Links only again.
Congrats to all the DFIR students graduating this week, including the students who presented last week at MVS2020!
Also a huge congrats to Lodrina for becoming a SANS Certified instructor 🙂
Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Chris and James at Cado Security
  - Forensic Data Collection in a COVID time – Tool Preview and Considerations
- Heather Mahalik at Cellebrite
  - Data Quality and Quantity – How to Get the Best of Both Worlds, Part 3 – Results Should Not Confuse You
- Deriving Cyber Threat Intelligence and Threat Hunting
  - Cynet Incident Response Challenge 2020 WriteUp
- Jose Llopis at Security Art Work
  - SigmaShooter (III): Desplegando SigmaShooter (Deploying SigmaShooter)
- Joshua Hickman at ‘The Binary Hick’
  - Walking the Android (time)line Part 2 – Using Android’s Device Personalization Services to timeline user activity
- Peter Stewart
  - TufMups Network Forensics Challenge Write-up
- JBrown
  - Extracting Windows Prefetch Files
THREAT INTELLIGENCE/HUNTING
- Welcome to blogging with your first threat hunting blog post, Sevickson!
  - Untangling the Osquery❓ tables web using Jupyter Notebooks
- Kate at 360 Total Security
  - Vendetta-new threat actor from Europe
- 3CORESec on Sigma2AttackNet
  - Contributions to Sigma: CloudTrail/ECS mappings, overrides and S2AN
- Adam at Hexacorn
- Jeff LaCroix at AlienVault
  - Stories from the SOC – Office365 Credential Abuse
- Anomali Threat Research Team
  - Weekly Threat Briefing: APT Group, Linux Malware, Ransomware and More
- Atomic Threat Coverage
  - Check out @atc_project’s tweet
- Luigino Camastra at Avast Threat Labs
  - APT Group Planted Backdoors Targeting High Profile Networks in Central Asia
- Troy Kent at Awake
  - Encrypted Traffic Analysis: Encrypted DNS – Privacy, Security and the SOC (Part 1)
- Ben Bornholm at HoldMyBeer
  - My logging pipeline: Splunk, Logstash, and Kafka
- Oleg Skulkin at Group-IB
  - ATT&CKing ProLock Ransomware
- Eyal Itkin at Check Point Research
  - Reverse RDP – The Path Not Taken
- Sylvain Heiniger at Compass Security Blog
  - Relaying NTLM authentication over RPC
- Anthony Kasza at Corelight
  - Analyzing Encrypted RDP Connections
- Allie Mellen at Cybereason
  - What is the MITRE ATT&CK Framework?
- d4v3c0d3r on testing detection of deleted files in Sysmon v11
  - Probando la detección de archivos eliminados en Sysmon v11 (Testing the detection of deleted files in Sysmon v11)
- EGI CSIRT
  - Academic data centers abused for crypto currency mining
- Alex Marquardt at Elastic
  - How to enrich logs and metrics using an Elasticsearch ingest node
- Daniel Pany at FireEye
  - Using Real-Time Events in Investigations
- Raj Chandel at Hacking Articles
- Shusei Tomonaga at JPCERT/CC
  - 3 Recommended International Cyber Security Conferences
- Dex at lab52
  - The energy reserves in the Eastern Mediterranean Sea and a malicious campaign of APT10 against Turkey
- Daan Raman at NVISO Labs
  - Sigma engine adds support for ee-outliers backend: start tagging your Sigma hits in Elasticsearch!
