As always, thanks to those who give a little back for their support!
I ran a webcast last month on getting started in DFIR by testing, and walked through a few different scenarios. Minor bump at the beginning with my VM dying, but at least we knew it was live! I took some parts of my FOR308 and FOR500 material to create this talk, where the premise is looking at what evidence our interactions leave behind using free tools and freely available virtual machines.
Getting started in DFIR: Testing 1,2,3 | Phill Moore
FORENSIC ANALYSIS
- Belkasoft
  - Belkasoft CTF March 2021: Write-up
- Brian Maloney
  - Your AV is Trying to Tell You Something: VBN’s Part 4
- CQURE Academy
  - PowerShell Forensics. Techniques to Gather the Evidence and Tricks
- Meisam Eslahi at Cyber Security Hub
  - Blue Team-System Live Analysis [Part 7]- Windows: User Account Forensics- Categorization and…
- Oleg Afonin at Elcomsoft
  - Breaking the iPhone 12: Forensic Extraction of iOS 14 Devices
- Kyle Song
  - Blog #26: Importance of Drive Trim in Forensic Imager part 2. [KR]
- Mike Brewer at DFW Forensics
  - Container Forensics
THREAT INTELLIGENCE/HUNTING
- More Exchange-related blogposts!
  - Cyber Defender REACTS to THEFT of Microsoft Exchange Server ZERO DAYS used by HAFNIUM
  - Cry Me A River oh DearCry
  - HAFNIUM Response: Cybereason is Dedicated to Defending Our Customers
  - HAFNIUM- Microsoft Exchange Server Vulnerability
  - The Mechanics of The APT Attack on Microsoft Exchange, Now Available for Validation
  - Steps to Defend Against DearCry Ransomware
  - How to guard against Zerologon and possible analogs
  - A look at the ProxyLogon Microsoft Exchange vulnerability (CVE-2021-26855)
  - Automatic on-premises Exchange Server mitigation now in Microsoft Defender Antivirus
  - One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021
  - Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities
  - Netskope Threat Coverage: DearCry Ransomware
  - How Quickly Are We Patching Microsoft Exchange Servers?
  - How to Prevent, Detect and Remediate ProxyLogon
  - Detecting HAFNIUM Exchange Exploitation Campaign with ReaQta-Hive
  - DearCry ransomware attacks exploits Exchange server vulnerabilities
  - MTR in Real-Time: Exchange ProxyLogon Edition
  - How to Identify Compromised Microsoft Exchange Server Assets Using Tenable
  - HAFNIUM, China Chopper and ASP.NET Runtime
- Anton Chuvakin
  - 2021 Threat Intelligence Use Cases
- Alex Tomic and Cameron Worrell at AWS Security
  - Automatically block suspicious traffic with AWS Network Firewall and Amazon GuardDuty
- Azure Sentinel
- Bohops
  - Investigating .NET CLR Usage Log Tampering Techniques For EDR Evasion
- Brad Duncan at Malware Traffic Analysis
- Check Point Research
  - Check Point Research Evasions Encyclopedia gets important updates
- Vince Stoffer at Corelight
  - Translating query into action
- Cyberint
  - Qakbot Ransomware
- Deep Instinct
  - Cobalt Strike – Post-Exploitation Attackers Toolkit
- Dragos
  - New ICS Threat Activity Group: VANADINITE
- Elastic
- Jan Geisbauer at Empty Datacenter
  - Alertrule from github to Azure sentinel
- Flashpoint
  - Mobile Apps and Chat Services Key to Flourishing Chinese Cybercrime
- Jaron Bradley at The Mitten Mac
  - Hurdling the Runningboards
- Koen Van Impe
  - Creating a MISP Object, 101
- David Nides at KPMG
  - SolarWinds explainer
- Luatix
  - OpenCTI platform performances
- McAfee Labs
- McHugh Security
- Microsoft 365 Security
  - Incident Response Series: Reviewing data in Azure AD for investigation
- Digit Oktavianto at MII Cyber Security
  - Malicious Powershell Deobfuscation Using CyberChef
- Amy L. Robertson at MITRE ATT&CK
  - ATT&CK 2021 Roadmap
- Rich Warren and Sander Laarhoven at NCC Group
  - RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
- Nextron Systems
  - New Detection Rules for Exchange Exploitation Activity
- Palo Alto Networks
  - New Mirai Variant Targeting New IoT Vulnerabilities, Including in Network Security Devices
  - Satori: Mirai Botnet Variant Targeting Vantage Velocity Field Unit RCE Vulnerability
  - Ransomware Threat Assessments: A Companion to the 2021 Unit 42 Ransomware Threat Report
  - Highlights from the 2021 Unit 42 Ransomware Threat Report
- Daniel Smith at Radware
  - IoT Botnets: Perspectives from a Residential Router
- Recorded Future
  - China-linked TA428 Continues to Target Russia and Mongolia IT Companies
- Sophos
- Jonathan Johnson and Matt Hand at SpecterOps
  - Abstracting Scheduled Tasks
UPCOMING WEBINARS/CONFERENCES
- Belkasoft
  - [WEBINAR] Where DF meets IR: an incident response case, which turned out to be a criminal one
- Cyber Social Hub
  - The Digital Evidence that Can Kill You
- Cybereason
  - Webinar: Protecting Against IT Infrastructure Attacks from HAFNIUM to SolarWinds
- Magnet Forensics
- Erik Hjelmvik at Netresec
  - Live Online Training – PCAP in the Morning
- SANS
  - Check out @DFIRSummit’s Tweet
- Virus Bulletin
  - VB2021 localhost call for papers: a great opportunity
PRESENTATIONS/PODCASTS
- Cache Up with Jessica Hyde
  - Magnet Forensics Presents: Cache Up – Ep.42 – Alexandra Van Dan Heuvel
- Kevin Ripa at SANS
- AccessData
  - FTK Feature Focus – Episode 4 – Optimizing Your Processing Options
- Archan Choudhury at BlackPerl
  - INCIDENT RESPONSE TRAINING FREE | DFIR in AWS & Cloud, Collab with Gerald Auger-Simply Cyber | Day 4
- Black Hills Information Security
- Breaking Badness podcast
  - Voices from Infosec with Niamh Muldoon
- Bret Witt
- Cellebrite
  - Episode 13: I Beg to DFIR – Long Load Times Cramping Your Style?
