Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, Thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Alexis Brignoni at ‘Initialization Vectors’ shares his thoughts on the state of data parsing on an Android 10 image and how tools are still missing data. This is based on the image that Joshua Hickman at ‘The Binary Hick’ produced and shared for the community
  Initial thoughts on Android 10 parsing 

• Sara Newcomer at Blackbag Technologies walks through some useful Windows forensic artefacts for tracking program execution.
  Analyzing Program Execution Windows Artifacts 

• Heather Mahalik at Cellebrite answers some questions about iOS extractions
  iPhone Extractions: 5 Questions That Will Unlock More Data with Checkm8 

• Chapin Bryce at Pythonic Forensics shares a pretty cool project for automating IOC collection and distribution for RDP attacks
  • 3-Step RDP Honeypot: Step 0 | Introduction
  • 3-Step RDP Honeypot: Step 1 | Honeypot Setup
  • 3-Step RDP Honeypot: Step 2 | Operationalize PCAPs
  • 3-Step RDP Honeypot: Step 3 | Build the Bot 

• Koen Van Impe describes how to ingest Windows Event logs with Security Onion
  Parse stored Windows Event logs with Security Onion 

• Marco Fontani at Amped shares a method of cross checking a photographs EXIF data.
  Where Are You From? Learn How to Investigate Which Camera Model Took an Image Using Exif Metadata and JPEG Quantization Tables 

• Maxim Suhanov discusses additional metadata about an opened file that is available in memory, “which isn’t exposed by usual memory forensics frameworks”
  Carving file control blocks from memory dumps 

• Antonio Sanz at Security Art Work walks through a fictional case put together for the “XIII STIC Conference of the CCN-CERT”
  • Vientos remotos, tempestades locales (I)
  • Vientos remotos, tempestades locales (II)

THREAT INTELLIGENCE/HUNTING

• Proud to share the research written up by teammates at Cybereason on the Spark campaign and Pierogi backdoor
  • New Cyber Espionage Campaigns Targeting Palestinians – Part 1
  • New Cyber Espionage Campaigns Targeting Palestinians – Part 2: The Discovery of the New, Mysterious Pierogi Backdoor 

• Adam at Hexacorn looks at rundll32 this week
  • Run Lola-bin, run…
  • Run DLL – Walk this way 

• Adam Chester at XPN looks at managing and planning Red Team infrastructure
  Testing your RedTeam Infrastructure 

• ao.gl shares how to use bmon to monitor traffic on Linux
  How to monitor Network Traffic on Linux 

• Brad Duncan at Malware Traffic Analysis has posted some additional packet captures for analysis
  2020-02-11 – Pcap and malware for an ISC diary (Ursnif) 

• Samuel Alonso at Cyber-IR looks at different defensible architecture models
  Defensible architectures 

• Bronson Boersma at Cylance ThreatVector shares a retrospective on cryptomining
  Threat Research Report: The State of Cryptomining 

• Grant Oviatt and Billy James Velasco at FireEye walk through the mindset of a threat hunter
  Managed Defense: The Analytical Mindset 

• Matt at ‘Bit_of_Hex’ finds samples similar to Sapphire Mushroom from the 2018 360 TIC report
  Suspected Sapphire Mushroom (APT-C-12) malicious LNK files 

• Mike at “CyberSec & Ramen” has a post covering “hunting for and detecting persistence created by a toolkit written in C#.”
  Sifting Through ETW for Persistence in C# 

• John Wunder at MITRE ATT&CK wants you to share more ATT&CK Sightings in the wild. If you’ll be at RSA there’s an information session on sharing intel as well
  ATT&CK Sightings — We Need YOU! 

• Penetration Testing Lab looks at tampering with RIDs in the registry
  Persistence – RID Hijacking 

• Brian Greunke at Recon InfoSec show how to map data sources to ATT&CK
  Automating Detection Coverage Analysis with ATT&CK Navigator 

• Cedric Owens at Red Teaming with a Blue Team Mentality tests a post exploitation POC against Catalina
  Taking The macOS Endpoint Security Framework For A Quick Spin 

• Homer Pacag at Trustwave SpiderLabs shares health related phishing alerts playing on Coronavirus fears
  Multiple Phishing Attacks Discovered Using the Coronavirus Theme

UPCOMING WEBINARS/CONFERENCES

• Katie Nickels has started a SANS webcast series, SANS Threat Analysis Rundown. The first webcast will kick off February 12 with a 1 p.m. EST.
  Prepare for Cyber Threats to Power Grids with the New SANS Threat Analysis Rundown (STAR) Webcast Series

PRESENTATIONS/PODCASTS

• Black Hills Information Security introduced competitive Backdoors & Breaches
  Webcast: Introducing Competitive Backdoors & Breaches and More! 

