As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Lukasz D at Compass Security
  - Straightforward Mobile Forensics
- DS Tools
  - WhatsApp in Plain Sight: Where and How You Can Collect Forensic Artifacts
- DS4N6
- Erik Hjelmvik at Netresec
  - Analysing a malware PCAP with IcedID and Cobalt Strike traffic
- Howard Oakley at ‘The Eclectic Light Company’
  - How some log entries vanish sooner than others
- Kyle Song
  - Blog #27: IPv6 in TeamViewer(v15) part 1. [EN]
- Sandfly Security
  - Detecting and Investigating OpenSSL Backdoors on Linux
- TheHexNinja
  - Getting hashes to Virus Total from an Isolated Virtual Machine
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
  - Playing CAPAeira with Yara rules
- Anastasios Pingios
- Anomali
- Awake Security
  - Mapping the Attack: Using Situations to Visualize an IcedID / Cobalt Strike Compromise
- Tim Rains at AWS
  - Whitepaper available: Classic intrusion analysis frameworks for AWS environments
- Oana Asoltanei, Alin Mihai Barbatei, and Silviu Stahie at Bitdefender Labs
  - COVID-19 Vaccine Apps Take a Jab at Digital Safety
- Blumira
- Brad Duncan at Malware Traffic Analysis
  - 2021-04-23 – IcedID (Bokbot) infection from zipped JS file
- Check Point Research
  - 19th April – Threat Intelligence Report
- CISA
  - CISA Identifies SUPERNOVA Malware During Incident Response
- Cisco’s Talos
  - Threat Roundup for April 16 to April 23
- Ashley Atkins at Cofense
  - Home Buyers Beware – Tax-Themed Phish Hosted on Typeform
- Ben Reardon at Corelight
  - Detect C2 ‘RedXOR’ with state-based functionality
- Csaba Fitzl at ‘Theevilbit’
  - Beyond the good ol’ LaunchAgents – 13 – Audio Plugins
- Cybereason
- Cyberint
  - CL0P Ransomware
- Elastic
- F-secure
- Gianni Castaldi at Kusto King
  - Time is of the essence
- Drew Schmitt at GuidePoint Security
  - Mount Locker Ransomware Steps up Counter-IR Capabilities, Hindering Efforts for Detection, Response and Investigation
- Hacking Articles
- Henri Hambartsumyan at Falcon Force
  - FalconFriday — Password Spraying with(out) MDI — 0xFF10
- İbrahim Baloğlu
  - Cobalt Strike Attack, Detection and Analysis
- Intel 471
  - How China’s cybercrime underground is making money off big data
- Karlo Licudine at AccidentalRebel
  - Investigating an FB phishing site
- Koen Van Impe
  - Debugging MISP event publish workflow. And a faulty application gateway
- Malwarebytes Labs
- MITRE Engenuity ATT&CK® Evaluations
  - MITRE Engenuity ATT&CK® Evaluations Highlight Check Point Software Leadership in Endpoint Security with 100% Detection across All Tested Unique ATT&CK Techniques
  - Cybereason Excels in 2020 MITRE Engenuity ATT&CK Evaluations
  - MITRE ATT&CK: Cybereason Dominates the Competition
  - MITRE Engenuity ATT&CK® Round 3: Carbanak + FIN7 vs. the free and open capabilities in Elastic Security
  - MITRE Evaluation Results Showcase Fortinet FortiEDR’s Prevention and Detection Capabilities
  - MITRE Engenuity ATT&CK® Evaluation proves Microsoft Defender for Endpoint stops advanced attacks across platforms
  - Cortex XDR: Best Combined Prevention and Detection in MITRE Round 3
