As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Jessica Hyde at Magnet Forensics
  - Android Motion Photos in Magnet AXIOM
- Doug Metz at Baker Street Forensics
  - Forensic Imaging a Microsoft Surface Pro
- Brian Maloney
  - Your AV is Trying to Tell You Something: tralog.log
- Matt Goeckel at Cellebrite
  - How to Use The Project Tree and Analyzed Data in Cellebrite Physical Analyzer to Find Data Fast
- Chris Vance at ‘D20 Forensics’
  - Android – Roles and Permissions (Android 10/11)
- Digital Forensics Myanmar
  - Digital Forensics Investigator Hypothesis -1
- Florian Bausch at Insinuator
  - ERNW Whitepaper 71 – Analysis of Anti-Virus Software Quarantine Files
- Jaron Bradley at The Mitten Mac
  - Getting Stepped on by Runningboards
- Josh Brunty
  - Writing DFIR Reports - A Primer
- Joshua Hickman at ‘The Binary Hick’
  - Android’s “Dangerous” Permissions
- Kevin Pagano at Stark 4N6
  - Chrome Media History Tracking Your Viewing Habits
- Malware Musings
  - Recovering from a WordPress Plugin Exploit
- Secure N0thing
  - Volatility – TryHackMe
THREAT INTELLIGENCE/HUNTING
- Aon
- Sreedhar Ande at Azure Sentinel
  - Protecting your DocuSign Agreements with Azure Sentinel
- Ben Bornholm at HoldMyBeer
  - IR Tales: The Quest for the Holy SIEM: Elastic stack + Sysmon + Osquery
- Blue Team Blog
- Brad Duncan at Malware Traffic Analysis
- Check Point Software
- Warren Mercer at Cisco’s Talos
  - Nation State Campaign Targets Talos Researchers
- ClearSky Cyber Security
  - ‘Lebanese Cedar’ APT
- CrowdStrike
  - Detecting and Preventing Kernel Attacks
- Foregenix
  - How to test centralised logging
- Deep Instinct
  - Lsass Memory Dumps are Stealthier than Ever Before
- Tim Helming at DomainTools
  - Using Infrastructure Analysis to Get Ahead of Attacks in Cyber Defense: Part 3
- Flashpoint
  - Ransomware Retrospective: Analyzing 1,100 Attacks, Nov 2019 to Dec 2020
- Adam Weidemann at Google
  - New campaign targeting security researchers
- Drew Schmitt at GuidePoint Security
  - Accellion FTA Targeted by File Downloading Web Shell
- Intel 471
  - Emotet takedown is not like the Trickbot takedown
- Shusei Tomonaga at JPCERT/CC
  - Operation Dream Job by Lazarus
- Microsoft Security
  - ZINC attacks against security researchers
- Michael Peck at MITRE ATT&CK
  - Mitigating Abuse of Android Application Permissions and Special App Accesses
- Erik Hjelmvik at NETRESEC
  - Twenty-three SUNBURST Targets Identified
- Richard Hicks at Nettitude Labs
  - Introducing FComm – C2 Lateral Movement
- Dennis Schwarz, Axel F., and Brandon Murphy at Proofpoint
  - New Year, New Version of DanaBot
- PwC-IR
  - PwC Business Email Compromise Guide
- Caitlin Condon and Bob Rudis at Rapid7
  - State-Sponsored Threat Actors Target Security Researchers
- Recorded Future
  - Keyloggers and Stealers Help Harvest Lifeblood Data of Criminal Activities
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, November 2020
- Brian Donohue at Red Canary
  - Hindsight is 2020: gearing up for the Threat Detection Report
- RedDrip Team
  - Target defense industry: Lazarus uses recruitment bait combined with continuously updated cyber weapons
- RiskIQ
  - LogoKit: Simple, Effective, and Deceptive
- Emily Blades at SANS
  - A Visual Summary of SANS Cyber Threat Intelligence Summit
- SecurityJosh
  - Detecting HTML smuggling attacks using Sysmon and Zone.Identifier files
- Flynn Weeks at The What2Log Blog
  - Event ID 4672: Special Privileges Assigned to a New Logon
- Trend Micro
- Adam Chester at TrustedSec
  - Tailoring Cobalt Strike on Target
- Mike Cohen at Velocidex
  - Disabled Event Log files
- Vicente Díaz at VirusTotal
  - Building towards the richest and most interconnected malware ecosystem
- xorl %eax, %eax
UPCOMING EVENTS
- Belkasoft
  - Forensic analysis of video files and pictures with Belkasoft X
- Griffeye
  - Webinar: Introducing the Griffeye Workflow Checklist
PRESENTATIONS/PODCASTS
- Cache Up with Jessica Hyde
  - Magnet Forensics Presents: Cache Up – Ep.35 – Yogesh Khatri
- Kevin Ripa at SANS
- Arman Gungor at Metaspike
  - Email Forensics Workshop — CTF Edition
- Basis Technology
  - OSDFCon Webinar - Supporting Digital Forensics Practitioners with Academic Research & Degree Programs
- Belkasoft
  - Webinar: Analyzing encrypted chat applications with Belkasoft X: Signal & WickrMe
- Black Hills Information Security
  - Talkin’ About Infosec News – 1/25/2021
- Breaking Badness podcast
  - 73. SUNBURST on the Scene
- Bret Witt
  - SOC102 EventID: 5 (Proxy – Suspicious URL Detected) [Aug. 29, 2020, 10:50 p.m.]
