As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  - OSX Forensics: a brief selection of useful tools
- Shafik Punja guest post on Arsenal Recon
  - Arsenal Image Mounter (AIM) Walkthrough
- Atropos4n6
  - How to use Partition%4DiagnosticParser
- Bryan Ambrose at Data Digitally
  - Apple Pattern of Life Lazy Output’er (APOLLO) on Windows
- Heather Mahalik at Cellebrite
  - Navigating The Analyzed Data Modal In Physical Analyzer
- Christiaan Beek
  - Looking at LockerGoga Ransomware in Memory
- Elcomsoft
- Dr. Ali Hadi at Forensic Focus
  - A Linux Forensics Starter Case Study
- Magnet Forensics Weekly CTF
- Marco Fontani at Amped
  - Discover the Power of the Amped FIVE Assistant With a Guided Example
- Oxygen Forensics
  - A New Extraction Method for Signal Messenger
- Ryan Benson
  - Check out @_RyanBenson’s Tweet
THREAT INTELLIGENCE/HUNTING
- FireEye data breach
  - Unauthorized Access of FireEye Red Team Tools
  - FireEye Breach Detection Guidance
  - FireEye Red Team Tool Breach
  - Security Advisory Regarding the Recent FireEye Breach Reports
  - FalconFriday — Teams RCE & FireEye tools — 0xFF09
  - Implement FireEye’s List of CVEs and Detections with RiskIQ Attack Surface Intelligence
  - FireEye Breached: Taking Action and Staying Protected
  - Malwarebytes detects leaked tools from FireEye breach
  - Threat Brief: FireEye Red Team Tool Breach
  - Writing Yara Rules for Fun and Profit: Notes from the FireEye Breach Countermeasures, (Thu, Dec 10th)
  - Reassuring Sophos customers following the theft of Mandiant/FireEye tools
  - Trustwave’s Action Response To the FireEye Data Breach
- 360 Core Security
  - Domestic Kitten group (APT-C-50) surveillance activity targeting anti-government groups in the Middle East
- Arch Cloud Labs
  - DLL Hijacking for Persistence – SteelSeries Engine
- Luigino Camastra and Igor Morgenstern at Avast Threat Labs
  - APT Group Targeting Governmental Agencies in East Asia
- Azure Sentinel
- Brad Duncan at Malware Traffic Analysis
- Nils Kuhnert at Censys
  - Advanced Persistent Infrastructure Tracking
- Cisco’s Talos
- Elastic
- Intel 471
  - No pandas, just people: The current state of China’s cybercrime underground
- Jaron Bradley at Objective-See
  - Detecting SSH Activity via Process Monitoring
- Sean Sun and Jorge Orchilles at Scythe
  - SCYTHE Presents: #ThreatThursday – FIN6 Phase 2
- Koto Kino at JPCERT/CC
  - Attack Activities by Quasar Family
- LIFARS Cybersecurity
  - Applying MITRE ATT&CK and Shield Frameworks in the Real-World
- Marco Ramilli
  - Malware Delivery Platforms in 2020
- Microsoft Security
- National Security Agency
  - Russian State-Sponsored Malicious Cyber Actors Exploit Known Vulnerability in Virtual Workspaces
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, October 2020
- Matt Graeber at Red Canary
  - The why, what, and how of threat research
- Jonathan Kirby at SANS
  - See What You Want to See
- Matt Hand at SpecterOps
  - Adventures in Dynamic Evasion
- Joe at Stranded on Pylos
  - Terrorism or Information Operation?
- Strategic Cyber
  - A Red Teamer Plays with JARM
- Michael Rothschild at Tenable
  - Industrial Attack Vectors: How to Shut Down OT Threats Before An Incident Occurs
- Cyberint
  - Ryuk Crypto-Ransomware
- Oddvar Moe at TrustedSec
  - 4 Free Easy Wins That Make Red Teams Harder
- Mike Cohen at Velocidex
  - Velociraptor and OSQuery
UPCOMING EVENTS
- AusCERT2021
  - AusCERT2021 CFP
- Santosh Khadsare
  - Digital Forensics Sub-Summit | NASSCOM-DSCI Annual Information Security Summit 2020 | Virtual Summit
PRESENTATIONS/PODCASTS
- Kevin Ripa at SANS
- Cache Up with Jessica Hyde
  - Magnet Forensics Presents: Cache Up – Ep.28 – Kathryn Hedley
- The Forensic Lunch with Dave Cowen and Matt Seyer
  - Forensic Lunch 12/11/20 Brian Kellogg
- Black Hills Information Security
  - BHIS | Talkin’ Bout News 2020-12-11
- Breaking Badness podcast
  - 69. It’s Not All Ransomware!
