As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Arman Gungor at Metaspike: Investigating Message Read Status in Gmail & Google Workspace
- Brian Maloney: Your AV is Trying to Tell You Something: Registry
- CCL Solutions: Updated RabbitHole software sets new standard for forensic data exploration tools
- David Via and Scott Runnels at FireEye Threat Research: Back in a Bit: Attacker Use of the Windows Background Intelligent Transfer Service
- Jaco at ‘The Swanepoel Method’: Introducing SocVel (DFIR CTF)
- Korstiaan Stam at Cloud Response: CyberDefenders – Series (Malware Traffic Analysis 1 – Packet Analysis)
- Marco Fontani at Amped: Receiving Video Evidence: Usually It’s Not the Original
- Matt C. A. Smith: File carving: Recovering a deleted file from a Windows disk image
- Mattia Epifani at Zena Forensics: Triaging modern Android devices (aka android_triage bash script)
- Oxygen Forensics: Discord Forensics
- The DFIR Report: Sodinokibi (aka REvil) Ransomware
- Veronica Schmitt: The five philosophies of designing logs
THREAT INTELLIGENCE/HUNTING
- Eric Welling, Jeff Beley, and Ryan Leininger at Accenture: It’s getting hot in here! Unknown threat group using Hades ransomware to turn up the heat on their victims
- Gage Mele, Tara Gould, Winston Marydasan, and Yury Polozov at Anomali: Bahamut Possibly Responsible for Multi-Stage Infection Chain Campaign
- Anton Chuvakin: Anton’s Security Blog Quarterly Q1 2021
- Awake Security: The Unseen One: Hades Ransomware Gang or Hafnium
- Brad Duncan at Malware Traffic Analysis: 2021-04-01 – Quick post: IcedID (Bokbot) activity
- Check Point Research: 29th March – Threat Intelligence Report
- Csaba Fitzl at ‘Theevilbit’
- Max Heinemeyer at Darktrace: “I’m sorry, we’re closed”: Why most ransomware attacks happen out of hours
- Joe Slowik at DomainTools: COVID-19 Phishing With a Side of Cobalt Strike
- Josh Day at Gigamon: Dialing in Your Detection Coverage with MITRE ATT&CK
- Google Threat Analysis Group: Update on campaign targeting security researchers
- Drew Schmitt at GuidePoint Security: Yet Another Cobalt Strike Loader: GUID Edition
- Heather Terry at Hurricane Labs: Designing a SOC Part 2: Successful partnerships with MSSPs
- InQuest: InQuest & MalwareBazaar Integration
- Microsoft Security: Automating threat actor tracking: Understanding attacker behavior for intelligence and contextual alerting
- Nicolas Bareil at ‘Just Another Geek’: Unit-testing the Splunk Processing Language
- Brad Duncan at Palo Alto Networks
- Proofpoint: BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns
- Red Alert
- Red Canary
- Sebdraven: RedEcho Infrastructure
- Patrick Barnett and John Hollenberger at Secureworks: The Importance of Network Inventories and Diagrams
- Security Intelligence: Threat Actors’ Most Targeted Industries in 2020: Finance, Manufacturing and Energy
- Shadowserver: Shadowserver Special Report – Exchange Scanning #5
- Jakub Adamczyk at Trustwave SpiderLabs: You Just Received 25k USD in Your BTC Account! A Practical Phishing Defense Tutorial
UPCOMING EVENTS
- Belkasoft: [WEBINAR] macOS Forensics with Belkasoft X
- Credence Security and Sumuri: Mac Forensics Best Practices and Introduction to SUMURI’s RECON Solutions
- Elan at DFIR Diva: DFIR Related Events for Beginners – April, 2021
- Tra Tran at Hex Rays: 2021 IDA Training Course: Registration is now open!
- Magnet Forensics: April 7 1:00PM ET: Grants 101: Tips for Leveraging Grants to Get Funding for Your Agency
- Securizame: Live online course on DFIR and Windows Forensic Analysis 2021 (Curso online en directo de DFIR y Análisis Forense en Windows 2021)
PRESENTATIONS/PODCASTS
- Alexis Brignoni: So you found a python script. Now what?
