Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
COVID has continued to take over the news, but now we have forensics companies discussing how they can assist during these times.
Some of my highlights from the below links are all the stuff that SANS has put out, the Magnet User Summit now being online and free for all, and Sumuri moving their burn-in process to the folding@home process. Very cool.
- Digital Investigations don’t need to stop when you self-isolate
- Cellebrite Stands With You During These Challenging Times
- Thank You to Everyone on the Front Lines of This Crisis
- Staying Productive During the COVID-19 Crisis
- An update for MSAB customers on the current public health crisis
- How to optimize EnCase for a work-from-home workforce
- An update from the SANS Institute
- This is BIG – Please Help Secure Orgs Around the World (Literally) Due to COVID-19
- So You’re Having To Work From Home Due To The Coronavirus Pandemic … Now What? Here are 18 Tips To Help You Make The Best of Working Remote.
- A Random List of Free Resources
- And Now, for Something Awesome… SANS Launches New Series of Worldwide Capture-the-Flag Cyber Events
- Understanding SANS CyberCast So Much More Than Live Virtual Training
- Training Together: The #SANSTrainFromHomeChallenge Is Here!
- SUMURI’s Response to COVID-19
- Remote ESI Collection and Data Audits in the Time of Social Distancing
But on a more positive note, others have shared their nominations for the Forensic 4Cast awards:
- Why Nominate CCO & CCPA For DFIR Training Class Of The Year – Forensic 4:cast Awards
- 2020 Forensic 4Cast Nominations are open!
- Jessica Hyde’s Nominations for This Year’s Forensic 4:cast Awards
FORENSIC ANALYSIS
- Jessica Hyde at Magnet Forensics has started a series on parsing unsupported apps. Jess has also decided to use a freely available image so you can play along at home!
Mobile Forensics: Discovering the Undiscovered
- Anton at ‘Have You Secured?’ demonstrates a method of transforming PowerShell transcript logs so they can be ingested by Splunk
Wrangle Your PowerShell Transcript Logs with Apache Nifi
- Korstiaan Stam published an article on the MailItemsAccessed operation in Office 365 (E5 only)
Everything you need to know about MailItemsAccessed and more
- Trey Amick at Magnet Forensics demonstrates how to use their Cyber product to investigate Microsoft Teams
Investigating Microsoft Teams with Magnet AXIOM Cyber
- Maxim Suhanov describes how $Extend\$Deleted on NTFS can be used to locate deleted files on disk. A file that is still open cannot be deleted immediately, so it is instead moved to the $Deleted directory until its handles close.
The “\$Extend\$Deleted” directory
- Oozan Unal shared a couple of articles on Windows and Linux forensics
- SalvationData have a couple of posts this week
- Teru Yamazaki at Forensicist continues his series on MSSQL forensics, looking into the LOB data structure
MSSQL Forensics Series (4)
- kasasagi_f looks into the Unified Log on macOS Catalina
Catalina上で保全してきたUnifiedLogを解析する -Analyze the acquired UnifiedLog on Catalina-
THREAT INTELLIGENCE/HUNTING
- Mike Iacovacci at payl0ad.run released an open source knowledge management framework for referencing and sharing command line programs – use his tool to remind yourself of mimikatz vs mimipenguin syntax or jog your memory on volatility and vssadmin commands.
Learn & Use Hundreds of Command Line Tools
- Yanlong Ma, Lingming Tu, Genshen Ye, and Hongda Liu at 360 Netlab share research that attack groups are using the “LILIN DVR 0-day vulnerabilities to spread Chalubo, FBot, Moobot botnets.”
Multiple botnets are spreading using LILIN DVR 0-day
- Adam at Hexacorn looks at symbols and shims this week, including how an attacker could potentially use shims for anti-sandboxing or sideloading
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ introduces Pypykatz from SkelSec, which can be run anywhere there’s Python 3.6 or greater
Pypykatz: a Mimikatz Python implementation
- Sujit Ghosal at Awake Security tests out the SMB v3 flaw on Win 10 v1903 and v1909 machines.
