Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Teru Yamazaki at Forensicist has started a series on MSSQL forensics
MSSQL Forensics Series (1)
- Jamie McQuaid at Magnet Forensics describes a couple of the timestamps available in Google search URLs
Analyzing Timestamps in Google Search URLs
- Mail Xaminer have a post about geolocation data that may be held within the EXIF data of pictures
Do You Know How to Find Out Where A Photo Was Taken: Check Out Here!
- Mari DeGrazia at ‘Another Forensics Blog’ looks into the forensic artefacts left behind by the WinSCP application (as well as a reminder that Win10 now supports SSH)
Detecting Lateral Movement with WinSCP
- Russ Taylor at Hats Off Security explores the forensic artefacts left behind by the Keybase application
Keybase.io Forensics Investigation
- Antonio Sanz at Security Art Work continues to work through the fictional case study
Vientos remotos, tempestades locales (V)
THREAT INTELLIGENCE/HUNTING
- Felix Roider at Airbus gives a high-level overview of ATT&CK for ICS
Filling the gap with MITRE ATT&CK for ICS
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ looks at how attackers may use port 8009 maliciously
Ghostcat (CVE-2020-1938), a brand-new file inclusion vulnerability in Apache Tomcat
- Andreas Sfakianakis at ‘Tilting at windmills’ reviews purported Turkish attribution of the Sea Turtle campaign
On Sea Turtle campaign targeting Greek governmental organisations
- Andrew Pease at HuntOps looks at a QBot infection
2/28/2020 – Qbot (Qakbot)
- Anton Chuvakin catches up with posts about Chronicle:
- Osanda Malith Jayathissa links to an article he wrote on exploiting WMIC
WMI 101 for Pentesters
- Brad Duncan at Malware Traffic Analysis has posted some additional packet captures for analysis
- The English version of the TA505 profiling report has been updated
Check out @darb0ng’s tweet
- David Rowe at SecFrame shows how a non-privileged user account can log onto a DC
A SIDHistory Attack: Marching onto a DC
- Harrison Van Riper at Digital Shadows shows how to apply ATT&CK to the Equifax DoJ and GAO reports
Mapping MITRE ATT&CK to the Equifax Indictment
- Josh Day at Gigamon covers advice for those wanting to work in endpoint or network detection
So, you want to be a detection engineer?
- Kevin Beaumont points to a DART incident response case study
Check out @GossiTheDog’s tweet
- Geet Madan at Hacking Articles shared multiple threat analysis articles:
- Vladimir Unterfingher at Heimdal Security Blog shares a review of the kill chain and the importance of early detection
Cyber Kill Chain (CKK) – APT Interception Methodologies and Advanced Malware Mitigation.
- Koen Van Impe at vanimpe.eu shares how Sysmon may not log Windows sandboxed processes
Sysmon not logging all process creation events (Calculator and other sandboxed apps)
- liberty shell discusses persistence via shims beyond AppCompatFlags
Persistence via Shims
- Maarten Goet traces an MS attack script by hand with lots of step-by-step CyberChef examples
Microsoft Threat Protection: going down the rabbit hole
- Maarten Goet also does a Linux EDR walkthrough
Defender ATP & Linux: trusting Microsoft to protect your open-source workloads
- Mark Mo looks at AV evasion
UglyEXe — bypass some AVs
- Penetration Testing Lab builds on the work of Didier Stevens and others by taking a long look at PID spoofing
Parent PID Spoofing
- RedDrip7 shares SilencerLion APT report information
Check out @RedDrip7’s tweet
- Ryan McGeehan shares information about insider threats through case study excerpts
Malicious Insider Scenarios
- The Secureworks Counter Threat Unit looks at Iranian threats
Business as Usual For Iranian Operations Despite Increased Tensions
- ThreatRecon shares information related to political and diplomatic hacking attempts from 2019
Hacking Activity of SectorC Group in 2019
- Emiliano Martinez at VirusTotal shares how to hunt through VT with URLs
Uncovering threat infrastructure via URL, domain and IP address advanced pivots a.k.a. Netloc Intelligence
- JW at Wilbur Security traces through malicious BAT activity
Interesting Recon Script
UPCOMING WEBINARS/CONFERENCES
- Cellebrite announced Cellebrite Connect 2020 in 12 worldwide locations
Learn How To Turn Digital Evidence Into Digital Intelligence at Connect 2020
- Joshua James at Digital Forensic Science shared the CFP for ICDF2C 2020
ICDF2C 2020 @Boston Call for Papers
PRESENTATIONS/PODCASTS
- Adrian Crenshaw shared the recordings from Bsides Tampa 2019
- Black Hills Information Security shared a couple of introduction to packet capture/analysis videos
- Stephanie Thompson at Blackbag Technologies showcases some of the new features in MacQuisition.
