I mentioned that FOR308 Beta 2 was running next month, but I forgot that I’ll also be taking an in-person FOR500 class in Canberra, Australia next month too.
And Lodrina will be interviewed by Lenny Zeltser from Axonius on August 19!
Life As A CISO – Q&A with Lodrina Cherne
Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- David Cowen at the ‘Hacking Exposed Computer Forensics’ blog
  Daily Blog #702: Sunday Funday 8/9/20
- Oleg Afonin at Elcomsoft
  Extracting Passwords from Qihoo 360 Safe Browser and Tor Browser
- Hacking Articles
- Maxim Suhanov
  Containerized registry hives in Windows
- Theo Giovanna at Open Source DFIR
  Forensic Disk Copies in Azure
- Ryan Benson at dfir.blog
  Tinkering with TikTok Timestamps
- Jared Barnhart at Mac4n6
  Step-by-step macOS Setup for iOS Research (via @bizzybarney)
THREAT INTELLIGENCE/HUNTING
- MITRE Shield is here: Shield is an active defense knowledge base MITRE is developing to capture and organize what we are learning about active defense and adversary engagement.
  Shield
- Andreas Klopsch at ‘Malware and Stuff’
  Linux/Windows Internals – Process structures
- Tawnya Lancaster at AT&T Cybersecurity
  Cyber threat intelligence explained
- Jannie Li at Azure Sentinel articles
  Guided Hunting Notebook: Base64-Encoded Linux Commands
- Check Point on phishing attacks
- David French and Neil Desai at Elastic
  Threat hunting capture the flag with Elastic Security: BSides 2020
- Group IB on Red Curl APT (reg wall)
  Red Curl
- Hacking Articles
- Intel 471’s Blog
  Prioritizing “critical” vulnerabilities: A threat intelligence perspective
- Marcus Edmonson at ‘Data Analytics & Security’
  Create Elastalert Rules with Sigma
- Nik Alleyne at ‘Security Nik’
- Olaf Hartong at Falcon Force
  Introducing Falcon Friday
- Justin Perdok at Orange Cyberdefense
  ACE to RCE
- Red Alert
  Monthly Threat Actor Group Intelligence Report, June 2020
- SANS shares IOCs
  SANS Data Incident 2020 – Indicators of Compromise
- Darren Mar-Elia at SDM Software
  The Attack of the Trojan GPOs
- Konstantin Zykov at Securelist
  CactusPete APT group’s updated Bisonal backdoor
- Tim (Wadhwa-)Brown at Cisco
  Intelligence, Modelling and Hunting Through an ATT&CKers Lens
- Tenable
  CVE-2019-0230: Apache Struts Potential Remote Code Execution Vulnerability
- Joe Stocker at The Cloud Technologist
  Defending against Pass-the-PRT
- Vladimir Zakharevich at Trustwave SpiderLabs
  Playdate with Bots: Microsoft SQL Honeypots
- u0041
  Impacket Remote Execution Tools – smbexec.py
UPCOMING WEBINARS/CONFERENCES
- Jorge Orchilles at Scythe
  SCYTHE Presents: Purple Team Exercise Framework (PTEF) Workshop
- Nik Alleyne at ‘Security Nik’
  Register for my upcoming SANS SEC582 Mastering TShark Packet Analysis class and get a Free copy of “Hack and Detect” or “Mastering TShark Network Forensics”
PRESENTATIONS/PODCASTS
- Alexis Brignoni
- Forensic Lunch
  Forensic Lunch 8/14/20 – Sarah Edwards and Jared Barnhart
- Jessica Hyde at Magnet Forensics
  Magnet Forensics Presents: Cache Up – Ep.11 – Cindy Murphy
- Kevin Ripa at SANS
- AccessData
  - There’s Even More! Have Quin-C YOUR Way: A Special One-Hour Presentation
  - Ensuring Defensible Preservation and Collection Post FRE 902
  - Collaborative Review: scaling, tasking, customizing data and customizing tools
  - Session 2 Managing Internal Investigations Swamped with Data
  - Working with technology to better an investigation through machine learning
  - Run Through for IR in the Cloud Webinar
  - Visualizing Data: call chains, timelines and geo-plotting
  - Network Investigation & Post-Breach Analysis
  - Integrated Digital Investigations With AccessData
  - Session 3: It’s No Secret: Europe, GDPR and Other Emergent Privacy Issues
  - Session 1 Information Risk and Compliance in the Digital Age
  - The Power of the Volume Shadow Analysis Tool
  - You’ve Been Breached. Now What?
