As always, thanks to those who give a little back for their support!
Just a reminder that DFRWS APAC 2021 is happening this week! Because it’s virtual, it’s also quite affordable, and you can find more details here.
FORENSIC ANALYSIS
- Mark Spencer at Arsenal Recon
  - BitLocker for DFIR – Part III
- Belkasoft
  - Analyzing videos with multiple video streams in digital forensics
- Brian Maloney
  - Your AV is Trying to Tell You Something: seclog.log
- Kevin Pagano at Stark 4N6
  - Files By Google: More Mobile Explorer Artifacts
- Magnet Forensics
  - Remote Acquisition of Apple’s New M1-Based Endpoints with Magnet AXIOM Cyber
- Marco Fontani at Amped
  - Infrared: Don’t Trust the Colors of Most CCTV Footage at Night
- Secure N0thing
  - Adventures in Email Forensics
- Antonio Sanz at Security Art Work
- Surya Teja Masanam
  - Signal for Desktop – A Digital Forensics Perspective
- The DFIR Report
  - All That for a Coinminer?
THREAT INTELLIGENCE/HUNTING
- Still going with Solarwinds!
  - Internals of SunBurst Malware.
  - Supply-Chain Attack | Let’s Talk SolarWinds Attack | What all you need to know about it
  - Use Infinity SOC to find out if you are affected by the Solarwinds Sunburst Hack
  - SolarWinds Attacks Highlight Importance of Operation-Centric Approach
  - ShadowTalk Update: Sunburst, Sunspot, and more on SolarWinds!
  - Change in Perspective on the Utility of SUNBURST-related Network Indicators
  - December Knowledge Pack Released – including updates for SolarWinds detections
  - Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments
  - Using Zero Trust principles to protect against sophisticated attacks like Solorigate
  - Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
  - The SolarWinds Orion Breach, and What You Should Know
  - Raindrop: New Malware Discovered in SolarWinds Investigation
  - SolarWinds: How Sunburst Sends Data Back to the Attackers
- Bill Stearns at Active Countermeasures
  - Espy – Network Monitoring Without a Network Sensor!
- Andreas Sfakianakis at ‘Tilting at windmills’
  - Exceling at Threat Intelligence Platform (TIP) requirements
- Austin Clark at C2Defense
  - Why Windows Time is bad for Logging and Detection: And How to Fix it
- Awake Security
  - Threat Hunting for PAExec
- Rijuta Kapoor at Microsoft
  - Bring Threat Intelligence from IntSights Using TAXII Data Connector
- Brad Duncan at Malware Traffic Analysis
- Check Point Software
  - Cyber Criminals Leave Stolen Phishing Credentials in Plain Sight
- Johnny Shaw at CrowdStrike
  - Herpaderping: Security Risk or Unintended Behavior?
- Tim Helming at DomainTools
  - Using Infrastructure Analysis to Get Ahead of Attacks in Cyber Defense: Part 2
- Michael Barclay, Matthew Kracht and Peter Silberman at Expel
  - Got workloads in Microsoft Azure? Read this
- Mike Burns, Matthew McWhirt, Douglas Bienstock, and Nick Bennett at FireEye
  - Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452
- Florian Roth
  - Use Personal Activity Reviews (PAR) to Uncover Adversary Activity
- Shusei Tomonaga at JPCERT/CC
  - Commonly Known Tools Used by Lazarus
- Samuel Hassine at Luatix
  - Releasing an integration with the field: OpenCTI + Tanium Platform
- Lukasz Olszewski at Cyberush
  - Analyzing binaries in place with Velociraptor and CAPA
- McHugh Security
  - Exporting Maltego Graphs to MISP
- Natalia Godyla and Jake Williams
  - The dynamic duo: How to build a red and blue team to strengthen your cybersecurity, Part 2
- Nasreddine Bencherchali
  - Common Tools & Techniques Used By Threat Actors and Malware — Part I
- David Cash at NCC Group Research
  - MSSQL Lateral Movement
- Gijs Hollestelle at Falcon Force
  - FalconFriday — Malicious Scheduled Tasks — 0xFF0B
- Brad Duncan at Palo Alto Networks
  - Wireshark Tutorial: Examining Emotet Infection Traffic
- Red Canary
  - Red Teaming with a Blue Team Mentality
  - A Brief Look At Approaches To Red Team Operations
- Resha Chheda at SentinelOne
  - Six Steps to Successful And Efficient Threat Hunting
- Sevickson
  - Untangling the Osquery❓ tables using Data | Part 2
- Stya Putra Pratama
  - Leveraging auditd, ELK and Auditbeat to have visibility and detection of lateral movement
- Flynn Weeks at The What2Log Blog
  - The Struggle Is Real: Event Correlation with Logs
- Mike Cohen at Velocidex
UPCOMING EVENTS
- Jessica Hyde
  - Methodology for Testing Forensic Hypothesis and Finding Truth
- Cellebrite
  - How to Collect Data from MDM Devices
- Demux
  - 2021 Video Evidence Training Symposium
- Magnet Forensics
- SANS
  - The 2021 SANS DFIR Summit is now accepting proposed presentations!
