Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Stephanie Thompson at BlackBag describes how to ingest the various types of mobile extractions that Cellebrite’s products produce
BlackLight – Ingestion of Cellebrite Mobile Extractions
- Ian Whiffin at DoubleBlak posted a couple of times this week on iOS examinations
- Ozan Unal walks through installation and processing of log data using Plaso/Timesketch
Analysis of Log Files Using Timesketch
- Peter Stewart walks through a memory analysis challenge created by Memlabs
Memlabs Memory Forensics Challenges – Lab 1 Write-up
THREAT INTELLIGENCE/HUNTING
- Marcello Salvati at Black Hills Information Security shares a lengthy post starting with Marcello’s BSides PR video, then proceeds to .NET and C2 basics.
Red Teamer’s Cookbook: BYOI (Bring Your Own Interpreter)
- Bill Stearns at Active Countermeasures with a 4 minute video
Want to See What Port Is Most Commonly Used in a Packet Capture File? – Video Blog
- Adam at Hexacorn with Lolbins and sleep posts
- Jordan Drysdale at Black Hills Information Security looks at how to use SILENTTRINITY.
My First Joyride With SILENTTRINITY
- Brad Duncan at Malware Traffic Analysis has posted some additional packet captures for analysis
- David Liebenberg and Kendall McKay at Cisco Talos share high level threats, including a new move by ransomware operators of exfiltrating data and threatening to publish it
Quarterly Report: Incident Response trends in fall 2019
- Jason Trost at covert.io shares a few threat intelligence posts:
- Basis Cyber Triage on OODA
How to Orient During the Incident Response Process: OODA for DFIR 2020
- David Rowe at SecFrame uses BadBlood for AD persistence
Adding a Backdoor to AD in 400 Milliseconds
- Joe Slowik at Dragos presents a summary of threat analysis limits; more can be found in Joe’s whitepaper (registration required)
Threat Intelligence and the Limits of Malware Analysis Summary
- Annie Ballew at Huntress Labs tracks down the activity behind a cyber criminal
Adversary Exposed: How One Criminal Attempted to Sell an MSP on the Dark Web
- Martin Boller at InfoSec Worrier uses a script from Didier to detect CVE-2020-0601
Detecting CVE-2020-0601 Windows CryptoAPI Spoofing Vulnerability exploit attempts
- Mark Mo changes strings, such as those in mimikatz, that might otherwise be detected
Overwrite Strings in an EXE (AV Evasion maybe)
- Microsoft DART detects web shell attacks
Ghost in the shell: Investigating web shell attacks
- Mike at “CyberSec & Ramen” with an excursion into C# and T1218
Putting a Spotlight on CSI… the Binary, Not the Show
- Jean-Francois Maes at NVISO Labs examines command line spoofing
The return of the spoof part 2: Command line spoofing
- Penetration Testing Lab looks at WaitFor and Metasploit, with a 30 second video to illustrate
Persistence – WaitFor
- Tom Sellers at Rapid7 shares information about DOUBLEPULSAR and RDP
DOUBLEPULSAR over RDP: Baselining Badness on the Internet
- Katie Nickels at Red Canary previews her RSA talk later this month on attribution
The Attribution Game: When Knowing Your Adversary Matters
- Sebdraven puts together APT40 IOCs
APT 40 in Malaysia
- Vitali Kremez at SentinelLabs with news about the Gamaredon group
Pro-Russian CyberSpy Gamaredon Intensifies Ukrainian Security Targeting
- Jared Atkinson at SpecterOps on Kerberoasting
Capability Abstraction
- Kévin Lim at SEKOIA with quick APT20 news
APT20: The limits of MFA exposed by a Chinese hacker group
- Symantec shares a history of geopolitical cyber attacks
Geopolitical Tensions May Increase Risk of Destructive Attacks
- Multiple formats of the Sysinternals Sysmon Community Guide are available
Sysinternals Sysmon Community Guide v1.0
- Tyranid’s Lair plays with redirection
DLL Import Redirection in Windows 10 1909
- WhyNotSecurity looks at TeamViewer password storage in the registry and the potential for privilege escalation
TeamViewer
UPCOMING WEBINARS/CONFERENCES
- The CFP for the ADFSL 2020 Conference on Digital Forensics, Security and Law, held on May 27-28, 2020 at the New York New York Hotel in Las Vegas, Nevada, USA, has opened and will close 11:59 p.m. EST, 16 February 2020.
Author Instructions
- Heather Mahalik at Cellebrite will be hosting a webinar on mobile malware on Wednesday, February 19 at 11AM New York / 4PM London and Thursday, February 20 at 11AM Singapore / 2PM Sydney.