‘SMBGhost’ Wormable Vulnerability Analysis (CVE-2020-0796)
- John Strand at Black Hills Information Security shared some detection research this week
- John shares in this post and video (8 mins) how to find DNS backdoors using ADHD and DNScat2
Detecting Long Connections With Zeek/Bro and RITA
- John also discusses ADHD and Honeyports in this post and video (7 mins)
Messing With Portscans With Honeyports (Cyber Deception)
- Brad Duncan at Malware Traffic Analysis has posted some additional packet captures for analysis
- 2020-03-16 – Quick post: malspam known for Ursnif switches to IcedID
- 2020-03-16 – More Hancitor malspam using Covid-19/coronavirus theme
- 2020-03-17 – Pcap and malware for an ISC diary (Trickbot as a DLL)
- 2020-03-18 – German malspam pushes Ursnif (Gozi/IFSB)
- 2020-03-20 – IcedID from info_03_20.doc
- 2020-03-19 – English malspam pushes Ursnif (Gozi/IFSB)
- Josh Day at Gigamon explains how dormant and noisy rules can help detection engineers control their environments
Quality Control: Keeping Your Detections Fresh
- Raj Chandel at Hacking Articles overviews the pyramid of pain and threat hunting techniques
A Deep Drive on Proactive Threat Hunting
- Action Dan at LockBoxx reviews the book “Threat Modeling” by Adam Shostack, covering everything from account and human security to cryptography. Dan also shares Adam’s 2019 Black Hat talk
Book Review: “Threat Modeling”
- Digit Oktavianto at MII describes some considerations when triaging systems for suspicious items in a threat hunt or IR investigation.
Triage Incident Response
- Alexander Popov at Positive Technologies looks at an exploitable Linux kernel race condition, with a short video (<2 mins) and the story of reporting the PoC to Linus Torvalds himself
CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem
- Wade Woolwine at Rapid7 writes about goals for IR planning
Top 3 Outcomes Organizations Try to Achieve in Their Incident Detection and Response Programs
- Have you checked out the Red Canary 2020 Threat Detection Report yet? This excerpt covers the ATT&CK techniques seen with worms, plus TrickBot and remote admin tools
Worms shape the narrative in Red Canary’s 2020 Threat Detection Report
- Phil Stokes at SentinelOne looks at malicious uses for AppleScript
How Offensive Actors Use AppleScript For Attacking macOS
- Satnam Narang at Tenable shares information researched by Trend Micro about Apex One and OfficeScan vulnerabilities
CVE-2020-8467, CVE-2020-8468: Vulnerabilities in Trend Micro Apex One and OfficeScan Exploited in the Wild
- William Woodruff at Trail of Bits Blog released a new osquery table for real-time file change monitoring and explains the monitoring options via Win32/WinAPI interfaces, filesystem drivers, and journal monitoring
Real-time file monitoring on Windows with osquery
- Hans Lakhan at TrustedSec shares some OSINT basics anyone can benefit from
Upgrade Your Workflow, Part 1: Building OSINT Checklists
- Karl Sigler at Trustwave shares a PowerShell command to mitigate the SMBGhost vulnerability
SMBGhost (CVE-2020-0796): a Critical SMBv3 RCE Vulnerability
- JW at Wilbur Security shares a script from a honeypot that adds and then hides new users
Iranofficall User Creator Script
UPCOMING WEBINARS/CONFERENCES
- Lesley Carhart will be hosting PancakesCon 2020 today! Or in the past, depending on when you’re reading this…
PancakesCon 2020: Quarantine Edition
- In a similar fashion, Comfycon AU will be taking place April 11th 2020
Comfycon AU
- The CFP for Secure 2020 in Poland has opened and closes 24 July 2020
CFP Secure 2020
- Frederick Huang, Ashwin Nair, and Thasneem Marecar at Cellebrite will be hosting a webinar on Checkm8 extractions on April 09, 2020 11:00 AM (India Standard Time)
Practical guide on Checkm8 extractions and the latest UFED 7.30 capabilities
- OPCDE will be going online, and will be held March 25, 2020 9AM PST
OPCDE Online
- Magnet Forensics announced a couple of upcoming webinars
PRESENTATIONS/PODCASTS
- Dave and Matt hosted a Forensic Lunch with guests Lance Spitzner and Jessica Hyde
Forensic Lunch 3/20/20
- Dave also briefly hosted a Test Kitchen to try to recreate an anomaly in the data stored in the Windows 10 Timeline
Forensic Lunch Test Kitchen 3/17/20
- Basis Technology shares the 2019 OSDFCon talk from Kristinn Gudjonsson and Johan Berggren
The Beautiful Mind of a Timeline
