Links only from me again. Thanks to Lodrina for putting in the work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Arman Gungor at Metaspike
  - Dates in Hiding Part 2—Gmail MIME Boundary Timestamps
- Vico Marziale at BlackBag Technologies
  - Exploring the Windows Activity Timeline, Part 2: Synching Across Devices
- Heather Mahalik at Cellebrite
- Cyber Forensicator
  - SQM: New Evidence of Execution Source?
- Oleg Afonin at Elcomsoft
  - Attached Storage Forensics: Security Analysis of ASUSTOR NAS
- Hal Pomeranz shared Linux Forensics material
  - Check out @Hal_poweranz’s tweet
- Kevin Pagano at Stark 4N6
  - Google Pixel Now Playing History
- Melissa at Sketchymoose’s Blog
  - A Study of Chrome Remote Desktop Extension
- Mike Cohen at Velocidex
- Teru Yamazaki at Forensicist
  - mssql_4n6
- Yogesh Khatri at ‘Swift Forensics’
  - Google Search & Personal Assistant data on android
THREAT INTELLIGENCE/HUNTING
- Dragos shared OSINT information from Amy Bejtlich and Selena Larson presented earlier this year at RSAC, including the OSINT Collection Risk and Vulnerability Matrix from Casey Brooks
  - Dragos Threat Intelligence – OSINT Primer at RSA Conference
- Luke Rusten at Recon Infosec details the CVE for Desktop Central and shares new KAPE targets for other teams doing this analysis
  - Analysis Of Exploitation: CVE-2020-10189
- Bill Stearns at Active Countermeasures kicks off a Threat Simulation how-to series:
- Adam at Hexacorn
  - Hiding process creation and cmd line with a long com…
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares a PS script to find service accounts
  - Windows Service Accounts enumeration using Powershell
- Eric Poynton at Awake Security examines what activity can happen with malicious browser extensions
  - Google Doppelganger & Malicious Chrome Extension
- Brad Duncan at Malware Traffic Analysis has posted some additional packet captures for analysis
  - 2020-03-20 – info_03_23.doc pushes malware (Valak, maybe?)
  - 2020-03-20 – Polish malspam with XLS attachment pushes Ursnif (Gozi/IFSB/Dreambot)
  - 2020-03-25 – Quick post: two pcaps with GuLoader and NetWire RAT infection traffic
  - 2020-03-26 – information_03_26.doc pushes ZLoader
  - 2020-03-27 – price_request_9830.doc pushes IcedID (Bokbot)
- Check Point Software looks at serverless benefits and challenges, including potential issues with visibility
  - How Your Attack Surface is Reduced, Moving to Serverless
- Didier Stevens points to some interesting MS DC documentation
  - Quickpost: Windows Domain Controllers Have No Local Accounts
- David French and Brent Murphy at Elasticsearch examined how to hunt for different persistence techniques by TTP
  - Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1)
- FireEye looked at continued threat actor activity
- Flavian Dola at Airbus CyberSecurity with Schneider Electric looks at a Stuxnet-type attack on PLCs
  - Applying a Stuxnet Type Attack to a Modicon PLC
- Jagaimo Kawaii at Lab52 showed AV evasion techniques in a supposed PDF document
  - APT-C-36 new anti-detection tricks
- Cyb3rWard0g at Microsoft looks at deploying Azure Sentinel via Azure Resource Management
  - Azure Sentinel To-Go: Sentinel Lab w/ Prerecorded Data 😈 & a Custom Logs Pipe via ARM Templates
- Pixis at hackndo shared some attack walkthroughs
- Jimmy Astle and Greg Foss continue to share information from the Red Canary Threat Detection Report about process injection and an intro to MITRE ATT&CK
  - Q&A: Insights from the Red Canary 2020 Threat Detection Report
- Tas Pentester shared a 2-part writeup on visualizing Windows Event logs and learning new tools:
- Rockie Brockway at TrustedSec talks about breaking out of specialty technical silos to perform better risk assessments
  - Crossover Sec: Breaking Down the Silos
- Scott Knight at Carbon Black shares an overview of APT29 activity
  - The Dukes of Moscow
- John Simpson and Pengsu Cheng at Trend Micro Research look at LNK file analysis
  - CVE-2020-0729: Remote Code Execution Through .LNK Files
UPCOMING WEBINARS/CONFERENCE
- Belkasoft
  - Belkasoft Safari Webinar
- Berla
  - iVe Live Community Hangout
- BlackBag Technologies
  - BlackBag Announces New Live Instructor-led Virtual Training Courses
- Heather Mahalik
  - Life Does Not Have a Ctrl+Alt+Del
- Crowdstrike
  - Incident Response and Remediation When Working Remotely
- Griffeye
- Group IB
  - Intelligence-driven threat hunting, or don’t let the hunter become the prey
- Magnet Forensics
  - Magnet Virtual Summit is Bringing Industry Experts Right to You!
