Less than a week to go until the (Virtual) DFIR Summit! Our very own Lodrina is even keynoting on day 2!
Also not long till the Forensic 4Cast awards, so get your votes in quick!
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Arman Gungor at Metaspike
  - Gmail History Records in Forensic Email Investigations
- Cellebrite
  - Preserving Data for Departing Employees
- Elcomsoft
- Shubham Sharma at Hacking Articles
- Jason Wilkins at ‘Noob to Pro Forensics’
- Magnet Forensics
  - Pontificating on the Perplexing Preferences Proliferated by Safari
- Peter Stewart
  - DFA/CCSC Spring 2020 CTF – Wireshark – smb.pcapng Write-up
- SANS
  - DFIR Advanced Smartphone Forensics Interactive Poster
THREAT INTELLIGENCE/HUNTING
- CVE-2020-5902
  - Joe Needleman, Andrew Nelson, Tony Lee, Mark Stevens at BlackBerry
    - Inside the F5 Big-IP TMUI RCE Vulnerability (CVE-2020-5902)
  - Cisco’s Talos
    - New Snort rule addresses critical vulnerability in F5 BIG-IP
  - Research and Intelligence Fusion Team at NCC Group
    - RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
  - SANS Internet Storm Center
    - F5 BigIP vulnerability exploitation followed by a backdoor implant attempt, (Tue, Jul 7th)
    - CVE-2020-5902 F5 BIG-IP Exploitation Attempt, (Sun, Jul 5th)
    - CVE-2020-5902: F5 BIG-IP RCE Vulnerability, (Mon, Jul 6th)
    - Summary of CVE-2020-5902 F5 BIG-IP RCE Vulnerability Exploits, (Mon, Jul 6th)
  - Joe at Stranded on Pylos
    - CVE-2020-5902 In Perspective
  - Satnam Narang at Tenable
    - CVE-2020-5902: Critical Vulnerability in F5 BIG-IP Traffic Management User Interface (TMUI) Actively Exploited
  - Joe Needleman, Andrew Nelson, Tony Lee, Mark Stevens at BlackBerry
  - WeLiveSecurity
    - Attackers target critical flaw in popular networking gear
- Keith Chew at Active Countermeasures
  - Malware of the Day – Fiesta
- Advanced Intelligence
- Alex Verboon at ‘Anything about IT’
  - Generating Advanced hunting queries with PowerShell
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  - Using .lnk files as zero-touch downloaders
- Edwardo Rodriguez at AT&T Cybersecurity
  - Stories from the SOC – Credential Dumping
- Azure Sentinel
- B4rtik
  - Antimalware Scan Interface Provider for Persistence
- Brad Duncan at Malware Traffic Analysis
- Chris Long
  - Working Through Splunk’s Boss Of The SOC – Part 4
- Ashley Atkins at Cofense
  - New Covid-19 Phish Abuses Tax Relief Act to Steal Credentials
- Richard Bejtlich at Corelight
  - Network Security Monitoring data: Types I, II, and III
- CronUp
  - Threat Alert: Grupo Ta505 Restarts Attacks In Latin America.
- Oleg Skulkin at Cyber Forensicator
  - Threat Hunting: What it Is, and What it Is Not
- CyCraft Technology Corp
  - CyCraft Classroom: MITRE ATT&CK vs. Cyber Kill Chain vs. Diamond Model
- Max Heinemeyer at Darktrace
  - Speed of weaponization: From vulnerability disclosure to crypto-mining campaign in a week
- Jack Crook at ‘DFIR and Threat Hunting’
  - Insider Threat Hunting
- Jon Hencinski, Tyler Fornes and David Blanton at Expel
  - 6 things to do before you bring in a red team
- F-Secure
  - Attack Detection Fundamentals: Discovery and Lateral Movement – Lab #1
  - Attack Detection Fundamentals: Discovery and Lateral Movement – Lab #2
  - Attack Detection Fundamentals: Discovery and Lateral Movement – Lab #3
  - Attack Detection Fundamentals: Discovery and Lateral Movement – Lab #4
  - Attack Detection Fundamentals: Discovery and Lateral Movement – Lab #5
- Matthew Echols at Huntress Labs
  - ThreatOp$ = Humans * Automation;
- Jorge Orchilles at Scythe
  - SCYTHE Presents: #ThreatThursday – Managing Threats
- Marco Ramilli
  - Cyber Threats Trends 6 Months Of Findings
- Mike Walker at Microsoft
  - Toward trusted sensing for the cloud: Introducing Project Freta
- Adam Pennington at MITRE ATT&CK
  - “ATT&CK with Sub-Techniques” is Now Just ATT&CK
- MWLab
  - Cobalt Strike stagers used by FIN6
- Neil Fox
  - Impacket usage & detection
- Nik Alleyne at ‘Security Nik’
- Alex Teixeira at Opstune
  - Splunking BOTS V3: Q212, Q214, Q300
- Palantir
  - Restricting SMB-based lateral movement in a Windows environment
- Chip Epps at ReversingLabs
  - Advancing YARA through Community – REVERSING 2020 Showed Us How
- Sandfly Security
  - Detecting Linux memfd_create() Fileless Malware with Command Line Forensics
- SentinelOne
  - How Do Attackers Use LOLBins In Fileless Attacks?