  - Targeted Search on Live Remote Systems with AD Enterprise
  - Understanding CCPA: Preparing for California’s New Privacy Act
  - Quin-C for Forensic investigators—Follow the Simple Path for the Latest Release
  - Insider Threats—Do You Know What Skeletons are in Your Closet?
  - Get the Clearest View of Your Data with QView from AccessData
  - Ready to Find Your New Forensic Investigator Soulmate? Meet Quin-C.
  - Meet Your Match! The Perfect Legal Review Tool Does Exist. Say Hello to Quin-C.
  - Incident Response in the Cloud
  - Accelerate Incident Response Through Automation
  - Decoding the DNC Hack: A Technical Analysis of Cyber-Espionage
  - AccessData Managed Cloud Services—a Q&A with Eide Bailly
  - BYOD: Do Benefits of Personal Devices at Work Outweigh Drawbacks?
  - After the Attack—Surviving and Thriving Post-Breach
  - Session 1: Information Risk and Compliance in the Digital Age
  - What’s New in Quin-C? Enhanced Automation Tools for Legal Teams
  - After the Incident: Investigating and Responding to a Data Breach
  - Quin-C for Law Firms
  - Drone Forensics
  - Connect the Cloud to the Ground with QView
  - Data Processing for Service Providers
  - What You Need to Know about Forensics in the Cloud
  - Data Encryption and Forensics in the Cloud
  - The Dark Web and Your Data
  - Internal Investigations in Today’s Connected World
- Heather Mahalik at Cellebrite
  Making sense of location information is important to most investigations.
- Colin Hardy
  SANS Got Hacked – 5 Things to Consider
- Roberto Rodriguez
  Check out @Cyb3rWard0g’s tweet
- David Bernal
  Defcon 28 BTV 2020
- Detections Podcast
  Season 2 Episode 14: Will Podcast for Work with JenFer_ and K4tTr33
- Digital Forensic Survival Podcast
  DFSP # 234 – Divide & Conquer with Brian Carrier
- Forensic Focus
- John Hubbard at ‘The Blueprint podcast’
  A Machine Learning Primer for the Blue Team
- Lee Reiber at Mobile Forensic Investigations
  Oxygen Forensics Episode 122
- Neil Fox
  #6 Common Malware Persistence Techniques
- Passware
  Video on Passware Kit Forensic new features in 2020
- SANS Institute
  Remote Forensic Investigations in the Context of COVID-19 | SANS@MIC Talk
MALWARE
- An important read from the NSA/FBI (45 page PDF)
  Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware
- Adam Chester at XPN
  Debugging into .NET
- Malware analysis at Binary Defense
- Ron Ben Yizhak at Deep Instinct
  Why Emotet’s Latest Wave is Harder to Catch than Ever Before
- Nick Schroeder, Harris Ansari, Brendan McKeague, Tim Martin, and Alex Pennino at FireEye
  COOKIEJAR: Tracking Adversaries With FireEye Endpoint Security’s Logon Tracker Module
- Val Saengphaibul at Fortinet
  Latest COVID-19 Variants from the Ridiculous to the Malicious
- Alina Georgiana Petcu at Heimdal Security
  Netwalker Ransomware Explained: What You Need to Know
- Welcome Josh++ to blogging and catch up with some posts
- Hugh Aver at Kaspersky Lab
  Operation PowerFall: Two zero-day vulnerabilities
- Kirtar Oza
  Black Energy 2 — Revisited