- Riccardo Ancarani at ‘Red Team Adventures’
  - Hunting for Impacket
- Gal Kristal at SentinelLabs
  - The Anatomy of an APT Attack and CobaltStrike Beacon’s Encoded Configuration
- SOC Prime
  - Sigma rules repository mirror and translations
- n0pe_sled at SpecterOps
  - Building a FreeIPA Lab
- Luke Leal at Sucuri
  - WordPress Malware Collects Sensitive WooCommerce Data
- Josh Rickard at Swimlane
  - Making MITRE ATT&CK Actionable
- Oddvar Moe at TrustedSec
  - Breaking Typical Windows Hardening Implementations
UPCOMING WEBINARS/CONFERENCES
- Cellebrite
  - Digital Evidence Review 101 – A Cellebrite Analytics Series: Part Two – Individual Target Review in an Investigation; Start to find the evidence in your investigation
  - Digital Evidence Review 101 – A Cellebrite Analytics Series: Part Three – Investigation review – Look at the big picture – and it’s usually big. You don’t arrest on one piece of evidence normally – review the whole investigation
  - Digital Evidence Review 101 – A Cellebrite Analytics Series: Part One – Starting the investigation: Make sure you know what you don’t know
  - We’re Open! Now What? Practical Considerations For Digital Evidence Post-Pandemic
  - Getting Started with Premium: A Beginner’s guide to working with UFED Premium
- Alisha Cales at Paraben Corporation
  - PFIC 2020 Now Virtual Sept 22-23 2020
- SANS
- Techno security and digital forensics conference
  - Techno Security Registration
PRESENTATIONS/PODCASTS
- Alexis Brignoni
- Forensic Lunch
  - Forensic Lunch 5/15/20 – The Magnet Virtual Summit 2020 Episode
- Kevin Ripa at SANS
- Arvinder Garcha and Tim Thorne at Blackbag Technologies
  - Navigating Digital Investigations in 2020
- Cellebrite
  - Ask the Expert: How to Use The New App Genie in Physical Analyzer by Heather Mahalik
- Detections Podcast
  - Season 2 Episode 2: Let’s Nix This
- Digital Forensic Survival Podcast
  - DFSP # 221 – Mobile Device Security
- FIRST
  - FIRST Cyber Threat Intelligence Webinar Series
- Hasherezade
  - ParamKit library
- HelSec Virtual meetup
  - 0x2 iPhone BFU Acquisition and Analysis – Timo Miettinen – HelSec Virtual meetup #1
- Lee Reiber at Mobile Forensic Investigations
  - Oxygen Forensics Episode 110
- Magnet Forensics
  - From the Training Team: Magnet AXIOM Internet and Cloud Investigations (AX320)
- MSAB
  - How to Use the Gallery View in XAMN
- Paraben Corporation
  - E3 Forensic Platform Installation and Licensing
MALWARE
- Ignacio Sanmillan at WeLiveSecurity looks at air-gapped machine attacks
  - Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks
- Marius Tivadar, Rickey Gevers, Rareș Bleotu, Alin Mihai Barbatei, Bíró Balázs and Claudiu Cobliș at Bitdefender Labs
  - Mandrake – owning Android devices since 2016
- Brad Duncan at Malware Traffic Analysis
  - 2020-05-11 – Dridex infection from link-based malspam
  - 2020-05-15 – Quick post: 105 examples of German malspam pushing Qakbot (Qbot) spx120
  - 2020-05-14 – Quick post: Qakbot (Qbot) spx119 malspam and infection
  - 2020-05-14 – Quick post: FedEx-themed Dridex malspam and infection
  - 2020-05-12 – Pcap and malware for an ISC diary (Dridex)
- CISA
- Nick Biasini, Edmund Brumaghin, and Nick Lister at Cisco Talos
  - Threat Spotlight: Astaroth – Maze of Obfuscation and Evasion Reveals Dark Stealer
- Jamie at Click All the Things!