• Cellebrite shared some videos demonstrating how to get different iPhone models into DFU mode
  • How to place different iPhone models into DFU mode (8/8+/X)
  • How to place different iPhone models into DFU mode (7/7+)
  • How to place different iPhone models into DFU mode (5S/6/6+/6S/6S+/SE) 

• On this week’s Digital Forensic Survival Podcast, Michael discussed a methodology for triaging for persistence mechanisms on Windows systems
  DFSP # 208 – Persistence Fast Triage 

• Florian Roth released a workshop of useful resources of security analysts
  Security Analyst Workshop – 20200212 

• David Kovar was interviewed on the topic of UAV forensics
  UNMANNED-UNCOVERED: Drone Detective | Episode 50 

• Nuix shared a few videos to their YouTube channel
  • Partner Spotlight – OnRetrieval
  • Partner Spotlight – Rampiva
  • Partner Spotlight – TIMG
  • Company Monitoring and Privacy Concerns and Considerations 

• Paraben Corporation shared a couple of videos
  • Adding Hash Databases to E3 Platform
  • EDL Chip Dumps of Smartphones 

• SANS shared a couple of the presentations from the 2019 DFIR Summit.
  • AmCache Investigation – SANS Digital Forensics & Incident Response Summit 2019
  • From Tool Building to Scalable Automation – SANS DFIR Summit 2019 Keynote

MALWARE

• Malwarebytes shared malware from mobile, Mac, and Windows endpoints in their blog and their “State of Malware” report (57 page PDF):
  • Malwarebytes Labs releases 2020 State of Malware Report
  • Android Trojan xHelper uses persistent re-infection tactics: here’s how to remove 

• Cisco Talos came out with a few posts including the launch of a few video series:
  • Introducing Cisco Talos Incident Response: Stories from the Field
  • Loda RAT Grows Up
  • Threat actors attempt to capitalize on coronavirus outbreak 

• Cylance breaks down an older sample of the IcedID (BokBot) infostealer
  BlackBerry Cylance vs. IcedID Banking Trojan 

• Ben Hunter at FortiGuard Labs shares information about the ViperSoftX RAT
  ViperSoftX – New JavaScript Threat 

• Ionstorm shared a tool to attempt to kill a running Emotet process
  Check out @ionstorm’s Tweet 

• Alexander Eremin at Kaspersky writes up the Ginp Android banking trojan
  Ginp mobile Trojan fakes incoming SMS 

• ml10 at Lab52 finds malware targeting Indonesia, they theorize it is part of an intelligence operation but can not identify the malware family\
  Intelligence operation against targets in Indonesia 

• Marijan Ralasic at ReversingLabs examines macOS threat Flashback, still in play today
  Reminiscence of the Flashback 

• Deb Radcliff at SANS examines the EKANS ransomware targeting ICS/SCADA systems
  Turning Out the Lights on Ransomware 

• There were a number of posts on the SANS Internet Storm Centre Handler Diaries
  • Malpsam pushes Ursnif through Italian language Word docs, (Wed, Feb 12th)
  • Current PayPal phishing campaign or “give me all your personal information”, (Mon, Feb 10th)
  • Keep an Eye on Command-Line Browsers, (Fri, Feb 14th)
  • bsdtar on Windows 10, (Sat, Feb 15th)
  • KBOT: sometimes they come back 

• TrendMicro released multiple malware posts this week:
  • Outlaw Updates Kit to Kill Older Miner Versions, Targets More Systems
  • An In-Depth Technical Analysis of CurveBall (CVE-2020-0601)
  • LokiBot Impersonates Popular Game Launcher and Drops Compiled C# Code File 

• VMware Carbon Black had two TAU reports:
  • VMware Carbon Black TAU Threat Analysis: Shlayer (macOS)
  • VMware Carbon Black TAU: Ryuk Ransomware Technical Analysis 

• Prakhar Shrotriya at Zscaler ThreatLabZ finds CS:GO related sites stealing Steam creds
  Fake Sites Stealing Steam Credentials

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR posted a content update
  AboutDFIR Content Update 2/11/2020 

• Brett Shavers shares some of the recent updates at DFIR.Training
  What’s New at DFIR Training 

