As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’
  - It’s alive! – Attachment links in Discord
- Abhiram Kumar
  - Getdents – Insomni’hack teaser 2020
- Atropos4n6
  - Has the user logged into this account, or not? (Google Chrome’s Login Data – Part 1)
- Alexi Michaels at Cellebrite
  - Validating Artifacts with Cellebrite BlackLight
- Chris Vance at ‘D20 Forensics’
- Cqure Academy
  - Forensics and Prevention in the New Reality by Paula J – Q&A Session
- Jeenali Kothari at Hacking Articles
  - Digital Forensics: An Introduction
- Heather Mahalik at Smarter Forensics
  - Rotten to the Core? Nah, iOS14 is Mostly Sweet
- Howard Oakley at ‘The Eclectic Light Company’
  - Imaging APFS storage in Disk Utility, and size of the VM volume
- James Duffy
  - Taking The First Step – iOS Security & Forensics – P1
- Jesse Spangenberger at Cyber Fēnix Tech
  - iOS Forensics: VMP4 File format
- Jon Baumann at Ciofeca Forensics
- Johan Persson at MSAB
  - Super-fast iPhone extraction times!
- Olaf Hartong at Falcon Force
  - Sysmon 12.0 — EventID 24
- Sandor Tokesi at Forensics Exchange
  - Prompt response to ransomwares
- Kaushal Bhavsar at Sucuri
  - Missing DMARC Records Lead to Phishing
THREAT INTELLIGENCE/HUNTING
- ZeroLogon
  - Detecting Zerologon (CVE-2020-1472) with Zeek
  - Zerologon vulnerability threatens domain controllers
  - Sentinel Query: Detect ZeroLogon (CVE-2020-1472)
  - Detecting CVE-2020-1472 Using Splunk Attack Range
  - Hijacking a Domain Controller with Netlogon RPC (aka Zerologon: CVE-2020-1472)
  - Serious Vulnerability in Windows Server Systems (Zerologon)
- 43nsicBot
  - Threat Hunting Summit 2020 Summary
- Adam at Hexacorn
  - Beyond good ol’ Run key, Part 128
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  - Red Commander: open source Red Team C2 Infrastructure
- Anomali
  - Weekly Threat Briefing: APT Group, Malware, Ransomware, and Vulnerabilities
- Brad Duncan at Malware Traffic Analysis
  - 2020-09-14 – Traffic Analysis Quiz: Pcap and alerts from an ISC Diary
  - 2020-09-02 – Quick post: 2 days of Emotet infections with Trickbot
  - 2020-09-03 – Pcap only: Emotet epoch 1 infection with Trickbot gtag mor119
  - 2020-09-10 – Pcap only: TA551 (Shathak) sends IcedID
  - 2020-09-16 – Qakbot (Qbot) infection
  - 2020-09-11 – ZLoader (Silent Night) infection from myResume.xls
- Bricata
  - Suricata or Zeek? The answer is both.
- Check Point
- CISA Analysis Reports
  - AR20-259A: MAR-10297887-1.v1 – Iranian Web Shells
- Maciej Kosz and Mike Jankowski-Lorek at Cqure Academy
  - The tale of Enhanced Key (mis)Usage
- CrowdStrike
  - New Report: Falcon OverWatch Threat Hunting Leaves Adversaries with Nowhere to Hide
- Drew Schmitt at Crypsis
  - Ransomware’s New Trend: Exfiltration and Extortion
- Josh Campbell at Cyborg Security
  - The Trouble with Attribution in Cyber Threat Intelligence (Part 1)
- Moshe Elias at Cymulate
  - The NIST Cyber Security Framework
- Sachin Frayne at Elastic
  - Enriching data with GeoIPs from internal, private IP addresses
- William Jardine at F-Secure
  - Application-level Purple Teaming: A case study
- Ryan Tomcik and David Pany at FireEye Threat Research
  - A “DFUR-ent” Perspective on Threat Modeling and Application Log Forensic Analysis
- Intel 471
  - Partners in crime: North Koreans and elite Russian-speaking cybercriminals
- Jorge Orchilles at Scythe
  - SCYTHE Presents: #ThreatThursday – HoneyBee
- Dominic Chell at MDSec
  - I Like to Move It: Windows Lateral Movement Part 2 – DCOM
- Microsoft Threat Protection Intelligence Team
  - Industry-wide partnership on threat-informed defense improves security for all
- Joseph Opacki at Palo Alto Networks
  - Introducing Actionable Threat Objects and Mitigations (ATOMs)
- Picus Security
  - MITRE ATT&CK T1059 Command Line Interface
- Recon InfoSec
- Katie Nickels at Red Canary
  - Getting started in cyber threat intelligence: 4 pieces of advice
- SANS Internet Storm Center
- Michael Pedersen at Security Distractions
  - Squid Proxy Log Format
- Robby Winchester at SpecterOps
  - Detections of Past, Present, and Future
- Bandar Alanazi
