As always, thanks to those who give a little back for their support!
Nominations for the 4Cast Awards have opened again! Get your nominations in early!
Lee has done a fantastic job for over a decade getting this together and his work is very much appreciated.
Please make sure you nominate everyone who had an impact on you throughout 2020 to show your appreciation for them!
2021 Forensic 4:cast Awards – Nominations are OPEN
FORENSIC ANALYSIS
- Brian Maloney
Your AV is Trying to Tell You Something: VBN’s Part 2
- Chris Vance at ‘D20 Forensics’
Android – Samsung Smart Switch // iOS Transfer Artifacts
- Cyber Forensicator
Find out what happened during a ransomware attack on computer
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
Nothing’s DKIMpossible – Manually Verifying DKIM, a CTF Solution, and Implications
- Kyle Song
Blog #25: Importance of Drive Trim in Forensic Imager part 1. [EN]
- Mattia Epifani
Check out @mattiaep’s Tweet
- Passware
3 Steps to Acquire Memory and Bypass Encryption
- Peter Stewart
- The DFIR Report
Laravel Apps Leaking Secrets
THREAT INTELLIGENCE/HUNTING
- Exchange/HAFNIUM!
- Blue Team Blog
Microsoft Exchange Zero Day’s – Mitigations and Detections.
- Check Point Software
Attacks Targeting Microsoft Exchange: Check Point customers remain protected
- Cisco’s Talos
Threat Advisory: HAFNIUM and Microsoft Exchange zero-day
- Devon Kerr at Elastic
Detection and Response for HAFNIUM activity
- Matt Bromiley, Chris DiGiamo, Andrew Thompson, and Robert Wallace at Fire Eye Threat Research
Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities
- Tony Robinson at Hurricane Labs
Security Advisory Regarding Exchange Marauder / HAFNIUM
- Microsoft
- HAFNIUM targeting Exchange Servers with 0-day exploits
- Multiple Security Updates Released for Exchange Server
- NCC Group
Exchange
- Nextron Systems
- Detection Coverage of HAFNIUM Activity Reported by Microsoft and Volexity
- Scan for HAFNIUM Exploitation Evidence with THOR Lite
- SentinelOne
SentinelOne and HAFNIUM / Microsoft Exchange 0-days
- Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster at Volexity
Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
- Blue Team Blog
- Chris Brenton at Active Countermeasures
Questions From a Beginner Threat Hunter
- Adam at Hexacorn
Beyond good ol’ Run key, Part 133
- Alex Teixeira
Different SIEMs, Same Challenges? Only Time(Generated) will tell…
- Ali Aqeel
SolarWinds Attack Plan A: The Imposter
- Anton Chuvakin
Stop Trying to Take Humans Out of SOC … Except … Wait… Wait… Wait…
- Jose Obando at AWS Security
Automate Amazon EC2 instance isolation by using tags
- Brad Duncan at Malware Traffic Analysis
2021-03-02 – Pcap and malware for ISC diary (Qakbot with Cobalt Strike)
- BushidoToken
The next evolution in Office365 phishing campaigns
- CERT-FR
CERTFR-2021-CTI-007 : 🇬🇧 The Egregor Ransomware (02 March 2021)
- Cyber_00011011
The Power of AMSI Tracing
- Joe Slowik at DomainTools
Centreon to Exim and Back: On the Trail of Sandworm
- Dragos
- Fire Eye Threat Research
- Group-IB
Ransomware Uncovered 2020/2021
- Jorge Orchilles at Scythe
SCYTHE Presents: Defense Evasion with SCYTHE
- Luke Leal at Sucuri
Trojan Spyware and BEC Attacks
- Malwarebytes Labs
China’s RedEcho accused of targeting India’s power grids
- Marcus Edmonson at ‘Data Analytics & Security’
Windows Persistence Mechanics – DLL Search Order Hijacking
- Mehmet Ergene
Hunting for the Behavior: Scheduled Tasks
- Microsoft Security
XLM + AMSI: New runtime defense against Excel 4.0 macro malware
- Ollie Whitehouse at NCC Group Research
