Links only again!
Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’
- Mark Spencer at Arsenal Recon
  - The Interesting Case of Windows Hibernation and BitLocker
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’
  - Daily Blog #678: Sunday Funday 4/19/20
  - Daily Blog #679: Snapshot 4n6ir Imager
  - Daily Blog #680: Apple Unified Audit Logging
  - Daily Blog #681: DFIR Discord
  - Daily Blog #682: Linux Kernel patches for safe forensic imaging
  - Daily Blog #683: Forensic Lunch 4/24/20 with the Google IR Team (GRR, Timesketch, Turbinia, DTTimewolf, More!)
  - Daily Blog #684: Solution Saturday 4/25/20
- Ron Serber and Heather Mahalik at Cellebrite
  - Hex Diving — The Easy Way to Uncover Hidden Forensic Artifacts
- Faisal Abdul Malik Qureshi
  - Memory Forensics – GrrCon2015 CTF
- Vladimir Katalov at Elcomsoft
  - iOS acquisition methods compared: logical, full file system and iCloud
- Oxygen Forensics
  - Hunting Computer Artifacts with Oxygen Forensic KeyScout
- Sarah Edwards at Mac4n6
  - Introducing ‘Analysis of Apple Unified Logs: Quarantine Edition’ [Entry 0]
  - Analysis of Apple Unified Log: Quarantine Edition [Entry 1] – Converting Log Archive Files on 10.15 (Catalina)
  - Analysis of Apple Unified Logs: Quarantine Edition [Entry 2] – sudo make me a sandwich
  - Analysis of Apple Unified Logs: Quarantine Edition [Entry 3] – Playing in the Sandbox, Enumerating Files and Directories
THREAT INTELLIGENCE/HUNTING
- Follow along with James Kainth blogging towards a Champlain College capstone project pre-graduation on “Hunting Anomalous Network Connections with Machine Learning”:
- Bill Stearns at Active Countermeasures
  - Threat Simulation – Client Signatures (TLS Signature)
- Adam at Hexacorn
  - Re-sauce, Part 1
- Patrick Olsen at Awake Labs
  - It’s not just Zoom, Hunting for All Video Conference Traffic using Awake
- Jerry Hayes at AWS
  - How to track changes to secrets stored in AWS Secrets Manager using AWS Config and AWS Config Rules
- David Rowe at SecFrame
  - Escalation Defenses: AD guardrails every company should deploy
- Asjad Athick at Elasticsearch
  - Monitoring Amazon EKS logs and metrics with the Elastic Stack
- Epic Turla at The Lost Reports
  - Nazar: A Lost Amulet
- Raj Chandel at Hacking Articles
- Marcus Bakker at MB Secure
  - The sources for hunts and how to prioritise
- Adam Chester at MDSec
  - Designing The Adversary Simulation Lab
- Diana Kelley at Microsoft Security
  - Protecting your organization against password spray attacks
- Mike at “CyberSec & Ramen”
  - Detecting Malicious Activity in Network Traffic
- Pixis at hackndo
  - Kerberos Delegation
- JB at Red Canary
  - Comparing open source adversary emulation platforms for red teams
- Cedric Owens at Red Teaming with a Blue Team Mentality
  - Leveraging OSQuery for macOS Post-Exploitation
- Tamás Kocsír and Sean Gallagher at SophosLabs
  - Following the money in a massive “sextortion” spam scheme
- Tasos Chatziefstratiou at Tas Pentester
  - Discover Hidden GPO(s) on Active Directory using PS>ADSI
- Venkat Iyer at Tranquil Security
  - Maintaining Persistence and Password Hash Dumping using Meterpreter and Mimikatz
- David Fiser and Jaromir Horejsi at TrendMicro
  - Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining
- Tyranid’s Lair
  - Sharing a Logon Session a Little Too Much

Leading off with a post from Frank Duff at MITRE, everyone’s talking about the APT29 based evaluations revealed this week:
- Frank Duff at MITRE
  - ATT&CK Evaluations: Understanding the Newly Released APT29 Results
- Cybereason + MITRE APT29
  - Understanding the MITRE ATT&CK APT29 (Round 2) Product Evaluations
  - MITRE ATT&CK Evaluations Showcase Cybereason’s Detailed Context and Visibility
- Elasticsearch + MITRE APT29
  - Easily visualizing MITRE ATT&CK® round 2 evaluation results in Kibana
  - MITRE ATT&CK® round 2 APT emulation validates Elastic’s ability to eliminate blind spots
- Kaspersky Lab + MITRE APT29
  - MITRE ATT&CK evaluations
- Microsoft Security + MITRE APT29
  - MITRE ATT&CK APT 29 evaluation proves Microsoft Threat Protection provides deeper end to end view of advanced threats
- Palo Alto Networks + MITRE APT29
  - MITRE Round 2 Results Solidify Cortex XDR as a Leader in EDR
- Secureworks + MITRE APT29
  - Update: Secureworks Announces ATT&CK® Evaluation Results, Momentum in Software Innovation
- SentinelOne + MITRE APT29
  - The Complete Guide To Understanding MITRE’s 2020 ATT&CK Evaluation
  - Coverage and Context: The Key Measures of MITRE ATT&CK 2020
- Trend Micro Simply Security + MITRE APT29
  - Getting ATT&CKed By A Cozy Bear And Being Really Happy About It: What MITRE Evaluations Are, and How To Read Them
- VMware Carbon Black + MITRE APT29
  - MITRE ATT&CK Evaluation Demonstrates the Power of the VMware Carbon Black Cloud
UPCOMING WEBINARS/CONFERENCES
- Cellebrite
  - Mobile Network Basics and Ingestion of Telecommunication Records for Investigative Review
  - Cellebrite Virtual User Forum Belgium 2020
  - 2020 Global Digital Intelligence Benchmark for Law Enforcement
  - Leveraging Physical Analyzer to Prepare Defense Discovery Reports in Child Exploitation Cases
  - The Transition Towards a New Mode of Operation: Understanding the Why and How.
