Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
Who’s at #AAFS2020 this week? We’d love to see a blog about DFIR in the greater forensic world next week!
FORENSIC ANALYSIS
- Oleg Skulkin and Svetlana Ostrovskaya at Group-IB examine the Chromium-based Microsoft Edge browser
Chromium-based Microsoft Edge from a Forensic Point of View
- Elcomsoft have a few posts this week on Google Fit data, jailbreaking iOS devices, and their new agent-based iOS acquisition method
- Ashley Frazer at FireEye Threat Research shares an interesting observation about LNK files created when a file is accessed from the results of a search in Windows Explorer.
The Missing LNK — Correlating User Search LNK files
- Joshua Hickman at ‘The Binary Hick’ examines the data stored in Android’s Digital Wellbeing app
Walking the Android (time)line. Using Android’s Digital Wellbeing to timeline Android activity.
- Peter M Stewart walks through the memory challenges from the 2019 DEFCON DFIR CTF
Defcon 2019 DFIR CTF – Memory Forensics Write-up
- Antonio Sanz at Security Art Work continues walking through a fictional case put together for the “XIII STIC Conference of the CCN-CERT”
THREAT INTELLIGENCE/HUNTING
- Huy at the identityaccess.management blog shares a great primer on PTH activity. Don’t know what PTH stands for? This is a good intro
Pass-the-Hash is still a nuclear bomb
- The US State Department confirms activity by GRU Unit 74455, including Sandworm
Andy Greenberg on GRU Unit 74455
- Anton Chuvakin examines telemetry and good detection
Detection Coverage and Detection-in-Depth
- Brad Duncan at Malware Traffic Analysis has posted some additional packet captures for analysis
- Alex Holland at Bromium tracks threat actors behind similar malware campaigns
Spot the Difference: Tracking Malware Campaigns using Visually Similar Images
- The ClearSky Research Team looks at overlaps between APT34-OilRig, APT33-Elfin, and APT39-Chafer
Fox Kitten – Widespread Iranian Espionage-Offensive Campaign
- Richard Bejtlich at Corelight looks at threats that reside on the network
Countering Network Resident Threats
- David Rowe at SecFrame shares a story about how to access an NTDS file
Administrator Escalation: Creeping to the Top
- Matthew Quinn at Digital Shadows reviews the Citrix vulnerability timeline
The evolving story of the Citrix ADC Vulnerability: Ears to the Ground
- Dragos posted an executive summary of their three 2019 Year in Review reports: ICS Vulnerabilities, ICS Threat Landscape And Activity Groups, and Lessons Learned from the Front Lines of ICS Cybersecurity
Dragos 2019 ICS Year in Review: Executive Summary
- Will Yu at Elastic looks at security changes on macOS with EndpointSecurity
Mac system extensions for threat detection: Part 3
- Mark Mo shares a list of tools, including credential, privilege escalation, and obfuscation tools, shared at PWN school. Check out the nonsense activity generator!
Tool Links
- Check out the latest updates from MITRE ATT&CK from Frank Duff and Blake Strom this week
- Pixis at hackndo breaks down Privilege Attribute Certificates
Silver & Golden Tickets
- Paul Diorio and Lee Lawson at Dell give a high-level overview of ATT&CK
What is MITRE ATT&CK and How Can it Help Your Security?
- Dr. Fahim Abbasi and Phil Hay at Trustwave SpiderLabs look at the evolution of phishing links that point to cloud sites. Check out this week’s post “Phishers Are Using Google Forms to Bypass Popular Email Gateways” from Cofense for more on a similar threat
Phishing in the Cloud
- René Holt at ESET thinks about examining encrypted DNS
What DNS encryption means for enterprise threat hunters
- Yoroi reverses a sample related to recent Russian FSB activity
Cyberwarfare: A deep dive into the latest Gamaredon Espionage Campaign
UPCOMING WEBINARS/CONFERENCES
- Belkasoft will be hosting a webinar on their support for Checkm8 on Thursday, Feb 27, 2020
Belkasoft Evidence Center now supports Checkm8 acquisitions
- Cellebrite announced a couple of webinars
- Mark Hallman will be hosting a webinar on the new EZ Tools command-line poster on Wednesday, March 11th, 2020 at 3:30 PM EST (19:30 UTC)
Fast, Scalable Results with EZ Tools and the New Command-line poster.
PRESENTATIONS/PODCASTS
- Black Hills Information Security shared a number of presentations
- Cisco’s Talos IR shared another “Stories from the field” video
Cisco Talos Incident Response “Stories from the Field” #2: When do lawyers get involved?
- On this week’s Digital Forensic Survival Podcast, Michael discussed autorun locations for Macs
DFSP # 209 – Mac Autoruns
- Dave returned with a Forensic Brunch this week with a raft of Australian guests including myself, Nick Klein, Shanna Daly, Bradley Schatz, and Michael Cohen.
