Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, thanks to those who give a little back for their support!

Did you miss #ShareTheMicInCyber Friday the 26th on Twitter and LinkedIn?
In the DFIR community be sure to check out:

• O’Shea Bowens elevated by Phil Hagen;
  
• Tyrone E. Wilson spotlighted by Katie Nickels;
  
• Najla Lindsay amplified by Rachel Tobac;
  
• DFIR Diva celebrated by Wendy Nather;
  
• Chris Cochran killing it with his recent threat intel talk at the SANS CTI Summit paired up with Theresa Payton.

Why this campaign? As Camille Stewart Esq one of the co-leaders of the event shares at the Council on Foreign Relations site, Systemic Racism is a Cybersecurity Threat. Follow the hashtag to learn about more leaders in infosec you may not have heard of yet, shared by Craig Newmark, Tarah Wheeler, Selena Larson, and more. -LC

FORENSIC ANALYSIS

• Stephanie Thompson at Blackbag Technologies
  Apple Keychain Parsing in BlackLight

• Cellebrite
  • How to Use The New “Topic Detection” Capability of Cellebrite Pathfinder
  • A Technical Pocket Guide to Examining the Windows Registry

• Forensica8or
  Visualising Data with Pandas

• James Duffy
  KnowledgeC.db – The iOS Database that knows more about you than you.

• John Lukach at Cloud 4n6ir
  Cloud 4n6ir Fun #3 – Searching CIDRs for IPv4/6 Addresses

• Maxim Suhanov
  Extracting unallocated clusters from a shadow copy

• Open Source DFIR
  Libcloudforensics and Cloud Logs

• Sarah Edwards at Mac4n6
  Socially Distant but Still Interacting! New and Improved Updates to macOS/iOS CoreDuet interactionC.db APOLLO Modules

THREAT INTELLIGENCE/HUNTING

• The latest episode of Darknet Diaries from Jack Rhysider includes commentary from Julian Gutmanis, Naser Aldossary, Marina Krotofil, and Robert M. Lee on an ICS/OT threat actor
  Darknet Diaries EP 68: TRITON

• Jorge Orchilles at SCYTHE interviews Jamie Williams at MITRE on ATT&CK evaluations and Cozy Bear
  SCYTHE Presents: #ThreatThursday – Cozy Bear

• Graham Cluley shares a long post from Gavin Ashton about NotPetya as well as a podcast that Graham and Gavin recorded together.
  The inside story of the Maersk NotPetya ransomware attack, from someone who was there

• Mark Simos, John Dellinger, Kristina, Solomon Kiakona, David Fosth, and Shaw at Microsoft Security continue sharing information and lessons learned from DART
  Lessons learned from the Microsoft SOC—Part 3d: Zen and the art of threat hunting

• Alex Verboon at ‘Anything about IT’
  Defender ATP Advanced hunting with TI from URLhaus

• Amazon
  AWS Security Incident Response Guide

• New threat actor posts from Anomali:
  • Weekly Threat Briefing: APT Group, Cobalt, COVID-19, Ransomware and More
  • Unknown China-Based APT Targeting Myanmarese Entities

• Alex Holland at Bromium
  Investigating Threats in HP Sure Controller 4.2

• ClearSky Cyber Security
  CryptoCore Group

• Crypsis Group
  Arm Yourself: Key Findings from The Crypsis 2020 Incident Response and Data Breach Report

• Phishing and ransomware at the Darktrace Blog:
  • What Darktrace finds: QuickBooks impersonation phishing attack
  • What the EKANS ransomware attack reveals about the future of OT cyber-attacks

• Elastic shares different ways of looking at attacks:
  • Machine learning in cybersecurity: Training supervised models to detect DGA activity
  • Kubernetes observability tutorial: Log monitoring and analysis
  • A close look at the advanced techniques used in a Malaysian-focused APT campaign

• J. A. Guerrero-Saade
  ACIDBOX Clustering

• Alfie Champion at F-Secure presents a walkthrough of attack basics and how to detect them
  • Attack Detection Fundamentals: Initial Access – Lab #1
  • Attack Detection Fundamentals: Initial Access – Lab #2
  • Attack Detection Fundamentals: Initial Access – Lab #3
  • Attack Detection Fundamentals: Initial Access – Lab #4

• Huntress Labs had two threat detection posts:
  • Evolving the Hunt
  • Huntress Service: Ransomware Canaries

• Jack Crook at ‘DFIR and Threat Hunting’
  Dynamic Correlation, ML and Hunting

• More posts from Jorge Orchilles at Scythe:
  • SCYTHE Presents: SCYTHE & PlexTrac Present: Dealin’ With The Data
  • SCYTHE Presents: “Measuring Cyber Risk” webinar with Bryson Bort & Paul Rosenzweig.