Take it or Leave it: Triaging Digital Evidence with MacQuisition
- On this week’s Digital Forensic Survival Podcast, Michael discussed the benefits of using pivot tables to highlight key information quickly
DFSP # 210 – Pivot Tables for Forensics
- Jonathon Poling shared the slides from his presentation at RSA
Logging in the Cloud: From Zero to (Incident Response) Hero
- RSA shared the keynotes and talks from the recent conference.
- SANS shared a number of videos from the 2019 THIR Summit
- My “Aha!” Moment – Methods, Tips, & Lessons Learned in Threat Hunting – SANS THIR Summit 2019
- Once Upon a Time in the West: A Story on DNS Attacks – SANS THIR Summit 2019
- BZAR – Hunting Adversary Behaviors with Zeek and ATT&CK – SANS THIR Summit 2019
- Jupyter Notebooks and Pre-recorded Datasets for Threat Hunting – SANS THIR Summit 2019
- I recorded my ‘This Month in 4n6’ podcast for February
This Month In 4n6 – February – 2020
MALWARE
- Joe Security looks at how to get around anti-analysis techniques
Analyzing Azorult’s Anti-Analysis Tricks with Joe Sandbox Hypervisor
- Brian Laskowski at Laskowski-Tech shared a couple of posts this week
- Chris Neal at Cisco shares a paper by Alessandro Mantovani, Simone Aonzo, Xabier Ugarte-Pedrero, Alessio Merlo, and Davide Balzarotti on low-entropy packers (15 page PDF).
New Research Paper: Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem
- Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, and Jeremy Kennelly at FireEye examine adversaries targeting IT and operational technology.
Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT
- Stefan Hausotte at G Data Security shares resources related to a malware graph interface from the Global Graph Summit 2020
Presenting a Graph-based User Interface for Malware Analysis at the Global Graph Summit
- Kota Kino at JPCERT/CC looks at a new spear phishing attack dubbed LODEINFO
Malware “LODEINFO” Targeting Japan
- Nikolay Pankov at Kaspersky shares information presented by Fabian Ising at CCC about reading data in encrypted PDFs
Can you read an encrypted PDF?
- Jason Zhang and Stefano Ortolani share a Nemty campaign now utilizing Phorpiex
Nemty Ransomware Scaling UP: APAC Mailboxes Swarmed by Dual Downloaders
- Malware Must Die! shares a new Mirai FBOT variant
MMD-0066-2020 – Linux/Mirai-Fbot – A re-emerged IoT threat
- Malwarebytes writes about Domen delivering the Smoke Loader dropper
Domen toolkit gets back to work with new malvertising campaign
- Khris Tolbert at MaverisLabs steps through the analysis of a VBS dropper, and provides the file so readers can download and analyse it themselves
Analysis of a VBS Malware Dropper
- Michael Gorelik at Morphisec reverses a new Trickbot sample
Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10
- Didier Stevens at NVISO Labs shares how VBA Purging can impact AV detection evasion
Evidence of VBA Purging Found in Malicious Documents
- Mike Harbison, Brittany Barbehenn, and Bryan Lee at Unit 42 look at a RAT delivered by Word and a .bat file
Cortex XDR™ Detects New Phishing Campaign Installing NetSupport Manager RAT
- Random RE reverses the Obscene Trojan
Golang wrapper on an old obscene malware
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Suguru Ishimaru at Securelist looks at Android SMiShing related threats
Roaming Mantis, part V
- Ben Nahorney at Cisco looks at threats spam can bring, for example Emotet
Explorations in the spam folder
- SentinelLabs shared a couple of posts this week
- Diana Lopera at Trustwave examines how a PNG within an ISO within a ZIP file can deliver a RAT
RATs Wrapped and Hidden in PNG
- Virus Bulletin shares information from Chintan Shah at McAfee about static malware analysis, previously presented at VB2019
VB2019 paper: Static analysis methods for detection of Microsoft Office exploits
- Vitali Kremez reverses how a photo can deliver a RAT
Let’s Learn: Inside Parallax RAT Malware: Process Hollowing Injection & Process Doppelgänging API Mix: Part I
- Yoroi examines bad actors exploiting the Corona Virus threat
New Cyber Attack Campaign Leverages the COVID-19 Infodemic
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR posted a content update as well as his guide for preparing for GIAC certs
- Yulia Samoteykina at Atola walks through the process of imaging “into files on an encrypted target drive using VeraCrypt for data encryption.”
