Links only again, busy busy busy!
Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’
  - Daily Blog #671: Sunday Funday 4/12/20
  - Daily Blog #672: AWS EBS Snapshot Block Access
  - Daily Blog #673: Working AWS EBS Blocks
  - Daily Blog #675: The curious case of cloud trail and AWS EBS Block API access
  - Daily Blog #674: Forensic Lunch Podcast is up to date!
  - Daily Blog #676: Forensic Lunch 4/17/20 with Zach Wasserman
  - Daily Blog #677: Solution Saturday 4/18/20
- Cyber Forensicator
- Ian Whiffin & Shafik G. Punja at DoubleBlak
  - CheckRa1n Extraction for ArtEx Processing
- John Lukach at Cloud 4n6ir
  - Cloud 4n6ir Fun #1 – What Changed?
- Joshua Hickman at ‘The Binary Hick’
  - iOS 13 Images….ImageS…Now Available!
- Oleg Skulkin, Rohit Tamma, Heather Mahalik, and Satish Bommisetty
  - Practical Mobile Forensics
- Oxygen Forensics
  - Untangling Airbnb
- Peter Stewart
  - OtterCTF 2018 – Network Challenges – Look At Me Write-up
- SalvationData
  - [Case Study] Mobile Forensics: Better Understanding of SQLite Database Based on Smartphone Forensic Data Acquisition
- The Leahy Center for Digital Forensics & Cybersecurity
- ThinkDFIR
  - Part of a Sunday Funday answer – Microsoft Teams
THREAT INTELLIGENCE/HUNTING
- Calum Hall and Luke Roberts at F-Secure share their Objective By The Sea talk on attacks using Jamf
  - Jamfing for Joy: Attacking macOS in Enterprise
- Active Countermeasures
- Adam Chester at XPN
  - Designing The Adversary Simulation Lab
- Anomali Blog
  - Weekly Threat Briefing: New dark_nexus Botnet, Pegasus Spyware, SFO Airport Data Breach, and More
- Brad Duncan at Malware Traffic Analysis
- Brad Garnett
  - Talos Takes Podcast Interview: Preparing for the worst with Cisco Talos Incident Response
- Cisco Talos
  - Quarterly Report: Incident Response trends in Spring 2020
- Cybereason
  - Incident Response: Don’t Let That Data Age-out
- Cybersecurity Insights
  - Detection Lab for Pentesters
- Dirk-jan Mollema
  - Introducing ROADtools – The Azure AD exploration framework
- Elasticsearch
  - Generating MITRE ATT&CK® signals in Elastic SIEM: Sysmon data
- FireEye Threat Research
  - Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation — Intelligence for Vulnerability Management, Part Two
- Hacking Articles
- Intezer
  - The missing MITRE ATT&CK matrix for Linux cloud servers
- lab52
  - China: From culture to conflict in the cyberspace
- Lenny Zeltser
  - How to Set Up a SpiderFoot Server for OSINT Research
- Matt Suiche at Comae
  - Keep Office 365 safe from BEC when you are an SME
- Palo Alto Networks
  - APT41 Using New Speculoos Backdoor to Target Organizations Globally
- Red Canary
  - Invoke-AtomicRedTeam leaves the nest
- Robin Moffatt
  - A quick and dirty way to monitor data arriving on Kafka
- Security Art Work
  - New sonar contact: possible APT on Bearing 028
- Security Intelligence
  - TA505 Continues to Infect Networks With SDBbot RAT
- VMware Carbon Black
  - VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus
UPCOMING WEBINARS/CONFERENCES
- AceLab
  - The ACE Lab Online TechCon 2020: What’s on the schedule?
