FOR308 is now available OnDemand, read more about it here!

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  Mobile forensics: how to identify suspect network traffic
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  iPhone Pictures
  
  
• Tegan Parsons at First Response
  The evidence shows that…
  
  
• Vishva Vaghela at Hacking Articles
  Comprehensive Guide on Autopsy Tool (Windows)
  
  
• Magnet Forensics Weekly CTF
  • MAGNET WEEKLY CTF CHALLENGE WEEK 11
  • Magnet Weekly CTF: Week 10 Solution Walk Through
  • Magnet Weekly CTF Challenge Week 10 Writeup
  • Magnet Forensics Weekly CTF #10
  • Magnet CTF Week 9: ReMEMORYing How To Do This
  • MAGNET WEEKLY CTF #9
  • Magnet Weekly CTF (Week 10) – Warren’s Memory Redux
  • Week 9 – Magnet Weekly CTF
  • Magnet Weekly CTF – Week 10
    
    
• Mattia Epifani at Zena Forensics
  A journey into IoT Forensics – Episode 1 – Analysis of a Samsung Refrigerator (aka thanks VTO Labs for sharing!)
  
  
• MII Cyber Security Consulting Services
  • Blue Team CTF Competition We’ve Done in 2020
  • Timeline Incident on Digital Forensic Analysis
  • Data Exfiltration Using Google Drive — Forensic Investigation
    
    
• Oxygen Forensics
  Apple iOS file system extraction via checkm8
  
  
• Mobile_DFIR
  Deep Dive into CamScanner — Android
  
  
• Teri Radichel
  What is Packet Sniffing?
  