- Virus Bulletin
  - VB2021 call for papers – now open, to all!
PRESENTATIONS/PODCASTS
- Cache Up with Jessica Hyde
  - Magnet Forensics Presents: Cache Up – Ep.34 – Nicole Odom
- Kevin Ripa at SANS
- AccessData
  - What the Tech? Using FTK Imager
- Black Hills Information Security
- Breaking Badness podcast
  - 72. Europols Their Own Weight
- Bret Witt
- Cellebrite
- Cyber Security Interviews
  - #110 – Ryan Louie: Security Starts In the Mind
- CyberDefenders
  - QRadar101 Challenge Setup Walkthrough
- CySecK
  - Webinar on Threat Modelling Samgacchadhwam Series – 35
- Detection: Challenging Paradigms
  - Episode 1: Olaf Hartong
- Digital Forensic Survival Podcast
  - DFSP # 257 – Supply Chain Attacks
- Lee Reiber’s Forensic Happy Hour
  - Oxygen Forensics Episode 202
- Magnet Forensics
- Security Unlocked
  - Tracking Nation State Actors
MALWARE
- 0xthreatintel
  - Internals of FASTCash: Unit180 tool
- 360 Netlab
  - Necro is going to version 3 and using PyInstaller and DGA
- Arch Cloud Labs
  - Introduction to Ghidra Scripting for Embedded ELFs and UPX
- Patrick Schläpfer at Bromium
  - Dridex Malicious Document Analysis: Automating the Extraction of Payload URLs
- Didier Stevens
  - Video: Maldoc Analysis With CyberChef
- Andrew Davis at FireEye
  - Emulation of Kernel Mode Rootkits With Speakeasy
- Follow The White Rabbit
  - Introducción al Reversing – 0x10 Baby’s RE from FlareON con amor ❤️ (Introduction to Reversing – 0x10 Baby’s RE from FlareON, with love)
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #23: Graph view
- Ian Gallagher at Intezer
  - Swat Away Pesky Cryptominers in Runtime
- Johannes Bader
  - Yet Another Bazar Loader DGA
- Lifars
  - Common Techniques by Which Malware Makes Itself Persistent
- NCC Group Research
  - RIFT: Analysing a Lazarus Shellcode Execution Method
- Guilherme Thomazi Bonicontro
  - Linux.Midrashim: Assembly x64 ELF virus
- Sandfly Security
  - Linux Malware Investigation Myth: You Don’t Need a Debugger
- SANS Internet Storm Center
  - New Release of Sysmon Adding Detection for Process Tampering, (Sun, Jan 17th)
  - Doc & RTF Malicious Document, (Mon, Jan 18th)
  - Security Detection & Response Alert Output Usability Survey https://www.surveymonkey.com/r/TAOvsVAO, (Tue, Jan 19th)
  - Gordon for fast cyber reputation checks, (Tue, Jan 19th)
  - The CIS Benchmark for Cisco Nexus (NX-OS) 1.0 went live last week, find it here: https://www.cisecurity.org/cis-benchmarks/, (Mon, Jan 18th)
  - Qakbot activity resumes after holiday break, (Wed, Jan 20th)
  - Powershell Dropping a REvil Ransomware, (Thu, Jan 21st)
  - Another File Extension to Block in your MTA: .jnlp, (Fri, Jan 22nd)
  - CyberChef: Analyzing OOXML Files for URLs, (Sat, Jan 23rd)
- Gabor Szappanos and Andrew Brandt at Sophos
  - MrbMiner: Cryptojacking to bypass international sanctions
