As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Jordan Drysdale at Black Hills Information Security
A Sysmon Event ID Breakdown
- Brian Maloney
Your AV is Trying to Tell You Something: Log Lines
- Deagler’s 4n6 Blog
An Android Casting (Device) Story: “cast.db”
- Kovar & Associates
  - Magnet Forensics Weekly CTF
- Maxim Suhanov
$STANDARD_INFORMATION vs. $FILE_NAME
- Patrick J. Siewert at ‘Pro Digital Forensic Consulting’
Cellebrite Reader: You Don’t Know What You’re Missing!
- Tristan Jenkinson
Metaspike Email Forensics CTF – More than one way to skin a cat…
- Yogesh Khatri at ‘Swift Forensics’
THREAT INTELLIGENCE/HUNTING
- Solarwinds stuff!
  - How to Detect & Protect Against the SUNBURST Backdoor
  - Security Advisory Regarding SolarWinds Supply Chain Compromise
  - Security Advisory Regarding the Recent FireEye Breach Reports
  - Finding Targeted SUNBURST Victims with pDNS
  - Update on SolarWinds Threat: Identity is the New Perimeter
  - SolarWinds: How a Rare DGA Helped Attacker Communications Fly Under the Radar
  - SolarWinds Orion API LFI
- 0xEvilC0de
Network Analysis with Arkime is now Live on Pluralsight!
- Adam at Hexacorn
aMus(ing)Notification
- Brian Carter and Vitali Kremez at Advanced Intelligence
Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
How to detect Cobalt Strike Beacons using Volatility
- Hesham Saad at Azure Sentinel
Azure Defender for IoT Raw-Data and ICS MITRE ATT&CK Matrix Mapping via Azure Sentinel
- Ben Bornholm at HoldMyBeer
Getting started with FleetDM v3.6.0
- Brad Duncan at Malware Traffic Analysis
- Brad Duncan at Palo Alto Networks
TA551: Email Attack Campaign Switches from Valak to IcedID
- BushidoToken
Analysis of the NetWire RAT campaign
- Check Point Research
- ClearSky Cyber Security
Operation ‘Kremlin’
- Ivan Buetler at Compass Security
.CH Zone Lookup Tool
- DomainTools
- Dragos
Self-Reflection Time: The OSINT Collection Risk Framework
- Henri Hambartsumyan at Falcon Force
The missing verclsid.exe documentation
- Gianni Castaldi at Kusto King
- Intezer
Proactive Hunting with Intezer
- Joel Rudman at Keysight
Are Network Packets really becoming increasingly difficult to collect?
- Marco Ramilli
C2 Traffic Patterns: Personal Notes
- Marcus LaFerrera at Splunk
A Golden SAML Journey: SolarWinds Continued
- Menasec
How to Design Abnormal Child Processes Rules without Telemetry
- Michael Haag
Malleable C2 Profiles and You
- Michael Koczwara
Awesome-CobaltStrike-Defence
- Steve Vandenberg at Microsoft Security
Privacy breaches: Using Microsoft 365 Advanced Audit and Advanced eDiscovery to minimize impact
- Arnold Osipov at Morphisec
The Evolution of the FIN7 JSSLoader
- Nextron Systems
THOR Process Memory Matches with Surrounding Strings
- Omri Segev Moyal at ProferoSec
APT27 Turns to Ransomware
- NCC Group
Pybeacon
- ReaQta
Leonardo S.p.A. Data Breach Analysis
- Eric Capuano at Recon InfoSec
Detecting Threats with Graylog Pipelines – Part 2
- Recorded Future
Adversary Infrastructure Report 2020: A Defender’s View
- Tony Lambert at Red Canary
Hunting for GetSystem in offensive security tools
- Mike Saunders at Red Siege Information Security
Threading the Needles: Why Defense in Depth Still Matters
- Sandfly Security
Investigating Linux Process File Descriptors for Incident Response and Forensics
- Sucuri
- Cyberint
Phishing for Lumens: A Stellar Stealing Campaign
- Flynn Weeks at What2Log
The Struggle is Real
- Trustwave SpiderLabs
- Vulnerability.CH
Introducing “Yara Scan Service” – Test Your Yara Rules Online
- Mohd Sadique and Pradeep Kulkarni at ZScaler
Ransomware Delivered Using RDP Brute-Force Attack
UPCOMING EVENTS
- AccessData
What the Tech? Using FTK Imager
- Belkasoft
Acquiring encrypted chat applications with Belkasoft X: Signal & WickrMe
- HTCIA
Hindsight is 20/20 – How a Community of Investigators Navigated 2020
- Kristian Lars Larsen at Data Narro
The List of (Mostly Virtual) eDiscovery Conferences for 2021
- Magnet Forensics
- Alex Chatzistamatis at Nuix
Take Control of Microsoft O365 Data with Nuix
- Infosec Consult Con
Check out @teddemop’s tweet
PRESENTATIONS/PODCASTS
- Cache Up with Jessica Hyde
Magnet Forensics Presents: Cache Up – Ep.32 – Jamie Levy
- Kevin Ripa at SANS
- Black Hills Information Security – YouTube
BHIS | Talkin’ Bout News 2021-01-06
- Bret Witt
  - SOC101 EventID: 34 (Phishing Mail Detected) [Dec. 5, 2020, 10:33 p.m.]
