Links only again!
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’
  Normalizing iTunes Backups – Squeeze more data out of them, possibly…
- Amped
- Elcomsoft
- Oleg Skulkin at Group-IB
  Reconstructing User Activity for Forensics with FeatureUsage
- Inversecos
  Successful 4624 Anonymous Logons to Windows Server from External IPs?
- John Lukach at Cloud 4n6ir
  Cloud 4n6ir Fun #2 – Detecting direct API access to EBS Snapshot content
- Mike Williamson
  Analysis of the ABTraceTogether app (iOS)
- MSAB
- Joachim Metz at Open Source DFIR
  Parsing the $MFT NTFS metadata file
- Russ Taylor at Hats Off Security
  NoScript Plugin Forensic Investigation – Firefox/ToR Browser
- Sarah Edwards at Mac4n6
- Secjuice
  Windows Forensics: Artifacts (1)
- Alissa Torres
  Check out @sibertor’s tweet
- Xavier Mertens at /dev/random
  Web Conferencing Tools Used for Forensic Investigations
THREAT INTELLIGENCE/HUNTING
- Andrew Pease at HuntOps
  4/30/2020 – Tuning Suricata for Gh0st RAT
- Anomali
- Liviu Arsene at Bitdefender Labs
  Coronavirus-themed Threat Reports Haven’t Flattened The Curve
- Brad Duncan at Malware Traffic Analysis
  - 2020-04-27 – Quick post: Dridex malspam and infection
  - 2020-04-24 – Quick post: unusual HTTP traffic from Qakbot-infected host
  - 2020-04-28 – Quick post: Dridex malspam and infection
  - 2020-04-29 – Dridex from link-based malspam
  - 2020-04-30 – Password-protected zip files from German malspam push Dridex
  - 2020-05-01 – XLS macro –> Loader EXE –> IcedID (Bokbot)
- ClearSky Cyber Security
  ClearSky Q1 summary report
- Curtis Brazzell
  Exploiting the Exploiters
- DFIR and Threat Hunting
  Hunting for Beacons
- Didier Stevens
  NVISO Innovation Coin
- Dragos
  Dragos Presents: 2019 ICS Year in Review Posters
- Katie Bowen and Stu Reynolds at Fire Eye Threat Research
  Putting the Model to Work: Enabling Defenders With Vulnerability Intelligence — Intelligence for Vulnerability Management, Part Four
- G Suite
  New data exfiltration protections for G Suite data on iOS devices
- Feixiang He at Group-IB
  PerSwaysion Campaign
- Shubham Sharma at Hacking Articles
  Data Exfiltration using DNSSteal
- Microsoft Security
- Olaf Hartong at Falcon Force
  Sysmon 11 — DNS improvements and FileDelete events
- Red Alert
- Tony Lambert at Red Canary
  Lateral Movement with Secure Shell (SSH)
- Roberto Rodriguez
  Check out @Cyb3rWard0g’s tweet
- Saad Abdul Malik
  Setting up Security Onion & initial host logging using Sysmon/WinLogBeat with Logstash and Kibana
- Securelist
- SentinelOne
- Sophos
  “Asnarok” Trojan targets firewalls
- COVID-19 Cyber Threat Coalition
- Tranquil Security
  Challenges of Detecting RDP Anomalies in a SOC
- Trend Micro
  Trend Micro’s Top Ten MITRE Evaluation Considerations
UPCOMING WEBINARS/CONFERENCES
- Cqure Academy
  Webinar replay with LIVE CHAT – Expand Your Cybersecurity Skillset and Become Windows Forensics Master 2.0
- Magnet Forensics
  Magnet Virtual Summit Kicks Off May 4: Join Us All Month For The Free Event
- Nuix
  Live Webinar: Remote Collections Made Easy
- Hal Pomeranz
  Linux Forensics Magical Mystery Tour with Hal Pomeranz (1-Hour)
- Cellebrite
PRESENTATIONS/PODCASTS
- Kevin Ripa at 3MinMax
- Jason Jordaan, Lee Whitfield, Kathryn Hedley, and myself
  Securing Your Future in DFIR
- Black Hills Information Security
- BlackBag Technologies
  Ask the Expert: Analyzing Data From iCloud File Sharing
- Cellebrite
- Detections
  Episode 23: Analysis Polarity with Ed Dorsey
- Digital Forensic Survival Podcast
  DFSP # 219 – Forensic Grab Bag
- Magnet Forensics
  Jad Saliba Announces Magnet Virtual Summit Lineup
- Mattia Epifani at Zena Forensics
  BYOM – Build Your Own Methodology (in Mobile Forensics)
- Lee Reiber at Mobile Forensic Investigations
  Oxygen Forensics 108
- Nate Warfield
  What your hands! This is bot country
- Sumuri
  SUMURI Podcast Episode 007 – Triaging a Mac and RECON ITR
- This Month in 4n6
  This Month In 4n6 – April – 2020
MALWARE
- Alex Turing and Hui Wang at 360 Netlab
  The LeetHozer botnet
- Keith Chew at Active Countermeasures
  Malware Analysis as a Prey Animal
- Andreas Klopsch at ‘Malware and Stuff’
  An old enemy – Diving into QBot part 2
