Less than a week to go until the (Virtual) DFIR Summit! Our very own Lodrina is even keynoting on day 2!

Also not long till the Forensic 4Cast awards so get your votes in quick!

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Arman Gungor at Metaspike
  Gmail History Records in Forensic Email Investigations

• Cellebrite
  Preserving Data for Departing Employees

• Elcomsoft
  • Significant Locations, iOS 14 and iCloud
  • The iPhone Data Recovery Myth: What You Can and Cannot Recover
  • Extracting Passwords from Tencent QQ Browser
  • Extracting and Using Stored Passwords from Web Browsers

• Shubham Sharma at Hacking Articles
  • Forensic Investiagtion: Extract Volatile Data (Manually)
  • Forensic Investigation: Examining Corrupted File Extension

• Jason Wilkins at ‘Noob to Pro Forensics’
  • DFIR Weblogs
  • A Great Place to Start!
  • The Bookshelf
  • Beginners Training in DFIR

• Magnet Forensics
  Pontificating on the Perplexing Preferences Proliferated by Safari

• Peter Stewart
  DFA/CCSC Spring 2020 CTF – Wireshark – smb.pcapng Write-up

• SANS
  DFIR Advanced Smartphone Forensics Ineractive Poster

THREAT INTELLIGENCE/HUNTING

• CVE-2020-5902
  • Joe Needleman, Andrew Nelson, Tony Lee, Mark Stevens at Blackberry
    Inside the F5 Big-IP TMUI RCE Vulnerability (CVE-2020-5902)
  • Cisco’s Talos
    New Snort rule addresses critical vulnerability in F5 BIG-IP
  • Research and Intelligence Fusion Team at NCC Group
    RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
  • SANS Internet Storm Center
    F5 BigIP vulnerability exploitation followed by a backdoor implant attempt, (Tue, Jul 7th)
  • SANS Internet Storm Center
    CVE-2020-5902 F5 BIG-IP Exploitation Attempt, (Sun, Jul 5th)
  • SANS Internet Storm Center
    CVE-2020-5902: F5 BIG-IP RCE Vulnerability, (Mon, Jul 6th)
  • SANS Internet Storm Center
    Summary of CVE-2020-5902 F5 BIG-IP RCE Vulnerability Exploits, (Mon, Jul 6th)
  • Joe at Stranded on Pylos
    CVE-2020-5902 In Perspective
  • Satnam Narang at Tenable
    CVE-2020-5902: Critical Vulnerability in F5 BIG-IP Traffic Management User Interface (TMUI) Actively Exploited

• WeLiveSecurity
  Attackers target critical flaw in popular networking gear

• Keith Chew at Active Countermeasures
  Malware of the Day – Fiesta

• Advanced Intelligence
  • TrickBot Group Launches Test Module Alerting on Fraud Activity
  • The Dark Web of Intrigue: How REvil Used the Underground Ecosystem to Form an Extortion Cartel

• Alex Verboon at ‘Anything about IT’
  Generating Advanced hunting queries with PowerShell

• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  Using .lnk files as zero-touch downloaders

• Edwardo Rodriguez at AT&T Cybersecurity
  Stories from the SOC – Credential Dumping

• Azure Sentinel
  • Making Azure Sentinel work for you
  • Azure Sentinel Side-by-Side with QRadar
  • Handling sliding windows in Azure Sentinel rules

• B4rtik
  Antimalware Scan Interface Provider for Persistence

• Brad Duncan at Malware Traffic Analysis
  • 2020-07-09 – Pcap and malware for ISC diary (Formbook)
  • 2020-07-09 – Quick post: Ursnif (Gozi/IFSB) from Italian Word docs
  • 2020-07-10 – Trickbot gtag chil65 infection
  • 2020-07-07 – Quick post: Ursnif (Gozi/IFSB) with IcedID from English Word docs

• Chris Long
  Working Through Splunk’s Boss Of The SOC – Part 4

• Ashley Atkins at Cofense
  New Covid-19 Phish Abuses Tax Relief Act to Steal Credentials

• Richard Bejtlich at Corelight
  Network Security Monitoring data: Types I, II, and III

• CronUp
  Threat Alert: Grupo Ta505 Restarts Attacks In Latin America.

