As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
Abhiram Kumar: Intro to Linux memory forensics
Cellebrite
Chris Vance at ‘D20 Forensics’: iOS – Tracking Bundle IDs for Containers, Shared Containers, and Plugins
Craig Ball at ‘Ball in your Court’: The Case for Native, I Swear
Joshua James at Digital Forensic Science: Detecting manual clock modifications
James Smith at DFIR Madness: Case 001 Memory Analysis
John Lukach at Cloud 4n6ir
Josh Lemon: Forensically Analyzing ZIP & Compressed Files
Lorie Hermesdorf: ProtonMail on iOS
Maxim Suhanov: Exporting registry hives from a live system
NixIntel: DNS Records, QAnon, and How To Handle Uncertainty In OSINT
Oxygen Forensics: Let’s get Social!
Peter Stewart: DFA/CCSC Spring 2020 CTF – Apple iOS Forensics with iLEAPP
THREAT INTELLIGENCE/HUNTING
Active Countermeasures: Malware of the Day – Backoff
Adam at Hexacorn: Samir is my hero aka colab on browserexport
Sujit Ghosal at Awake Security: Kerberoasting – Threat Hunting for Active Directory Attacks
Azure Sentinel:
- Understanding Microsoft Teams Data Schema in Azure Sentinel – Analyst / Researcher View
- Auditing Azure Sentinel activities
- Enriching Windows Security Events with Parameterized Function
- Analysing Web Shell Attacks with Azure Defender data in Azure Sentinel
- Analysing Web Shell Attacks with ASC data in Azure Sentinel
- Watching the Watchers: Monitoring Azure Sentinel Query Activity for Malicious Activity
- Exploiting MFA Inconsistencies on Microsoft Services
Blue Team Blog: Tips to improve your SIEM
Brad Duncan at Malware Traffic Analysis
BushidoToken: Analysing a Phishing C&C server
Itay Cohen and Eyal Itkin at Check Point Research: Graphology of an Exploit – Hunting for exploits by looking for the author’s fingerprints
Colin Hardy: Threat Hunting with Inquest Labs
CrowdStrike
Eric Ooi: Zeekurity Zen – Part VII: Zeek To Understand Encryption
Mike Burns at FireEye Threat Research: Detecting Microsoft 365 and Azure Active Directory Backdoors
Florian Roth: Ransomware Resistance
Adam Mashinchi at Scythe: SCYTHE Presents: #ThreatThursday – MAZE
Erez Turjeman at Barracuda: Threat Spotlight: New InterPlanetary Storm variant targeting IoT devices
Marco Ramilli: Tracking PhishingKits for Hunting APT Evolution
MITRE ATT&CK and Mandiant: In Pursuit of a Gestalt Visualization: Merging MITRE ATT&CK® for Enterprise and ICS to Communicate
Musings of a cat torturer: Steezy Yara Rule Generator
Nasreddine Bencherchali
Netscout: Latest NETSCOUT Threat Intelligence Report Shows How Cybercriminals Exploit a Pandemic
Henri Hambartsumyan at Falcon Force: The curious case of Realtek and LSASS
Paul Schnackenburg at 4sysops: Microsoft Cloud App Security
Proofpoint: Emotet Makes Timely Adoption of Political and Elections Lures
Red Canary
Redheadontherun: Detecting Port Scanning Activity
Securelist: Why master YARA: from routine to extreme threat hunting cases. Follow-up
Security Art Work
SentinelOne
StillzTech: Web shell hunting: Meet the web shell analyzer
Stranded on Pylos: Cyber Threat Intelligence and the Concept of the Political
Luke Leal at Sucuri: Backdoor Obfuscation: tempnam & URL Encoding
Symantec: Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors
Trustwave SpiderLabs
undev.ninja: Sysmon Internals – From File Delete Event to Kernel Code Execution