- Cache Up with Jessica Hyde: Magnet Forensics Presents: Cache Up – Ep.44 – Brian Hussey
- Kevin Ripa at SANS
  - Episode 190: Forensic 4Cast Awards
  - Episode 191: SANS DFIR Summit 2021 Call For Papers
  - 3MinMax Series Topic Review – Apple Acquisition
  - 3MinMax Series Topic Review – Using KAPE in Forensics
  - 3MinMax Series Topic Review – What is a Forensic Expert’s Role in Court?
  - 3MinMax Series Topic Review – Imaging a Microsoft Surface Pro
  - 3MinMax Series Topic Review – Quick Win Data Forensics
- AccessData: FTK Feature Focus Episode 6 – Web Page Category Parsing
- Andrew Malec: UMass CTF Forensics challenge; memory analysis with Volatility
- Black Hills Information Security
- Breaking Badness podcast: A Year in COVID Cybercrime
- Bret Witt
- Cellebrite: Episode 14: I Beg to DFIR – Everyone is Ready for April Showers to Bring May Flowers
- Chris Sienko at the Cyber Work podcast: Defending the grid: From water supply hacks to nation-state attacks | Cyber Work Podcast
- Detection: Challenging Paradigms: Episode 6: Matt Graeber
- Digital Forensic Survival Podcast: DFSP # 267 – Sunscreen
- John Hubbard at ‘The Blueprint podcast’
- Karsten Hahn at Malware Analysis For Hedgehogs: Malware Theory – Understanding .NET Streams and Metadata
- Magnet Forensics
- Positivity Blue Team: IOT: Things of the Internet
- Radware: Radware Threat Researchers Live: Episode 9
- Richard Davis at 13Cubed: Dumping Processes with Volatility 3
- ADF
- SANS Institute
- This Month in 4n6: This Month In 4n6 – March – 2021
- Watson Infosec
MALWARE
- 360 Total Security: A “txt file” can steal all your secrets
- 360 Core Security: FluBot: A mobile banking trojan campaign sweeping across Europe (FluBot:一场席卷欧洲的移动银行木马攻击活动)
- Benjamin Grap, Max Julian Hofman, and Lutz Wolf at CrowdStrike: Adversary Quest Walkthrough, Part 1: Four CATAPULT SPIDER eCrime Challenges
- Cybereason
- Niall Newman at Foregenix: ModPipe Malware
- GoggleHeadedHacker: Anti-Analysis Techniques Used in Excel 4.0 Macros
- Igor Skochinsky at Hex Rays: Igor’s tip of the week #33: IDA’s user directory (IDAUSR)
- InfoSec Write-ups
- John Hammond
- Mike Hodge at Keysight: Check this Out: Threat Simulator’s MITRE ATT&CK Navigator
- Lares: Emails and Malicious Macros – What Can Go Wrong?
- Mahmoud Morsy: njRat malware
- Michael Gorelik at Morphisec: The “Fair” Upgrade Variant of Phobos Ransomware
- NTCore
- PC’s Xcetra Support: SunCrypt, PowerShell obfuscation, shellcode and more yara
- Robert Simmons at ReversingLabs: Code Reuse Across Packers and DLL Loaders
- SANS Internet Storm Center
  - TCPView v4.0 Released, (Sun, Mar 28th)
  - Jumping into Shellcode, (Mon, Mar 29th)
  - Old TLS versions – gone, but not forgotten… well, not really “gone” either, (Tue, Mar 30th)
  - Quick Analysis of a Modular InfoStealer, (Wed, Mar 31st)
  - April 2021 Forensic Quiz, (Thu, Apr 1st)
  - C2 Activity: Sandboxes or Real Victims?, (Fri, Apr 2nd)
- Securelist
- Jim Walter at SentinelLabs: Avaddon RaaS | Breaks Public Decryptor, Continues On Rampage
- Shaquib Izhar: Digital investigation of malicious backdoor PDF
- Michael Heller at Sophos: Sophos MTR in Real Time: What is Astro Locker Team?
