Last weekly post of the year! I’m still planning an end of year wrap up post, and the podcast though so still a bit more work to do 🙂

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Marco Fontani at Amped
  How to Use Amped Authenticate Video PRNU to Check Whether a Video and Some Images Are From the Same Camera
  
  
• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  • How to boot an Encase (E01) image using VirtualBox
  • How to process recent Windows 10 memory dumps in Volatility 2
    
    
• Mark Spencer at Arsenal Recon
  Arsenal Image Mounter and Virtual Machine Inception
  
  
• Brim Security’s Knowledge Funnel
  What’s better than Brim and Zeek? Brim, Zeek and Suricata!
  
  
• Elcomsoft
  • iPhone Backups: Top 5 Default Passwords
  • NAS Forensics: QNAP Encryption Analysis
    
    
• Kevin Pagano at Stark 4N6
  Google Docs – Cello & DocList DBs
  
  
• Magnet Forensics Weekly CTF
  • Magnet CTF Week 10 – Network analysis in RAM
  • Magnet CTF Week 10: Time To Focus
  • Magnet Weekly CTF, Week 11 Solution Walk Through
  • Magnet Weekly CTF Challenge Week 11 Writeup – Killing Two Birds With One Stone
  • Magnet CTF Week 11: I Can’t Rekall How To Install Plugins
  • Magnet Weekly CTF (Week 11) – Warren’s Memory Part 3
  • Magnet Weekly CTF – Week 11
  • Magnet Forensics Weekly CTF #11
  • Magnet Weekly CTF Challenge Week 12
    
    
• Mattia Epifani at Zena Forensics
  A journey into IoT Forensics – Episode 2 – Analysis of an LG Television (aka thanks VTO Labs for sharing!)
  
  
• Peter Stewart
  Memlabs Memory Forensics Challenges – Lab 6 Write-up
  
  
• Rare Breed 4N6
  • REVIEW: Magnet Forensics – AX100 (OSP): Magnet AXIOM Forensic Fundamentals
  • REVIEW: Magnet Forensics – AX200 (OSP): Magnet AXIOM Examinations
    
    
• ThinkDFIR
  Metaspike CTF – Week 1 – “It’s legit, honest!”
  
  
• Pieces0310
  Mac上的USB存储设备使用痕迹在新版操作系统有所变化 – Pieces0310
  

THREAT INTELLIGENCE/HUNTING

• More Solarwinds stuff! Again, I haven’t gone through it all, but there’s a lot of people talking about it (unlike last week, where there were hardly any people, right?)
  • SolarWinds Security Advisory
  • SolarWinds Orion API authentication bypass allows remote command execution
  • BHIS & WWHF Present: | Discussing Implications of the SolarWinds Breach(es)
  • 70. Gone with the SolarWind
  • Responding to Solarigate
  • SUNBURST, TEARDROP and the NetSec New Normal
  • Best Practice: Identifying And Mitigating The Impact Of Sunburst
  • SolarWinds breach: Insights from the trenches (bonus incident response walkthroughs in description)
  • SUNBURST SolarWinds RECON – Malware Reverse Engineering, OSINT and Identifying Victims
  • Detecting SUNBURST/Solarigate activity in retrospect with Zeek – a practical example
  • Spy vs Spy: Thoughts on the SolarWinds Hack
  • The SolarWinds Breach and the Privilege Priority
  • Cybereason vs. SolarWinds Supply Chain Attack
  • Continuous Eruption: Further Analysis of the SolarWinds Supply Chain Incident
  • Responding to the SolarWinds Software Compromise in Industrial Environments
  • SUNBURST Additional Technical Details
  • Analysis of the SolarWinds Supply Chain Attack
  • Cybersecurity Mind Maps
  • After the SolarWinds Hack, Is SUNBURST Malware on Your Network? Find Out.
  • SUNBURST Malware and SolarWinds Supply Chain Compromise
  • Additional Analysis into the SUNBURST Backdoor
  • Check out @megabeets_’s tweet
  • December 21st, 2020 – Solorigate Resource Center
  • How A Cybersecurity Firm Uncovered The Massive Computer Hack
  • A Timeline Perspective of the SolarStorm Supply-Chain Attack
  • Sunburst Backdoor, Part III: DGA & Security Software
  • DNS Tunneling In The SolarWinds Supply Chain Attack
  • SolarWinds: What the Intelligence Tells Us
  • How we protect our users against the Sunburst backdoor
  • SolarWinds | Understanding & Detecting the SUPERNOVA Webshell Trojan
  • Solarwinds Sunbursts a Supernova: Early lessons learned
  • How SunBurst malware does defense evasion
  • SolarWinds Attacks: Stealthy Attackers Attempted To Evade Detection
  • (Telemetry & toolchains) vs. tradecraft: The SolarWinds hack from a strategic lens
  • The Hitchhiker’s Guide to SolarWinds Incident Response
    