Zach Stanford
UPCOMING EVENTS
Cellebrite
Elan at DFIR Diva: DFIR Related Events for Beginners – October, 2020
OSDFCon: OSDFCon 2020 Agenda
Security Onion Conference: Security Onion Conference (SOC) 2020
PRESENTATIONS/PODCASTS
Cache Up with Jessica Hyde: Magnet Forensics Presents: Cache Up – Ep.18 – Mitch Kajzer
Kevin Ripa at SANS
The Forensic Lunch with Dave Cowen and Matt Seyer: Forensic Lunch 10/2/20
Archan Choudhury at BlackPerl: Understanding Windows Event Logs | Fix “Data is Invalid” Error | Windows Event Forensics – Part 1
AWS: AWS Digital Forensics Automation at Goldman Sachs – AWS Online Tech Talks
OSDFCon: Binee: Complete Emulation of Advanced Malware – OSDFCon 2019 – John Holowczak
Breaking Badness podcast: 61. Kirkland Signature
Cellebrite:
- Understanding Cellebrite Physical Analyzer’s Newest Features
- User Accounts
- Device Connections
- File Downloads
- Filtering
- Image Categorization
- Smart Indexing & Searching
- Windows Jump Lists
- Windows Last Executed Information
- Location Data
- Windows Master File Table
- Ask the Expert: New Features and UI in Physical Analyzer by Heather Mahalik
- Cellebrite UFED will guide you on how to set up a mobile phone. Follow them!
Detections Podcast: Season 3 Episode 3: Threat Hunting Thrillers
Joshua James at DFIR.Science:
- DFS101: 1.2 Intro to Cybercrime and Networks
- DFS101: 1.3 Cybersecurity and Cybercrime
- DFS101: 2.1 Cybersecurity
- DFS101: 2.2 How hackers hack
- DFS101: 2.3 How to secure a Windows computer
- DFS101: 2.4 How to secure a Linux computer
- DFS101: 3.1 Intro to Computers
- DFS101: 3.1 Intro to Computers II
- DFS101: 3.2 Introduction to Network Analysis
- DFS101: 3.3 Password attacks
- DFS101: 4.1 Basics of Cybercrime Investigation
- DFS101: 4.2 Digital Investigation Methods
- DFS101: 4.3 Electronic Evidence
- DFS101: 4.4 Documentation and Reporting for Digital Investigations
- DFS101: 5.1 Digital Investigation Definition
- DFS101: 5.2 Scientific Method in Digital Investigations
- DFS101: 5.3 Digital Investigation Procedure
Digital Forensic Survival Podcast
Lee Reiber’s Forensic Happy Hour: Oxygen Forensics Episode 129 – Life has no CTRL ALT DEL with Heather Mahalik
Nextron Systems: THOR Thunderstorm Showcase 1 – Agentless & Binary-Less Web Server Scanning
NTCore: 1-Minute Malicious VBA Deobfuscation
SANS Institute
The Cyber5: Episode 26: Appropriate Security Tools and Log Aggregation at Scale For Medium Size Enterprise
This Month In 4n6: This Month In 4n6 – September – 2020
MALWARE
Chris Neal at Cisco’s Talos: LodaRAT Update: Alive and Well
Didier Stevens: “Epic Manchego” And My Tools
Follow The White Rabbit
Igor Skochinsky at Hex-Rays: Igor’s tip of the week #09: Reanalysis
Paul Litvak at Intezer: VB2020 – Advanced Pasta Threat: Mapping Malware Use of Open Source Offensive Security Tools
Shusei Tomonaga at JPCERT/CC: BLINDINGCAN – Malware Used by Lazarus
Ashwin Vamshi at Netskope: Leaky Images: Accidental Exposure and Malware in Google Photos and Hangouts
Patrick Wardle at Objective-See: FinFisher Filleted
Süleyman Özarslan at Picus Security: The Most Used Persistence Technique by Adversaries: MITRE ATT&CK T1053 Scheduled Task/Job
fG!: The Finfisher Tales, Chapter 1: The dropper
SANS Internet Storm Center:
- Wireshark 3.2.7 Released, (Sun, Sep 27th)
