Come watch the Forensic Happy Hour next week with Lee Reiber! Friday, 1700ET, which is 7AM for me, so a bit too early for a beer, but I’ll be there with copious amounts of coffee!
Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Abhiram Kumar: Basics of Memory Forensics
- Marco Fontani at Amped: What’s in Your Past? A Guide to Spotting Traces of Double JPEG Compression With Amped Authenticate (Part 1)
- Blue Team Blog: How to spot and analyse a malicious Email
- Nir Netanel: How To Use The Keychain In Cellebrite Physical Analyzer
- Chris Vance at ‘D20 Forensics’: Setting up a “Testing Lab” of iOS and Android devices
- CQURE Academy
- Kieran Murphy at Foregenix: All you need to know about PCI Forensic Investigations
- Brendan Mccreesh: Matching an O365 MachineID to a computer’s MachineGUID
- Oleg Afonin at Elcomsoft: Breaking LUKS Encryption
- Joshua Hickman at ‘The Binary Hick’: Nearby Share – AirDrop for Android (Return of the Unsolicited Richard Photograph)
- MSAB
- Oxygen Forensics: Putting an end to child sexual exploitation
- Amber Schroader at Paraben: Discord Investigations
- Peter Stewart: DFA/CCSC Spring 2020 CTF – Wireshark – https.pcapng Write-up
THREAT INTELLIGENCE/HUNTING
- Katie Nickels at ‘Katie’s Five Cents’: FAQs on Getting Started in Cyber Threat Intelligence (about how to get started in CTI)
- xorl at %eax, %eax: The role of linguists in threat intelligence teams (discussing skills that are often overlooked in threat intelligence)
- Active Countermeasures: Improving Packet Capture Performance – 2 of 3
- Adam at Hexacorn is back with more Run key and other Windows oddities
- Anton Chuvakin: New Paper: “Future of the SOC: Forces shaping modern security operations”
- Azure Sentinel articles: MSTIC Notebooklets – Fast Tracking CyberSec Jupyter Notebooks
- Cado Security: Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials
- Check Point Software
- Crowdstrike
- Elastic: Find strings within strings faster with the new wildcard field
- Eric Conrad: Decrypt all the Things: How Encryption is Impacting Network-Based Security Controls
- ericooi.com: Zeekurity Zen – Part VI: Zeek File Analysis Framework
- Expel: The power of orchestration: how we automated enrichments for AWS alerts
- Hacking Articles
- Journey Notes: Email threat types: Lateral phishing
- Microsoft Threat Intelligence Center: Announcing MSTIC Notebooklets
- Richard Bejtlich at TaoSecurity: One Weird Trick for Reviewing Zeek Logs on the Command Line!
- Sandfly Security: Linux Stealth Rootkit Process Decloaking Tool – sandfly-processdecloak
- Secureworks: Frequent Gaps in Log Data Can Hinder Incident Response
- Steve Caimi at Cisco: MITRE ATT&CK: The Magic of Mitigations
- Security Distractions: Filebeat 7.8 on pfSense 2.4.5
- SentinelOne: Defending macOS Against Sophisticated Attacks
- SpecterOps
- The Cloud Technologist: What happened to Defender running in a Sandbox? MP_FORCE_USE_SANDBOX
- Trustwave SpiderLabs: From SSRF to Compromise: Case Study
- Usenix: A different cup of TI? The added value of commercial threat intelligence
UPCOMING WEBINARS/CONFERENCES
- Cellebrite
- Palo Alto Networks Call For Papers: Call for Papers for Ignite 2020: Share Your Cybersecurity Expertise
PRESENTATIONS/PODCASTS
- Alexis Brignoni
- Jessica Hyde at Magnet Forensics: Magnet Forensics Presents: Cache Up – Ep.12 – Trey Amick
- Kevin Ripa at SANS
- AccessData: Decoding the DNC Hack: A Technical Analysis of Cyber-Espionage
- Black Hills Information Security
- Breaking Badness: 57. A Ransomware To Remember
- Digital Forensic Survival Podcast: DFSP # 235 – Scheduled Task Change
- Lee Reiber at Mobile Forensic Investigations: Oxygen Forensics Episode 123
- Heather Mahalik at ‘Life has no CTRL ALT DEL’:
  - How to Contribute Content to ThisWeekin4n6 and #DFIRfitin2020
  - DFIR Virtual Job Fair to Become Aware of Job Availability
  - HashCat: Another Method for Cracking Passwords
  - Media Categorization: The Power of Machine Learning
  - State Adversary Forensics and Building a Solid Resume
  - A Personal Tour of a Data Recovery Lab
- Arman Gungor at Metaspike: Forensic Email Collector Power User Webinar
- SANS Institute
MALWARE
- An important report from CISA in conjunction with the FBI: AR20-232A: MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN
- 0day in {REA_TEAM}: Manual Unpacking IcedID Write-up
- Aon: Close, but no Ragnar
- Automated Malware Analysis: Analyzing VM-Malware with Joe Lab and Trace
- Bitdefender Labs: WannaRen Decryption Tool
- CQURE Academy: Black Hat USA 2020 Highlights: Demystifying Modern Windows Rootkits
- Darktrace Blog: Evil Corp intrusions: WastedLocker ransomware detected by Darktrace
- Forcepoint: A New Way to Think About Breach Detection
- Heimdal Security: Emotet Malware Over the Years: The History of an Active Cyber-Threat
- Intezer: ELF Malware Analysis 101 Part 2: Initial Analysis
- Kyle Cucci at SecurityLiterate: Chantay’s Resume: Investigating a CV-Themed ZLoader Malware Campaign
- LIFARS Cybersecurity Blog – LIFARS, Your Cyber Resiliency Partner: What is Deepfake Phishing and How to Detect It?