• Lavine A. Oluoch
  Network Traffic Analysis of Zeus Malware.

• Reshmi Mangalore at the Microsoft Azure Blog
  Azure Container Registry: Securing container workflows

• Mike at “CyberSec & Ramen”
  Analysis of LODEINFO Maldoc

• Nik Alleyne at ‘Security Nik’
  Detecting HTTP Basic Authentication Brute Force Attacks via packets with TShark

• Olaf Hartong at Falcon Force
  Sysmon 11.1 Bug fixes, a schema update and a new field

• Matt Graeber, Erika Noerenberg, and David Kaplan at Red Canary
  Process Injection: a primer

• Robert Simmons at ReversingLabs Blog
  Five Uses of YARA

• Boris Larin at Securelist
  Magnitude exploit kit – evolution

• The Secureworks team
  Details on BRONZE VINEWOOD, Implicated in Targeting of the U.S. Election Campaign

• Kelly Ryver with Jennifer Szkatulski at Security Intelligence
  A Game of Chess: Entropy and Patterns in Threat Intelligence

• Jim Jaeger, Larry Wescott, and Rae Jewell from Arete guest blog at SentinelOne
  Ransomware – A Complex Attack Needs a Sophisticated Defense

• Thomas Barabosch at Telekom
  TA505 returns with a new bag of tricks

• The DFIR Report on Snatch Team
  Snatch Ransomware

• Rodel Mendrez at Trustwave SpiderLabs
  Pillowmint: FIN7’s Monkey Thief

UPCOMING WEBINARS/CONFERENCES

• Cellebrite
  • Simplify digital data collection in real-time with the Cellebrite Frontliner App
  • Navigating Digital Investigations in 2020 Using BlackLight and MacQuisition

• Griffeye
  Webinar: Victim ID workflows in Analyze DI

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  • Class 9 – DFIR Python Study Group
  • Class 10 – DFIR Python Study Group – Study Hall

• Forensic Lunch
  Forensic Lunch 6/26/20

• Jessica Hyde at Magnet Forensics
  Magnet Forensics Presents: Cache Up – Ep.4 – Alissa Torres

• Kevin Ripa at SANS
  • Episode 63: Using a Password Manager – Part 1
  • Episode 64: Using a Password Manager – Part 2
  • Episode 65: Understanding Computer Data
  • Episode 66: Bits
  • Episode 67: Bytes

• Black Hat
  Black Hat Fast Chat: Matt Suiche

• Black Hills Information Security
  • Webcast: Durable vs. Ephemeral Threat Intel
  • Durable vs. Ephemeral Threat Intel w/ John Strand (1-Hour)

• BlackBag Technologies
  Trust But Verify  Digital Artifact Edition

• Cellebrite
  • Ask the Expert: How to Use The New Topic Detection Capability in Pathfinder by Heather Mahalik
  • Finding results from the App Genie and Fuzzy Model Plug-In within Physical Analyzer.
  • Cellebrite Pathfinder – Leverage Location Data to Visualize the Journey of a Suspect or Victim
  • 6 Reasons Why You Need Cellebrite UFED Cloud – #2

• CySecK
  Webinar on “Introduction to MITRE ATT&CK framework” – Samgacchadhwam Series webinar 14

• Detections Podcast
  Season 2 Episode 7: Cost of Entry

• Digital Forensic Survival Podcast
  DFSP # 227 – New Service Triage

• John Hubbard at ‘The Blueprint podcast’
  Creativity and Choices: Talking About Thinking

• Lee Reiber at Mobile Forensic Investigations
  Oxygen Forensics Episode 116

• Magnet Forensics
  Explore the Magnet Virtual Instructor-Led Classroom

• Mathias Fuchs at CyberFox
  Aurora Incident Response Walkthrough

• Neil Fox
  #1 Building a Malware Lab

• Nuix
  Building a Contact Tracing App on Nuix Software

• SANS recordings from DFIR and CTI Summits
  • Hack the Reader: Writing Effective Threat Reports with Lenny Zeltser – SANS CTI Summit
  • Achieving Effective Attribution: Case Study on ICS Threats w/ Robert M Lee – Keynote SANS CTI Summit
  • Understanding & Managing Collection to Support Threat Intelligence Analysis – SANS CTI Summit
  • Forensic Investigation of Emails Altered on the Server | SANS DFIR Summit 2019
  • Finding Badness: Using Moloch for DFIR | SANS DFIR Summit 2019
  • Cloud Storage Forensics  Endpoint Evidence