- Belkasoft
  - BelkaDay Europe
- Griffeye
  - Webinar: Create and customize better case reports
- Oxygen Forensics
  - Webinars
- Red Canary
  - Webinar preview: Facing Threats to Banking and Finance
PRESENTATIONS/PODCASTS
- Kevin Ripa
- BlackBag Technologies
  - BlackBag Tip of the Day: BitLocker Protected Evidence
- Heather Mahalik at Cellebrite
  - Ask the Expert: A fast approach to examining media in UFED Physical Analyzer by Heather Mahalik
- ComfyconAU
  - ComfyconAU
- Detections
  - Episode 21: Craaling with Jay Lagorio
- Didier Stevens
  - zipdump.py: Malformed .docm File
- Digital Forensic Survival Podcast
  - DFSP # 217 – Static Malware Analysis
- Down the Security Rabbithole Podcast
  - DtSR Episode 390 – DFIR 20-20
- Jason Nickola at ‘Trust Me I’m Certified’
  - Breaking and building your way to an infosec career with Chris Elgee
- Magnet Forensics
  - From the Training Team: Magnet AXIOM Advanced Mobile Forensics (AX300)
- Matthew Toussain
  - Get Certified All You Need to Know to Rock GIAC Exams
- Lee Reiber at ‘Mobile Forensic Investigations’
- Matt Danner at Monolith Forensics
  - Get Monolith Setup in 2 Minutes
- MSAB
- Nuix
  - Promote to Nuix Discover
- Paraben Corporation
  - Using checkra1n for iOS Physical Processing in the E3 Forensic Platform
- Recon InfoSec
  - TheHive For Teams
- Richard Davis at 13Cubed
  - Channel Update (April 2020)
- Security Conversations
  - Matt Suiche, Comae Technologies
- Steve at Sumuri
  - RECON LAB: Beating the Malware Defense
MALWARE
- Ashley Graves at Alien Labs (AT&T Cybersecurity) shares a webhook based Slack attack
  - Slack phishing attacks using webhooks
- Cisco Talos
  - Trickbot/Excel 4.0 macros: There’s got to be a better way
- Click All the Things!
  - Trickbot/Excel 4.0 macros: There’s got to be a better way
- Compass Security Blog
  - Reversing a .NET Orcus dropper
- Didier Stevens
  - Analyzing Malformed ZIP Files
- ~Dissecting Malware
  - The Blame Game – About False Flags and overwritten MBRs
- Fortinet
  - NetWire RAT Targeting Taxpayers is Spreading via Legacy Microsoft Excel 4.0 Macro
- Intel 471’s Blog
  - Understanding the relationship between Emotet, Ryuk and TrickBot
- Josh Stroschein at 0xEvilC0de
  - Excel 4 Macros – Get.Workspace Reference
- Malwarebytes Labs
  - New AgentTesla variant steals WiFi credentials
- Marco Ramilli
  - Cybersecurity Trends
- Morphisec
  - Lokibot with AutoIt Obfuscator + Frenchy Shellcode
- MrT4ntr4’s Blog
- Neutralize Cyber Threats
- Palo Alto Networks
  - Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns
- Rapid7
  - Uncooking Eggs: Manual Dridex Dropper Malicious Document Deobfuscation Methods
- ReversingLabs Blog
  - Mining for malicious Ruby gems
- SandmaxPrime
  - Malware Analysis – Adwind JRat
- SANS Internet Storm Center
  - Reader Analysis: “Dynamic analysis technique to get decrypted KPOT Malware.”, (Sun, Apr 12th)
  - Look at the same phishing campaign 3 months apart, (Mon, Apr 13th)
  - No IOCs? No Problem! Getting a Start Hunting for Malicious Office Files, (Wed, Apr 15th)
  - Using AppLocker to Prevent Living off the Land Attacks, (Thu, Apr 16th)
  - Weaponized RTF Document Generator & Mailer in PowerShell, (Fri, Apr 17th)
  - Maldoc Falsely Represented as DOCX Invoice Redirecting to Fake Apple Store, (Sat, Apr 18th)
- Sebdraven
  - Yeti and Pandas love VirusTotal Hunting
- Security Intelligence
  - Grandoreiro Malware Now Targeting Banks in Spain
- SentinelOne
  - MBRLocker Wiper Malware | Destructive Pranks Are No Joke For Victims
- SpecterOps
  - Methodology for Static Reverse Engineering of Windows Kernel Drivers
- TrendMicro
  - Exposing Modular Adware: How DealPly, IsErIk, and ManageX Persist in Systems
- Trustwave SpiderLabs
  - Excel Malspam: Password Protected … Not!