  - Exfiltrate Data Using Virtual Directory
- Luke Leal at Sucuri
  - The Hidden PHP Malware that Reinfects Cleaned Files
- Trend Micro
- Dr. Fahim Abbasi at Trustwave SpiderLabs
  - Evasive URLs in Spam
- Zach Stanford
  - Replaying Windows Event Logs against Elastalert (and Sigma) rules using HELK
UPCOMING EVENTS
- Lodrina Cherne is presenting for Cybereason at the 2020 Grace Hopper Celebration
  - Digital Forensic Breadcrumbs at the 2020 Grace Hopper Celebration
- Cellebrite
- Richard Frawley at ADF
  - Digital Forensics Africa Conference and Training: Computer & Mobile
PRESENTATIONS/PODCASTS
- Cache Up with Jessica Hyde
  - Magnet Forensics Presents: Cache Up – Ep.16 – Lodrina Cherne
- Kevin Ripa at SANS
- The Forensic Lunch with Dave Cowen and Matt Seyer
  - Forensic Lunch 9/18/20 – Ulf Frisk
- Cellebrite
- Chris Sienko at the Cyber Work podcast
  - Job hunting tips for cybersecurity professionals
- Detections Podcast
  - Season 3 Episode 1: The Curious Case of Diaper Dandy
- Digital Forensic Survival Podcast
  - DFSP #239 – Registry Persistence Part 1
- Forensic Focus
  - Remote Working Capabilities For Mobile Computers And Cloud Collections
- Jason Nickola at ‘Trust Me I’m Certified’
  - Better job hunting with a hacker mentality with Jason and Jacquelyn Blanchard
- Lee Reiber’s Forensic Happy Hour
  - Oxygen Forensics Episode 127 – Life has no CTRL ALT DEL with Heather Mahalik
- Nothing to See Here? I Beg to DFIR
  - Episode 9: iBeg to DFIR – What Happens When A Device Gets Wiped? Top Ten Questions Answered
- SANS Institute
  - What’s New in SEC401: Security Essentials Bootcamp Style
- SANS Cyber Camp
  - Need for Speed: Cracking Hashes to Pwn Passwords w/ Jason Nickola – SANS Cyber Camp: New to Cyber
  - Introduction to Metasploit w/ Jeff McJunkin – SANS Cyber Camp
  - Introduction to Programming Workshop – SANS Cyber Camp
  - Cybersecurity for Social Good – SANS Cyber Camp
  - Thinking Like a Forensicator – SANS Cyber Camp
  - A Teenager’s Perspective on Helping Your Parents Help You – SANS Cyber Camp
  - The Hidden Information in Photos – SANS Cyber Camp
  - Introduction to SANS Cyber Camp
  - Be Smarter Than the Smartphone Workshop – SANS Cyber Camp
  - Introduction to Network Analysis Workshop – SANS Cyber Camp
  - Cyber Camp Panel – SANS Cyber Camp
  - Cyber Security Awareness for Online Safety – SANS Cyber Camp
  - Intro to Web Applications: What the Heck is a Web App? – SANS Cyber Camp
- SANS Security Awareness Forum
- SANS DFIR Summit
  - Live Response With Ansible – SANS DFIR Summit 2019
  - Kansa for Enterprise scale Threat Hunting w/ Jon Ketchum – SANS DFIR Summit 2020
  - capa: Automatically Identify Malware Capabilities w/ Ballenthin & Moritz Raabe – SANS DFIR Summit
  - Healthy Android exams: Timelining digital Wellbeing data
  - Help! We need an adult! Engaging an external IR team w/ Liz Waddell – SANS DFIR Summit 2020
  - Extract and Visualize Data from URLs using Unfurl w/ Ryan Benson – SANS DFIR Summit 2020
  - Hunting bad guys that use TOR in real-time w/ Milind Bhargava – SANS DFIR Summit 2020
  - From Threat Research to Organizational Threat Detection w/ O’Shea Bowens & Nico Smith – DFIR Summit
  - DFIR To Go w/ Heather Mahalik & Phil Hagen – SANS DFIR Summit 2020
  - Using Storytelling to Be Heard and Remembered w/ Frank McClain – SANS DFIR Summit 2020
  - If at first you don’t succeed, try something else w/ Jim Clausing – SANS DFIR Summit 2020
  - Keynote: Developing Diversity in DFIR w/ Eoghan Casey & Daryl Pfeif – SANS DFIR Summit 2020
  - Data Science for DFIR – The Force Awakens w/ Jess Garcia – SANS DFIR Summit 2020
  - Making Memories: Using Memory Analysis for Faster Response to User Investigations – SANS DFIR Summit
  - Just Forensics, Mercifully w/ Lee Whitfield – SANS DFIR Summit 2020
  - Forensic Analysis of Apple HomePod & Apple HomeKit Environment w/ Mattia Epifani – SANS DFIR Summit
  - Captain’s Log: Take your application log analysis from Starfleet to Star Fleek – SANS DFIR Summit
- Security Conversations
  - Selena Larson, Intelligence Analyst, Dragos
- The Cyber5
  - Episode 24: How Much Intelligence Does a CISO Need?
