posts on Forensic Focus this week
  • Take It Or Leave It: Triaging Digital Evidence
  • Forensic Focus Forum Round-Up
  • Amped Authenticate Update 15518: Customizable Reporting, Sun Position And More

• They also continued their ‘What’s Happening In Forensics’ series
  • What’s Happening In Forensics – Jan 27, 2020
  • What’s Happening In Forensics – Jan 28, 2020
  • What’s Happening In Forensics – Jan 29, 2020

• Foxton Forensics
  Investigating web history in the new Edge Chromium browser

• Ian Whiffin at DoubleBlak
  A Hundred Million TimeStamps

• Magnet Forensics
  • Magnet AXIOM Cyber is Here! Get a New Way to Simplify Remote Forensic Investigations
  • Employee Misconduct Investigations — Get the Whole Story with Magnet AXIOM Cyber
  • Investigating Intellectual Property Theft with Magnet AXIOM Cyber
  • How Magnet AXIOM Cyber Can Be a Critical Tool in Your Incident Response Investigations
  • Using Magnet AXIOM Cyber to Fight Workplace Fraud

• Kjell Svedman at MSAB
  Five ways to gather evidence faster

• Duncan Bradley at OpenText
  Air-gapped eDiscovery

• Richard Frawley at ADF
  How To Add Keywords On Scene

• Xavier Mertens at /dev/random
  CoRIIN 2020 Wrap-Up
  

SOFTWARE UPDATES

• Arsenal
  HBIN Recon v1.0.0.51

• Plaso
  Plaso 20200121 released

• Cellebrite
  Gain better user insights from iOS device activity with UFED Physical Analyzer 7.29

• Didier Stevens
  • Update: pecheck.py Version 0.7.9
  • Update: hash.py Version 0.0.8

• AppCompatParser
  ChangeLog

• ExifTool
  ExifTool 11.85 (production release)

• GetData
  29 January 2020 – 5.1.2.9288

• Griffeye
  Release of Analyze 19.5

• MSAB
  New XRY 8.2.4 now released

• Netresec
  RawCap Redux

• PenTestIT
  UPDATE: Tsurugi Linux 2019.2

• radare2
  4.2.1

• Rapid7
  How to Analyze Your Log Data Using the Log Search API in InsightIDR

• Sleuthkit
  The Sleuth Kit 4.8.0 was released

• Sumuri
  SUMURI Set to Release a New Software

• Timesketch
  20200131

• VirusTotal
  VirusTotal MultiSandbox += BitDam ATP

• Xways
  X-Ways Forensics 19.9 SR-3

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!