As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’: Android version without the build.props file
- SANS: FOR509: Enterprise Cloud Forensics and Incident Response
- Barnaby Skeggs: LSASS.DMP… Attacker or Admin?
- James Smith at DFIR Madness: Case 001 Super Timeline Analysis
- Kevin Pagano at Stark 4N6
- Marco Fontani at Amped: Compression Artifacts: Hiding or Adding Details to the Scene
- Oxygen Forensics: TikTok Data Extraction
- Peter Stewart: Hack The Box – Keep Tryin’ (Forensics Challenge)
- Rare Breed 4N6: Parsing that Pesky BFU Extraction
- Lionel Faleiro at SandmaxPrime: Stalkerware – Is Somebody Watching You?
THREAT INTELLIGENCE/HUNTING
- Vitali Kremez, Al Calleo, and Yelisey Boguslavskiy at Advanced Intelligence: Adversary Dossier: Ryuk Ransomware Anatomy of an Attack in 2021
- Thorsten Sick at Avast Threat Labs: Purple Dome Project on Attacks Without Malware
- Yevgeniy Ilyin at AWS Security: How to use AWS IAM Access Analyzer API to automate detection of public access to AWS KMS keys
- Ely Abramovitch at Azure Sentinel: What’s new: Incident timeline
- Arris Huijgen: Spying on users using Remote Desktop Shadowing – Living off the Land
- Brad Duncan at Malware Traffic Analysis
  - 2021-04-12 – Guildma (Astaroth) activity from Brazil-based malspam
  - 2021-04-14 – BazaLoader (BazarLoader) activity
  - 2021-04-15 – BazaLoader (BazarLoader) activity
  - 2021-04-12 – IcedID (Bokbot) infection from zipped JS file
  - 2021-04-16 – BazaLoader (BazarLoader) activity
  - 2021-04-16 – TA551 (Shathak) German-template Word docs push Ursnif (Gozi/ISFB)
- Cisco’s Talos: Threat Roundup for April 9 to April 16
- Cybereason: Five Clear Steps to Enhance SecOps with MITRE ATT&CK
- Dragos: April 2021 Knowledge Pack Released
- Calum Hall and Luke Roberts at F-Secure
- FireEye Threat Research
- Dmitry Melikov at InQuest: Unearthing Hancitor Infrastructure
- Ben Martin at Sucuri: WordPress Continues to Fall Victim to Carding Attacks
- Malwarebytes Labs: How ransomware gangs are connected, sharing resources and tactics
- Raj Samani at McAfee Labs: McAfee Labs Report Reveals Latest COVID-19 Threats and Malware Surges
- Mehmet Ergene: Building a Custom UEBA with KQL to Hunt for Lateral Movement
- Microsoft 365 Security: Incident Response in a Microsoft cloud environment
- Mike Cohen at Velocidex: Digging into process memory
- MikeCyberSec: Splunk Attack Range W/ Docker & AWS
- Carol Hildebrand at Netscout: Latest NETSCOUT Threat Intelligence Report Highlights Unprecedented DDoS Attack Activity
- Kirk Hayes at Nettitude Labs: PoshC2 – Introducing Native macOS Implants
- Red Alert: Monthly Threat Actor Group Intelligence Report, February 2021
- Thomas Gardner at Red Canary: Research ATT&CK techniques from the comfort of your VSCode editor
- Jean Maes at Red Team Tips: Basic operational security when dropping to disk
- Sandor Tokesi at Forensics Exchange: Ways of phishing 2 – HTML smuggling
- SANS Internet Storm Center
  - Example of Cleartext Cobalt Strike Traffic (Thanks Brad), (Mon, Apr 12th)
  - April 2021 Forensic Quiz: Answers and Analysis, (Wed, Apr 14th)
  - Why and How You Should be Using an Internal Certificate Authority, (Thu, Apr 15th)
  - HTTPS Support for All Internal Services, (Fri, Apr 16th)
  - Querying Spamhaus for IP reputation, (Fri, Apr 16th)
- Scythe
- Resha Chheda and Grant Moerschel at SentinelOne: MITRE Mania: Your Guide to Understanding Vendor Positioning and Why It All Matters
- Sophos
- Raphael Centeno, Don Ovid Ladores, Lala Manly, Junestherry Salvador, and Frankylnn Uy at Trend Micro: A Spike in BazarCall and IcedID Activity Detected in March
- Adam Todd at TrustedSec: BITS for Script Kiddies
- Siddharth Sharma at Uptycs: Mirai code re-use in Gafgyt
- Wes Lambert: Monitoring Adversaries at Your Trapdoor with Security Onion
- xorl
UPCOMING EVENTS
- Belkasoft: [WEBINAR] Meet the new Belkasoft R!