  
• Iria Piyo
  ChromeのMedia Historyについて

THREAT INTELLIGENCE/HUNTING

• Solarwinds was compromised, not many people are talking about it though…
  • SolarWinds Update on Security Vulnerability
  • Detecting Sunburst (AKA the SolarWinds Compromise) With RITA and AI-Hunter
  • FireEye, SolarWinds Hacks Show that Detection is Key to Solid Defense
  • Detecting Supply Chain Threats like SolarWinds / Sunburst
  • SolarWinds Post-Compromise Hunting with Azure Sentinel
  • SUNBURST Back Door knocking on the World’s Front Door
  • Assessing Internet-wide Exposure to the SolarWinds Compromise
  • Using Censys Search to Identify SolarWinds Orion Associated Infrastructure
  • Threat Advisory: SolarWinds supply chain attack
  • SUNBURST SolarWinds Malware – Tools, Tactics and Methods to get you started with Reverse Engineering
  • 2020-12-13 SUNBURST SolarWinds Backdoor samples
  • Finding SUNBURST Backdoor with Zeek Logs & Corelight
  • The SolarWinds Supply Chain Attack and the Limits of Cyber Hygiene
  • Reflections on the recent SolarWinds breach
  • What Do I Need to Know About the SolarWinds Attack?
  • SunBurst Trojan -What You Need to Know
  • Elastic Security provides free and open protections for SUNBURST
  • The SolarWinds Orion breach: 6 ideas on what to do next and why
  • Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise
    Multiple Global Victims With SUNBURST Backdoor
  • SUPERNOVA SolarWinds .NET Webshell Analysis
  • Rapid Response: Supply Chain Exploitation of SolarWinds Orion Software
  • FireEye and SolarWinds Breaches Q&A with Senior SOC Analyst Tony Robinson
  • Security Advisory Regarding SolarWinds Supply Chain Compromise
  • SolarWinds Hack Explained | Lucideus
  • SolarWinds advanced cyberattack: What happened and what to do now
  • Additional Analysis into the SUNBURST Backdoor
  • Ensuring customers are protected from Solorigate
  • Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
  • Customer Guidance on Recent Nation-State Cyber Attacks
  • Reassembling Victim Domain Fragments from SUNBURST DNS
  • Netskope Threat Coverage: SUNBURST & FireEye Red Team (Offensive Security) Tools
  • Threat Brief: SolarStorm and SUNBURST Customer Coverage
  • Palo Alto Networks Rapid Response: Navigating the SolarStorm Attack
  • SUPERNOVA: SolarStorm’s Novel .NET Webshell
  • Sunburst Backdoor, Part II: DGA & The List of Victims
  • Sunburst Backdoor: A Deeper Look Into The SolarWinds’ Supply Chain Malware
  • FireEye Hack Turns into a Global Supply Chain Attack
  • SolarWinds SUNBURST Backdoor Supply Chain Attack: What You Need to Know
  • A SecDevOps Perspective on SUNBURST
  • It is the first disclosure of the target of the recruitment: SolarWinds supply chain attack related domain name generation algorithm can be cracked!
  • SunBurst: the next level of stealth
  • SANS Emergency Webcast:  What you need to know about the SolarWinds Supply-Chain Attack
  • What You Need to Know About the SolarWinds Supply-Chain Attack
  • SolarWinds Breach Used to Infiltrate Customer Networks (Solarigate), (Mon, Dec 14th)
  • DNS Logs in Public Clouds, (Wed, Dec 16th)
  • Sunburst: connecting the dots in the DNS requests
  • Solarwinds Supply Chain Attack
  • SolarWinds SUNBURST Backdoor: Inside the APT Campaign
  • Incident response playbook for responding to SolarWinds Orion compromise
  • SolarWinds breach: how to identify if you have been affected
  • Using Splunk to Detect Sunburst Backdoor
  • Sunburst: Supply Chain Attack Targets SolarWinds Users
  • Solorigate: SolarWinds Orion Platform Contained a Backdoor Since March 2020 (SUNBURST)
  • SolarWinds Hack: Retrospective Part 1
  • SolarWinds Hack: Retrospective Part 2
  • SolarWinds Hack: Retrospective Part 3
  • US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor
  • SolarWinds Supply Chain Attack
  • Uh oh, Orion.
  • Overview of Recent Sunburst Targeted Attacks
  • SolarWinds Orion and UNC2452 – Summary and Recommendations
  • SolarWinds Backdoor (Sunburst) Incident Response Playbook
  • Trustwave’s Action Response To the FireEye Data Breach & SolarWinds Orion Compromise
  • Dark Halo Leverages SolarWinds Compromise to Breach Organizations
  • Responding to the SolarWinds Breach: Detect, Prevent, and Remediate the Dark Halo Supply Chain Attack
  • Zscaler Coverage For FireEye Red Team Tools – SolarWinds update
  • Zscaler Coverage for SolarWinds Cyberattacks and FireEye Red Team Tools Theft
  • Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
    
    
• 3CORESec
  Detection as Code (DaC) challenges, automation, maintenance and SIEGMA
  
  
• Azure Sentinel
  • What’s new: Improvements to the Log Analytics Agent
  • Microsoft Cloud App Security (MCAS) Activity Log in Azure Sentinel
    
    
• Belkasoft
  Whitepaper: Uncovering Lateral Movement with Belkasoft Evidence Center X
  
  
• Brad Duncan at Malware Traffic Analysis
  2020-12-14 – Quick post: Hancitor infection with Cobalt Strike and Ficker Stealer
  
  
• ClearSky Research Team
  Pay2Kitten – Fox Kitten 2
  
  
• David Bisson at Cybereason
  Molerats APT: New Malware and Techniques in Middle East Espionage Campaign
  
  
• Darktrace
  ZeroLogon exploit detected within 24 hours of vulnerability notice
  
  
• Elastic
  • How to bring Jupyter Notebook visualizations to Kibana dashboards with Vega
  • Combining supervised and unsupervised machine learning for DGA detection
    
    
• Expel
  How to investigate like an Expel analyst: The Expel Workbench managed alert process
  
  
• Henri Hambartsumyan at Falcon Force
  FalconFriday — Catching more macros— 0xFF0A
  
  
• HvS-Consulting AG
  Greetings from Lazarus
  
  
• Intel 471
  • More annoying than crippling: Joker’s Stash takedown is temporary
  • TA505’s modified loader means new attack campaign could be coming
    