• Jon Munsey at Computer Forensic Reviews Online has written a lengthy review of Blackbag Technologies’ Macquisition. I’m a little surprised by some of his findings however, as I haven’t run into that many issues with it. Sometimes I’ve had issues with MQ not booting, and rewriting the firmware back to the drive fixed it. Not to mention the whole dealing with T2 and fusion drives is a huge plus to the product. I think I’ve had a couple instances where I’ve used Target Disk Mode and disk arbitration but that’s rare, and definitely not recently (albeit I don’t deal with nearly as many Macs now that I’m out of LE). Overall, I’d still pick it a key piece of kit if you’re imaging Mac’s regularly.
  Macquisition (BlackBag) 2019R1.2 Review 

• Elan at DFIR Diva has started a blog and shares her journey into DFIR
  My Journey into DFIR 

• There were a few posts on Forensic Focus this week
  • Christa at Forensic Focus spoke with three attorneys from NW3C about DFIR challenges from a legal perspective
    Digital Forensic Challenges In Major Case Law And Global Legislation
  • They provide an overview of Techno Security San Diego 2020
    Techno Security & Digital Forensics 2020 – San Diego March 9-11
  • They share Arthur Villeneuve and Franck Bitsch’s presentation from DFRWS EU 2019.
    The Rise Of Evil HID Devices 

• They also continued their ‘What’s Happening In Forensics’ series
  • What’s Happening In Forensics – Feb 12, 2020
  • What’s Happening In Forensics – Feb 13, 2020 

• JPCERT gave an overview of the presentations from the Japan Security Analyst Conference 2020.
  • Japan Security Analyst Conference 2020 -Part 1-
  • Japan Security Analyst Conference 2020 -Part 2- 

• MantaRay Forensics released the 2020 Q1 VirusShare (0-376) refined hash sets
  Check out @MantaRay4ensics’s Tweet 

• Mary Ellen Kennel at ‘What’s A Mennonite Doing In Manhattan?!’ shared the picture of the first Kringle Coin, as well as a link to the NYC KringleCon party recording.
  The World’s First Kringle Coin! 

• Mike Dickinson at MSAB shared a questionnaire in relation to the Formobile project
  Call for Participation from LEOs 

• Oxygen Forensics have written a post about the benefits of examining IOT information in an investigation
  IoT Devices Can Solve Crimes. Tech Companies Don’t Want Them To. 

• Amber Schroader at Paraben Corporation compares having an internal or external forensic lab
  Inside lab vs Outside lab 

• SANS announced the details of the annual Ken Johnson Scholarship
  Ken Johnson Scholarship 2020 

• Alissa Torres shared out another memory dump (skeleton key)
  Check out @sibertor’s Tweet 

• Gabriel Mathenge released “a little C# tool that uses @Blurbdust’s kickass work (CVE-2019-18988) to enumerate and decrypt TeamViewer credentials from Windows registry.”
  Check out @_theVIVI’s Tweet 

• Brett Shavers shared the (tentative) table of contents for the 2nd edition of the X-Ways Forensics Practitioner’s Guide
  XWF/2E Table of Contents

SOFTWARE UPDATES

• AccessData released FTK v7.2.0.
  Forensic Toolkit (FTK) International version 7.2.0 

• Atola updated the TaskForce firmware to v2020.1, and Yulia Samoteykina describes the new feature of  imaging into a file on an encrypted target drive
  TaskForce Changelog 

• Berla released iVe v2.6
  iVe Software v2.6 Release 

• Didier Stevens updated a couple of his scripts
  • Update: xmldump.py Version 0.0.4
  • Update: oledump.py Version 0.0.45
  • Update: hex-to-bin.py Version 0.0.4 

• ExifTool 11.87 was released with new tags and bug fixes
  ExifTool 11.87 

• GetData released Forensic Explorer v5.1.2.9314
  13 February 2020 – 5.1.2.9314 

• Maxim Suhanov updated his dfir_ntfs file system parser to v1.0.2
  1.0.2 

• “A new version of MISP (2.4.121) has been released. This version is a security/bug fix release and users are highly encouraged to update as soon as possible.”
  MISP 2.4.121 released (aka the security release) 

• SpecterOps released BloodHound v3.0
  Introducing BloodHound 3.0 

• Thiago Canozzo Lahr shared a new tool, UAC, which “is a command line shell script that makes use of built-in tools to automate the collection of system artifacts”.
  uac 

• Ulf Frisk released MemProcFS version 3.1
  Version 3.1 

• Velociraptor v0.3.9 was released
  Release 0.3.9 

• Gerardo Fernández at VirusTotal shared an official VT plugin for IDA Pro 7
  Official VirusTotal Plugin for IDA Pro 7 

• Two new updates to X-Ways Forensics this week
  • X-Ways Forensics 19.9 SR-4
  • X-Ways Forensics 20.0 Preview 1

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!