  - SOC102 EventID: 35 (Proxy – Suspicious URL Detected) [Dec. 6, 2020, 1:33 p.m.]
  - SOC109 EventID: 39 (Emotet Malware Detected) [Jan. 1, 2021, 4:45 p.m.]
  - SOC108 EventID: 38 (Malicious Remote Access Software Detected) [Jan. 1, 2021, 5:36 p.m.]
- Check Point Research
War on All Fronts: Rampant Kitten
- Chris Sienko at the Cyber Work podcast
Running a digital forensics business
- Didier Stevens
Maldoc Analysis With CyberChef
- Digital Forensic Survival Podcast
- Gerald Auger at Simply Cyber
Pick the RIGHT Offensive Cybersecurity Certification – The Cyber Mentor Interview
- Magnet Forensics
Tips & Tricks // Targeted Processing
- MSAB
XAMN: Investigates Part One
- The Cyber5
Episode 37: Exploring the Intelligence Differentiator: The Nisos Dogpile
- Virus Bulletin
VB2020 localhost videos available on YouTube
MALWARE
- 0xC0DECAFE
The malware analyst’s guide to aPLib decompression
- Josh Stroschein at 0xEvilC0de
Creating an IDA Python Plugin for Static XOR String Deobfuscation
- 0xthreatintel
F-droid Malware Internals
- Ofer Caspi and Fernando Martinez at AT&T
Malware using new Ezuri memory loader
- Chuong Dong
Babuk Ransomware
- Ron Ben Yizhak at Deep Instinct
Emotet: Returns for Christmas
- Igor Skochinsky at Hex Rays
Igor’s tip of the week #21: Calculator and expression evaluation feature in IDA
- Intezer
Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets
- Kyle Cucci at SecurityLiterate
Hiding Virtual Machines from Malware – Introducing VMwareCloak & VBoxCloak
- Lenny Zeltser
How You Can Start Learning Malware Analysis
- Hossein Jazi at Malwarebytes Labs
Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat
- MWLab
IDC Python – Executing external programs from IDA
- Patrick Wardle at Objective-See
- R3mrum
Manual analysis of new PowerSplit maldocs delivering Emotet
- SANS Internet Storm Center
- Irshad Muhammad and Holger Unterbrink at Cisco’s Talos
A Deep Dive into Lokibot Infection Chain
- SentinelLabs
- Trend Micro
MISCELLANEOUS
- Jessica Hyde at Magnet Forensics
Announcing the Magnet Custom Artifact Challenge
- Mark Spencer at Arsenal Recon
Arsenal Educational Program Extended to Law Enforcement and Military Training
- Belkasoft
Belkasoft X review by Lorenzo Martínez Rodríguez (Securízame)
- David Kennedy & Randy Pargman at Binary Defense
Cybersecurity predictions for 2021 after an unpredictable 2020
- SOC Survey
Check out @CCrowMontance’s tweet
- Dr. Brian Carrier and Brian Moran at Cyber Triage
How to Get Your Data & Services Back Online: Ransomware Recovery 2021
- Data Forensics
- Joey Beyda and Ross Delinger at Dropbox
Lessons learned in incident management
- Elcomsoft
- Forensic Focus
- Magnet Forensics
Magnet AXIOM Cyber: A Year in Review
- Natalia Godyla at Microsoft Security
The dynamic duo: How to build a red and blue team to strengthen your cybersecurity, Part 1
- Marie Tully at SANS
Where Do I Start to Learn Cybersecurity?
- Shelby Perry at Active Countermeasures
Introducing AC-Hunter
- ThinkDFIR
Metaspike CTF – Week 3 – “PS(s)T, Can you keep a secret message?”
- John Patzakis at X1
eDiscovery Collection of Large File Shares: An Unaddressed Major Pain Point
SOFTWARE UPDATES
- Binalyze
IREC Release Notes – Version 2.5.7
- Brim
v0.22.0
- Didier Stevens
- Eric Zimmerman
ChangeLog
- ExifTool
ExifTool 12.14
- IntelOwl
Happy First Birthday IntelOwl!
- RecuperaBit
Version 1.1.2 – Ported to Python 3
- Ulf Frisk
Version 3.7
- Xways
X-Ways Forensics 20.1 SR-2
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!