- Blackbag Technologies
  - Register For Webinar: Analyzing Data From iCloud File Sharing
- Lenny Zeltser shares upcoming online learning opportunities in reverse engineering and writing
  - Learning Malware Analysis and Cybersecurity Writing Online
- MSAB
  - MSAB Webinar: Q1 SW release highlights: XRY 9.0.1 and XAMN 5.0.1
- Infosec Jupyterthon
  - Infosec Jupyterthon
PRESENTATIONS/PODCASTS
- Kevin Ripa
- Basis Technology
  - Webinar: Crisis Fincrime – How to Use AI to Combat Financial Crime During Coronavirus
- Black Hills Information Security
- Detections
  - Episode 22: Behind the Microphone
- Digital Forensic Survival Podcast
  - DFSP # 218 – Plaso & SOF ELK Timelines
- Karsten Hahn at Malware Analysis For Hedgehogs
  - Malware Analysis – Dumping COVID-19.jar RAT with Java Instrumentation
- Lee Reiber at Mobile Forensic Investigations
  - Oxygen Forensics Episode 107
- MSAB
- Paraben Corporation
  - Feature Phone Acquisition Walk Through
- Sumuri
  - SUMURI Podcast Episode 001 – Who or what is SUMURI?
  - SUMURI PODCAST Episode 002 – RECON LAB
  - SUMURI PODCAST Episode 003 – SUMURI’s CEO – Roslewicz… Common Spelling
  - SUMURI Podcast Episode 004 – TALINO Custom Workstations
  - SUMURI Podcast Episode 005 – PALADIN Forensic Suite
  - SUMURI Podcast Episode 006 – Buying a forensic workstation? Listen to this first!
  - RECON LAB: How to Process Evidence in Minutes
MALWARE
- In a joint release by the NSA and the Australian Signals Directorate, advice on how to detect and prevent web shell malware was released (link to 17-page PDF).
  - Detect & Prevent Cyber Attackers from Exploiting Web Servers via Web Shell Malware
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  - Beware! A fully functional SMBGhost exploit will be coming soon!