MALWARE
- JoeSecurity
  - GuLoader’s VM-Exit Instruction Hammering explained
- Jan Rubin at Avast
  - Complex obfuscation? Meh… (1/2)
- David Driker and Amir Landau at Check Point Research
  - Rudeminer, Blacksquid and Lucifer Walk Into A Bar
- Jamie at Click All the Things!
  - Trickbot: ActiveDocument.Words is the word!
- Colin Hardy
  - Crack The BAT – Identifying Compression, Packers & Googling for IOCs
- Eduardo Hotta at Foregenix
  - Magento 1 Under Attack
- Intezer
  - Looking Back on the Last Decade of Linux APT Attacks
- Alon Groisman at Morphisec
  - Trickbot/Emotet Delivery through Word Macro
- PwC UK
  - Analysis of WellMail malware’s Command and Control (C2) server
- OSXReverser
  - Is macOS under the biggest malware attack ever?
- Dave McMillen, Wei Gao and Charles DeBeck at Security Intelligence
  - A New Botnet Attack Just Mozied Into Town
- Andrew Brandt and Peter Mackenzie at Sophos
  - Maze attackers adopt Ragnar Locker virtual machine technique
- Tilden Swans
  - Let’s build an Android Analysis VM
- Veronica Valeros
  - A Study of RATs: Growth and Commoditization of Remote Access Trojans
- VinCSS
  - [RE016] Malware Analysis: ModiLoader
- VMRay
  - Malware Analysis Spotlight: Qbot’s Delivery Method
- Yoroi
  - New Quakbot Attack Campaigns
- Avinash Kumar and Aditya Sharma at Zscaler
  - Malware Leveraging XML-RPC Vulnerability to Exploit WordPress Sites
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR
  - AboutDFIR Content Update 9/16/2020
- AceLab
  - The New PCIe x16 SSD Adapter Is Now Available for Order!
- Bill Stearns at Active Countermeasures
  - Improving Packet Capture Performance – 3 of 3
- Marco Fontani at Amped
  - Amped FIVE’s Histogram Tool: A Simple And Effective Way to Guide Your Enhancement!
- Yulia Samoteykina at Atola
  - Screen cover for TaskForce
- Jason Alvarez at 0xBanana
  - Tribe Of Hackers Blue Team Edition
- John Gamble at Corelight
  - Meet the Corelight CTF tournament winners
- David Rowe at SecFrame
  - Create a Fully Loaded, Free Active Directory Lab in 15 Minutes
- Jimmy Schroering at DME Forensics
  - Development Methodologies at DME
- Forensic Focus
- Christa Miller at Forensic Horizons
  - How Complete is “Complete” When It Comes to Digital Evidence?
- Frank McGovern
  - Purchased Microsoft 365 E5, Now What?
- Hex-Rays
  - Igor’s tip of the week #07: IDA command-line options cheatsheet
- Howard Oakley at ‘The Eclectic Light Company’
- Lifars
  - Incident Response: Jumpbag
- Magnet Forensics
- nullteilerfrei
  - VMware for Homelab
- Brian Greunke at OpenSOC
  - Validation in Depth
- Patrick Siewert at Pro Digital Forensic Consulting
  - Digital Forensics: Adding Value To Title IX (Title 9) Cases
- Richard Frawley at ADF
  - Image Video Classification Entity Extraction Keyword Digital Forensics
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — September 13 to September 19
- SentinelOne
  - How Ransomware Attacks Are Threatening Our Critical Infrastructure
- Evan Sharenow at Trustwave
  - When Should Organizations Consider Digital Forensic Services?
- James Martens
  - Tsurugi Linux – First Impressions
SOFTWARE UPDATES
- iLEAPP
  - Tile, Discord, Files and iCloud metadata.
- AccessData
- Adam at Hexacorn
  - DeXRAY 2.21 update
- Ciphey
  - 4 new decoders + bug fixes
- KAPE 0.9.4.0
  - KAPE Changelog
- mac_apt
  - 20200917
- Microsoft
  - Windows Sysinternals
- Sophos
  - Sophos Endpoint Detection and Response now available for Macs
- X-Ways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!