- Cybereason: MITRE ATT&CK Evaluations – Unpacking the Emulation
- Magnet Forensics: April 21 1:00PM ET: Learnings from Real World Cloud Data Breaches
- Will Elder at ADF: 2021 National Cybercrime Conference Virtual Law Enforcement Training
- SANS Institute: SANS New to Cyber Summit 2021
PRESENTATIONS/PODCASTS
- Andrew Rathbun at Kroll: Enhancing Event Log Analysis with EvtxEcmd using KAPE
- Cache Up with Jessica Hyde: Magnet Forensics Presents: Cache Up – Ep.46 – Aury M. Curbelo-Ruiz
- Kevin Ripa at SANS
- AhmedS Kasmani: 1-Click Malware Analysis: IcedID JS Dropper
- Andrew Malec: Identification and analysis of suspicious network connections
- Archan Choudhury at BlackPerl: Learn Cloud Security | Incident Response in AWS with Alexa | Incident Response Training Free | Day-5
- Black Hills Information Security: Talkin’ About Infosec News – 4/12/2021
- Breaking Badness podcast: 81. It’s Not All Zoom And Gloom
- Bret Witt
- Cellebrite
- Chris Sienko at the Cyber Work podcast: What does a digital forensic investigator do in the government? | Cyber Work Podcast
- Cisco’s Talos
- Colin Hardy: I bought a PHISHING website from the DARKWEB. Here’s what I found…
- Detection: Challenging Paradigms: Episode 7: Thomas Kinsella
- Didier Stevens: Decoding Cobalt Strike Traffic
- Digital Forensic Survival Podcast: DFSP # 269 – Svchost Revisited
- Gerald Auger at Simply Cyber
- John Hubbard at ‘The Blueprint podcast’: Rob van Os: Maturing your Cyber Defense
- Karsten Hahn at Malware Analysis For Hedgehogs: Malware Theory – Imphash algorithm explained
- Trey Amick at Magnet Forensics: Building a Seamless Workflow with Magnet AUTOMATE & REVIEW
- Positivity Blue Team: SOC X – The Special
MALWARE
- AlienVault Labs: The rise of QakBot
- Romana Tesařová at Avast Threat Labs: HackBoss: A cryptocurrency-stealing malware distributed through Telegram
- Eduard Budaca and Bogdan Botezatu at Bitdefender Labs: From Cracks to Empty Wallets – How Popular Cracks Lead to Digital Currency and Data Theft
- Michał Praszmo at CERT Polska: Keeping an eye on CloudEyE (GuLoader) – Reverse engineering the loader
- CISA Analysis Reports
- Xiaopeng Zhang at Fortinet: Deep Analysis: New FormBook Variant Delivered in Phishing Campaign – Part I
- Igor Skochinsky at Hex Rays: Igor’s tip of the week #35: Demangled names
- Fernando Ruiz and Carlos Castillo at McAfee Labs: BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain
- Nikhil Rathor at 0xthreatintel: Internals of Babuk Ransomware
- Doel Santos at Palo Alto Networks: Threat Assessment: Clop Ransomware
- Luigi Martire and Luca Mella at Yoroi: Ransomware micro-criminals are still out here (and growing)
- Atinderpal Singh, Rohit Chaturvedi, and Tarun Dewan at ZScaler: A look at HydroJiin campaign
MISCELLANEOUS
- Jessica Hyde at Magnet Forensics: Magnet Virtual Summit CTF Prizes Announced
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’: How to sort and organize files recovered by PhotoRec
- Belkasoft: Belkasoft X review by Takaya Kawasaki
- Brett Shavers
- Cellebrite
- Elcomsoft
- Esentire: What is Digital Forensics and How Does it Relate to Incident Response?
- Forensic Focus
  - HancomWITH: 2021 1Q MD-Series Release Note Highlights
  - How To Perform A Digital Forensic Acquisition In Under 10 Mins With Binalyze AIR
  - Modern Digital Forensics: Speed, Automation and Rapid Evidence Collection with Binalyze AIR
  - Grayshift INSIGHTS – April 28 – Registration Open
  - Endpoint Isolation: A new feature of AIR that brings an investigation under your control
- Harry Taheem at StealthBay: Passing the GCFA exam
- Jason Wilkins at ‘Noob to Pro Forensics’: Testing, testing, 1, 2, 3…
- Gail Ow at Keysight: Stuxnet, Sunburst, and Covid-19
- Magnet Forensics
- Matt Bromiley
- Bob Rudis: Quick Hit: Processing macOS Application Metadata Weirdly Fast with mdls and R
- Sandfly Security: Check out @CraigHRowland’s tweet
- SANS
- The Leahy Center for Digital Forensics & Cybersecurity: Top Tech Podcasts Of April 2021
SOFTWARE UPDATES
- Amped: Amped FIVE Update 20532: Introducing Variable Motion Deblurring, Freeze Frame, Annotation Keyframing and Much, Much More
- Belkasoft: Belkasoft announces the launch of Belkasoft R
- Bundesamt für Sicherheit in der Informationstechnik: RdpCacheStitcher v1.1
- Capa: v1.6.2
- Elcomsoft: Elcomsoft Wireless Security Auditor supports NVIDIA Ampere boards
- Eric Zimmerman: ChangeLog
- ExifTool: ExifTool 12.24
- IntelOwl: API docs, 7 new analyzers, dependency upgrades and other adjusts
- Magnet Forensics
- Metaspike: Forensic Email Collector v3.60 Release Notes
- Mihari: v2.3.0
- Open Source DFIR: Plaso 20210412 released
- Passware: Passware Kit 2021 v2 Now Available
- radare2: 5.2.0 – codename: “morens”
- Sandfly Security: Sandfly 2.9.0 – Protect Five Linux Hosts Free Instantly
- Velociraptor: Release 0.5.8
- Xways: X-Ways Forensics 20.3 Preview 2
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!