- Jared Atkinson, Luke Paine, and Jonathan Johnson at SpecterOps
  - Utilizing RPC Telemetry
- Luke Leal at Sucuri
  - Pirated WordPress Plugins Bundled with Backdoors
- ThaiCERT
  - Threat Group Cards: A Threat Actor Encyclopedia
- Peter Evans and Rodel Mendrez at Trustwave SpiderLabs
  - Injecting Magecart into Magento Global Config
UPCOMING WEBINARS/CONFERENCES
- Cellebrite
- COVID-19 CTI League
  - Hackathon Is Official: First CTI-League Event July 15th to 18th
- Bret Peters at ADF
  - 2020 Digital Forensic Conferences (Updated with COVID-19 Information)
PRESENTATIONS/PODCASTS
- Alexis Brignoni
- Jessica Hyde at Magnet Forensics
  - Magnet Forensics Presents: Cache Up Ep.6 – Heather Smith
- Kevin Ripa at SANS
- Black Hills Information Security – YouTube
  - What about Ransomware w John Strand 1 Hour BHIS HEVC 4k
- Carved from Unallocated
  - Episode 3: 10 Common Examiner Mistakes
- Heather Mahalik at Cellebrite
  - How to leverage Cloud capabilities inside of Cellebrite Physical Analyzer.
- Colin Hardy
  - Coding Expectations for Malware & Pentesting
- CySecK
  - Webinar | Malware trends and analysis | Samgacchadhwam Series webinar 16 | McAfee
- Detections Podcast
  - Season 2 Episode 9: The One with No Topic
- Joshua James at DFIR.Science
  - Tsurugi Linux – Device Unlocker Code Review
- Digital Forensic Survival Podcast
  - DFSP # 229 – Mobile Attacks Part 2
- John Hubbard at ‘The Blueprint podcast’
  - Understanding and Applying Threat Intelligence
- Lee Reiber at Mobile Forensic Investigations
  - Oxygen Forensics Episode 117
- Christopher Vance at Magnet Forensics
  - From the Training Team: Magnet AXIOM macOS Examinations (AX350)
- Neil Fox
  - #2 How To Analyse a Malicious Word Document
- Radware
  - Radware Threat Researchers Live: Recent Network Threats
- Rasta Mouse
- Richard Davis at 13Cubed
  - Linux Memory Forensics – Memory Capture and Analysis
- SANS Institute
- Scott Nusbaum at TrustedSec
  - Become The Malware Analyst Series: Malicious Code Extraction and Deobfuscation
- WoSEC Barcelona (Spanish)
  - WoSEC Barcelona & Madrid Virtual Meetup
MALWARE
- 360 Netlab
- 360 Total Security
- Janos Gergo Szeles and Bogdan Botezatu at Bitdefender Labs
  - Kingminer Botnet Keeps up with the Times
- Certego
  - Advanced VBA macros: bypassing olevba static analyses with 0 hits
- Check Point
- CISA
- Cisco’s Talos
- Ryan Campbell and Devin Cargill at CrowdStrike
  - Automating Remote Remediation of TrickBot via Falcon’s Real Time Response API: Part 2
- Forrest Orr at CyberArk
  - Masking Malicious Memory Artifacts – Part I: Phantom DLL Hollowing
- Allie Mellen at Cybereason
  - What Modern Ransomware Looks Like
- DarunGrim
  - Advanced Windows Malware Analysis – Acquiring Memory Artifacts
- Didier Stevens
- Matthew Haigh and Trevor Haskell at FireEye Threat Research
  - Configuring a Windows Domain to Dynamically Analyze an Obfuscated Lateral Movement Tool
- Xiaopeng Zhang at Fortinet
  - Deep Analysis of a QBot Campaign – Part II
- Greg Linares
- Intel 471
  - Iran’s domestic espionage: Lessons from recent data leaks
- Johannes Bader
  - The Domain Generation Algorithm of BazarBackdoor
- Malwarebytes Labs
- Michael Gorelik at Morphisec
  - Improve Threat Prevention with a Focus on Tactics, Not Techniques
- Ashwin Vamshi at Netskope
  - Lnkr Makes a Comeback – This Ad’s For Us
- Nikhil Hegde
  - HackFest iHack 2020 MalwareTheFlag Write-up
- Patrick Wardle at Objective-See
- Proofpoint
  - Purple Fox EK Adds Exploits for CVE-2020-0674 and CVE-2019-1458 to its Arsenal
- SANS Internet Storm Centre Handler Diaries
  - Wireshark 3.2.5 Released, (Sun, Jul 5th)
  - Excel spreadsheet macro kicks off Formbook infection, (Fri, Jul 10th)
  - Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688, (Thu, Jul 9th)