• Oleg Skulkin at Cyber Forensicator
  Threat Hunting: What it Is, and What it Is Not

• CyCraft Technology Corp
  CyCraft Classroom: MITRE ATT&CK vs. Cyber Kill Chain vs. Diamond Model

• Max Heinemeyer at Darktrace
  Speed of weaponization: From vulnerability disclosure to crypto-mining campaign in a week

• Jack Crook at ‘DFIR and Threat Hunting’
  Insider Threat Hunting

• Jon Hencinski, Tyler Fornes and David Blanton at Expel
  6 things to do before you bring in a red team

• F-secure
  • Attack Detection Fundamentals: Discovery and Lateral Movement – Lab #1
  • Attack Detection Fundamentals: Discovery and Lateral Movement – Lab #2
  • Attack Detection Fundamentals: Discovery and Lateral Movement – Lab #3
  • Attack Detection Fundamentals: Discovery and Lateral Movement – Lab #4
  • Attack Detection Fundamentals: Discovery and Lateral Movement – Lab #5

• Matthew Echols at Huntress Labs
  ThreatOp$ = Humans * Automation;

• Jorge Orchilles at Scythe
  SCYTHE Presents: #ThreatThursday – Managing Threats

• Marco Ramilli
  Cyber Threats Trends 6 Months Of Findings

• Mike Walker at Microsoft
  Toward trusted sensing for the cloud: Introducing Project Freta

• Adam Pennington at MITRE ATT&CK
  “ATT&CK with Sub-Techniques” is Now Just ATT&CK

• MWLab
  Cobalt Strike stagers used by FIN6

• Neil Fox
  Impacket usage & detection

• Nik Alleyne at ‘Security Nik’
  • Continuing SQL Injection with SQLMap – Detection via Packet Analysis
  • Continuing SQL Injection with SQLMap – Detection via logs
  • Continuing SQL Injection with SQLMap – Exploitation

• Alex Teixeira at Opstune
  Splunking BOTS V3: Q212, Q214, Q300

• Palantir
  Restricting SMB-based lateral movement in a Windows environment

• Chip Epps at ReversingLabs
  Advancing YARA through Community – REVERSING 2020 Showed Us How

• Sandfly Security
  Detecting Linux memfd_create() Fileless Malware with Command Line Forensics

• SentinelOne
  How Do Attackers Use LOLBins In Fileless Attacks?

• Jared Atkinson, Luke Paine, and Jonathan Johnson at SpecterOps
  Utilizing RPC Telemetry

• Luke Leal at Sucuri
  Pirated WordPress Plugins Bundled with Backdoors

• ThaiCERT
  Threat Group Cards: A Threat Actor Encyclopedia

• Peter Evans and Rodel Mendrez at Trustwave SpiderLabs
  Injecting Magecart into Magento Global Config

UPCOMING WEBINARS/CONFERENCES

• Cellebrite
  • Cellebrite Commander – Safe Transition of Extraction Capabilities to the Field to Reduce Lab Backlogs
  • Corporate data theft case study: End to end digital investigative review
  • Join Us Virtually at the 2020 Cyber Crime Conference

• COVID-19 CTI League
  Hackathon Is Official: First CTI-League Event July 15th to 18th

• Bret Peters at ADF
  2020 Digital Forensic Conferences (Updated with COVID-19 Information)

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  • Class 13 – DFIR Python Study Group
  • Class 14 – DFIR Python Study Group

• Jessica Hyde at Magnet Forensics
  Magnet Forensics Presents: Cache Up Ep.6 – Heather Smith

• Kevin Ripa at SANS
  • Episode 71: How do I convert hexadecimal to decimal?
  • Episode 72: This episode will define Endian, and what it means to computer data.
  • Episode 73: What is the ASCII Table?
  • Episode 74: How to Get Started in Digital Forensics
  • Episode 75: What is the Windows Registry?

• Black Hills Information Security – YouTube
  What about Ransomware w John Strand 1 Hour BHIS HEVC 4k

• Carved from Unallocated
  Episode 3: 10 Common Examiner Mistakes

• Heather Mahalik at Cellebrite
  How to leverage Cloud capabilities inside of Cellebrite Physical Analyzer.

• Colin Hardy
  Coding Expectations for Malware & Pentesting

• CySecK
  Webinar | Malware trends and analysis| Samgacchadhwam Series webinar 16| McAfee

• Detections Podcast
  Season 2 Episode 9: The One with No Topic

• Joshua James at DFIR.Science
  Tsurugi Linux – Device Unlocker Code Review

• Digital Forensic Survival Podcast
  DFSP # 229 – Mobile Attacks Part 2

• John Hubbard at ‘The Blueprint podcast’
  Understanding and Applying Threat Intelligence

• Lee Reiber at Mobile Forensic Investigations
  Oxygen Forensics Episode 117

• Christopher Vance at Magnet Forensics
  From the Training Team: Magnet AXIOM macOS Examinations (AX350)

• Neil Fox
  #2 How To Analyse a Malicious Word Document

• Radware
  Radware Threat Researchers Live: Recent Network Threats

• Rasta Mouse
  • SharpC2 – Episode 10 [Client]
  • SharpC2 – Episode 11 [Agent DataGrid]
  • SharpC2 – Episode 12 [TabControl]