- CQURE Academy
  - [RSA Conference Asia Pacific & Japan 2019] Fatal signs: 10 symptoms when you think you’ve been hacked
- Cyber Security Interviews
  - #117 – Sara Avery: Go After What You Want
- Detection: Challenging Paradigms
  - Episode 5: Andrew Morris
- Digital Forensic Survival Podcast
  - DFSP # 265 – CSA Cloud Threats 1
- Doug Metz at Baker Street Forensics
  - Enterprise Pulse // PowerShell Tools for IR Forensics Collection
- Down the Security Rabbithole Podcast
  - DtSR Episode 439 – TPA Open Source Endpoint Defense
- Gerald Auger at Simply Cyber
  - Key SOC Analyst Skills in Cloud Security (Be an IR Cloud Pro)
- John Hammond
  - NahamCon CTF 2021 – My Perspective (Data, Feedback, & More)
- Lee Reiber’s Forensic Happy Hour
  - Oxygen Forensics Episode 205
- Life has no CTRL ALT DEL with Heather Mahalik
  - Know Your Enemy – Detection and Response with Offensive Digital Forensics
- Magnet Forensics
  - Let’s Talk About the State of Corporate Digital Forensics
- Malwarebytes Labs
  - The Malwarebytes 2021 State of Malware report: Lock and Code S02E04
- Positivity Blue Team
  - How to Get Your Resume Seen
- Rasta Mouse
- SANS
  - Data matters: More effective threat hunting and defense with internet scan data
  - Full Cycle: Blending Intelligence Requirements and Custom Dissemination Tools to Drive Operations
  - Day 1 Wrap-Up Panel | SANS CTI Summit 2021
  - FOR585A: iOS Forensic Analysis Stay Sharp course | Interview with Domenica “Lee” Crognale
  - FOR610A: Introduction to Malware Analysis Stay Sharp course | Interview with Lenny Zeltser
  - FOR572A: Lethal Network Forensics Stay Sharp course | Interview with Phil Hagen
  - FOR498A: Forensic Data Acquisition Stay Sharp course | Interview with Kevin Ripa
  - VERISIZE your way into CTI | David Thejl-Clayton | SANS CTI Summit 2021
  - Six CTI Challenges and Their Solutions – Reaching CTI’s Full Potential | SANS CTI Summit 2021
  - SANS ICS Concept Videos – Industrial Protocol Interactions Using Modbus
  - Still thinking about your Ex(cel)? Here are some TIPs
  - Quantifying Intelligence: Increasing Executives IQ | Colin Conner | SANS CTI Summit 2021
  - SANS Institute Stay Sharp Training
  - Part 3: Rekt Casino Hack – Security Operations Center Ill-equipped and Unprepared
  - SANS Data Science Lightning Summit
- Security Unlocked
  - Re: Tracking Attacker Email Infrastructure
- Sumuri
  - CARBON Demos – Get yours now! | SUMURI Forensics
- TrustedSec
  - Sysmon Guides: Install Basics
- Watson Infosec
  - WatsonInfoSec Studio & Network Tour
MALWARE
- 360 Netlab
  - Necro upgrades again: uses Tor + dynamic-domain DGA and hits both Windows and Linux
- 360 Core Security
  - Attack campaign targeting the Sikh separatist movement in India
- Jakub Kaloč at Avast Threat Labs
  - Hidden menace: Peeling back the secrets of OnionCrypter
- Cerbero
  - Video: 3-Minutes Self-Decrypting Excel Malware Analysis
- Cesar Anjos at Sucuri
  - Server Side Data Exfiltration via Telegram API
- Daniel Frank at Cybereason
  - Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware
- Claire Trimble at Illusive Networks
  - Ransomware Incognito: 5 Tools Targeted Ransomware Groups Use to Disguise Themselves
- Intezer
  - Top 10 Cloud Malware Threats
- John Hammond
  - Discord Malware – “i hacked MYSELF??”