    
• Jonny Johnson
  Check out @Jsecurity101’s tweet
  
  
• Mike Vizard at Barracuda
  MountLocker ransomware illustrates how attacks are evolving
  
  
• Luatix
  Your Cyber Threat Intelligence Knowledge in a Magic Box
  
  
• Pieter Arntz at Malwarebytes Labs
  Threat profile: Egregor ransomware is making a name for itself
  
  
• National Security Agency
  NSA Cybersecurity Advisory: Malicious Actors Abuse Authentication Mechanisms to Access Cloud Resources
  
  
• Mike Wetherbee and Carol Hildebrand at Netscout
  Threat Actors Target Remote Learning During COVID-19
  
  
• Pat at pat_h/to/file
  Experimenting with ELAM, PPL, and Threat-Intelligence
  
  
• RiskIQ
  Skimming a Little Off the Top: ‘Meyhod’ Skimmer Hits Hair Loss Specialists
  
  
• Joe Levy at Sophos
  Sharing Threat Intelligence Gives Defenders an Edge
  
  
• Cesar Anjos at Sucuri
  Why You Should Monitor Your Website
  
  
• The DFIR Report
  Defender Control
  
  
• Trend Micro
  • Egregor Ransomware Launches String of High-Profile Attacks to End 2020
  • Backdoors Are Hard to Spot, But Not Who Is Using ThemWho is the Threat Actor Behind Operation Earth Kitsune?
    
    

UPCOMING EVENTS

• Magnet Forensics
  • December 22 2:00PM KST: Android 애플리케이션 아티팩트 및 분석
  • January 6 8:00AM ET: Reverse Engineering Android for Examiners, An Introduction
  • January 7 11:00AM ET: Tips & Tricks // Recovering and Analyzing Deleted Data in AXIOM
    
    

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.29 – Richard Davis
  
  
• Kevin Ripa at SANS
  • Episode 151: Story Time 3
  • Episode 152: Apple Acquisition – Non T2 Security Chip
  • Episode 153: Apple Acquisition – T2 Security Chip
    
    
• Black Hat
  • With the Evolving Threat Landscape, How Does Reveal(x) Address Talent Shortages?
  • Turning the Tide: How to Gain Against An Elusive Adversary
    
    
• Black Hills Information Security
  • Talkin’ About Infosec News – 12/14/2020
  • Talkin’ About Infosec News – 12/11/2020
    
    
• Breaking Badness podcast
  Voices from Infosec with Olga Jilani
  
  
• Bret Witt
  • SOC101 EventID: 27 (Phishing Mail Detected) [Oct. 29, 2020, 7:25 p.m.]
  • SOC102 EventID 26 (Proxy – Suspicious URL Detected)
  • SOC105 EventID: 28 (Requested T.I. URL address) [Oct. 29, 2020, 7:34 p.m.]
  • SOC103 EventID: 33 (Malicious APK Detected) [Dec. 1, 2020, 3:12 a.m.]
  • SOC102 EventID: 32 (Proxy – Suspicious URL Detected) [Dec. 1, 2020, 5:50 a.m.]
    
    
• Cellebrite
  Deep Carving for SQLite enhances your view of deleted data that may exist in databases.
  
  
• Allie Mellen at Cybereason
  Ever Evolving: Jake Williams on Running an Infosec Consultancy Remotely
  
  
• Digital Forensic Survival Podcast
  DFSP # 252 – Werfault
  
  
• John Hubbard at SecHubb
  • 12 Days of Defense – Day 4: How to Analyze Email Headers and How Spoofed Email Works
  • 12 Days of Defense – Day 5: How Windows Security Logging Works
  • 12 Day of Defense – Day 6: How DNS over HTTPS (DoH) Works / DNS Privacy
  • 12 Days of Defense – Day 7: Detecting Malware Without TLS Decryption / TLSv1.2 vs TLS1.3
  • 12 Days of Defense – Day 8: How Encrypted SNI works (and How It Will Blind Your Security Team)
    