• SANS Institute
  • Catch and Release: Phishing Techniques for the Good Guys | SANS@MIC Talk
  • Maldocs: A Bit of Blue, A Bit of Red | SANS@MIC Talk
  • The Only Constant is Change: Tracking Adversary Trends | STAR Webcast
  • Cyber Security Career Development: Personal Branding
  • Hacking the SRUM and other Devious New Ways to Interrogate Windows | SANS@MIC Talk
  • Untapped Potential – SANS Blue Team Summit 2020
  • Threat Hunting via DNS | SANS@MIC Talk

• The Incident Response Podcast
  Fireless Malware, we think not – Ep 014

• The Many Hats Club
  Ep. 68, A View From a Blue Mountain (with Rey Bango)

• Tribe of Hackers Podcast
  Cheryl Biswas

MALWARE

• Andrew Brandt introduces a 47(!) page report from Sophos News on malware making use of EternalBlue
  Glupteba malware hides in plain sight

• Kate at 360 Total Security Blog
  Tor2Mine Revived Monero mining activity，360 Security Center has achieved comprehensive killing

• Keith Chew at Active Countermeasures
  Malware of the Day – Zeus

• Jakub Vávra at Avast Threat Labs
  HiddenAds up to no good again and spreading via Android gaming apps

• Brad Duncan at Malware Traffic Analysis
  • 2020-06-25 – Resume-themed malspam pushing ZLoader
  • 2020-06-24 – Quick Post: Valak (Soft_sig: Mad35) Infection With Icedid (Bokbot)
  • 2020-06-25 – Still seeing Trickbot from BLM malspam dated 2020-06-23
  • 2020-06-22 – Quick post: Dridex infection
  • 2020-06-26 – Valak (soft_sig: mad36) infection with IcedID (Bokbot)

• Liron Yosefian and Ori Hamama at Check Point Research
  DarkCrewBot – The Return of the Bot Shop Crew

• Asheer Malhotra at Cisco Talos
  IndigoDrop spreads via military-themed lures to deliver Cobalt Strike

• Umesh Wanve at CrowdStrike
  GuLoader: Peering Into a Shellcode-based Downloader

• Mike at Cyber And Ramen
  Analysis of LODEINFO Maldoc

• Reid Wightman at Dragos
  Vulnerability identified in PACTware Instrument Management Software

• Nikolaos Pantazopoulos, Stefano Antenucci, and Michael Sandee at Fox-IT
  WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

• Phillip Kemkes and Stefan Hausotte at G Data Security
  Introducing the TypeRefHash (TRH)

• Intezer on malware + vulns
  Detect Malware Associated with the Most Exploited CVEs

• Pavel Shoshin at Kaspersky Lab
  Google Analytics as a data exfiltration channel

• Jérôme Segura at Malwarebytes Labs
  Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files

• Marco Ramilli
  Is upatre downloader coming back ?

• Arnold Osipov at Morphisec
  Obfuscated VBScript Drops Zloader, Ursnif, Qakbot, Dridex

• There were a few posts on the Palo Alto Networks blog this week
  • Attackers Cryptojacking Docker Images to Mine for Monero
  • Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
  • Threat Assessment: EKANS Ransomware

• Sherrod Degrippo at Proofpoint
  Hakbit Ransomware Campaign Against Germany, Austria, Switzerland

• Ben Zilbermanat Radware
  Malicious Bots Have Realized Your APIs Are the Weak Link

• Karlo Zanki at ReversingLabs Blog
  Hidden Cobra – from a shed skin to the viper’s nest

• There were a number of posts on the SANS Internet Storm Centre Handler Diaries
  • ISC Handler Series: SANS@MIC – Maldocs: a bit of blue, a bit of red, (Sun, Jun 21st)
  • Comparing Office Documents with WinMerge, (Mon, Jun 22nd)
  • Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider, (Mon, Jun 22nd)
  • Using Shell Links as zero-touch downloaders and to initiate network connections, (Wed, Jun 24th)
  • Tech Tuesday Recap / Recordings: Part 2 (Installing the Honeypot) release., (Thu, Jun 25th)
  • Share the Mic in Cyber, (Fri, Jun 26th)