- Karlo Licudine at AccidentalRebel
  - Maldoc101 Writeup (Part 1)
- Jovi Umawing at Malwarebytes Labs
  - HelloKitty: When Cyberpunk met cy-purr-crime
- Marco Ramilli
  - Malware Family Surface 2021 (Q1)
- Marcus Edmonson at ‘Data Analytics & Security’
  - Data Driven Analysis – My Approach
- Nadav Lorber at Morphisec
  - Tracking HCrypt: An Active Crypter as a Service
- Proofpoint
  - Now You See It, Now You Don’t: CopperStealer Performs Widespread Theft
- Sandor Tokesi at Forensics Exchange
  - Ways of phishing 1 – Remote Template Injection
- SANS Internet Storm Center
  - Wireshark 3.4.4 Released, (Sun, Mar 14th)
  - Finding Metasploit & Cobalt Strike URLs, (Mon, Mar 15th)
  - 50 years of malware? Not really. 50 years of computer worms? That’s a different story…, (Tue, Mar 16th)
  - Simple Python Keylogger, (Thu, Mar 18th)
  - Defenders, Know Your Operating System Like Attackers Do!, (Wed, Mar 17th)
  - Pastebin.com Used As a Simple C2 Channel, (Fri, Mar 19th)
  - YARA Pre-release v4.1.0, (Sat, Mar 20th)
  - Video: Finding Metasploit & Cobalt Strike URLs, (Sun, Mar 21st)
- Ilya Mogilin and Mikhail Kuzin at Securelist
  - Convuster: macOS adware now in Rust
- Phil Stokes at SentinelLabs
  - New macOS malware XcodeSpy Targets Xcode Developers with EggShell Backdoor
- Thomas Barabosch at 0xC0DECAFE
  - Detect API hashing with YARA
- Trend Micro
- VinCSS
  - [RE021] Qakbot analysis – Dangerous malware has been around for more than a decade
MISCELLANEOUS
- Jessica Hyde at Magnet Forensics
  - Announcing the Fourth Annual Magnet Virtual Summit CTF!
- Marco Fontani at Amped
  - Proprietary CCTV/DVR Players: Often Not Showing the Original Pixels
- Belkasoft
  - BelkaCTF March 2021: Results
- Jack Ziv at Cellebrite
  - Tapping into the Mind of a Digital Investigator
- Dragos
  - Dragos Expands Market Presence in Australia and New Zealand
- Heather Mahalik at Smarter Forensics
  - Forensic 4:Cast Awards – nominations are open
- Tom Kopchak at Hurricane Labs
  - How to Generate a Diag in Splunk
- Nihal Umar at InfoSec Write-ups
  - How to Organize a CTF on ctfd for free?
- Ken Pryor
  - Feeling kinda blue (team)
- Kevin Pagano at Stark 4N6
  - My 2021 Forensic 4Cast Awards Nominations
- Magnet Forensics
  - Virtualizing Your Forensics Lab in the Cloud Part 1: Leveraging IaaS for Your Lab
- Matt Graeber
  - Check out @mattifestation’s Tweet
- MSAB
  - Vote for MSAB in the 2021 Forensic 4:Cast Awards
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — March 14 to March 20
- T3K-Forensics
  - T3K is proud to be partnering up with Project VIC
- Lesley Carhart
  - Ask Lesley: From Ops to DFIR, a Tough Transition
- TrustedSec
  - TrustedSec Incident Response Team Slack AMA 02.17.2021
- John Patzakis at X1
  - Why Post-Level Parsing is Critical for Effective Social Media Evidence Collection
SOFTWARE UPDATES
- ANSSI-FR
  - DFIR-O365RC
- SEParser
  - Check out @bmmaloney97’s Tweet
- CISA
  - CHIRP
- Costas K
  - Clippy
- Elcomsoft
  - Elcomsoft iOS Forensic Toolkit 7.0: low-level extraction without a jailbreak for iPhone 12, iOS 14.x
- KAPE
  - Kape Changelog – 1.0.0.0 2021-03-15
- Eric Zimmerman
  - ChangeLog
- ExifTool
  - ExifTool 12.22
- Graeme Meyer
  - Power-Cbr
- IntelOwl
  - New logos, New API endpoints
- Magnet Forensics
  - Magnet OUTRIDER 2.2: Save More Time With Faster Scans*
- Malwoverview
  - Malwoverview 4.3.1
- TheHive Project
  - TheHive Reloaded: 4.1.0 is out
- Velociraptor
  - Release 0.5.7
- Xways
  - X-Ways Forensics 20.2 Beta 6
- YARA
  - YARA v4.1.0-rc1
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!