- Heather Mahalik and Andrew Martin at Cellebrite
  - Cellebrite Virtual Community Roadshow Scandinavia & UK
- Colin Hardy
- Cyber Security Interviews
  - #111 – Danny Akacki: Work Worth Doing
- Detections podcast
  - Tuning up Our Tool Set
- Didier Stevens
  - Decoding a Payload Using a Dynamic XOR Key
- Digital Forensic Survival Podcast
  - DFSP # 258 – Network Triage Part 4
- Gerald Auger at Simply Cyber
  - You MUST understand Cyber Threat Intelligence to Blue Team w/Samuel Kimmons
- Karsten Hahn at Malware Analysis For Hedgehogs
  - Malware Analysis – Fileless Gozi/Ursnif static analysis and unpacking
- Lee Reiber’s Forensic Happy Hour
  - Oxygen Forensics Episode 203
- Magnet Forensics
- Neil Fox
  - #11 Analysing Obfuscated Functions Using x64dbg
- OALabs
  - IDA Pro Decompiler Basics Microcode and x86 Calling Conventions
- SANS
- SentinelOne
  - Inside the Mind of the SUNBURST Adversary
- Virus Bulletin
  - The Bagsu banker case – presentation
MALWARE
- 0xthreatintel
- Ofer Caspi at AlienVault Labs
  - TeamTNT delivers malware with new detection evasion tool
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  - Karsten Hahn: fileless Ursnif/Gozy static analysis and unpacking
- Andreas Klopsch at ‘Malware and Stuff’
  - Catching Debuggers with Section Hashing
- CISA Analysis Reports
  - AR21-027A: MAR-10319053-1.v1 – Supernova
- Paula at CQURE Academy
  - How to Bury Risk in the Sand? Configure Windows Sandbox for malware analysis
- Cyber Geeks
  - A detailed analysis of ELMER Backdoor used by APT16
- Cybereason
- Cyberint
  - Babuk Locker
- DannyDodds
  - Maze Ransomware
- Bernard Sapaden, Mohammed Mohsin Dalla, Rahul Mohandas, Sachin Shukla, Srini Seethapathy, and Sujnani Ravindra at FireEye Threat Research
  - Phishing Campaign Leverages WOFF Obfuscation and Telegram Channels for Communication
- Igor Skochinsky at Hex-Rays
  - Igor’s tip of the week #24: Renaming registers
- Aditya Rana at InfoSec Write-ups
  - Finding a malware in a cracked software
- InQuest
- Luke Leal at Sucuri
  - Phishing & Malspam with Leaf PHPMailer
- Hasherezade and Jérôme Segura at Malwarebytes Labs
  - Cleaning up after Emotet: the law enforcement file
- MITRE
  - Malchive
- One Night in Norfolk
  - DPRK Malware Targeting Security Researchers
- Aviv Sasson at Palo Alto Networks
  - Pro-Ocean: Rocke Group’s New Cryptojacking Malware
- SANS Internet Storm Center
  - Video: Doc & RTF Malicious Document, (Sun, Jan 24th)
  - Fun with NMAP NSE Scripts and DOH (DNS over HTTPS), (Mon, Jan 25th)
  - TriOp – tool for gathering (not just) security-related data from Shodan.io (tool drop), (Wed, Jan 27th)
  - TA551 (Shathak) Word docs push Qakbot (Qbot), (Tue, Jan 26th)
  - Emotet vs. Windows Attack Surface Reduction, (Thu, Jan 28th)
  - Sensitive Data Shared with Cloud Services, (Fri, Jan 29th)
  - Wireshark 3.2.11 is now available which contains Bug Fixes – https://www.wireshark.org, (Sat, Jan 30th)
  - PacketSifter as Network Parsing and Telemetry Tool, (Sat, Jan 30th)
- Nir Shwarts at Security Intelligence
  - TrickBot’s Survival Instinct Prevails — What’s Different About the TrickBoot Version?