- Luke Leal at Sucuri
  - Magento PHP Injection Loads JavaScript Skimmer
- Thomas Barabosch at 0xC0DECAFE
  - The malware analyst’s guide to PE timestamps
- Trend Micro
- WeLiveSecurity
  - Vadokrist: A wolf in sheep’s clothing
- Xavier Mertens at /dev/random
  - Be Careful When Using Images Grabbed Online In Your Documents
- ZScaler
  - DreamBus Botnet – Technical Analysis
MISCELLANEOUS
- Acelab
  - The PC-3000 Data Recovery Training: NOW ONLINE!
- Brendan McCreesh
  - My GIAC Certified Forensic Examiner Certification [GCFE]
- Adam Jaffe at Cellebrite
  - Digital Intelligence Experts Discuss Why Training Is the Best Investment Agencies Can Make
- Chris Sanders
  - Come Join Me at AND
- Ian Stevenson at Cyan Forensics
  - Cyan’s 2020 Achievements and 2021 Aspirations
- David Bisson at Cybereason
  - Last Hurrah: Executive Order to Protect IaaS Platforms from Malicious Actors
- Cheryl Biswas
  - SANS Cyber Threat Intelligence Summit
- Rodrigo Sagastegui at DME Forensics
  - Meet Sean
- Shay Banon at Elastic
  - License Change Clarification
- Elcomsoft
- Elizabeth Wharton at Scythe
  - SCYTHE Presents: Parsing an Executive Order: Streaming on Your TV Soon
- Forensic Focus
  - Digital Forensics Standards Update: Calls For Training And Public Comment
  - How To Perform iOS Full Filesystem Extraction Via Checkm8 With Oxygen Forensic Detective
  - How To Timeline Login Information From Windows Event Logs
  - How To Convert Proprietary Video Files With The Amped Conversion Engine
  - Amanda Mahan, Instructor And Technical Writer, Oxygen Forensics
- Estee Ranson
  - How I Passed the GCFE Exam
- InfoSec Write-ups
- Jorge Orchilles at Scythe
  - SCYTHE Presents: Why you should embrace Purple Team today
- David Kovar at URSA
- Rare Breed 4N6
  - Mobile Forensics: Navigating the T-Mobile / Sprint Merger
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — January 17 to January 23
- SANS
  - Things Community Said About Chris Krebs CTI Keynote
SOFTWARE UPDATES
- ALEAPP
  - v1.7.0: Merge pull request #102 from stark4n6/master
- Didier Stevens
- Elcomsoft
  - Elcomsoft Forensic Disk Decryptor 2.17 supports RAM imaging on Windows 10 (20H2)
- Eric Zimmerman
  - ChangeLog
- ExifTool
  - ExifTool 12.16 (production release)
- MSAB
  - XRY V9.3 From MSAB
- Ryan Benson
  - Hindsight 2021.01.16
- MISP
  - MISP 2.4.137 released (New exclusion module for the correlation engine, many improvements and security vulnerabilities resolved)
- Ryan Benson at dfir.blog
  - New Hindsight Release: Better LevelDB parsing, New Web UI View, & More!
- Sandfly Security
  - Sandfly 2.8.2 – Over 1,000 Linux Compromise Detection Modules and More
- TheHive Project
  - TheHive 4.0.4 and TheHive4py 1.8.1: alerts got more APIs
- Velociraptor
  - Release 0.5.5
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!