Detecting Mobile Malware When Time is of the Essence
- Kent Hoffman and Magnus Hedlund will be hosting a webinar on ForensIQ One’s “Case Investigator” on Wednesday, 12 February 2020, at 2:00 PM (UTC-5)
ForensIQ One
PRESENTATIONS/PODCASTS
- AccessData shared a video about what’s new in FTK
What’s New in FTK 7.1 & 7.2
- On the Detections podcast, the hosts spoke to Jared Folkins about his tool, Kushtaka
Episode 11: Otter Ways of Detections
- On this week’s Digital Forensic Survival Podcast, Michael discussed his favourite tools on the SIFT workstation
DFSP # 207 – Forensic Grab Bag
- Cisco have a new video series called “Stories from the Field” with Cisco Talos Incident Response
Check out @TalosSecurity’s tweet
MALWARE
- We had a break from Emotet taking the top billing in malware news, but now it’s back:
- James Quinn at Binary Defense
Emotet Evolves With new Wi-Fi Spreader
- Tonia Dudley at Cofense
Emotet Gears Up to File (Your) Taxes
- Hugh Ashton at First Response
Emotet – Malware as a Service
- Yaniv Hoffman at Radware
Emotet Attacks Spread Alongside Fears of Coronavirus
- Limor Kessem with Ashkan Vila at Security Intelligence
Emotet Activity Rises as It Uses Coronavirus Scare to Infect Targets in Japan
- James Quinn at Binary Defense
- Marcel Feller at Cofense writes about phishing targeting Android devices
Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications
- Jason Trost at covert.io with a post on malware for machine learning
6 Short Links on Malware Training Set Creation for Machine Learning
- Lior Rochberger and Assaf Dahan at Cybereason examine payloads delivered via Bitbucket
The Hole in the Bucket: Attackers Abuse Bitbucket to Deliver an Arsenal of Malware
- Dragos releases a previously customer-only report on EKANS malware
EKANS Ransomware and ICS Operations
- Rick Cole, Andrew Moore, Genevieve Stark, and Blaine Stancill at FireEye examine phishing campaigns delivering the MINEBRIDGE backdoor
STOMP 2 DIS: Brilliance in the (Visual) Basics
- Xiaopeng Zhang at Fortinet shares the growing reach of the Metamorfo banking trojan
Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries
- Kaspersky had two malware posts this week:
- Quentin Fois, Jason Zhang, and Stefano Ortolani at Lastline reverse a bypass of AMSI
Threat Research Report: Infostealers and self-compiling droppers set loose by an unusual spam campaign
- There were a few posts on the Palo Alto Networks blog this week
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Chen Nahman with Limor Kessem at Security Intelligence, with input from Andre Piva and Ofir Ozer at X-Force, look at the banking trojan CamuBot
CamuBot Resurfaces With Cross-Channel, Targeted Attacks in Brazil
- Lorin Wu at TrendMicro examines purported Android cleaning apps
Malicious Optimizer and Utility Android Apps on Google Play Communicate with Trojans that Install Malware, Perform Mobile Ad Fraud
- Helen Martin at Virus Bulletin shares work from Santiago Pontiroli at Kaspersky about gaming and anti-cheating, which also involves heavy code obfuscation
VB2019 paper: The cake is a lie! Uncovering the secret world of malware-like cheats in video games
- AC and Swee Lai Lee at VMware Carbon Black look at MailTo ransomware
Threat Analysis Unit (TAU) Threat Intelligence Notification: MailTo (NetWalker) Ransomware
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR posted a couple of content updates
- Andreas Sfakianakis at ‘Tilting at windmills’ wrote about a few conferences
- Vladimir Katalov at Elcomsoft comments on the state of iCloud security
Apple vs Law Enforcement: Cloudy Times
- There were a couple of posts on Forensic Focus this week
- They also continued their ‘What’s Happening In Forensics’ series
- Howard Oakley at ‘The Eclectic Light Company’ describes log retention on macOS
How long does your Mac keep its log for?
- Michael Karsyan at the Event Log Explorer blog describes some Windows event log internals relating to level, keywords, and type
Windows Event. Level, Keywords or Type.
- Amy L. Robertson at MITRE looks back at ATT&CKcon
ATT&CKcon 2.0
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — January 26 to February 1
- Ryan Hausknecht at SpecterOps provides an overview of “native Activity Log service functionality within Azure and provide insight into how to detect many of the TTPs” of PowerZure
Defense and Detection for Attacks Within Azure
SOFTWARE UPDATES
- AccessData updated FTK Imager to v4.3.0. They demonstrate a large imaging speed improvement, so Eric compared the results with X-Ways.
FTK Imager version 4.3.0
- Amped Replay Update 15666 was released
Amped Replay Update 15666: Further Intuitive Annotation and Enhancement Tools and More
- Eric Zimmerman updated pretty much all of his tools. Use the PowerShell script to update now!
ChangeLog
- ExifTool 11.86 was released with new tags and bug fixes
ExifTool 11.86
- GetData released Forensic Explorer v5.1.2.9306
5 February 2020 – 5.1.2.9306
- Saleh Bin Muhaysin released CSVFilterator, which looks like an awesome way to filter CSVs based on predefined rules. I currently use Eric’s TimelineExplorer for this, but with this kind of script you can automate some of your checks very quickly.
CSVFilterator
- JPCERT updated LogonTracer to v1.4.0
v1.4.0
- MobilEdit released a beta for Forensic Express 7.1
Beta of MOBILedit Forensic Express 7.1 Released
- Maxim Suhanov released v1.0.2 of dfir_ntfs
1.0.2
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically, hit us up through the contact page or on the social pipes!