• Alexander Eremin at Securelist
  Oh, what a boot-iful mornin’

• Joshua Platt and Jason Reaves at SentinelLabs
  Inside a TrickBot Cobalt Strike Attack Server

• Symantec
  WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations

• Tilden Swans on Android malware
  APK Quickie: MediaPlayer.apk

• Augusto Remillano II with Patrick Noel Collado and Karen Ivy Titiwa at TrendMicro
  XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers 

• Brian Hussey at Trustwave SpiderLabs
  The Golden Tax Department and the Emergence of GoldenSpy Malware

• Dave Greten at VMRay
  Indicators of Compromise (IOCs) and Artifacts: What’s the Difference?

• Mark at Sneakymonkey
  Excel 4.0 Macros – So hot right now…🔥🔥🔥

• 0VERFL0WZ2A at Zero2Automated Blog
  Unpacking Visual Basic Packers – IcedID

• Tran Trung Kien with Ricardo Narvaja at 0day in {REA_TEAM} [in Vietnamese]
  REVERSING WITH IDA FROM SCRATCH (P30)

• ZScaler
  Taurus: The New Stealer in Town

• This week in remote workforce related threats:
  • Dragos
    ICS/OT Incident Response in Times of Lockdown
  • Security Intelligence
    Visibility and Threat Detection in a Remote Working World
  • WeLiveSecurity
    New ransomware posing as COVID‑19 tracing app targets Canada; ESET offers decryptor

MISCELLANEOUS

• Speaking of inclusivity in infosec, words matter! Check out this post from Cisco Talos
  Cisco Talos replacing all mentions of ‘blacklist,’ ‘whitelist’

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 6/24/2020

• AWS Security Blog
  What is a cyber range and how do you build one on AWS?

• Brian Maloney
  KAPE at Scale

• Chris Sanders
  Toward Applied Andragogy in Cyber Security Education

• Alex Kirk at Corelight
  Zeek & Sigma: Fully Compatible for Cross-SIEM Detections

• Didier Stevens
  VBA Purging

• Tyler Schlecht at DME Forensics Inc.
  DVR Examiner 3.0 Feature Friday – Start Page

• Forensic Focus
  • Telegram Messenger Data Extraction In Oxygen Forensic Detective
  • DFRWS Virtual Europe 2020 — Recap

• Haydn Johnson at Hackerrolls
  Tcpdump Notes

• Howard Oakley at ‘The Eclectic Light Company’
  Controlling what’s written to the unified log

• Trey Amick at Magnet Forensics
  Yep, Magnet AXIOM Cyber Supports Slack!

• Oxygen Forensics
  Selective Extractions: Popular App Data Extraction on iOS

• Amber Schroader at Paraben Corporation
  Setting Up a Digital Forensic Lab Part 1

• Passware
  Tips on Efficient TrueCrypt/VeraCrypt Decryption

• Santosh Khadsare’s Blog
  • Cyber Lawyers in India
  • DIGITAL FORENSICS PROFESSIONALS IN INDIA – I

• Secureworks
  Your IR Contact List May Not Be Complete

• TrustedSec
  Using Effectiveness Assessments to Identify Quick Wins

• VMware Carbon Black
  Popular Techniques Used by Cybercriminals Amid COVID-19

• VTO
  Back by Popular Demand – Our Drone Forensics page is back online

SOFTWARE UPDATES

• Amped
  Amped FIVE Update 17338: Introducing Three New Filters! Annotate, Picture in Picture and Convert Frame Rate, Plus New H.264 Quality and More

• Brim
  v0.12.0

• Cloudy Forensics
  Introducing Cado Cloud Collector — A free tool to forensically image AWS EC2 Instances

• Duo
  Duo Log Sync: Sending Your Duo Logs to Your SIEM

• Eric Zimmerman
  ChangeLog

• ExifTool
  ExifTool 12.01

• GetData
  22 June 2020 – 5.2.2.9662

• Griffeye
  Release of Analyze 20.2

• Yogesh Khatri
  20200625

• Mathias Fuchs
  Aurora Incident Response

• Metaspike
  Forensic Email Collector v3.50 Release Notes

• MISP
  MISP 2.4.128 released (STIX import/export refactored release edition)

• SalvationData
  [Software Update] DVR Forensics: VIP 2.0 V20.0.1.1113 New Version Released for Better User Experience!

• IsoBuster
  IsoBuster 4.6 released

• YARA
  YARA v4.0.2
  

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!