  - Inside Cisco’s performance in the 2020 MITRE Engenuity ATT&CK® Evaluation
  - MITRE ATT&Ck Engenuity: AI & Big Data Powered EDR > Human Powered Products
  - The Storybook Approach to MITRE ATT&CK
  - Measurable Detection & Response: MITRE Engenuity’s ATT&CK Evaluations for Carbanak+FIN7
  - VMware Carbon Black Delivers High-Fidelity Insight at Every Step of MITRE Engenuity ATT&CK® Evaluation
- Andrew Cook at Recon InfoSec
  - Threat Hunting – A Critical Component of High Performing SOCs
- Recorded Future
  - Iran-Linked Threat Actor The MABNA Institute’s Operations in 2020
- Red Alert
  - SectorA Group’s Threat Landscape in 2020
- Martin Kirk at Secureworks
  - Post-Intrusion Ransomware Incident Response
- Security Art Work
  - (Cyber) Intelligence (II)
- Trend Micro
UPCOMING EVENTS
- Kevin Ripa and Eric Zimmerman
  - Kevin Ripa’s 3MinMax Series Wrap Up | LIVE STREAM
- Belkasoft
  - Capture The Flag: Belkaday
- Brittany Roberts at ADF
  - National Child Protection Task Force Virtual Conference | NCPTF 2021
- Cellebrite
  - Digital Intelligence in the modern age
  - Computer Access and Analysis Solutions Part 1: On-The-Scene Computer Triage Simplified: Helping You Effectively Tackle Cases
  - Computer Access and Analysis Solutions Part 2: Leverage Key Capabilities to Surface Digital Intelligence From Windows PC Artifacts
  - Computer Access and Analysis Solutions Part 3: Advanced macOS artifacts – Understand and Analyze Unified Logs and KnowledgeC with Inspector
- Nextron Systems
  - THOR Lite Usage in Mjolnir Security’s Introduction to Incident Response Training
- OSDFCon
  - 2021 Call For Presentations
- SANS
  - Call for Presentations – SANS 2021 Security Awareness Summit
- Securizame
  - Live online courses on DFIR and Linux Forensic Analysis 2021
PRESENTATIONS/PODCASTS
- Cache Up with Jessica Hyde
  - Magnet Forensics Presents: Cache Up – Ep.47 – Steve Watson
- Kevin Ripa at SANS
- Acelab
  - The ACE Lab Online TechCon 2021: All the Latest Data Recovery Features at a Glance
- AhmedS Kasmani
- Anastasios Pingios
  - BSidesBUD 2020: A gentle introduction to building a threat intelligence team
- Basis Technology
  - Computer Autopsies with María Andrea Vignau [OSDFCon Webinar]
- Black Hills Information Security
- Breaking Badness podcast
  - 82. SolarWinds and Losses
- Bret Witt
- BSides Canberra 2021
  - BSides Canberra 2021
- Cisco’s Talos
  - Talos Takes Ep. #50: Just like us, attackers are using Slack and Discord now more than ever
- Didier Stevens
- Digital Forensic Survival Podcast
  - DFSP # 270 – CAPEC
- FIRST
  - Build Your Own Malware Analysis Pipeline Using New Open Source Tools
- Gerald Auger at Simply Cyber
  - Live Honeypot and Music – Simply Cyber Live Stream
- HackDefend Labs
- John Hubbard at ‘The Blueprint podcast’
  - Anton Chuvakin: The Current State and Future of Security Operations
- Lee Reiber’s Forensic Happy Hour
  - Oxygen Forensics Episode 208
- Nuix
  - Webinar: Responding CISA Alerts with Nuix
- Positivity Blue Team
  - Transitioning From Offense to Defense
- SANS Institute
- Watson Infosec
  - WazuhSIEM Build Guide Video!