- Oxygen Forensics
  - Oxygen Forensics Offers FREE Remote Training During COVID-19 Crisis
- SANS
  - SANS@MIC Schedule
PRESENTATIONS/PODCASTS
- Jason Jordaan at SANS
  - Building Your Foundation: Getting Started in Digital Forensics | SANS@MIC Talk
- Black Hills Information Security – YouTube
  - How to improve network security for people working from home
- BlackBag Technologies
  - Ask the Experts A Deep Dive into Keychain and Spotlight Artifacts
- Cellebrite
  - Ask the Expert: Why Analytics is Relevant to Every Digital Investigation by Heather Mahalik
- David French
  - BSidesSLC 2020 – David French – A Chain Is No Stronger Than Its Weakest LNK
- Detections podcast
  - Episode 18: Breaking the Colorwheel
- Digital Forensic Survival Podcast
  - DFSP # 214 – CyberChef
- Kevin Ripa at ‘3 Minutes Max’
- Phil Hagen at SANS
  - FOR572: Always Updating, Never at Rest
- Ben Abbott at VMRay
  - SANS Webcast Recap: Practical Malware Family Identification for Incident Responders
MALWARE
- Alejandro Baca and Rodel Mendrez at Trustwave SpiderLabs reverse a malicious USB sent via mail in a targeted snail mail attack
  - Would You Exchange Your Security for a Gift Card?
- Virus Bulletin shared research from Adam Haertlé, who was the “reply to” address on a malspam campaign, and the almost 2k email replies Adam got, including a number of replies in the category of “My AV blocked the file, please send again.”
  - VB2019 paper: 2,000 reactions to a malware attack – accidental study
- 0day in {REA_TEAM} shares an IDA post (Vietnamese)
  - REVERSING WITH IDA FROM SCRATCH (P29)
- 0verfl0w_ at 0ffset reverses DLLs
  - Unpacking Malicious DLLs – IcedID
- 0xEvilC0de.com traces a bad macro from an Office document
  - Maldoc drops DLL and executes via ExecuteExcel4Macro
- 360 Netlab Blog shared a few posts in multiple languages this week
- Elmer Hernandez at Cofense shares the risk of opening a .html file loading a malicious .php element
  - One, Two, Three Phish: Adversaries Target Mobile Users
- Danus Minimus sorts through a bunch of samples with Splunk
  - The Malware Lake Project
- Marius Genheimer at Dissecting Malware reverses a Java-based ransomware
  - Why would you even bother?! – JavaLocker
- Paul Litvak and Shaul Holtzman at Intezer examine activity of what might be an attacker uploading samples to VT, trying to understand scoring detections
  - Evasion Techniques Dissected: A Mirai Case Study
- Kaspersky talked about mobile threats and Windows CVEs this week
- James Haughom at Lastline shares IQY (Internet Query) files, read by Excel, and their use in a ransomware campaign
  - IQY files and Paradise Ransomware
- Herbie Zimmerman posted packet analysis post 1337 about Agent Tesla on ‘Lost in Security (and mostly everything else)’
  - 2020-03-23 Agent Telsa Malspam
- Jérôme Segura at Malwarebytes Labs found a web skimmer on the Tupperware website (which has since been removed)
  - Criminals hack Tupperware website with credit card skimmer
- Microsoft Security
  - Latest Astaroth living-off-the-land attacks are even more invisible but not less observable
- Neil Fox shared two analyst posts this week
- PC’s Xcetra Support traces malware from VBA, to Base64, to PS, then to an IP
  - Extracting Shellcode from VBA to PowerShell
- ReversingLabs, true to their name, did some more reversing this week
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Pavel Asinovsky at Security Intelligence recaps findings from IBM X-Force about a mobile TrickBot implementation on Android
  - TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany
