Week 25 – 2019

Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, Thanks to those who give a little back for their support!



  • John Wunder at MITRE ATT&CK shares different ways to use ATT&CK detections for new to mature investigators and organizations. John suggests for example starting with process and command line monitoring before putting together a purple team.
    Getting Started with ATT&CK: Detection and Analytics 
  • Neil Thacker at Netskope shares a case study of a malicious DNS redirection issue that was seen and solved inhouse.
    Customer Zero: a case study 
  • Terrance DeJesus at NTTSecurity shares examples of LOLBins, benign tools used in malicious ways, and their ATT&CK mappings.
    Living-off-the-Land blog series 
  • Whitney Champion at Recon InfoSec discusses fine tuning threat signatures in Graylog using Python and Ansibl
    Automating Graylog Pipelines 



  • On this week’s Digital Forensic Survival Podcast, Michael spoke about the challenges when dealing with VMEM files from Virtual Machines
    DFSP # 174 – The VMEM Experience 
  • Richard Davis at 13Cubed has uploaded a tutorial on searching for “Auto-Start Extensibility Points (ASEPs) directly from memory” with Volatility
    Detecting Persistence in Memory 


  • Erik Pistelli at Cerbero Suite shares new features in the Carbon disassembler including support for ELF files.
    Cerbero Suite 3.1 is out! 
  • Yaroslav Harakhavik and Aliaksandr Chailytko at Check Point Research look at how DanaBot has evolved from a malware that could spread spam and install a RAT to more recently dropping ransomware.
    DanaBot Demands a Ransom Payment 
  • Xiaopeng Zhang at Fortinet looks at the HawkEye keylogger spread via phishing email as well as the collection capabilities observed.
    Analysis of a New HawkEye Variant 
  • Tarun Dewan and Lenart Brave at Zscaler look at new malware targeting individual (non POS) debit and credit card information.
    Felipe, a new infostealer Trojan 


  • Paul Sanderson has announced that his tools are now being actively distributed by Teel Technologies 


  • Eric Zimmerman updated PECmd, Registry Explorer, RECmd, and TLE
  • Evimetry v3.2.2 was released with a number of improvements and bug fixes
    Release 3.2.2 
  • ExifTool 11.52 was released with new tags and bug fixes
    ExifTool 11.52 
  • OpenText™ EnCase™ Forensic 8.09 is now available, but release notes are behind a login page 

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s