MALWARE
- David Zimmer at Avast Threat Labs
  - Binary Data Hiding in VB6 Executables
- Eli Salem
  - Dancing With Shellcodes: Cracking the latest version of Guloader
- Dan Perez, Sarah Jones, Greg Wood, and Stephen Eckels at FireEye Threat Research
  - Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day
- Fortinet
  - Deep Analysis: FormBook New Variant Delivered in Phishing Campaign – Part II
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #36: working with list views in IDA
- InfoSec Write-ups
- Joakim Kennedy at Intezer
  - HabitsRAT Used to Target Linux and Windows Servers
- John Hammond
  - HTA JScript to PowerShell – Novter Malware Analysis
- Lordx64
  - Initial analysis of PasswordState supply chain attack backdoor code
- Mahmoud Morsy
- Hossein Jazi at Malwarebytes Labs
  - Lazarus APT conceals malicious code within BMP image to drop its RAT
- Jeroen Beckers at NVISO Labs
  - How to analyze mobile malware: a Cabassous/FluBot Case study
- RiskIQ
  - For Threat Actors, Shadow Z118 is the Kit That Keeps on Giving
- SANS Internet Storm Center
  - Decoding Cobalt Strike Traffic, (Sun, Apr 18th)
  - Hunting phishing websites with favicon hashes, (Mon, Apr 19th)
  - A Case for Lockdown and Isolation (and not the Covid kind), (Wed, Apr 21st)
  - How Safe Are Your Docker Images?, (Thu, Apr 22nd)
  - Malicious PowerPoint Add-On: “Small Is Beautiful”, (Fri, Apr 23rd)
  - Base64 Hashes Used in Web Scanning, (Sat, Apr 24th)
- Securelist
- Security Intelligence
  - Internet of Threats: IoT Botnets Drive Surge in Network Attacks
- Marco Figueroa, Amitai Ben, and Shushan Ehrlich at SentinelLabs
  - A Deep Dive into Zebrocy’s Dropper Docs
- Sophos
  - Nearly half of malware now use TLS to conceal communications
- Virus Bulletin
  - New article: Run your malicious VBA macros anywhere!
- Jason Reaves and Joshua Platt at Walmart
  - CobaltStrike Stager Utilizing Floating Point Math
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR
  - AboutDFIR Content Update 4/19/2021
- 4n6lady
  - Digital Forensics Course Development — Phase 2
- Craig Ball at ‘Ball in your Court’
  - The Great Pandemic Leap Forward
- Didier Stevens
  - Lua CSV Wireshark Dissector
- Digital Corpora
  - Download Reports
- disrupt:Ops
  - Sending CloudWatch (Like Guard Duty) to Lambda
- Forensic Focus
- Marco Fontani at Amped
  - Cognitive Bias: Steering Conclusions Irrationally
- Moxie Marlinspike at Signal
  - Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective
- Olaf Hartong at Falcon Force
  - Sysmon 13.10 FileDeleteDetected
- Matt Hastings at Red Canary
  - Respond and remediate faster with Red Canary’s new Splunk Phantom integration
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — April 18 to April 24
- SANS
- Teru Yamazaki at Forensicist
  - NSRLJP_202104
- Mike Cohen at Velocidex
  - The Next Phase of Velociraptor
- Sam Adams at Rapid7
  - Rapid7 and Velociraptor Join Forces
SOFTWARE UPDATES
- Acelab
  - The new PC-3000 Flash Software Ver. 7.5.11 is available!
- Belkasoft
  - Belkasoft X v. 1.6: Wickr Me decryption, APK downgrade for multiple platforms, and other improvements
- Cellebrite
  - Now Available: Cellebrite Pathfinder Desktop 8.5
  - Cellebrite Launches Endpoint Inspector: A Cloud-First Remote Collection Solution
- Cyber Triage
  - Cyber Triage 2.14.4 Exchange-Server Specific Features that Detect WebShells
- Didier Stevens
- DME Forensics
  - DVR Examiner 3.0.1
- ExifTool
  - ExifTool 12.25
- FIR
  - Python 3 Update
- MISP
  - MISP 2.4.141 released (Many improvements from email notification, UI, API and installation scripts)
- radare2
  - 5.2.1 – Bugfix release after 5.2.0
- Xways
  - X-Ways Forensics 20.3 Preview 2b
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
fantastic forensic blog: DS Tools
Thanks for all the shares!