- Elliot Cao, Joseph C. Chen, William Gamazo Sanchez, Lilang Wu, and Ecular Xu at TrendMicro share iOS malware, similar to an Android campaign seen in 2019
  - Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links
- JW at Wilbur Security follows a lab infection of Cobalt Strike -> Trickbot -> Ryuk
  - Trickbot to Ryuk in Two Hours
- Avinash Kumar and Nirmal Singh at Zscaler ThreatLabZ look at Drive-by downloads (blame me for the pun, it’s been a long week -LC)
  - Multistaged Downloader Leverages Google Drive to Download Advanced Malware
- Bad actors continued to deploy malware via COVID-based phishing emails and threaten to disrupt remote workforce routines. Review the breadth of these attacks here:
- Andreas Klopsch at ‘Malware and Stuff’ – Mustang Panda joins the COVID-19 bandwagon
- Anomali Blog – Anomali Aggregates Open Source Threat Intelligence to Fight COVID-19-themed Cyber Attacks
- Anomali Blog – COVID-19 Themes Are Being Utilized by Threat Actors of Varying Sophistication
- Anomali Blog – Leverage ThreatStream and DomainTools COVID-19 Threat List
- Bitdefender Labs – Android Apps and Malware Capitalize on Coronavirus
- Cisco’s Talos – Threat Update: COVID-19
- Cofense – Cofense Launches COVID-19 Phishing Resource Center, Announces Webinar to Arm Cyber Security Professionals with Actionable Intelligence
- Cofense – Threat Actors Innovate to Exploit COVID-19, Delivering OpenOffice .OPD Attachments on a Shoestring Budget
- Corelight – Using Corelight and Zeek to Support Remote Workers
- COVID-19 CTI League – Welcome to the CTI League
- Cybereason – Remote Work is the New Normal
- Dissecting Malware – Jamba Superdeal: Helo Sir, you want to buy mask? – Corona Safety Mask SMS Scam
- Forcepoint – Malware Authors and Scammers Adapt to Current Events with Phishing and More
- Heimdal Security Blog – Traffic to Malicious Websites Spiking as more Employees Take Up Work from Home
- Illusive Networks – 4 Ways Coronavirus Will Affect Cybersecurity, and 4 Defense Methods
- Journey Notes – Threat Spotlight: Coronavirus-Related Phishing
- Kaspersky Lab – People infected with coronavirus are all around you, says Ginp Trojan
- Kaspersky Lab – Coronavirus as a hook
- Lost in Security (and mostly everything else) – 2020-03-25 Agent Telsa Malspam – Covid-19 Themed
- Malwarebytes Labs – Coronavirus Bitcoin scam promises “millions” working from home
- Microsoft Azure Blog – Keeping your cloud deployments secure during challenging times
- Palo Alto Networks – Don’t Panic: COVID-19 Cyber Threats
- SANS Internet Storm Center – More COVID-19 Themed Malware, (Sun, Mar 22nd)
- SANS Internet Storm Center – Another Critical COVID-19 Shortage: Digital Security, (Tue, Mar 24th)
- SANS Internet Storm Center – Help us classify Covid19 related domains https://isc.sans.edu/covidclassifier.html (login required), (Fri, Mar 27th)
- SANS Internet Storm Center – Covid19 Domain Classifier, (Sat, Mar 28th)
- Sophos News – Facing down the myriad threats tied to COVID-19
- The PhishLabs Blog – COVID-19 Phishing Update: Campaigns Exploiting Hope for a Cure
- The PhishLabs Blog – COVID-19 Phishing Update: Threat Actors Impersonating CDC, WHO
- VMware Carbon Black – VMware Carbon Black Removes Endpoint Limits for Customers to Secure Their Changing Environments During the COVID-19 Crisis
- ZScaler – Four Ways Attackers Are Exploiting the Coronavirus Crisis
- ZScaler – Four Factors to Consider for an At-Home Workforce
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR
  - AboutDFIR Content Update 3/27/2020
- AccessData
  - Are you interested in FTK® Imager Training?