- The videos from Blackhat 2019 have been uploaded
- Heather Mahalik at Cellebrite shared a video on parsing chat applications
How to Discover Artifacts in UFED Physical Analyzer – Part 2
- On this week’s Digital Forensic Survival Podcast, Michael discussed the capabilities of some of Microsoft’s Trusted Developer Utilities
DFSP # 213 – Trusted Developer Utilities
- Nuix shares a 7 minute video on endpoint detection
Finding Data Archiving Activity Using Nuix Adaptive Security
- Paraben shares a 5 minute walkthrough of their E3 platform
E3 Forensic Platform Overview
- SANS shared the recordings of a couple of recent webcasts
- Jason Nickola at GIAC interviewed Chris Cochran on “Trust me, I’m certified”
Practicing confidence, mental agility, and vulnerability while building your cybersecurity career with Chris Cochran
MALWARE
- Adam Chester at XPN examines how Windows ETW can signal the loading of .NET assemblies
Hiding your .NET – ETW
- Liviu Arsene, Radu Tudorica, and Alexandru Maximciuc at Bitdefender Labs share their whitepaper (16 page PDF) which traces a new TrickBot module: rdpScanDll
New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong
- Brian Laskowski at Laskowski-Tech shows how quickly TrickBot infections can spread
Breakout Time: Trickbot edition
- Brian also demonstrates how to unpatch Office to get a sample to execute
TIL: How to Unpatch Office and get that sweet execution
- Crypsis Group looks at ransomware this week
- Dr. Ali Hadi at ‘Binary Zone’ shows one way to use the Cuckoo VM and how to look up data in Moloch
Howto Setup and use the CuckooVM v2
- Dragos shared a summary of Joe Slowik’s whitepaper on LockerGoga
Spyware Stealer Locker Wiper: LockerGoga Revisited
- FireEye shared posts about ASLR and ransomware
- Cheng Lu and Steven Ouellette at Flashpoint look at a vulnerability in Apache Tomcat
Apache Tomcat Vulnerability “Ghostcat” Attracting Threat Actor Attention
- John Ferrell at Huntress Labs writes about malware keyed to a specific user or machine
ThreatOps Analysis: Keyed Malware
- Pavel Shoshin at Kaspersky writes about the stalkerware tool MonitorMinor, purported to be a parental control app for Android, which is hard to detect and harder to remove.
The dangers of MonitorMinor stalkerware
- Mike at “CyberSec & Ramen” shares a write-up for a recent malware traffic analysis exercise that you can follow along with
Malware Traffic Analysis “MondoGreek” Exercise Write-Up
- Arnold Osipov at Morphisec shares behaviour and IOC information about the Parallax RAT
Parallax: The New RAT on the Block
- Ken Hsu, Zhibin Zhang, and Ruchna Nigam at PAN Unit 42 write about the “Mukashi” Mirai variant
New Mirai Variant Targets Zyxel Network-Attached Storage Devices
- RandomRE dives deeper into a sample seen in a Securelist report
Loaders loading loaders, Buer to Smoke
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Trickbot gtag red5 distributed as a DLL file, (Wed, Mar 18th)
- A Quick Summary of Current Reflective DNS DDoS Attacks, (Tue, Mar 17th)
- Desktop.ini as a post-exploitation tool, (Mon, Mar 16th)
- SANS Work From Home Deployment Kit. Free Material to Help You Stay Secure While Working From Home (Mon, Mar 16th)
- VPN Access and Activity Monitoring, (Sun, Mar 15th)
- Honeypot – Scanning and Targeting Devices & Services, (Sat, Mar 21st)
- Sergei Shevchenko at Sophos shares research presented last year at VB2019 about Mac malware distribution
“Double agent”: a MacOS bundleware installer that acts like a spy
- VMware Carbon Black shared posts on AMSI and ghostSMB this week
- JW at Wilbur Security demonstrated the Zeppelin ransomware’s execution
Zeppelin Ransomware
- Davide Testa, Luigi Martire, Antonio Pirozzi, and Pierluigi Paganini at Yoroi report on Ursnif targeting Italian users
Ursnif Campaign Targets Italy with a New Infection Chain
- Lots of people discussed bad actors using the coronavirus as a lure this week. Here’s our roundup:
- 3/20/2020 – Hancitor w/Coronavirus Themed Malspam
- COVID-19 Impact: As Retailers Close their Doors, Hackers Open for Business
- Just Because You’re Home Doesn’t Mean You’re Safe
- Eagle vs. Panda: Does COVID-19 Rhetoric Have Us On The Brink Of War?
- APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT
- Coronavirus scams, found and explained
- Cybercriminals impersonate World Health Organization to distribute fake coronavirus e-book
- Is APT27 Abusing COVID-19 To Attack People ?!