Imaging to a file on an encrypted drive with TaskForce
- Elan at DFIR Diva shows off her amazing home lab
The Evolution of my Home Lab: From Break-Fix to Forensics
- There were a few posts on Forensic Focus this week
- An announcement about the end of the MDNC (Blog/Kafeine/MISP) project
Choose again
- Maxim Suhanov describes a type of shadow copy called a “Scoped shadow copy”; these have existed since Windows 8 but “are inconsistent when dealing with user files.”
Scoped shadow copies
- Michael Moore at LawDawg4n6 has started a blog and describes his journey into DFIR
In the beginning…
- Mike Williamson comments on the benefit of using Git for forensic coding projects
Examiner-coder-types: Learnin’ git can make you a better developer
- Amber Schroader at Paraben Corporation describes the impact that 5G may have on DFIR investigations for LE
5G & Digital Forensic Impact
- Richard Frawley at ADF demonstrates how to scan for low hanging fruit
The Power of ADF Computer Triage
- Ryan Benson at dfir.blog has identified a new VED parameter version, which thankfully still contains the timestamp
Google “ved” Parameter Versions
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — February 23 to February 29
- Mark Hallman and Lee Whitfield at SANS have released a new poster for Eric Zimmerman’s command line tools.
Want fast DFIR results? Learn how with the EZ Tools command-line poster
- Sumuri will be releasing an Interception edition of their Talino workstations
SUMURI to Unveil New Forensic Workstation for its 2020 SUMURI Gives Back Campaign
SOFTWARE UPDATES
- Plaso 20200227 was released
Plaso 20200227
- Atola TaskForce 2020.2 was released
TaskForce 2020.2 release with E01 segmentation
- Cellebrite updated UFED Physical Analyzer to v7.30.
New Dashboard Widget Provides Application Insights
- Cylance demos malware protection
CylancePROTECT vs. DoppelPaymer, BitPaymer and Dridex
- ExifTool 11.89 was released with new tags and bug fixes
ExifTool 11.89
- Foxton Forensics updated Browser History Viewer to version 1.3.1
Browser History Viewer — Version History
- MS Azure now offers fileless attack detection for Linux, in preview
Fileless attack detection for Linux in preview
- A new version of MISP (2.4.122) has been released. This version includes various fixes, minor new features and improvements.
MISP 2.4.122 released (aka the bug fix release)
- MOBILedit 7.1 was released
New MOBILedit 7.1 released!
- OpenText released the Tableau Firmware Updater v20.1, which updates the following models: TX1, T3iu, T35u, T35u-R2, T356789iu, T356789iu-R2, T6u, T6u-R2, T7u, T8u
Tableau Firmware Update Revision History for 20.1
- There were a couple of Osquery+Community ID related releases
- Recruit-CSIRT released a new Mac triage tool
macOSTriageTool
- Leonard Savina released the ADtimeline app for Splunk. ADtimeline is a PowerShell script that retrieves Active Directory replication metadata, a valuable forensic artefact for characterising a modification in AD.
Check out @ldap389’s tweet
- Timesketch was updated to v20200227
20200227
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!