- Jessica Ellis at PhishLabs: Breaking Down the Latest O365 Phishing Techniques
- Aazim Yaswant at Zimperium: New Advanced Android Malware Posing as “System Update”
- Brett Stone-Gross at ZScaler: Ares Malware: The Grandson of the Kronos Banking Trojan
MISCELLANEOUS
- Binalyze
- Amina Zilic at Binalyze: [ISOLATION] Brand new feature in the DFIR market that puts investigation under your control
- Ben Bornholm at HoldMyBeer: Implementing Logstash and Filebeat with mutual TLS (mTLS)
- Binary Recon: Windows Server Trial License Extension
- Brett Shavers at DFIR Training
- DannyDodds: Information Security Blogs
- Forensic Focus
  - Introduction To MD-VIDEO: How To Recover Files And Frames
  - Expanding GrayKey With Exynos Support For Android
  - What Changes Do We Need To See In eDiscovery? Part IX
  - What’s Happening at Techno Security Myrtle Beach: June 6th-9th, 2021
  - Free White Paper: Best Practices In Digital Forensics Automation And Orchestration
- InfoSec Write-ups
- Mitsutaka Hori at JPCERT/CC: ICS Security Conference 2021
- Karlo Licudine at AccidentalRebel: The Emprisa Maldoc Challenge
- Ken Pryor: Running Remnux on a Proxmox Server
- Kevin Pagano at Stark 4N6: Forensics StartMe Updates (4/1/2021)
- LockBoxx: ALCCDC 2021 Regional Review
- Magnet Forensics
  - Virtualizing Your Forensics Lab in the Cloud Part 2: Benefits of Virtualizing Your Forensics Lab
  - Free Guide: A Practical Guide to Virtualizing Your Forensics Workstation: Setting Up an Amazon EC2 Instance for AXIOM Cyber
  - How Magnet AUTOMATE Makes Achieving ISO 17025 Accreditation Easier
  - Measure & Increase Lab Efficiency and Streamline Collaboration with Magnet ATLAS 2.0
  - Making Magnet OUTRIDER Bootable with Windows-To-Go
- McHugh Security
- Musings of a Rube Goldberg blog machine: Import data into Synapse using Python
- Paraben Corporation: SC Magazine Names E3:Universal as a Finalist in Best Computer Forensic Software category
- Ryan Campbell at ‘Security Soup’: Weekly News Roundup — March 28 to April 3
- SANS
- Securizame: Forensic 4:cast – WinTriage voted best non-commercial tool of 2020 (Forensic 4:cast – WinTriage como mejor herramienta no-comercial 2020)
- xorl %eax, %eax: BSides Athens 2020: Threat Landscape: Greece
- Andy Gill at ZeroSec: Old but Gold – Attack and Defend the Sys Admins
SOFTWARE UPDATES
- Binalyze: Binalyze AIR Release Notes Version 1.7.35
- Apache: 29 March 2021: Apache Tika Release
- Aurora Incident Response: v0.6.6
- Cellebrite: Cellebrite Expands Industry Leading Enterprise Endpoint Intelligence Platform for eDiscovery and Corporate Investigations
- DME Forensics: DVR Examiner 3 is now available!
- Elcomsoft: Supporting Sage 50 Accounting and Sage 50cloud Accounts
- ExifTool: ExifTool 12.23
- Magnet Forensics: Magnet ATLAS 2.0: New Customizations, Productivity Tracking, and Integration Capabilities
- Mattia Epifani: Android Triage
- Manabu Niseki: Mihari v2.1.0
- SalvationData: [Software Update] Mobile Forensics: SPF Pro V6.113 New Released now!
- Srum-Dump: 2.3 TanBlue
- Velociraptor: Release 0.5.8-rc1
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!