• Richard Davis at 13Cubed
  Linux Memory Forensics – Memory Capture and Analysis

• SANS Institute
  • Checkm8, Checkra1n and the new “golden age” for iOS Forensics | SANS@MIC Talk
  • Welcome to SANS Community CTF – Services Challenges
  • The 14 Absolute Truths of Security | SANS@MIC Talk

• Scott Nusbaum at TrustedSec
  Become The Malware Analyst Series: Malicious Code Extraction and Deobfuscation

• WoSEC Barcelona (Spanish)
  WoSEC Barcelona & Madrid Virtual Meetup

MALWARE

• 360 Netlab
  • The Gafgyt variant vbot seen in its 31 campaigns
  • The new Bigviktor Botnet is Targeting DrayTek Vigor Router
  • An Update for a Very Active DDos Botnet: Moobot

• 360 Total Security
  • FileCry file encryption ransomware analysis
  • YourFilesEncrypted ransomware decryption

• Janos Gergo Szeles and Bogdan Botezatu at Bitdefender Labs
  Kingminer Botnet Keeps up with the Times

• Certego
  Advanced VBA macros: bypassing olevba static analyses with 0 hits

• Check Point
  • New Joker variant hits Google Play with an old trick
  • June‘s Most Wanted Malware: Notorious Phorpiex Botnet Rises Again, Doubling Its Global Impact On Organizations

• CISA
  • AR20-133G: MAR-10285677-2.v1
  • AR20-133H: MAR-10285677-3.v1
  • AR20-133I: MIFR-00435108-1.v2
  • AR20-133J: MIFR-10027371-1.v2
  • AR20-133K: MIFR-10050855-1.v2
  • AR20-133L: MIFR-10056799-1.v2
  • AR20-133M: MIFR-10077745-1.v2
  • AR20-133N: MIFR-10079682-1.v2
  • AR20-133O: MIFR-10079683-1.v2
  • AR20-133P: MIFR-10121050-1.v2

• Cisco’s Talos
  • WastedLocker Goes “Big-Game Hunting” in 2020
  • Threat Roundup for July 3 to July 10

• Ryan Campbell and Devin Cargill at CrowdStrike
  Automating Remote Remediation of TrickBot via Falcon’s Real Time Response API: Part 2

• Forrest Orr at Cyberark
  Masking Malicious Memory Artifacts – Part I: Phantom DLL Hollowing

• Allie Mellen at Cybereason
  What Modern Ransomware Looks Like

• DarunGrim
  Advanced Windows Malware Analysis – Acquiring Memory Artifacts

• Didier Stevens
  • Tampering With Digitally Signed VBA Projects
  • Quickpost: curl

• Matthew Haigh and Trevor Haskell at Fire Eye Threat Research
  Configuring a Windows Domain to Dynamically Analyze an Obfuscated Lateral Movement Tool

• Xiaopeng Zhang at Fortinet
  Deep Analysis of a QBot Campaign – Part II

• Greg Linares
  • Malicious Shapes In Office — Part 1
  • Malicious Shapes In Office — Part 2

• Intel 471
  Iran’s domestic espionage: Lessons from recent data leaks

• Johannes Bader
  The Domain Generation Algorithm of BazarBackdoor

• Malwarebytes Labs
  • Credit card skimmer targets ASP.NET sites
  • We found yet another phone with pre-installed malware via the Lifeline Assistance program
  • Mac ThiefQuest malware may not be ransomware after all
  • Threat spotlight: WastedLocker, customized ransomware

• Michael Gorelik at Morphisec
  Improve Threat Prevention with a Focus on Tactics, Not Techniques

• Ashwin Vamshi at Netskope
  Lnkr Makes a Comeback – This Ad’s For Us

• Nikhil Hegde
  HackFest iHack 2020 MalwareTheFlag Write-up

• Patrick Wardle at Objective-See
  • OSX.EvilQuest Uncovered (part one)
  • OSX.EvilQuest Uncovered (part two)

• Proofpoint
  Purple Fox EK Adds Exploits for CVE-2020-0674 and CVE-2019-1458 to its Arsenal

• SANS Internet Storm Centre Handler Diaries
  • Wireshark 3.2.5 Released, (Sun, Jul 5th)
  • Excel spreasheet macro kicks off Formbook infection, (Fri, Jul 10th)
  • Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688 , (Thu, Jul 9th)
  • If You Want Something Done Right, You Have To Do It Yourself… Malware Too!, (Wed, Jul 8th)
  • Scanning Home Internet Facing Devices to Exploit, (Sat, Jul 11th)
  • VMware XPC Client validation privilege escalation vulnerability – https://www.vmware.com/security/advisories/VMSA-2020-0017.html, (Sat, Jul 11th)