- Bret Witt
- Cellebrite
- Allie Mellen at Cybereason
  - Ever Evolving: Katie Nickels on Incident Response in a Remote World
- Digital Forensic Survival Podcast
  - DFSP # 251 – The Rise of Crypto SIM Swapping
- Gerald Auger at Simply Cyber
- Hasherezade
  - PE-sieve: an open-source scanner for hunting and unpacking malware (2019)
- John Hubbard at SecHubb
- Matthew Toussain
  - RedTeamFit | HackThePlanet
- OALabs
  - Malware Triage Analyzing PrnLoader Used To Drop Emotet
- SANS
  - Making Order out of Chaos: How to Deal with Threat Group Names | STAR Webcast
  - When your forensic tool only tells part of the story: finding code injection using memory analysis
  - Quick DFIR tools for incident response and threat hunting
  - SANS Security Awareness – Protect Yourself When Online Shopping
- Virus Bulletin
  - VB2020 presentation & paper: 2030: backcasting the potential rise and fall of cyber threat intelligence
MALWARE
- 0xthreatintel
- James Quinn at Binary Defense
  - Qakbot Upgrades to Stealthier Persistence Method
- Cybereason
- Robert Neumann at Forcepoint
  - Part 2 – The Ghost of Ransomware Yet To Come
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #19: Function calls
- Joakim Kennedy at Intezer
  - A Zebra in Gopher’s Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy
- Josh Stroschein
  - Maldocs Analysis Exercise – Living Off The Land with Powershell
- Linkcabin
  - Malware Analysis: Stealer – RC4, C2 emulation, dump HTTP POST (Part 3)
- Herbie Zimmerman at “Lost in Security”
  - 2020-12-08 Hancitor Malspam
- Palo Alto Networks
- Proofpoint
  - Commodity .NET Packers use Embedded Images to Hide Payloads
- Karlo Zanki at ReversingLabs
  - Rana Android Malware
- SANS Internet Storm Center
- Sean Gallagher at Sophos
  - Egregor ransomware: Maze’s heir apparent
- Trend Micro
- Karl Hiramoto at VirusTotal
  - VirusTotal Multisandbox += Sangfor ZSand
- VMRay
  - VMRay Platform v4.1.0 Release Highlights
- Mathieu Tartare at WeLiveSecurity
  - Operation StealthyTrident: corporate software under attack
MISCELLANEOUS
- SANS
  - Holiday Hack Challenge
- Olga Milishenko at Atola
  - The importance of ECC RAM in forensic imagers
- Brett Shavers at DFIR Training
  - The DFIR Bookshare Challenge Continues..
- DME Forensics
  - Product Development
- Forensic Focus
  - How To Use Nuix Enterprise Collection Center For Targeted File Collections
  - Webinar: More Than A Makeover: MacQuisition Is Now Digital Collector
  - Apple iOS File System Extraction Via Checkm8 In Oxygen Forensic Detective
  - Community In Collaboration: The Scientific Working Group On Digital Evidence
  - How To Use The Categories Filter In XAMN
  - Forensic Focus Legal Update December 2020: Refining Search & Seizure; New Laws & Guidance
- Troy Bowman at Hex Rays
  - IDA Pro on Apple Silicon
- Ronnie at “I Heart Malware”
  - BEC Response Guide — Tips for Responding to Business Email Compromise Incidents
- Magnet Forensics
- MantaRay Forensics
  - VirusShare Hash Sets 2020 Q4
- Richard Frawley at ADF
  - Organizing the Records View for Faster Forensic Investigations | DFIR
- Robert M. Lee
  - What a Record Setting Investment into the ICS/OT Cybersecurity Market Means to Me
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — December 6 to December 12
- SANS
- Jason Schorr
- Brett Shavers at X-Ways Forensics Practitioner’s Guide/2E
  - THE BOOK IS GETTING CLOSER!
SOFTWARE UPDATES
- Acelab
  - The new versions of PC-3000 Portable/Express/UDMA Ver. 6.8.8, Data Extractor / Data Extractor RAID Edition Ver. 5.11.5, PC-3000 SSD / PC-3000 SSD Extended Ver. 2.9.5 are available!
- Didier Stevens
- Eric Zimmerman
  - ChangeLog
- Griffeye
  - Release of Analyze 20.4
- RawSec
  - evtmon
- Regipy
  - 1.8.0: Merge pull request #117 from mkorman90/dedup
- SalvationData
- MemProcFS
  - Version 3.6
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!