Forensic Lunch 2/21/20
- Richard Davis at 13Cubed walks through extracting Prefetch files from memory
Extracting Prefetch from Memory
- SANS shared Nicole Ibrahim’s presentation from the 2019 DFIR Summit
MacOS DS_Stores: Like Shellbags but for Macs – SANS DFIR Summit 2019
- Ulf Frisk shared his presentation from the Disobey conference on “Live memory attacks and forensics”
Check out @UlfFrisk’s Tweet
MALWARE
- Robert McCallum at Palo Alto Networks Unit 42 shares a malware-themed post that applies to everyone in DFIR: don’t blindly trust your tool output! Check, test, and check again
Can You Trust Your AutoIT Decompiler?
- 0verfl0w_ at 0ffset shares how to look at a shellcode sample, stepping through each stage of analysis
Statically Reverse Engineering Shellcode Techniques: Stage 1
- Brian Laskowski at Laskowski-Tech looks at a tax-themed email that fires up bitsadmin and, well, bad stuff follows
What is this? Bad for sure! Racoon Stealer, maybe?
- Michał Praszmo at CERT Polska shares recent changes to Emotet in a Feb 2020 sample
What’s up Emotet?
- Check Point Research released multiple posts this week
- Check Point Software examines phishing trends
- Cisco’s Talos blog writes about RATs and a case study this week
- Kian Mahdavi at Cofense looks at “bypassing” AV via cloud links. Check out this week’s post “Phishing in the Cloud” from Trustwave for more on a similar threat
Phishers Are Using Google Forms to Bypass Popular Email Gateways
- Cybersecurity Insights shares info about Qbot
Qakbot/Qbot – What to do if it got you?
- Alan McCarthy at Cylance looks at the Nuke ransomware (.nuclear55 extension)
Threat Spotlight: Nuke Ransomware
- Jurgen Kutscher at FireEye Threat Research previews the annual M-Trends report (60 page PDF)
M-Trends 2020: Insights From the Front Lines
- Bianca Soare gives a brief high-level overview of an Emotet infection
SECURITY ALERT: Emotet Infected A Large Danish Company
- Jason Zhang and Stefano Ortolani at Lastline look at the Nemty and Phorpiex ransomware
Threat Brief Nemty Ransomware Scaling UP: APAC Mailboxes Swarmed by Dual Downloaders
- Pieter Arntz at Malwarebytes Labs shares what victims infected with RobbinHood ransomware (.enc_robbinhood extension) will experience
Threat spotlight: RobbinHood ransomware takes the driver’s seat
- Marco Ramilli reverses a Magecart threat
Uncovering New Magecart Implant Attacking eCommerce
- Matt Suiche at Comae Technologies reverses a malicious Excel doc
Active Email Campaign Identified With Malicious Excel Files
- Jesse Brown at Red Canary carries the Steve Martin / Chevy Chase / Martin Short title throughout this post on ransomware
The Third Amigo: detecting Ryuk ransomware
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
  - SOAR or not to SOAR?, (Sun, Feb 16th)
  - curl and SSPI, (Mon, Feb 17th)
  - Discovering contents of folders in Windows without permissions, (Tue, Feb 18th)
  - Quick Analysis of an Encrypted Compound Document Format, (Fri, Feb 21st)
  - Whodat? Enumerating Who “owns” a Workstation for IR, (Thu, Feb 20th)
  - Simple but Efficient VBScript Obfuscation, (Sat, Feb 22nd)
- Dmitry Bestuzhev at Securelist shares an incident involving a fake installer distributing the AZORult infostealer
AZORult spreads as a fake ProtonVPN installer
- Security Intelligence shared a variety of stories across different threats this week
  - Why Threat Actors Are Increasingly Conducting Cyberattacks on Local Government
  - Banking Trojans and Ransomware — A Treacherous Matrimony Bound to Get Worse
  - Emotet SMiShing Uses Fake Bank Domains in Targeted Attacks, Payloads Hint at TrickBot Connection
  - Cyberthreat Intelligence Tooling — How to Quickly Locate Your Key Indicators
- Luca Nagy at Sophos looks at traffic sent by malware
Nearly a quarter of malware now communicates using TLS
- Ryan Seguin at Tenable shares why you should update your WordPress plugins – frequently.