- Malwarebytes Labs: ‘Just tell me how to fix my computer:’ a crash course on malware detection
- Morphisec: QakBot (QBot) Maldoc Campaign Introduces Two New Techniques into Its Arsenal
- Palo Alto: Wireshark Tutorial: Decrypting HTTPS Traffic (walkthrough related to Dridex)
- SANS Internet Storm Center:
  - Small Challenge: A Simple Word Maldoc – Part 3, (Sun, Aug 16th)
  - Password Reuse Strikes Again!, (Mon, Aug 17th)
  - ISC Blocked, (Tue, Aug 18th)
  - Using API’s to Track Attackers, (Tue, Aug 18th)
  - Example of Word Document Delivering Qakbot, (Wed, Aug 19th)
  - Office 365 Mail Forwarding Rules (and other Mail Rules too), (Thu, Aug 20th)
  - Remote Desktop (TCP/3389) and Telnet (TCP/23), What might they have in Common?, (Sat, Aug 22nd)
- Securelist: Transparent Tribe: Evolution analysis, part 1
- Shaquib Izhar at Medium
- Greg Iddon at Sophos: MTR casebook: the ransomware hunt that unearthed a historic banking trojan
- Scott Nusbaum at TrustedSec: Become The Malware Analyst Series: PowerShell Obfuscation Shellcode
- Trustwave SpiderLabs: GoldenSpy Chapter 5: Multiple GoldenSpy Uninstaller Variants Discovered
- WMC Global Blog: Phishing Kit Exfiltration Methods
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR
- Red Canary: Braving the blank page: advice and inspiration for new writers
- Adrian at ‘Agood cloud’
- Kent Ickler at Black Hills Information Security: How SPF, DKIM, and DMARC Authentication Works to Increase Inbox Penetration (Testing) Rates
- J Huff at “Learn All The Things”: Virtual Machines for OSINT
- Cellebrite
- Santosh Khadsare: 4N6 Sunday – What’s Your Worth: Pay Scales of Digital Forensic Professionals in India
- Haydn Johnson at Hackerrolls: WinRM Cheatsheet & PowerShell Syntax
- Mike Cohen at Velocidex
- MISP: MISP service monitoring (and a bit of healing) with OpenNMS
- Mathieu Tarral: Check out @mtarral’s tweet
- Passware
- Richard Frawley at ADF: How to Sanitize a CSAM Report for Court, Prosecutors or Investigators
SOFTWARE UPDATES
- Belkasoft
- Brim: v0.19.1
- Cellebrite: New support for Samsung and Huawei, Qualcomm-based devices with Cellebrite Responder 7.36
- Costas K
- Didier Stevens: Update: numbers-to-string.py Version 0.0.10
- eCrimeLabs: Phish2MISP v.1.0 released
- Elcomsoft: Elcomsoft adds LUKS encryption support
- Eric Zimmerman: ChangeLog
- Foxton Forensics: Browser History Viewer — Version History
- Intezer: Community Beta Announcement
- Metaspike: Remote Authenticator v1.0.0 for macOS
- MISP: MISP 2.4.130 released (Various fixes, performance improvements and new features)
- Nettitude Labs: Introducing PoshC2 v7.0
- Open Source DFIR: Plaso 20200717 released
- X-Ways
- YARP: 1.0.30
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically, hit us up through the contact page or on the social pipes!