- Yoroi
  - A Brand New Ursnif/ISFB Campaign Targets Italian Organizations
- ZScaler
  - Multistage FreeDom Loader Used to Spread AZORult and NanoCore RAT
The COVID-19/Coronavirus threats, malware, and workplace risks:
- Check Point Software
  - Is your Hospital Prepared for the Next Cyber Attack?
- Cisco Talos
  - PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors
- Gradiant
  - Privacy in times of COVID-19 (Privacidad en tiempos del COVID-19)
- Malwarebytes Labs
  - Lock and Code S1Ep4: coronavirus and responding to computer viruses with Akshay Bhargava
- Malwarebytes Labs
  - Keep Zoombombing cybercriminals from dropping a load on your meetings
- Radware
  - Navigating the Threat Landscape in Unprecedented Times
- Radware
  - Radware Threat Researchers Live: Coronavirus & FSB
- Secureworks
  - Weekly Threat Intelligence Bulletin: COVID-19
- The PhishLabs Blog
  - COVID-19 Phishing Update: Workplace Concerns Exploited to Distribute Malware
- The PhishLabs Blog
  - COVID-19 Phishing Update: Voicemail Attacks Surface Targeting Office 365 Users
- The Threat Blog | COVID-19 Cyber Threat Coalition
  - 2020-04-14 Weekly Threat Advisory
- TrendMicro
  - Coronavirus Update App Leads to Project Spy Android and iOS Spyware
- TrendMicro
  - Gamaredon APT Group Use Covid-19 Lure in Campaigns
- Trustwave SpiderLabs
  - COVID-19 Themed BEC Scams
- Check Point Software
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR
- AceLab
  - The PC-3000 Portable III Now Supports the NVMe SSDs Based on Phison PS5007 Controller!
- Alissa Torres
  - Check out @sibertor’s tweet
- Brett Shavers at DFIR.Training
  - Review of Foxton Forensics’ Browser History Examiner
- DME Forensics
- Forensic Focus
- Haydn Johnson at Hackerrolls
  - OpenSoc Experience
- Kaspersky Lab
  - Think you know how to hide info in images?
- Lee Holmes at ‘Precision Computing’
  - List of InfoSec Cognitive Biases
- LockBoxx
  - Course Review: Red Team Operator
- Magnet Forensics
- Matt at ‘Bit of Hex’
- Microsoft Security
  - Afternoon Cyber Tea: Building operational resilience in a digital world
- Mike Cohen
  - Velociraptor
- Matt Danner at Monolith Forensics
- Mike Dickinson at MSAB
  - What does ‘Forensically Sound’ mean?
- Whitney Champion at OpenSOC
  - Camp COVID – A Recap
- Rapid7
  - Meet AttackerKB
- Brian Greunke at Recon InfoSec
  - Visualizing Geo IP Information using Python
- SANS
  - Ways to Earn CPEs to Renew Your Certs
  - SANS Live Online: Revealing a New Training Schedule for Your ‘New Normal’
  - Get a Free GIAC Certification Attempt with Your Live Online or OnDemand Course Purchase – Now Through April 30
  - SANS Challenge Coins: The Ultimate Recognition to Elite Cybersecurity Professionals
SOFTWARE UPDATES
- Brim
  - v0.8.0
- David Dym at EasyMetaData
  - MetaDiver 3.4 release
- Didier Stevens
- Elcomsoft
  - Elcomsoft Internet Password Breaker 3.10 extracts Edge Chromium passwords, updates Chrome support
- Eric Zimmerman
  - ChangeLog
- ExifTool
  - ExifTool 11.94
- GetData
  - 15 Apr 2020 – 5.2.2.9452
- John Lukach at Cloud 4n6ir
  - AWS Snapshot 4n6ir Imager v0.1.9
- Eric Zimmerman
  - Kape Changelog
- Monolith Forensics
  - Monolith Update v0.8.1
- Nirsoft
  - Image/text Cache preview for Chromium based web browsers (Chrome, Edge, Opera, and others…)
- OpenText
- radare2
  - 4.4.0 Codename: pangolin
- Andriller
  - 3.3.1
- regipy
  - 1.5.0
- Velociraptor
  - Release 0.4.2
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!