As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni
  Identifying the Android Operating System Version thru UsageStats
- Didier Stevens
  Quickpost: Decrypting Cobalt Strike Traffic
- Forensafe
- Kyle Song
  Blog #28: IPv6 in TeamViewer(v15) part 2. [EN]
- Jamie McQuaid at Magnet Forensics
  Virtualizing Your Forensics Lab in the Cloud Part 5: Securing Your Evidence in Microsoft Azure
- Meisam Eslahi at ‘Cyber Security Hub’
  Blue Team-System Live Analysis [Part 9]- Windows: User Account Forensics- Ownership: Process…
- Ryan Benson at dfir.blog
  Unfurl Plugin and “Site Characteristics” Artifact Added in Hindsight
- Pieces0310
  Best GPS Tracker – Smartphones – Pieces0310
THREAT INTELLIGENCE/HUNTING
- 4rchib4ld Victory Road
  Your attribution appears to have been applied to your life
- Vitali Kremez & Danny Aga at Advanced Intelligence
  Pro View: Redefining Threat Intelligence Mission: From Reactive to Proactive
- Brent Sleeper at Agari
  Newly-Enhanced Agari Splunk App Integrates Phishing Threat Data into Splunk SIEM Solutions
- Alex Teixeira
  Detecting network beacons via KQL using simple spread stats functions
- Anomali
  Anomali Cyber Watch: HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targetting South Korean Orgs, Multiple Zero-Days and More
- Anton Chuvakin
  What Are Your NOT Detecting?
- Arch Cloud Labs
  Threat Intelligence in the Homelab
- Azure Sentinel
- Victor Vrabie And Bogdan Botezatu at Bitdefender Labs
  New Nebulae Backdoor Linked with the NAIKON Group
- Check Point Research
  26th April – Threat Intelligence Report
- Cisco’s Talos
  Threat Roundup for April 23 to April 30
- Csaba Fitzl at ‘Theevilbit’
  Beyond the good ol’ LaunchAgents – 14 – atrun
- Nimrod Stoler at CyberArk
  Breaking Down the Codecov Attack: Finding a Malicious Needle in a Code Haystack
- Juliana DeGroot at Digital Guardian
  What Are The Most Critical Components of Threat Intelligence and How Do You Take Action on Them?
- DomainTools
- Dragos
  New ICS Threat Activity Group: TALONITE
- Eclypsium
  April Firmware Threat Report
- Thorben Jändling at Elastic
  The essentials of central log collection with WEF and WEC
- Fire Eye Threat Research
- Frikkylikeme
  The Shuffle automation and detection framework — Open Source SOAR
- Pavandeep Singh at Hacking Articles
  Active Directory Enumeration: BloodHound
- McHugh Security
- Mehmet Ergene
  Hunting for Lateral Movement: Local Accounts
- Microsoft Security
  Center for Threat-Informed Defense teams up with Microsoft, partners to build the ATT&CK® for Containers matrix
- Jamie Williams, Jen Burns, Cat Self, and Adam Pennington at MITRE ATT&CK
  What’s New in ATT&CK v9?. Data Sources, Containers, Cloud, and more
- Nasreddine Bencherchali
  Symantec EDR Internals — Criterion
- ReaQta
  Defending attacks to the SWIFT network
- Ben Downing and Matt Graeber at Red Canary
  Does signed mean trusted? The Mimikatz dilemma
- Renuka Gough at Elastic
  Searching through logs with the free and open Logs app in Kibana
- Scythe
- Securelist
  APT trends report Q1 2021
- Sophie Bovy at Secureworks
  Incident Response Life Cycle – Phases for Effective IR
- Janus Agcaoili at Trend Micro
  Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability
- Oddvar Moe at TrustedSec
  ADExplorer on Engagements
- Corsin Camichel at Vulnerability.CH
  Ransomware and Data Leak Site Publication Time Analysis
- Prasoon Dwivedi at Walmart
  Security monitoring and regulatory compliance in Microsoft Azure
UPCOMING EVENTS
- Belkasoft
  BelkaDay America 2021
- Chad Tilbury at SANS
  Tech Tuesday Workshop – Cobalt Strike Detection via Log Analysis
- Jess Garcia at DS4N6 News
- GreyNoise
  GreyNoise Open Forum
- Mike Cohen at Velocidex
  Check out @Velocidex’s tweet
PRESENTATIONS/PODCASTS
- Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.48 – Maddie Brumbelow
- Kevin Ripa at SANS
  Episode 200: The Final Episode
- Andreas Sfakianakis at ‘Tilting at windmills’
  Guest Lecture @ DTU: “Welcome to the world of CTI”
- Archan Choudhury at BlackPerl
- Black Hat
  How Healthcare Can Use Network Data To Detect Threats
- Black Hills Information Security
- Breaking Badness podcast
  83. Back in Hack
- Bret Witt
- Cellebrite
- Cisco’s Talos
  Talos Takes Ep. #51: COVID and Tax Day have perfectly aligned for spammers
- Detection: Challenging Paradigms
  Episode 8: Matt Hand
- Digital Forensic Survival Podcast
  DFSP # 271 – DREAD and STRIDE
