As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  - Android Triage: a really useful forensic tool by Mattia Epifani
- Belkasoft
  - Investigating the Dropbox Desktop App for Windows with Belkasoft X
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - All Spam All The Time
- Oleg Afonin at Elcomsoft
  - Breaking RAR5 and 7Zip Passwords
- Kevin Pagano at Stark 4N6
  - BloomCon 0x05 Forensics CTF
- Marco Fontani at Amped
  - Timestamps: Not Always Showing the Right Time
- Meisam Eslahi at ‘Cyber Security Hub’
  - Blue Team-System Live Analysis [Part 8]- Windows: User Account Forensics- Profile Folder, AppData…
- Peter Stewart
  - Protected: Hack The Box – oBfsC4t10n (Forensics Challenge)
- We are OSINTCurio.us
  - Ten Minute Tip: Image Geolocation Part 2
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
  - Yara & maldoc pics
- Analyst1
  - Ransom Mafia – Analysis of the World’s First Ransomware Cartel
- Anton Chuvakin
  - Today, You Really Want a SaaS SIEM!
- Awake Security
  - Breaking the Ice: Detecting IcedID and Cobalt Strike Beacon with Network Detection and Response (NDR)
- Azure Sentinel
- Ben Bornholm at HoldMyBeer
  - IR Tales: The Quest for the Holy SIEM: Splunk + Sysmon + Osquery + Zeek
- Brian Laskowski at Blumira
  - How to Detect Web Shells With a SIEM
- Brad Duncan at Malware Traffic Analysis
- Check Point Research
- Vijit Nair at Corelight
  - Extending NDR visibility in AWS IaaS
- Csaba Fitzl at ‘Theevilbit’
  - Beyond the good ol’ LaunchAgents – 12 – QuickLook Plugins
- Cyberint
  - Malware Campaign Impersonating Large Retailers, Targeting Social Media Influencers
- John Conwell and Tim Helming at DomainTools
  - Exposing Possible Campaigns with DomainCAT
- F-secure
- Alex Holland at HP Threat Research
  - Nation States, Cyberconflict and the Web of Profit
- InfoSec Write-ups
  - How SolarWinds happened? Here’s what you were told but what actually happened!
- Intel 471
  - EtterSilent: the underground’s new favorite maldoc builder
- Jorge Orchilles at Scythe
  - SCYTHE Presents: Adversary Emulation Metrics Time to Detect
- Koen Van Impe
  - Interactive usage of MISP
- McAfee Labs
- Microsoft 365 Security
  - Incident Response Series: Analyzing large amount of On-Premises Active Directory data with Azure Data Explorer
- Emily Hacker and Justin Carroll at Microsoft Security
  - Investigating a unique “form” of email delivery for IcedID malware
- Henri Hambartsumyan at Falcon Force
  - FalconFriday — Process Injection revisited — 0xFF0F
- Brad Duncan at Palo Alto Networks
  - Wireshark Tutorial: Examining Traffic from Hancitor Infections
- Sam Straka at Red Canary
  - Automatically block IPs and domains with Red Canary + Microsoft
- RiskIQ
  - Yanbian Gang Malware Continues with Wide-Scale Distribution and C2
- Daniel Lunghi and Kenney Lu at Trend Micro
  - Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware
- Homer Pacag at Trustwave SpiderLabs
  - HTML Lego: Hidden Phishing at Free JavaScript Site
- Ashwin Vamshi and Abhijit Mohanta at Uptycs
  - IcedID campaign spotted being spiced with Excel 4 Macros
UPCOMING EVENTS
- AceLab
  - The Agenda for the ACE Lab TechCon 2021 is Live!