    
• KringleCon 2020
  KringleCon 2020
  
  
• Magnet Forensics
  • All Your Case Data in Magnet AXIOM: Computer
  • Using Optical Character Recognition (OCR) with AXIOM 4.8 & AXIOM Cyber 4.8
  • Using the Geolocation Data Filter in Magnet AXIOM & AXIOM Cyber
  • New in Magnet AXIOM 4.8: Optical Character Recognition and Facebook Comments Support
  • New in AXIOM Cyber 4.8: Off-Network Collection & Run AXIOM Cyber in AWS
  • How to Perform Off Network Collections with AXIOM Cyber
  • Deploying AXIOM Cyber to an AWS EC2 Instance
    
    
• Richard Davis at 13Cubed
  Hashcat for Forensics – How Did They Get In?
  
  
• SANS
  • Behind The Scenes Of Law Enforcement And Private Industry Cooperation | STAR Webcast
  • SANS Security Awareness – Secure the Holidays
    
    

MALWARE

• 0xthreatintel
  • Cerberus Malware Internals
  • Reversing Conti Ransomware
  • Reversing APT Tool : SManager
  • Reversing APT-28 64-bit Keylogger [Zebrocy Nim] [ TLP: White ]
    
    
• BushidoToken
  Analysis of ‘Meyhod’ JavaScript Web Skimmers
  
  
• Chuong Dong
  Conti Ransomware v2
  
  
• Andrea Marcelli and Holger Unterbrink at Cisco’s Talos
  Talos tools of the trade
  
  
• Click All the Things!
  Snake/404 Keylogger, BIFF, and Covering Tracks?: An unusual maldoc
  
  
• Alan Ross at Forcepoint
  Indicators of Behavior (IOBs) – With 2020 Vision
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #20: Going places
  
  
• Hiroki Hada at NTT Security
  Panda’s New Arsenal: Part 3 Smanager
  
  
• Johannes Bader
  Next Version of the Bazar Loader DGA
  
  
• Musings of a cat torturer
  CAPE Sandbox With Wireguard VPN Tunnels
  
  
• Palo Alto Networks
  PyMICROPSIA: New Information-Stealing Trojan from AridViper
  
  
• Suleyman Ozarslan at Picus Security
  Tactics, Techniques and Procedures of FireEye Red Team Tools
  
  
• Didier Stevens at SANS Internet Storm Center
  Analyzing FireEye Maldocs, (Tue, Dec 15th)
  
  
• Kasif Dekel at SentinelLabs
  Introducing SentinelOne’s Ghidra Plugin for VirusTotal
  
  
• Sophos
  • Ransomware operators use SystemBC RAT as off-the-shelf Tor backdoor
  • Fishy French COVID contact tracing app is a data thief pest
    
    
• Cyberint
  Phishing for OTP
  
  
• Trend Micro
  • Credential Stealer Targets US, Canadian Bank Customers
  • TeamTNT Now Deploying DDoS-Capable IRC Bot TNTbotinger
    
    
• VinCSS
  • [RE017-1] Phân tích kỹ thuật dòng mã độc mới có nhiều dấu hiệu liên quan tới nhóm tin tặc Panda (Phần 1)
  • [RE017-2] Phân tích kỹ thuật dòng mã độc mới được sử dụng để tấn công chuỗi cung ứng nhắm vào Ban Cơ yếu Chính phủ Việt Nam của nhóm tin tặc Panda Trung Quốc (Phần 2)
  • [RE018-1] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority – Part 1
    
    
• VMRay
  Malware Analysis Spotlight – Hentai Oniichan Ransomware (Berserker Variant)
  
  
• WMC Global
  Kr3pto Puppeteer Kits: Dynamic Phishing Kit Targeting UK Banking Customers
  
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  • Introducing AboutDFIR’s MFT Explorer/MFTECmd Guide
  • AboutDFIR Content Update 12/18/2020
    
    
• Belkasoft
  How to analyze different types of devices and find connections between them
  
  
• Brett Shavers
  White Paper: The Susceptibility of Interconnected Devices in a Global Concept as Surveillance Affects the Consumer-user
  