ThemeGrill Demo Importer Vulnerability Actively Exploited in the Wild
- Trey George at PhishLabs writes about malware evasion techniques this week
Evasion Techniques: Geoblocking by IP
- Helen Martin at Virus Bulletin shares a paper by Aditya K Sood on LokiBot (7 page PDF, or HTML report)
New paper: LokiBot: dissecting the C&C panel deployments
- VirusTotal added QiAnXin RedDrip to their multisandbox project
VirusTotal MultiSandbox += QiAnXin RedDrip
- Vitali Kremez reverses the “Mozart” DNS TLD loader
Let’s Learn: Diving Deeper into “Mozart” TLD Loader & DNS TLD Commands
- Takahiro Haruyama at Carbon Black looks at new Winnti malware
Threat Analysis: Active C2 Discovery Using Protocol Emulation Part2 (Winnti 4.0)
- JW at Wilbur Security steps through different malware examples, including ransomware authors on AOL 😶
- Yoroi always produces great writeups, in English and Italian this week
- Amandeep Kumar and Preksha Saxena at Zscaler look at badware that’s a password stealer and cryptominer
Multicomponent Malware Targeting Cryptocurrency
MISCELLANEOUS
- Lee Whitfield has opened the nominations for the Forensic 4Cast Awards
2020 Forensic 4:cast Awards – Nominations are OPEN
- Andrew Rathbun at AboutDFIR posted a couple of content updates, and Devon is looking to hire new grads
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ looks at FDE on Windows, macOS, Android, and iOS
Full Disk Encryption: tools and setup suggestion for personal data protection
- Brett Shavers at DFIR.Training comments on the cyber skills gap
Open Source is Key to Solving Cyber Skills Gap
- Darkdefender shares a review of the SANS FOR572 course.
SANS FOR572 / GNFA Overview
- There were a few posts on Forensic Focus this week
- They also continued their ‘What’s Happening In Forensics’ series
- Raj Chandel at Hacking Articles demonstrates the “Statistical Functionalities of TShark”
Beginners Guide to TShark (Part 2)
- Juho Jauhiainen shares a script for installing RegRipper on Linux. Speaking of which, RegRipper 2.8 (20200220) was released with an advisory regarding whether a registry hive is dirty.
[0x04] Installing RegRipper on Linux
- Katie Nickels at ‘Katie’s Five Cents’ describes her decision to move jobs, and things to consider for those thinking of doing the same
The Difficult Decision to Switch Jobs
- Action Dan at LockBoxx reviews “The Cuckoo’s Egg” by Cliff Stoll
Book Review: “The Cuckoo’s Egg”
- Magnet Forensics posted a few times this week
- Matt Edmondson at ‘Digital Forensics Tips’ demonstrates a method of indexing a large dataset
Filelocator Pro Tips and Tricks for Indexing Large Breach Data Sets
- Maxim Suhanov has identified that reading an NTFS logical volume may also modify timestamps
You write to a logical drive when you read from it
- James Eichbaum at MSAB describes some custom Python scripting that was developed to assist with investigations
Unleash the Power of Python in Mobile Forensics
- Oxygen Forensics have posted an overview of the Checkm8 exploit’s use in forensics
Everything you ever wanted to ask about Checkm8 and Checkra1n
- Richard Frawley at ADF demonstrates using MDI for iOS devices
Backing Up and Scanning iOS Devices
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — February 16 to February 22
- Yoroi announces their first CTF-style “Hunting Challenge”
Launching the First “Yomi Hunting” Challenge!
SOFTWARE UPDATES
- Alexis Brignoni at ‘Initialization Vectors’ released ALEAPP, Android Logs Events And Protobuf Parser, to complement his iLEAPP parser
ALEAPP – Android Logs Events And Protobuf Parser
- BlackBag announced the release of MacQuisition 2020 R1, introducing a new triage capability
Triaging with MacQuisition
- Cellebrite Analytics Desktop 8.2 was released
Analytics Desktop 8.2: Cutting edge textual analysis takes the edge off searching through conversations
- Didier Stevens updated a few of his tools
- DVR Examiner 2.8.3 was released
Download DVR Examiner 2.8.3
- Elcomsoft updated a few of their tools
- KAPE 0.9.0.0 was released
Kape Changelog
- Eric Zimmerman also updated his Get-ZimmermanTools downloader script
ChangeLog
- ExifTool 11.88 was released with new tags and bug fixes
ExifTool 11.88
- GetData released Forensic Explorer 5.1.2.9324
24 February 2020 – 5.1.2.9324
- Magnet Forensics released Axiom 3.10.
Uber Acquisition, Timestamps in Google Search URLs, and Updated Artifacts in Magnet AXIOM 3.10!
- Metaspike released FEC v3.13.3.0
Forensic Email Collector (FEC) Changelog
- Nirsoft updated ChromePass and ChromeCookiesView to deal with Chrome’s new encryption
Tools update for the new encryption of Chrome / Chromium version 80
- Sergei Frankoff at OA LABS shares a new release
AutoIt Extraction and More
- Passmark Software released OSForensics V7.1 build 1006
V7.1 build 1006 18th February 2020
- Oxygen Forensic Detective 12.2 was released
Oxygen Forensic® Detective 12.2 Release Notes
- radare2 4.2.1 was released
4.2.1
- RockNSM 2.5 was released
Check out @Rocknsm’s Tweet
- Sandfly 2.5.0 was released
Sandfly 2.5.0 – Higher Performance, SSH Key Certificates and More Linux Forensics