Deception Engineering: exploring the use of Windows Service Canaries against ransomware
- PWC
Cyber Threats 2020: Report on the Global Threat Landscape
- Brandon Jackson at Red Canary
Identifying suspicious code with Process Memory Integrity
- Bob Rudis
Brimming With Possibilities: Query zqd & Mine Logs with zq from R
- Victor Chebyshev at Securelist
Mobile malware evolution 2020
- Stephen O’Leary at Sophos
How to query a Sophos EDR forensic snapshot using Amazon Athena
- Greg Darwin at Strategic Cyber
Cobalt Strike 4.3 – Command and CONTROL
- Trend Micro
- Wes Lambert
Zero Dollar Detection and Response Orchestration with n8n, Security Onion, TheHive, and…
UPCOMING EVENTS
- Andrew Rathbun at Kroll
Enhancing Event Log Analysis with EvtxECmd using KAPE
- Elan at DFIR Diva
DFIR Related Events For Beginners – March, 2021
- First
2021 FIRST CTI SIG Summit
- Magnet Forensics
- Xavier Mertens at /dev/random
Next OSSEC Training Scheduled @ 44Con
PRESENTATIONS/PODCASTS
- Cache Up with Jessica Hyde
Magnet Forensics Presents: Cache Up – Ep.40 – Chad Tilbury
- Kevin Ripa at SANS
- Arman Gungor at Metaspike
Email Forensics Workshop – CTF Edition – Part 2 - AccessData
- Black Hills Information Security
- Breaking Badness podcast
77. Baby Cams and Crimeware Scams
- Bret Witt
- SOC123 EventID: 56 (Enumeration Tool Detected) [Feb. 13, 2021, 4:47 p.m.]
- SOC131 EventID: 67 (Reverse TCP Backdoor Detected) [March 1, 2021, 3:15 p.m.]
- SOC132 EventID: 68 (Same Malicious File Found on Multiple Sources) [March 1, 2021, 3:16 p.m.]
- SOC124 EventID: 57 (Scheduled Task Created) [Feb. 14, 2021, 11:17 a.m.]
- Cellebrite
- Understanding Data That is Not Parsed by Cellebrite Physical Analyzer
- Cellebrite Technical Support Overview: Comprehensive Customer Support You Can Trust
- Release Highlights: Selective Decoding in Cellebrite Physical Analyzer
- Ask the Expert: How to Analyze Unparsed Data in Cellebrite Physical Analyzer by Matt Goeckel
- How to leverage the Dashboard features in Cellebrite Pathfinder
- Paula at CQURE Academy
“Dear User”: Sorting Real Emails from Socially Engineered Phishing Attacks
- Cyber Security Interviews
#116 – Jennifer Brown: This Is A Wakeup Call
- Cybereason
Malicious Life Podcast: Inside NotPetya, Part 1
- Detection: Challenging Paradigms
Episode 4: Joe Vest
- Gerald Auger at Simply Cyber
Think like a Cybersecurity Pro (It’s more than just skills)
- John Hammond
- Life has no CTRL ALT DEL with Heather Mahalik
Developing Digital Forensic Practitioners
- Magnet Forensics
- Malware Must Die!
MMD-067-2021 – Recent talks on Linux process injection and shellcode analysis series at R2CON-2020, ROOTCON-14 2020 from HACK.LU-2019
- Nothing to See Here? I Beg to DFIR by Cellebrite
Episode 12: iBeg to DFIR – Exploring Cellebrite Physical Analyzer’s Chat Capture Feature
- NTCore
- Positively Blue Team
Network Forensics and Zeek w/ Aaron Soto
- Radware
Radware Threat Researchers Live: Episode 8
- Rasta Mouse
SharpC2 – Episode 2
- SANS
- Hack Your Stakeholder: Eliciting Intelligence Requirements with Design Thinking | SANS CTI Summit
- Asleep at the wheel? The effects of sleep on CTI professionals | SANS CTI Summit 2021
- ICS / OT Concepts – New video Series hosted by Don C. Weber
- Better Than Binary: Elevating State Sponsored Attribution via Spectrum of State Responsibility
- xStart When You’re Ready | John Southworth | SANS CTI Summit 2021
- Metrics for Managing Human Risk
- Part 1: Rekt Casino Hack – Vulnerability Management Gone Wrong
- This Month in 4n6
This Month In 4n6 – February – 2021
MALWARE
- 0xthreatintel
Reversing HiddenTear Ransomware !