  
• Cyber Forensicator
  PC3000 Portable III in Digital Forensics
  
  
• Didier Stevens
  Decrypting TLS Streams With Wireshark: Part 1
  
  
• Garry Dukes at DME Forensics
  Feature Fridays – Clip Lists
  
  
• Elcomsoft
  • Recovering Screen Time Passwords
  • Breaking Passwords with NVIDIA RTX 3080 and 3090
  • New Privacy Features: iOS 14.0 through 14.3
    
    
• Forensic Focus
  • How To Use Nuix Promote To Discover
  • Marco Fontani, R&D Engineer, Amped Software
  • What the Tech? FTK Features That Might Surprise You
  • Leveraging Cloud Computing Provision To Solve Problems In Digital Forensics
  • DVRConv Now With New Video Formats, Codec Variations And Increased Date/Time Decoding
    
    
• Jorge Orchilles at Scythe
  SCYTHE Presents: No Rest for the Weary: Breaches are Inevitable
  
  
• Koen Van Impe
  Difference between MISP REST API search for events and attributes
  
  
• Magnet Forensics
  • Harnessing the Cloud to Collect Off-Network Endpoints using AXIOM Cyber
  • Three Reasons to License AXIOM Cyber in the Cloud
  • Using the Geolocation Data Filter in Magnet AXIOM & AXIOM Cyber
  • Using Optical Character Recognition (OCR) with AXIOM 4.8 & AXIOM Cyber 4.8
    
    
• Marco Fontani at Amped
  Learn How to Create Your Own Amped FIVE Assistant Scripts, It’s a Game Changer!
  
  
• MuSecTech
  AChoirX – Why?  Part II
  
  
• Paraben Corporation
  Interview by Safety Detectives
  
  
• Passware
  The new NVIDIA RTX 3080 has double the number of CUDA cores, but is there a 2x performance gain?
  
  
• Patrick Siewert at Pro Digital Forensic Consulting
  Keys to Success in Digital Forensics Series:  Knowing the Justice System
  
  
• Rare Breed 4N6
  • 404 Error: Blog Not Found
  • REVIEW: NW3C – DF100: Basic Digital Forensic Analysis
  • REVIEW:  NW3C – DF201: Intermediate Digital Forensic Analysis
  • REVIEW: Magnet Forensics – AX301: Magnet AXIOM + GrayKey Examinations
  • REVIEW: Magnet Certified Forensic Examiner
    
    
• Richard Frawley at ADF
  Using Regular Expressions to Speed Digital Forensic Investigations
  
  
• SANS
  • SANS Cybersecurity Leadership Curriculum
  • Cybersecurity Leadership Triads
    
    
• Xavier Mertens at /dev/random
  pfSense Firewall Configuration Audit with pfAudit
  
  

SOFTWARE UPDATES

• Amped
  Amped Authenticate Update 19348: PRNU Camera Identification and Tampering Detection for Video, and Much More!
  
  
• Brim
  v0.21.0
  
  
• Didier Stevens
  Update: strings.py Version 0.0.6
  
  
• Elcomsoft
  Elcomsoft breaks BestCrypt containers, supports NVIDIA Ampere cards
  
  
• KAPE
  0.9.6.0 2020-12-21
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Intezer
  8 Reasons to Try Intezer Protect Community Edition
  
  
• Magnet Forensics
  Get Off-Network Collection & Run AXIOM Cyber 4.8 in AWS Along With OCR and Facebook Comments Support in AXIOM & AXIOM Cyber 4.8
  
  
• MSAB
  New release: XRY 9.3, XAMN 5.3 and XEC 6.2
  
  
• Nextron Systems
  • THOR 10 Legacy for Windows XP and Windows 2003
  • Performance Refactoring in THOR v10.5.9 and THOR TechPreview v10.6.2
    
    
• Oxygen Forensics
  Oxygen Forensic® Detective v.13.2
  
  
• Passware
  Passware Kit 2021 v1 Now Available
  
  
• IsoBuster
  IsoBuster 4.7 released
  
  
• Xways
  • X-Ways Forensics 19.9 SR-12
  • X-Ways Forensics 20.0 SR-9
  • X-Ways Forensics 20.1 Beta 4b
    
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!