- Dr Brian Carrier at Cyber Triage
  - Cyber Triage Demo Webinar
- Ivan Kwiatkowski
  - Check out @JusticeRage’s tweet
- SANS
  - NEW FOR509: Enterprise Cloud Forensics & Incident Response – Beta coming June 2021
PRESENTATIONS/PODCASTS
- Cache Up with Jessica Hyde
  - Magnet Forensics Presents: Cache Up – Ep.45 – Matt Mitchell
- Kevin Ripa at SANS
- AccessData
- AhmedS Kasmani
  - Malware Analysis: IcedID Banking Trojan JavaScript Dropper
- Black Hills Information Security
- Breaking Badness podcast
  - 80. Plenty of Phish in the Sea
- Bret Witt
- Cellebrite
  - Thinking Like an Investigator: Lessons Learned
  - Episode 13: iBeg to DFIR – Selective Decoding
  - SQLite Databases Part 2: Understanding Location Data and Timestamps
  - How Deep Carving for SQLite helps uncover data you may be missing
  - iOS Advanced Logical Extractions
  - How To Incorporate Cloud Evidence Into Your Investigations For Maximum Results
- Cisco’s Talos
- Cybereason
  - Malicious Life Podcast: The Story of L0pht Heavy Industries, Part 1
- Didier Stevens
- Digital Forensic Survival Podcast
  - DFSP # 268 – CSA Cloud Threats 2
- John Hubbard at ‘The Blueprint podcast’
  - AppSec, DevOps and DevSecOps
- NVISO
  - Defeating EDR’s using D/Invoke
- SANS
  - iOS Third Party Apps Analysis how to use the new reference guide poster
- Scythe
  - Unicon 2021
- Watson Infosec
  - Malware Setup Lab
MALWARE
- Ali Aqeel
  - IcedID Analysis
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #34: Dummy names
- InfoSec Write-ups
- Nicole Fishbein at Intezer
  - Rocke Group Actively Targeting the Cloud: Wants Your SSH Keys
- Joe Security
  - Joe Sandbox I – Deep Malware Analysis on iOS 13
- John Hammond
  - $60,000 STOLEN in Bitcoin/Ethereum – JScript Malware Analysis
- Igor Golovin at Kaspersky Lab
  - APKPure is not safe, distributes Trojans | Kaspersky official blog
- Mahmoud Morsy
- Malwarebytes Labs
- Mubbashir Shaikh at Network Intelligence
  - Technical Analysis of DearCry Ransomware
- Palo Alto Networks
- SANS Internet Storm Center
  - YARA and CyberChef: ZIP, (Sun, Apr 4th)
  - Video: YARA and CyberChef, (Sat, Apr 3rd)
  - Malspam with Lokibot vs. Outlook and RFCs, (Tue, Apr 6th)
  - Simple Powershell Ransomware Creating a 7Z Archive of your Files, (Thu, Apr 8th)
  - WiFi IDS and Private MAC Addresses, (Wed, Apr 7th)
  - No Python Interpreter? This Simple RAT Installs Its Own Copy, (Fri, Apr 9th)
  - Building an IDS Sensor with Suricata & Zeek with Logs to ELK, (Sat, Apr 10th)
- Securelist
- Virus Bulletin
  - New article: Dissecting the design and vulnerabilities in AZORult C&C panels
- Walmart
- WeLiveSecurity
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR
  - AboutDFIR Content Update 4/10/2021
- Olga Milishenko at Atola
  - RAID configuration detection in Atola TaskForce
- Brett Shavers at DFIR Training
  - Excuses to Avoid DFIR Training
- Cellebrite
  - Cellebrite, The Leading Digital Intelligence Solutions Provider, to List on Nasdaq Through Merger with TWC Tech Holdings II Corp.
- Dr. Brian Carrier at Cyber Triage
  - Our 100% Unbiased 4:cast Awards Nominations
- Deepak Kumar
  - DIGITAL FORENSICS SKILLSETS
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  - A Conflicted Expert and Holiday Illness Claims
- Forensic Focus
- Heather Mahalik
  - Validation 101: How to Document Links Between Suspects and Digital Intelligence
- IntaForensics
  - Opening New Doors in Forensic Casework Management
- Lee Holmes at ‘Precision Computing’
  - BinShred–Parsing Arbitrary Binary Data in PowerShell
- Max Julian Hofmann and Hanno Heinrichs at CrowdStrike
  - Adversary Quest Walkthrough, Part 2: Four SPACE JACKAL Hacktivist Challenges
- ParaFlare
- Rare Breed 4N6
  - Commonly Used Passcodes
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — April 4 to April 10
- SANS
  - Cyber42 Cybersecurity Leadership Simulation Games
- John Patzakis at X1
  - On TAP: Targeted, Automated, and Proportional Collection for Modern e-Discovery
SOFTWARE UPDATES
- Capa
  - v1.6.1
- Cellebrite
- Elcomsoft
- Eric Zimmerman
  - ChangeLog
- F-Response
  - F-Response Collect v 2.0.1.3 Released
- Malwoverview
  - Malwoverview 4.3.4
- Mihari
  - v2.2.0
- MobilEdit
  - MOBILedit Forensic Express 7.4 released!
- MSAB
  - Released today: XRY 9.4, XAMN 6.0 and XEC 6.3
- wagga40
  - Zircolite 1.1.2
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!