- Protecting against coronavirus themed phishing attacks
- COVID-19 Themed Multistage Malware, (Thu, Mar 19th)
- New version of chinoxy backdoor using COVID19 document lure
- IBM X-Force Threat Intelligence Cybersecurity Brief: Novel Coronavirus (COVID-19)
- Threat Intel Update | Cyber Attacks Leveraging the COVID-19/CoronaVirus Pandemic
- The Line Between Biological and Cyber Threats Has Never Been So Thin | What Can We Learn and What Should We Do?
- COVID Phishing Update – Coronavirus wants your Bonus, too
- Technical Analysis: Hackers Leveraging COVID-19 Pandemic to Launch Phishing Attacks, Fake Apps/Maps, Trojans, Backdoors, Cryptominers, Botnets & Ransomware
- Incremento delle Campagne a Tema CoronaVirus (Increase in Coronavirus-Themed Campaigns)
- Incremento Campagne Tematizzate COVID-19 (Increase in COVID-19-Themed Campaigns)
- Coronavirus-Themed Document Targets Brazilian Users
- CovidLock: Android Ransomware Walkthrough and Unlocking Routine
MISCELLANEOUS
- Alexis Brignoni at ‘Initialization Vectors’ has a very important post on errors in tool parsing. Cellebrite has identified that there’s a bug in their processing of DAR files (used in iOS full file system extractions) that misinterprets file system timestamps.
Trust but verify: Formats, timestamps, and validation
- Andrew Rathbun at AboutDFIR shared a content update, as well as an RSS starter pack
- Alexander Jäger demonstrates the new Timesketch UI
Timesketch new UI example
- Cellebrite posted a couple of times this week
- Vladimir Katalov at Elcomsoft describes the benefits of the newly added data extraction method in their iOS Forensic Toolkit.
Full file system and keychain extraction: now with iOS 13 and iPhone 11 support
- Elcomsoft also updated their various forensic bundles
Elcomsoft Mobile, Desktop and Premium forensic bundles
- There were a few posts on Forensic Focus this week
- Interview With Samuel Abbott, Software Trainer, Amped Software
- Register For Webinar: A Deep Dive Into Keychain And Spotlight Artifacts
- How To Acquire Cloud Data With MD-CLOUD
- Toward Exact And Inexact Approximate Matching Of Executable Binaries
- Interview With Joe Sylve, Director Of Research And Development, BlackBag
- Mission Darkness shared an infographic on how their products fit within the mobile forensic workflow
Digital Forensics Field To Lab Evidence Handling Solution
- Starting Monday, March 23rd, a new challenge will be posted by NW3C every weekday morning at 8 AM EST.
Capture the Flag for the National White Collar Crime Center
- Oxygen Forensics posted a couple of times this week
- Red Canary brought some levity to a WFH world
From our team to yours (because they’re really the same thing)
- Richard Frawley at ADF posted a couple of times this week
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — March 15 to March 21
- Xavier Mertens shares ways to educate yourself despite conferences being cancelled left and right
InfoSec Conferences Canceled? We’ve Hours Of Recordings!
SOFTWARE UPDATES
- ANSSI released a new version of DFIR-ORC
v10.0.9
- Apache Tika 1.24 has been released
17 March 2020: Apache Tika Release
- Mark Spencer at Arsenal describes some of the great new features in Arsenal Image Mounter v3.1.101
Quick Tour of New Features in Arsenal Image Mounter v3.1.101
- Binalyze IREC was updated to v1.9.16
Version 1.9.16
- UFED Physical Analyzer 7.31 was released
Application Enhancements & Important Product Updates in UFED Physical Analyzer
- Elcomsoft iOS Forensic Toolkit 5.40 was released
iOS Forensic Toolkit 5.40: jailbreak-free extraction for iOS 11-13.3
- ExifTool 11.92 was released with new tags and bug fixes
ExifTool 11.92
- GetData released Forensic Explorer v5.1.2.9378
17 Mar 2020 – 5.1.2.9378
- Nextron Systems released Thor Lite
THOR Lite – Free YARA and IOC Scanner
- Passmark Software released OSForensics v7.1 build 1008
V7.1 build 1008 17th March 2020
- Timesketch 20200319 was released
20200319
- Ulf Frisk released MemProcFS version 3.2
Version 3.2
- X-Ways Forensics 19.9 SR-5 and 20 Preview 2 were released
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically, hit us up through the contact page or on the social pipes!