- Decoding Corrupt BASE64 Strings, (Sun, Sep 27th)
- PowerShell Backdoor Launched from a ShellCode, (Mon, Sep 28th)
- Some Tyler Technologies Customers Targeted with The Installation of a Bomgar Client, (Mon, Sep 28th)
- Managing Remote Access for Partners & Contractors, (Tue, Sep 29th)
- IOC’s turning into IOOI’s, (Thu, Oct 1st)
- Scans for FPURL.xml: Reconnaissance or Not?, (Wed, Sep 30th)
- Making sense of Azure AD (AAD) activity logs, (Thu, Oct 1st)
- Analysis of a Phishing Kit, (Fri, Oct 2nd)
- Scanning for SOHO Routers, (Sat, Oct 3rd)
Juan Carlos David Paglinawan at Trend Micro: Cross-Platform, Modular Glupteba Malware Uses ManageX
Vishal Thakur: Grinju Downloader: Anti-analysis (on steroids) | Part 2
VMRay: Malware Analysis Spotlight: Formbook (September 2020)
Lukas Stefanko at WeLiveSecurity: APT‑C‑23 group evolves its Android spyware
Mohd Sadique and Atinderpal Singh at Zscaler: Spear Phishing Campaign Delivers Buer and Bazar Malware
MISCELLANEOUS
Andrew Rathbun at AboutDFIR: AboutDFIR Content Update 9/30/2020
Lori Tyler at AccessData: The evidence is overwhelming. Quin-C 7.4 isn’t.
Adrian at ‘Agood cloud’: Cylance Cybot
Marco Fontani at Amped: Handle With Care: Edit Project Files With a Text Editor
Brett Shavers at DFIR Training: Supporting DFIR.Training and getting STUFF!
Elcomsoft
Forensic Focus:
- On Demand Webinar: So Many Logs, So Little Time: Efficient Windows Event Log Analysis
- How To Use And Export Cloud Tokens With XRY
- Forensic Focus Legal Update September 2020: Evidence, Experts, And Due Diligence
- How To Expose Evidence Of Timestomping In Magnet AXIOM 4.4
- Nuix Investigate Power User Webinar
- Success Or Failure In A Murder Case Can Depend On Deleted Text Messages
- Register For Webinar: Best Strategies for Remote Collections of Computer, Mobile and Cloud Data
- 25 Days, 25 Questions: Part 1 – Process And Practice
Jon Baumann at Ciofeca Forensics: Sponsorship
Jorge Orchilles at Scythe: SCYTHE Presents: Defend Our Healthcare
Mike Cohen: Velociraptor Network Communications
Pauline Bourmeau at MISP: Create an import script for MISP, step-by-step tutorial
Wil Hernandez at MSAB: Fighting Child Exploitation with Digital Forensics
NIST: NIST Cybersecurity Practice Guide SP 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events
Passcovery: Passcovery announces a global update of its entire line of password recovery solutions with a new unified index – 20.09
Project Cyber: A chat with Ms. Heather Mahalik – SANS Instructor, Author, & Inspirational Changemaker!
Ryan Campbell at ‘Security Soup’: Weekly News Roundup – September 27 to October 3
SANS
SOFTWARE UPDATES
iLEAPP: iTunes backup support and more
Binalyze: Version 2.4.2
Acelab
ANSSI DFIR-ORC: v10.0.15
Atola: Atola TaskForce 2020.7.1 introduces RAID and connectivity features
Cellebrite: Cellebrite UFED and Cellebrite Responder Version 7.38 Now Available
Ciphey: More decoders + bug fixes
Apra: CobaltStrikeScan
Eric Zimmerman: ChangeLog
ExifTool: ExifTool 12.07
F-response: What is F-response Collect?
IntaForensics: Welcome to Lima 2.8 Release
SalvationData: [Software Update] Mobile Forensics: SPF Pro V6.106.23 New Version Release for Better User Experience!
X-Ways Forensics: X-Ways Forensics 20.1 Preview 6
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!