  - zloader and XLM 4.0: Making Evasion Great Again
- Thomas Dube at CrowdStrike
  - Oh No! My Data Science Is Getting Rust-y
- Jacob Thompson at FireEye
  - Analyzing Dark Crystal RAT, a C# backdoor
- Derek Manky, Aamir Lakhani, and Douglas Santos at Fortinet
  - Ransomware: Here Today, Here Tomorrow
- Karsten Hahn at G Data Security
  - Netwire RAT via paste.ee and MS Excel to German users
- Andrey Chigrin at Kaspersky
  - Ransomware: Collateral damage
- Subrat Sarkar, Jason Zhang, and Stefano Ortolani at Lastline
  - InfoStealers Weaponizing COVID-19
- Christopher Boyd at Malwarebytes Labs
  - Sodinokibi drops greatest hits collection, and crime is the secret ingredient
- Ryan Campbell at ‘Security Soup’
  - Analysis of a Dridex Downloader with Locked Excel Macros
- SANS Internet Storm Centre Handler Diaries
  - YARA v4.0.0: BASE64 Strings, (Sun, May 10th)
  - Excel 4 Macro Analysis: XLMMacroDeobfuscator, (Mon, May 11th)
  - Malspam with links to zip archives pushes Dridex malware, (Wed, May 13th)
  - SHA3 Hashes (on Windows) – Where Art Thou?, (Fri, May 15th)
  - Hashes in PowerShell, (Fri, May 15th)
  - Base Conversions and Creating GUI Apps in PowerShell, (Thu, May 14th)
  - Scanning for Outlook Web Access (OWA) & Microsoft Exchange Control Panel (ECP), (Sat, May 16th)
- Jason Reaves at SentinelLabs
  - Deep Dive Into TrickBot Executor Module “mexec”: Reversing the Dropper Variant
- Sophos
- Gabrielle Joyce Mabutas with Kazuki Fujisawa at Trend Micro
  - New MacOS Dacls RAT Backdoor Show Lazarus’ Multi-Platform Attack Capability
- VMRay
- Tom Kellermann at VMware Carbon Black
  - ‘Modern Bank Heists’ Threat Report Finds Dramatic Increase in Cyberattacks Against Financial Institutions Amid COVID-19
- Peter Kálnai at WeLiveSecurity
  - Mikroceen: Spying backdoor leveraged in high‑profile networks in Central Asia
- Yet Another Security Blog
  - Evading Detection with Excel 4.0 Macros and the BIFF8 XLS Format
- ZScaler
- News about remote workforce threats continues
  - Check Point Software
    - Coronavirus cyber-attacks update: beware of the phish
  - Microsoft Security
    - Open-sourcing new COVID-19 threat intelligence
  - Palo Alto Networks
    - COVID-19 Themed Malware Within Cloud Environments
  - Tenable Blog
    - Scams Exploit COVID-19 Giveaways Via Venmo, PayPal and Cash App
- Check Point Software
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR
  - AboutDFIR Content Update 5/14/2020
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’
- Jessica Hyde at Magnet Forensics
  - How To Use the Magnet Custom Artifact Generator
- Binalyze
- Adrian at AGood
- Belkasoft
  - Decrypting iOS Signal App Data with Belkasoft Evidence Center
- Yohai West at Cellebrite
  - How to Simplify Digital Evidence Collection with Cellebrite Frontline
- Craig Ball at ‘Ball in your Court’
  - Don’t Bet the Farm on Slack Space
- Elcomsoft
- Forensic Focus
  - Forensic Focus Offline This Weekend For Site Update
- Christa Miller at Forensic Horizons
- Matt Edmondson at ‘Digital Forensics Tips’
  - Nation State Quality OSINT on a Taco Bell Budget – Part 2
- Mission Darkness
  - Do Faraday Bags Block 5G?
- Oxygen Forensics
  - Combating Global Corruption with Digital Forensics: Organized Crime
- Patrick J. Siewert at Pro Digital Forensic Consulting
  - So You Want To Start A Digital Forensic Business
- Tasha Carl
  - MacOS – RAW to/from EWF Image Conversion
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — May 10 to May 16
- SANS
  - DISC – SANS ICS Virtual Conference Highlights
- VeteranSec
  - SANS Cyber Fast Track 2020 – Part 1
- Michael Hale Ligh at Volatility Labs
  - The 8th Annual Volatility Plugin Contest!
- ZScaler
  - How an Outage Prepared CAPTRUST for a Pandemic
SOFTWARE UPDATES
- Binalyze
  - Version 2.0.2
- AceLab
  - The PC-3000 Flash Software Update 7.4.11 is now available!
- Didier Stevens
  - Update: XORSelection.1sc Version 5.0
- Digital Detective
  - Dcode
- Elcomsoft
  - iOS Forensic Toolkit 5.50: iPhone extraction simplified
- Eric Zimmerman updated Registry Explorer
  - ChangeLog
- ExifTool
  - ExifTool 11.99
- Magnet Forensics
  - New Free Tool Available: MAGNET Custom Artifact Generator, Plus Exciting Updates to MAGNET Web Page Saver and MAGNET Encrypted Disk Detector!
- Mail Xaminer
- Sandfly Security
  - Sandfly 2.6.0 – Elasticsearch Replication, Linux Docker Container Security Scanning, Hidden Process De-Cloaking and More
- Xways
  - X-Ways Forensics 20.0 Beta 1c
- YARA
  - YARA v4.0.1
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!