    
• Anton Chuvakin
  New Paper: “Future of the SOC: SOC People — Skills, Not Tiers”
  
  
• Param Singh at Awake Security
  • Network Threat Hunting for Adversary Tactics, Techniques and Procedures
  • Network Threat Hunting to Defend the Broad Attack Surface
  • Network Threat Hunting for the Known Indicators of an Advanced Threat
  • A Network Threat Hunting Playbook for Advanced Attacks
    
    
• Brad Duncan at Malware Traffic Analysis
  • 2020-12-23 (Wednesday) – Quick post: recent Emotet activity
  • 2020-12-23 (Wednesday) – Quick post: Qakbot infection with spambot activity
    
    
• Certego
  Handling a destributed cryptominer AD worm
  
  
• CISA
  Sparrow
  
  
• DomainTools
  Increase the Visibility of Your Linux DNS Servers with Log Collection
  
  
• Etienne Maynie
  Analyzing Cobalt Strike for Fun and Profit
  
  
• HvS-Consulting
  Greetings from Lazarus: Anatomy of a cyber espionage campaign
  
  
• Microsoft Security
  Advice for incident responders on recovery from systemic identity compromises
  
  
• MII Cyber Security Consulting Services
  • 101 Use Case Creation Ideas
  • Thought on Analyzing Malicious Encrypted Traffic for Tracing the Adversaries Network Communication
    
    
• Matt Malone and Adam Pennington at MITRE ATT&CK
  Identifying UNC2452-Related Techniques for ATT&CK
  
  
• Red Team Tips
  A tale of .NET assemblies, cobalt strike size constraints, and reflection.
  
  
• Sygnia
  Detection and Hunting of Golden SAML Attack

UPCOMING EVENTS

• DFRWS APAC 2021
  DFRWS APAC 2021

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.30 – Mary Ellen Kennel
  
  
• Basis Technology
  • OSDFCon Webinar – Identify Malware on Compromised Files and URLs Using the PolySwarm Autopsy Plugin
  • Targeted Automation for Malware Analysis (OSDFCon Webinar)
    
    
• Black Hills Information Security
  BHIS | Talkin’ Bout News 2020-12-21
  
  
• Didier Stevens
  Inspecting Process Explorer Traffic With Fiddler
  
  
• Digital Forensic Survival Podcast
  DFSP # 253 – Network Triage Part 2
  
  
• Dr Ali Hadi
  • Investigating Windows Scheduled Tasks used by Ransomware
  • Download and Run LNK File
    
    
• Gerald Auger at Simply Cyber
  How to Level Up Your SOC Analyst Skill with Power Tool: Sigma
  
  
• Jason Nickola at ‘Trust Me I’m Certified’
  Persistence on the path to career breakthroughs with Jose Barrientos
  
  
• John Hubbard at SecHubb
  • 12 Days of Defense – Day 9: How to Analyze HTTP Traffic in Wireshark
  • 12 Days of Defense – Day 10: How to Analyze HTTP/2 Traffic in Wireshark
  • 12 Days of Defense – Day 11: Prioritizing Detection with MITRE ATT&CK Navigator
  • 12 Days of Defense – Day 12: Should I Get A SOC/Cyber Defense Job?
    
    
• Sumuri
  SUMURI Gives Back 2020 Winner | Forensic Workstation Giveaway

MALWARE

• Dissecting Malware
  Between a rock and a hard place – Exploring Mount Locker Ransomware
  
  
• Cyber Geeks
  Analyzing APT19 malware using a step-by-step method
  
  
• Cybereason
  • Cybereason vs. Clop Ransomware
  • Amazon Gift Card Offer Serves Up Dridex Banking Trojan
    
    
• Josh Stroschein
  Maldocs Analysis Exercise – Living Off The Land with Powershell
  