- Michael Heller at Sophos
  - Nefilim Ransomware Attack Uses “Ghost” Credentials
- Thomas Barabosch at 0xC0DECAFE
  - Learn how to fix PE magic numbers with Malduck
- WeLiveSecurity
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR
  - AboutDFIR Content Update 1/29/2021
- Shelby Perry at Active Countermeasures
  - The Gap Filled By Threat Hunting
- Marco Fontani at Amped
  - Aspect Ratio: Be Sure Your Image Is Not Stretched in Either Direction
- Oktay Yildiz at Binalyze
  - Complicated and slow digital forensics solutions cost your business millions of dollars
- LetsDefend Academy
  - LetsDefend Academy
- Valentina Palacín
  - Practical Threat Intelligence and Data-Driven Threat Hunting
- BushidoToken
  - AnyRun Christmas CTF
- Angela Yi-Chun Chuang at Elastic
  - How to export and import Timelines and templates from Elastic Security
- Forensic Focus
  - How To Investigate The Source Camera Of Digital Videos
  - Bobby Balachandran, CEO, Exterro
  - How To Extract Text From Files Using OCR In Magnet AXIOM
  - Introduction Of MD-VIDEO (Ep.1): How To Select And Analyze Various Types Of Video Files
  - Enriching Nuix Processing And Nuix Investigate For Information Governance
  - Virtual Forensic Computing (VFC)
- Ronnie at ‘I Heart Malware’
  - What it Means to Truly Understand BEC
- Magnet Forensics
- Microsoft
  - Extensible-Storage-Engine
- MuSecTech
  - AChoirX – Why? Part III
- Oxygen Forensics
  - Email Investigations with Oxygen Forensic® Cloud Extractor
- Brittany Roberts at ADF
  - Get Android and iOS Evidence Fast! Smartphone Investigations | Triage
- Ossi Herrala at SensorFu
  - Internet Protocol Next Header escape
- Soji256
  - How to install ImHex on Ubuntu 20.04
- Andrew Case at Volatility Labs
  - Malware and Memory Forensics Training Goes Virtual!
- Simson Garfinkel
  - Check out this tweet by @Xchatty
SOFTWARE UPDATES
- ALEAPP
  - v1.7.2 Fix Zip bug fix & new artifacts
- iLEAPP
  - v1.9.4 – New artifacts & bug fixes
- Amped
  - Amped Replay Update 19677: Keyframing, Dynamic Text Size and Enhanced Reporting
- Brim
  - v0.23.0
- BruteShark
  - Improve Exporting Of BruteSharkCli
- Cellebrite
  - Cellebrite Physical Analyzer 7.42: Take Action, Make an Impact, Save Lives
- Cyber Triage
  - Cyber Triage 2.14.2 Adds Features Based on SolarWinds Orion Incident
- Didier Stevens
- DME Forensics
  - DVR Examiner 2.9.4 is now available!
- Eric Zimmerman
  - ChangeLog
- Griffeye
  - Release of Analyze 20.5
- IntelOwl
  - several fixes + 2 new analyzers
- Magnet Forensics
- Metaspike
  - Forensic Email Collector Changelog – v3.55.1.0
- MSAB
  - Released today: XRY 9.3.1
- OSForensics
  - V8.0 build 1006 28th January 2021
- radare2
  - 5.1.0 – codename lasagna
- Ahmed Khlief at Shells.Systems
  - Introducing APT-Hunter : Threat Hunting Tool via Windows Event Log
- Velociraptor
  - Release 0.5.5-1
- X-Ways
  - X-Ways Forensics 20.1 SR-4
- YARA
  - v4.0.4
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!