- Pieter Arntz at Malwarebytes Labs
  Chrome extensions that lie about their permissions
- NTCore (1 minute video)
  Malicious PDF Analysis in Cerbero Suite
- Edouard Bochin, Tao Yan, Jin Chen, and Fang Liu at Palo Alto Networks
  Script-Based Malware: A New Attacker Trend on Internet Explorer
- PC’s Xcetra Support
  Ursa Loader and the many rabbit holes
- SANS Internet Storm Center
  - Small Challenge: A Simple Word Maldoc – Part 2, (Sun, Aug 9th)
  - Scoping web application and web service penetration tests, (Mon, Aug 10th)
  - To the Brim at the Gates of Mordor Pt. 1, (Wed, Aug 12th)
  - Definition of ‘overkill’ – using 130 MB executable to hide 24 kB malware, (Fri, Aug 14th)
  - Wireshark 3.2.6 Released, (Sat, Aug 15th)
- SentinelLabs
- Shaquib Izhar
  Testing capa the Malware analysis tool
- Sean Gallagher at Sophos News
  Color by numbers: inside a Dharma ransomware-as-a-service attack
- Sucuri
- TrendMicro
  XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
- VMRay
  Malware Analysis Spotlight: MassLogger’s Noisy Stealing Attempts
- Mohd Sadique at ZScaler
  PurpleWave—A New Infostealer from Russia
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 8/15/2020
- Stephanie Thompson at Blackbag Technologies
  Utilizing the Portable Case Feature in Blacklight
- Cellebrite
- Cyberdefenders
  Check out @Cyberdefenders’ Tweet on Boss Of the SOC
- Allie Mellen at Cybereason
  Hacker Summer Camp Is Cancelled Long Live Virtual Hacker Summer Camp
- Facebook investigations from Griffin
  Think Private Facebook Profiles Pages Are A Dead End? Think Again!
- LIFARS Cybersecurity
  What is CSIRT/CERT Team?
- Magnet Forensics
- Olga Milishenko at Atola
  Imaging RAID 0 array
- Whitney Champion at OpenSOC
  OpenSOC @ DEF CON 28 Safe Mode
- Pepe Berba
  DEFCON 28 OpenSOC Blue Team CTF: Lessons and Tips
- Richard Frawley at ADF
  Using PhotoDNA in Digital Forensics Investigations | Photo Forensics
- Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — August 9 to August 15
- SANS
  Entering the Field of Cybersecurity
- teambi0s
  InCTFi 2020
SOFTWARE UPDATES
- ALEAPP
  1.3 – Dark mode + sorted plugin modules
- Arsenal Recon
  Quick Tour of New Features in Arsenal Image Mounter v3.2.128
- Brim
  v0.15.0
- Cellebrite
  New support for Samsung and Huawei, Qualcomm-based devices with UFED 7.36
- Chapin Bryce
  Libvxshare
- Ciphey
  New Ciphers + Bug Fixes
- Costas K
  WindowsTimeline parser (x64)
- Elcomsoft
  Elcomsoft Internet Password Breaker 3.30 extracts passwords from Tor and 360 Safe browsers
- ExifTool
  ExifTool 12.04
- Hancom
  HancomWITH – 2Q 2020 MD-Series Release Note Highlights
- Malwoverview
  Malwoverview 4.0.2
- Mihari
  v1.3.0
- MathildeVenault
  SysMainView
- Microsoft Threat Intelligence Center
  MSTICpy 0.7.0/1 Release
- Ray Canzanese at Netskope
  Netskope Threat Coverage: GuLoader
- Oxygen Forensics
  Oxygen Forensic Detective Ramps Up Huawei Capabilities
- Rhaegal
  Rhaegal v1.3.1
- TheHive
- Velociraptor
  Release 0.4.8
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!