- Lori Tyler at AccessData
  - Simpler Than Ever! Quin-C Predesigned Workflow for Fast Legal Review
- AceLab
  - The PC-3000 Portable III Is Even Faster and More Powerful Now!
- Anomali
  - Weekly Threat Briefing: APT36, Coronavirus, Phishing, Remote Access Trojan, and More
- Anton Chuvakin
  - So, Chronicle, Are You a SIEM?
- BlackBag Technologies
- Brett Shavers at DFIR.Training
  - What’s New at DFIR Training
- Cellebrite
- Coding | Reversing
  - PyInstaller Extractor updated to v2.0
- COVID Assistance
- Cyber Triage
  - Cyber Triage 2.12: Online File Reputation Service is Released
- Didier Stevens
  - Carving PE Files With pecheck.py
- Joshua James at Digital Forensic Science
  - General overview of investigation process
- Sarvottam Kumar at Fossbytes
  - Tsurugi Linux Review: A Linux Distro For Digital Forensics, OSINT, And More
- Forensic Focus
- Christa Miller at Forensic Horizons
  - Maintaining Digital Forensics’ Integrity in the Age of Automation
- Gina Cristiano at ADF
  - Meet Rich Brown from Project VIC International
- Griffeye
  - Griffeye Connect – Opening up new possibilities for users and teams
- Matt Asay at Infoworld
  - Zeek and Jitsi: 2 open source projects we need now
- iNPUT-ACE
  - Response to Imminent Need for many Law Enforcement Professionals to Work at Home
- Action Dan
  - Red Teaming WRCCDC 2020
- Logz.io
- Magnet Forensics
- Matt C. A. Smith
  - SANS FOR508: I’m now a GIAC Certified Forensic Analyst
- MISP
  - Cogsec Collab MISP Community
- Msab
- Richard Bejtlich at TaoSecurity
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — March 22 to March 28
- X-Ways Forensics Practitioner’s Guide/2E
  - Righted the rights!
- XORL
  - The 2018 NSA Cyber Exercise (NCX) Module 2 tabletop board game
SOFTWARE UPDATES
- Atola
  - TaskForce 2020.3 introduces segmented hashing!
- Brim
  - v0.5.4
- Didier Stevens
  - Update: oledump.py Version 0.0.49
- Digital Detective
  - NetAnalysis® v2.11 and HstEx® v4.11 Released
- Griffeye
  - Release of Analyze 20.0
- Monolith Forensics
  - Weekly Build – v0.6.3
- OSForensics
  - V7.1 build 1010 25th March 2020
- SalvationData
  - [Software Update] Mobile Forensics: SPF Pro V6.100.0 New Version Release for Better User Experience!
- Sandfly Security
  - Sandfly 2.5.2 – Scheduling Priority, Detecting Command Line Web Servers, Port Scanners and Kernel Thread Masquerading
- Trail of Bits
  - Announcing the Zeek Agent
- Velociraptor
  - Release 0.4.1
- Yara
  - v4.0.0-rc3
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically, hit us up through the contact page or on the social pipes!