- Ohad Mana, Aviran Hazum, Bogdan Melnykov, and Liav Kuperman at Check Point Research
  Lucy’s Back: Ransomware Goes Mobile
- Asheer Malhotra at Cisco’s Talos
  Upgraded Aggah malspam campaign delivers multiple RATs
- Cybereason
  EventBot: A New Mobile Banking Trojan is Born
- Danus Minimus
- Fortinet
- Vladimir Unterfingher at Heimdal Security
  Oil Industry Targeted by Elaborate Spearphishing Attacks Amid Fuel Crisis
- Johannes Bader
  The DGA of Zloader
- Pavel Shoshin at Kaspersky Lab
  PhantomLance Android backdoor discovered on Google Play
- Microsoft Threat Protection Intelligence Team
  Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
- Lars at Nullteilerfrei
  Use Ghidra to decrypt strings of KpotStealer malware
- Jin Chen, Tao Yan, Taojie Wang and Zhanglin He at Palo Alto Networks
  Anatomy of Formjacking Attacks
- SANS Internet Storm Center
  - Video: Malformed .docm File, (Sun, Apr 26th)
  - Powershell Payload Stored in a PSCredential Object, (Mon, Apr 27th)
  - Agent Tesla delivered by the same phishing campaign for over a year, (Tue, Apr 28th)
  - Attack traffic on TCP port 9673, (Fri, May 1st)
  - Collecting IOCs from IMAP Folder, (Thu, Apr 30th)
  - Phishing PDF with Unusual Hostname, (Sat, May 2nd)
- Security Intelligence
- Shade decryptor
  - Bitdefender Labs
    Shade / Troldesh Ransomware decryption tool
  - Kaspersky Lab
    Decrypt all strains of Shade ransomware
  - Malwarebytes Labs
    Threat actors release Troldesh decryption keys
- Bitdefender Labs
- Symantec
- Trend Micro
  WebMonitor RAT Bundled with Zoom Installer
- WeLiveSecurity
- Luigi Martire, Antonio Pirozzi and Pierluigi Paganini at Yoroi
  Outlaw is Back, a New Crypto-Botnet Targets European Organizations
MISCELLANEOUS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’
  - Daily Blog #685: Sunday Funday 4/26/20
  - Daily Blog #686: Want to be on the Forensic Lunch?
  - Daily Blog #687: Forensic Lunch schedule for the next 4 weeks
  - Daily Blog #688: How to make AWS EBS Direct Block API Events appear in Cloudtrail
  - Daily Blog #689: Feature Usage from Oleg Skulkin
  - Daily Blog #690: Forensic Lunch 5/1/20 – Oleg Skulkin (FeatureUsage), Brian Marks (Office 365), Lee Whitfield (Forensic 4Cast Nominations)
  - Daily Blog #691: Solution Saturday 5/2/20
  - Daily Blog #692:
- Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 4/29/2020
- Anuj Soni at Malwology
  SANS FOR610 Reverse-Engineering Malware – Now, with Ghidra
- Autopsy
  Autopsy 4.15 Release Highlights
- Brett Shavers at DFIR.Training
  What’s New at DFIR Training
- Cellebrite
- DFA & CCSC
  DFA & CCSC Joint Spring 2020 CTF
- Digital Forensics Challenge
  DFChallenge
- DME Forensics
  Meet Rodrigo
- Elan at DFIR Diva
  DFIR Related Events for Beginners – May, 2020
- Jake Nicastro and David Pany at Fire Eye Threat Research
  Excelerating Analysis, Part 2 — X[LOOKUP] Gon’ Pivot To Ya
- Forensic Focus
  Forensic Focus Forum Round-Up
- Haydn Johnson at Hackerrolls
  Threat Defense Workshop
- Koen Van Impe
  Create and delete training alerts in TheHive
- Magnet Forensics
- Mail Xaminer
  DD File Forensics: Fetch the Evidence From Image File
- Nextron Systems
  THOR 8 and SPARK End-of-Support
- Oxygen Forensics
  Activity Matrix: we know how active you are
- Gina Cristiano at ADF
  Meet Jim Emerson NW3C IACP USMC Military Police Veteran Cybercrime
- Sumuri
  RECON ITR – Two macOS Imagers in One Solution
- The Leahy Center for Digital Forensics & Cybersecurity
- Craig Carpenter at X1
  Remote Collection: The Apple Pay of eDiscovery in a COVID-19 World
SOFTWARE UPDATES
- Acelab
  The new versions of PC-3000 Express/UDMA-E/Portable Ver. 6.7.12, Data Extractor Ver. 5.10.7, Data Extractor RAID Edition Ver. 5.10.7, PC-3000 SSD Ver. 2.8.2 are available!
- Basis Technology
  autopsy-4.15.0
- Brian Warehime
  Threatnote
- Brim
  v0.9.0-dev
- Cellebrite
  First time access to untapped evidence in Samsung Exynos devices
- Didier Stevens
- iOS Backup UnFunker
  iOS-UNF
- Elcomsoft
- Eric Zimmerman
  XWFIM
- ExifTool
  ExifTool 11.98
- JPCERT/CC
  SysmonSearch v2.0 Released
- mac_apt
  20200426
- OpenText
  Tableau Firmware Update Revision History for 20.2
- YARA
  v4.0.0
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!