  
• Kyle Cucci at SecurityLiterate
  “VBoxCloak” – Hiding VirtualBox from Malware
  
  
• Malwarebytes Labs
  Emotet returns just in time for Christmas
  
  
• SANS Internet Storm Center
  • Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working, (Sun, Dec 20th)
  • Malware Victim Selection Through WiFi Identification, (Tue, Dec 22nd)
  • What’s the deal with openportstats.com?, (Mon, Dec 21st)
  • Analysis Dridex Dropper, IoC extraction (guest diary), (Wed, Dec 23rd)
  • Malicious Word Document Delivering an Octopus Backdoor, (Thu, Dec 24th)
  • base64dump.py Supported Encodings, (Sat, Dec 26th)
  • Quickie: String Analysis & Maldocs, (Fri, Dec 25th)
    
    
• Seongsu Park at Securelist
  Lazarus covets COVID-19-related intelligence
  
  
• The Citizen Lab
  The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit
  
  
• Cyberint
  Trickbot Malware-as-a-service
  
  
• VinCSS
  • [RE017-3] Phân tích kỹ thuật dòng mã độc mới được sử dụng để tấn công chuỗi cung ứng nhắm vào Ban Cơ yếu Chính phủ Việt Nam của nhóm tin tặc Panda Trung Quốc (Phần 3)
  • [RE018-2] Analyzing new malware of China Panda hacker group used to attack supply chain against Vietnam Government Certification Authority – Part 2
    
    
• ZecOps
  Remote iOS Attacks Targeting Journalists: More Than One Threat Actor?

MISCELLANEOUS

• Brett Shavers at DFIR Training
  From DFIR Training, Happy Holidays!
  
  
• Jon Munshaw at Cisco’s Talos
  2020: The year in malware
  
  
• Forensic Focus
  The New NVIDIA RTX 3080 Has Double The Number Of CUDA Cores, But Is There A 2x Performance Gain?
  
  
• Henri Nurmi at F-secure
  Sniff, there leaks my BitLocker key
  
  
• Jase IT
  How to Install Volatility 2.6 in Kali 2020.4
  
  
• Matthew D Green
  Check out @matthew_d_green’s tweet
  
  
• Nextron Systems
  New Features: Progress Bar and HTML Report Filter Functions
  
  
• Oxygen Forensics
  2020 in Review: A Highlight of our Year
  
  
• Brian Greunke and Bob Drobish at Recon InfoSec
  The Training Secrets of Great Security Operations Teams
  
  
• Richard Frawley at ADF
  Dropbox Forensics for iOS Cloud Storage Capture | Smartphone Forensics
  
  
• Signal v Cellebrite
  • Moxie at Signal
    No, Cellebrite cannot ‘break Signal encryption.’
  • Mattia Epifani
    Check out @mattiaep’s tweet
  • Shahar Tal
    Check out @jifa’s tweet
    
    
• Velocidex
  Slack and Velociraptor
  
  
• VMware Carbon Black
  Enterprise EDR Expands New Linux Coverage to SUSE, OpenSUSE, Ubuntu, Oracle & Amazon Linux

SOFTWARE UPDATES

• Brim
  v0.21.1
  
  
• Didier Stevens
  • Update: translate.py Version 2.5.11
  • Update: cut-bytes.py Version 0.0.13
  • Video: Using number-to-strings.py To Analyze FireEye Maldocs
  • Update: byte-stats.py Version 0.0.8
  • Update: zipdump.py Version 0.0.21
  • Update: base64dump.py Version 0.0.13
  • Update: 1768.py Version 0.0.4
    
    
• KAPE
  0.9.6.0 2020-12-21
  
  
• Eric Zimmerman
  ChangeLog
  
  
• ExifTool
  ExifTool 12.13
  
  
• MISP
  MISP 2.4.135 released (galaxy 2.0)
  
  
• MobilEdit
  MOBILedit Forensic Express 7.3.1 released!
  
  
• Oxygen Forensics
  Oxygen Forensic Detective 13.2
  
  
• radare2
  r2-5.0.0 – phoenix bins
  
  
• Security Onion
  • Security Onion 16.04.7.2 ISO image now available featuring Zeek 3.0.11, Suricata 5.0.5, Snort 2.9.17.0, Elastic 7.9.3, and more!
  • Security Onion 2.3.21 now available!
    
    
• TheHive Project
  Xmas Release: TheHive 4.0.3
  
  
• Velociraptor
  Release 0.5.4
  
  
• Xways
  X-Ways Forensics 20.1

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!