- Andreas Klopsch at ‘Malware and Stuff’
  - IoT Malware : Dissecting Dark Nexus
- Liviu Arsene at Bitdefender Labs
  - Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal
- Andrew Case, Dave Lassalle, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster at Volexity
  - Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant
- Blog 360
  - 深度揭露Anubis移动银行木马 [In-depth exposé of the Anubis mobile banking trojan]
- Brad Duncan at Malware Traffic Analysis
  - 2020-04-20 – Quick post: Trickbot gtag ono38 infection
  - 2020-04-20 – Qakbot (Qbot) spx100
  - 2020-04-21 – Qakbot (Qbot) spx101
  - 2020-04-21 – Quick post: Word macro –> Fastloader pushing Trickbot and AnyDesk
  - 2020-04-22 – Qakbot (Qbot) spx102
  - 2020-04-23 – Qakbot (Qbot) spx103
  - 2020-04-24 – Traffic analysis exercise – SteelCoffee
- Mila Parkour at contagio
  - KPOT info stealer samples
- Dragos, Inc
  - Malware Infections Increase at Industrial Companies Globally
- Cameron Sabel and Jared Semrau at FireEye Mandiant Threat Intelligence
  - Separating the Signal from the Noise: How Mandiant Intelligence Rates Vulnerabilities – Intelligence for Vulnerability Management, Part Three
- fl0x2208 at XNotes Blog
  - Fake New Order on Hold serving Formbook Stealer
- Kyle Cucci at SecurityLiterate
- Lasq at MalFind
  - Revisiting Code Injection #1. Classic DLL injection
- Didier Stevens at NVISO Labs
  - Video: Attack Surface Reduction (ASR) Bypass using VBA
- SANS Internet Storm Centre Handler Diaries
- Kaspersky Securelist
  - A look at the ATM/PoS malware landscape from 2017-2019
- Edmund Brumaghin with Amit Raut at Cisco Talos Group
  - Threat Spotlight: MedusaLocker
- Ben Wagner and Limor Kessem at IBM X-Force
  - New Android Banking Trojan Targets Spanish, Portuguese Speaking Users
- Albert Zsigovits at Sophos
  - LockBit ransomware borrows tricks to keep up with REvil and Maze
- Sucuri
- Fernando Mercês at Trend Micro
  - Grouping Linux IoT Malware Samples With Trend Micro ELF Hash
- Vitali Kremez
  - Let’s Learn: TrickBot “BazarBackdoor” Process Hollowing Injection Primer
- Sachin Matte and Mohd Sadique at Zscaler
  - New Distribution Mechanism for the NanoCore RAT

COVID and Coronavirus threat related news:
- COVID-19 CTI League
  - CTI League Inaugural Report (March 2020)
- FireEye Threat Research
  - Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage
- Flashpoint
  - COVID-19 Key Developments: April 14-17
- Forcepoint
  - Three-Month Trend Analysis: COVID and Coronavirus-Themed Web and Email Traffic
- Fortinet
  - Deconstructing an Evasive Formbook Campaign Leveraging COVID-19 Themes
- Intezer
  - Malicious APKs share code during Covid-19 pandemic
- James Kainth
  - Let’s Talk About: My Capstone (vs. COVID-19)
- Palo Alto Networks
  - Studying How Cybercriminals Prey on the COVID-19 Pandemic
- Radware
  - DDoS in the Time of COVID-19: Attacks and Raids
- SentinelLabs
  - IcedID Botnet | The Iceman Goes Phishing for US Tax Returns
- The PhishLabs Blog
  - COVID-19 Phishing Update: Bad Actors Use Stimulus Payment Delays to Capture Banking Credentials
- The Threat Blog | COVID-19 Cyber Threat Coalition
  - 2020-04-20 Weekly Threat Advisory
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR
- Amped
- Vitaliy Mokosiy at Atola
  - How we create Atola products
- BlackBag Technologies
- Brett Shavers
  - COVID-19’s Investigative Impacts on Digital Forensics/Incident Response (DFIR). AKA: All burners are now burned.
- Cellebrite
- Elan at DFIR Diva
  - DFIR Related Events for Beginners – April, 2020
- ENISA
  - Encrypted Traffic Analysis
- ETSI
  - ETSI releases standard for cyber digital evidence bag to confirm integrity of data in legal proceedings
- Haydn Johnson at Hackerrolls
  - Incident Handling Certification
- Magnet Forensics
- Matt Edmondson at ‘Digital Forensics Tips’
  - Nation State Quality OSINT on a Taco Bell Budget – Part 1
- Matt Danner at Monolith Forensics
  - 3 Tips to Get Started with X-Ways
- MSAB
  - Checkm8 exploit is now integrated in XRY 9.0.1
- Patrick J. Siewert at Pro Digital Forensic Consulting
  - Screen Shots Are Not Evidence
- ADF
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — April 19 to April 25
- SANS
- Slo Sleuth
  - Installing Autopsy on MacOS Catalina
- TrustedSec
- Xways
  - Viewer Component
SOFTWARE UPDATES
- Apache
  - 21 April 2020: Apache Tika Release
- BlackBag Technologies
  - BlackBag Announces Release of BlackLight 2020 R1
- Didier Stevens
  - Update: python-per-line.py Version 0.0.7
- ExifTool
  - ExifTool 11.96
- Foxton Forensics
  - Browser History Viewer — Version History
- GetData – Forensic Explorer
  - 21 Apr 2020 – 5.2.2.9472
- GetData – MountImagePro
  - 21 Apr 2020 – v7.1.2.1881
- Jack Farley
  - M.E.A.T. v1.0.3
- JPCERT/CC
  - LogonTracer v1.4 Released
- Mail Xaminer
  - Is Message-ID Helpful for Forensic Email Analysis?
- F-Response
  - F-Response v 8.0.1.54 Released
- MobilEdit
  - New MOBILedit 7.2 released!
- OSForensics
  - V7.1 build 1011 20th April 2020
- Regipy
  - 1.5.2
- Timesketch
  - 20200422
- Xways
  - X-Ways Forensics 20.0
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!