- 360 Netlab
- Asheer Malhotra at Cisco’s Talos
ObliqueRAT returns with new campaign using hijacked websites
- Jamie at ‘Click All the Things!’
oleObject1.bin – OLe10nATive – shellcode
- Cyber Geeks
Revealing Lamberts/Longhorn malware capabilities using a step-by-step approach (cyberespionage group linked to Vault 7)
- Cyber_00011011
Word DDE Malware
- Robert Neumann and Kurt Natvig at Forcepoint
Advancements in Invoicing – A highly sophisticated way to distribute ZLoader
- Igor Skochinsky at Hex Rays
Igor’s tip of the week #29: Color up your IDA
- Joakim Kennedy at Intezer
When Viruses Mutate: Did SunCrypt Ransomware Evolve from QNAPCrypt?
- Jai Minton
Check out CyberRaiju’s Tweet
- Josh Stroschein at 0xEvilC0de
- Pieter Arntz at Malwarebytes Labs
Ryuk ransomware develops worm-like capability
- Ramin Nafisi and Andrea Lelli at Microsoft
GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence
- Karlo Zanki at ReversingLabs
Malware in images
- SANS Internet Storm Center
- Maldocs: Protection Passwords, (Sun, Feb 28th)
- Qakbot infection with Cobalt Strike, (Wed, Mar 3rd)
- Security Detection & Response Alert Output Usability Survey: https://www.surveymonkey.com/r/TAOvsVAO, (Tue, Mar 2nd)
- Adversary Simulation with Sim, (Tue, Mar 2nd)
- Fun with DNS over TLS (DoT), (Mon, Mar 1st)
- From VBS, PowerShell, C Sharp, Process Hollowing to RAT, (Thu, Mar 4th)
- Spam Farm Spotted in the Wild, (Fri, Mar 5th)
- Spotting the Red Team on VirusTotal!, (Sat, Mar 6th)
- Marco Figueroa at SentinelLabs
A Guide to Ghidra Scripting Development for Malware Researchers
- Sophos
- Sygnia
Lazarus Group’s MATA Framework Leveraged to Deploy TFlower Ransomware
- Taha Karim
How to extract Python source code from Py2App packed Mach-O Binaries
- Tim Blazytko
Automated Detection of Control-flow Flattening
- Junestherry Salvador, Don Ovid Ladores, and Raphael Centeno at Trend Micro
New in Ransomware: AlumniLocker, Humble Feature Different Extortion Techniques
- Virus Bulletin
New article: Excel Formula/Macro in .xlsb?
- WMC Global
The Compact Campaign
MISCELLANEOUS
- Belkasoft
Paul A. Henry’s review of Belkasoft X
- Brett Shavers at DFIR Training
- Garry Dukes at DME Forensics
Feature Fridays – 3.0 Overview
- Flynn Weeks at ‘The What2Log Blog’
The Struggle is Real: Log Analysis
- Forensic Focus
- InfoSec Worrier
Book Review: Intrusion Detection HoneyPots, Detection through Deception
- Magnet Forensics
- McHugh Security
Building TheHive4 (4.0.5) and configuring MISP, Cortex and Webhooks.
- Henrik Tjernberg at MSAB
Our Sense of Purpose
- Ryan Campbell at ‘Security Soup’
- Joe Sullivan at SANS
Rekt Casino Revisited: Transformational Series Part 4
- SANS
Industrial Control Systems Library
- Patricia Cifuentes at Security Art Work
Kroll Artifact Parser and Extractor (KAPE) – II: Using it from the terminal
- StealthBay
InfoSec-Jobs.com – A rare Cyber Security job listings site
- Will Elder at ADF
The Best Smartphone Triage: Fast Field or Lab Investigations
- John Patzakis at X1
Full Disk Imaging Not Required for eDiscovery Collections
SOFTWARE UPDATES
- Belkasoft
Belkasoft X v. 1.4: iOS crash log extraction, .DAR image support, and other improvements
- Cellebrite
Review Data Faster and More Efficiently With Cellebrite Physical Analyzer 7.43
- Ciphey
Added support for Python 3.9, fixed a bunch of bugs
- Didier Stevens
- Eric Zimmerman
ChangeLog
- mac_apt
20210228
- Magnet Forensics
Securely Collaborate & Empower Investigators with Magnet REVIEW
- MSAB
Released today: XRY 9.3.2
- Tableau
Tableau Firmware Update Revision History for 21.1
- Security Onion
Security Onion 2.3.30 now available!
- Sigma
sigmatools 0.19.1
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
Great blog I enjoyed reading