• Sansec
  North Korean hackers are skimming US and European shoppers

• Sebdraven
  How to unpack Chinoxy backdoor and decipher the configuration of the backdoor

• SentinelOne
  • “EvilQuest” Rolls Ransomware, Spyware & Data Theft Into One
  • Breaking EvilQuest | Reversing A Custom macOS Ransomware File Encryption Routine

• Bogdan Vennyk
  Building (not ML driven) Ransomware prevention system

• Augusto Remillano II and Jemimah Molina at TrendMicro
  New Mirai Variant Expands Arsenal, Exploits CVE-2020-10173

• Pascal Brackmann at VMRay
  Threat Bulletin: Dissecting GuLoader’s Evasion Techniques

• VMware Carbon Black
  • TAU Threat Analysis: Medusa Locker Ransomware
  • TAU Threat Analysis: Hakbit Ransomware
  • TAU Threat Analysis: Bundlore (macOS) mm-install-macos
  • TAU Threat Discovery: Conti Ransomware

• Matías Porolli at WeLiveSecurity
  More evil: A deep look at Evilnum and its toolset

• Rohit Chaturvedi and Naveen Selvan at ZScaler
  Deep Dive Into the M00nD3V Logger

• NekochanSecurity555
  VirusTotal, ANY.RUNなどのオンライン検査サービス利用における注意点

MISCELLANEOUS

• Alexis Brignoni at ‘Initialization Vectors’
  DFIR Resources

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 7/8/2020

• Tony at AboutDFIR
  DFIR Without Certs – What Books Can Help You

• Olga Milishenko at Atola
  Damaged drive imaging with TaskForce: A drive with a damaged head

• Igor Mikhailov at Group-IB
  Digital forensics specialist’s bookshelf

• Bjorn Townsend at CI Security
  Be Ready for a Breach: The Case for Remote DFIR and Virtual Incident Response

• Jason Trost at Covert IO
  All your SPF are belong to us: Exploring trust relationships through global scale SPF Mining

• Allie Mellen at Cybereason
  Post-incident Review and the Big Data Problem

• Tyler Schlecht at DME Forensics
  DVR Examiner 3.0 Feature Friday – Scan Options

• Yamin Tian at Elastic
  macOS vs. Windows – What kernels tell you about security events: Part 2

• Forensic Focus
  Put Your Lab’s Existing Tools And Processes To Work — For Science

• Joseph Pochron at ‘Forensic Horizons’
  Show Your Work: The impact of privacy regulation on technology practitioners and why they should…

• Mike Burridge at iNPUT-ACE
  Conducting a Video-Centric Investigation: Using an Expert’s Investigative Checklist

• Koen Van Impe
  Install MITRE ATT&CK Navigator in an isolated environment

• Magnet Forensics
  • Our Contributions to the Reform of the Justice Sector and Racial Equality
  • Tips to Improve Your Digital Forensic Lab’s Efficiency

• Mark Mckinnon
  New Autopsy Modules Now Available

• Matthias Wilson at NixIntel
  Geolocating Mobile Phones With An IP

• Ollie Green at ‘Open Source DFIR’
  Incident Response in the Cloud

• Phil Hagen at Red Canary
  Everything you need to engage a virtual audience

• J.J. Wallia at ADF
  The 3 Levels of DOMEX in Sensitive Site Exploitation

• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — July 5 to July 11

• SANS
  • 17K DFIR Summit Registrations and Counting! Deep-Dive into this content before you join us next week!
  • Before you join us at the DFIR Summit read this…
  • Vulnerability Management Maturity Model

• Santosh Khadsare
  • Mentorship (Part I):Digital Forensics Courses
  • 4N6 Sunday: Grouping of Professionals in Cyber Forensics

• VMware Carbon Black
  Court Ruling on Forensic Data Breach Reporting Flying Under the Radar

• VTO
  Data Retrieval from an Unlikely Device – Satellite Connected Ocean Buoy

SOFTWARE UPDATES

• Airbus CERT
  Splunk-ETW

• Amped
  Amped DVRConv Update 17521: H.264 Quality Settings and New Formats

• Binalyze
  Version 2.3.6(Preview)

• Blue Team Labs
  v.1.4.2

• Bolodev
  OSXRipper

• Brim
  v0.13.1

• Elcomsoft
  Elcomsoft Internet Password Breaker 3.20 extracts Yandex Browser, Tencent QQ and UC Browser passwords

• ArtEx
  Check out @BlakDouble’s Tweet

• RawSec
  Library v1.2.4 & Tools

• Xways
  X-Ways Forensics 20.0 Beta 6b
  

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!