  - If You Want Something Done Right, You Have To Do It Yourself… Malware Too!, (Wed, Jul 8th)
  - Scanning Home Internet Facing Devices to Exploit, (Sat, Jul 11th)
  - VMware XPC Client validation privilege escalation vulnerability – https://www.vmware.com/security/advisories/VMSA-2020-0017.html, (Sat, Jul 11th)
- Sansec
  - North Korean hackers are skimming US and European shoppers
- Sebdraven
  - How to unpack Chinoxy backdoor and decipher the configuration of the backdoor
- SentinelOne
- Bogdan Vennyk
  - Building (not ML driven) Ransomware prevention system
- Augusto Remillano II and Jemimah Molina at TrendMicro
  - New Mirai Variant Expands Arsenal, Exploits CVE-2020-10173
- Pascal Brackmann at VMRay
  - Threat Bulletin: Dissecting GuLoader’s Evasion Techniques
- VMware Carbon Black
- Matías Porolli at WeLiveSecurity
  - More evil: A deep look at Evilnum and its toolset
- Rohit Chaturvedi and Naveen Selvan at ZScaler
  - Deep Dive Into the M00nD3V Logger
- NekochanSecurity555 (Japanese)
  - Points to note when using online scanning services such as VirusTotal and ANY.RUN
MISCELLANEOUS
- Alexis Brignoni at ‘Initialization Vectors’
  - DFIR Resources
- Andrew Rathbun at AboutDFIR
  - AboutDFIR Content Update 7/8/2020
- Tony at AboutDFIR
  - DFIR Without Certs – What Books Can Help You
- Olga Milishenko at Atola
  - Damaged drive imaging with TaskForce: A drive with a damaged head
- Igor Mikhailov at Group-IB
  - Digital forensics specialist’s bookshelf
- Bjorn Townsend at CI Security
  - Be Ready for a Breach: The Case for Remote DFIR and Virtual Incident Response
- Jason Trost at Covert IO
  - All your SPF are belong to us: Exploring trust relationships through global scale SPF Mining
- Allie Mellen at Cybereason
  - Post-incident Review and the Big Data Problem
- Tyler Schlecht at DME Forensics
  - DVR Examiner 3.0 Feature Friday – Scan Options
- Yamin Tian at Elastic
  - macOS vs. Windows – What kernels tell you about security events: Part 2
- Forensic Focus
  - Put Your Lab’s Existing Tools And Processes To Work — For Science
- Joseph Pochron at ‘Forensic Horizons’
  - Show Your Work: The impact of privacy regulation on technology practitioners and why they should…
- Mike Burridge at iNPUT-ACE
  - Conducting a Video-Centric Investigation: Using an Expert’s Investigative Checklist
- Koen Van Impe
  - Install MITRE ATT&CK Navigator in an isolated environment
- Magnet Forensics
- Mark McKinnon
  - New Autopsy Modules Now Available
- Matthias Wilson at NixIntel
  - Geolocating Mobile Phones With An IP
- Ollie Green at ‘Open Source DFIR’
  - Incident Response in the Cloud
- Phil Hagen at Red Canary
  - Everything you need to engage a virtual audience
- J.J. Wallia at ADF
  - The 3 Levels of DOMEX in Sensitive Site Exploitation
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — July 5 to July 11
- SANS
- Santosh Khadsare
- VMware Carbon Black
  - Court Ruling on Forensic Data Breach Reporting Flying Under the Radar
- VTO
  - Data Retrieval from an Unlikely Device – Satellite Connected Ocean Buoy
SOFTWARE UPDATES
- Airbus CERT
  - Splunk-ETW
- Amped
  - Amped DVRConv Update 17521: H.264 Quality Settings and New Formats
- Binalyze
  - Version 2.3.6 (Preview)
- Blue Team Labs
  - v.1.4.2
- Bolodev
  - OSXRipper
- Brim
  - v0.13.1
- Elcomsoft
  - Elcomsoft Internet Password Breaker 3.20 extracts Yandex Browser, Tencent QQ and UC Browser passwords
- ArtEx
  - Check out @BlakDouble’s Tweet
- RawSec
  - Library v1.2.4 & Tools
- X-Ways
  - X-Ways Forensics 20.0 Beta 6b
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically, hit us up through the contact page or on the social pipes!
Thank you for taking all the effort to publish this great collection. Just a small thank-you note. Have a great week ahead.