- FIRST
  Using Sysmon to Improve your Incident Response and Threat Hunting Capabilities
- Gerald Auger at Simply Cyber
  What are Yara Rules (and How Cybersecurity Analysts Use Them)
- John Hubbard at ‘The Blueprint podcast’
  Mick Douglas & Flynn Weeks: Simplifying your Logging Strategy with the What2Log Project
- Malwarebytes Labs
  Breaking free from the VirusTotal silo: Lock and Code S02E07
- Positivity Blue Team
  Governance, Risk, and Compliance
- Recorded Future
  Malware Party Tricks and Cybersecurity Trends
MALWARE
- 360 Netlab
- David Zimmer at Avast Threat Labs
  VB6 P-Code Obfuscation
- BushidoToken
  Mo Money, Mo Magecart
- Umesh Wanve at CrowdStrike
  Blocking Fileless Script-based Attacks Using CrowdStrike Falcon’s Script Control Feature
- Cybereason
  Cybereason vs. Avaddon Ransomware
- F-secure
- Flashpoint
  A Second Iranian State-Sponsored Ransomware Operation “Project Signal” Emerges
- Xiaopeng Zhang at Fortinet
  Deep Analysis: FormBook New Variant Delivered in Phishing Campaign – Part III
- Igor Skochinsky at Hex Rays
  Igor’s tip of the week #37: Patching
- Karlo Licudine at AccidentalRebel
  Emprisa Maldoc Writeup
- lab52
  Chimera APT updates on its OwlProxy malware
- Mahmoud Morsy
- Marco Ramilli
  MuddyWater: Binder Project (Part 1)
- Ray Canzanese at Netskope
  Cloud and Threat Report: Cloudy with a Chance of Malware
- Maxime Thiebaut
  Anatomy of Cobalt Strike’s DLL Stager
- Joshua Dunn at Open Threat Research Blog
  Malware Analysis Series – Setting Up a Basic Malware Analysis Virtual Lab
- Robert Falcone and Simon Conant at Palo Alto Networks
  New Shameless Commodity Cryptocurrency Stealer (WeSteal) and Commodity RAT (WeControl)
- Patrick Wardle at ‘Objective-See’
  All Your Macs Are Belong To Us
- Crista Giering, Fnaves, Andrew Conway, and Adam Mcneil at Proofpoint
  FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon
- Karlo Zanki at ReversingLabs
  Spotting malicious Excel4 macros
- SANS Internet Storm Center
  Wireshark 3.4.5 Released, (Sun, Apr 25th)
  Sysinternals: Procmon and Sysmon update, (Sun, Apr 25th)
  Deeper Analyzis of my Last Malicious PowerPoint Add-On, (Wed, Apr 28th)
  Diving into a Singapore Post Phishing E-mail, (Tue, Apr 27th)
  CAD: .DGN and .MVBA Files, (Mon, Apr 26th)
  From Python to .Net, (Thu, Apr 29th)
  Qiling: A true instrumentable binary emulation framework, (Fri, Apr 30th)
  YARA Release v4.1.0, (Sat, May 1st)
- WMC Global
  Hermes SMS Courier Scam
MISCELLANEOUS
- Jessica Hyde and Tarah Melton at Magnet Forensics
  Forensic 4:cast Nomination Picks from Magnet Forensics Examiners
- Agari
- Anastasios Pingios
  OSAC NL Chapter: Cyber Threat Briefing
- Amina Zilic at Binalyze
  New in Binalyze AIR v1.7.40: IBM QRadar integration, improved Linux package distribution, and ultimate control over user access with 70+ privileges
- Cellebrite
  Our Mission Remains Clear
- Chris Sanders
  Building Intrusion Detection Honeypots Online Course
- Craig Ball at ‘Ball in your Court’
  Final Exam Review: How Would You Fare?
- Cyberwox Academy
  Building a Cybersecurity Homelab
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
- Forensic Focus
- Estee Ranson at ‘Hello DFIR’
  Day 1 in DFIR: Thoughts and Tips for Beginners
- Jamesspi
  Check out @jamesspi’s tweet
- Jason Wilkins at ‘Noob to Pro Forensics’
  Forensic 4:Cast 2021 Nominations
- Katie Nickels at ‘Katie’s Five Cents’
  My Reflections on Combating Ransomware
- LMG Security
  Late to Proactive Threat Hunting? It’s Time to Get Started.
- Matt C. A. Smith
  Installing Splunk Free in a virtual machine for log analysis
- Mike Cohen at Velocidex
  Scaling Velociraptor
- ADF
- Sandor Tokesi at Forensics Exchange
  Hiding the Referrer
- SANS
- Pieces0310
  How to root Samsung M11 running Android Q – Pieces0310
SOFTWARE UPDATES
- Binalyze
  Binalyze AIR Release Notes 1.7.40
- Yulia Samoteykina at Atola
  AFF4 support in Atola TaskForce 2021.4
- Acelab
- Capa
  v1.6.3
- Foxton Forensics
  Browser History Examiner — Version History (Version 1.15.3)
- Ryan Benson
  Hindsight 2021.04.26
- Hex Rays
  IDA 7.6 Service Pack 1 released
- Malwoverview
  Malwoverview 4.3.5
- MISP
  MISP 2.4.142 released (with new correlation features, UI sync functionality improved and new dashboard widgets)
- Oxygen Forensics
  Oxygen Forensic® Detective v.13.5
- Bob Rudis
  A Small macOS (Big Sur+) to Extract Indicators of Compromise
- Security Onion
  Security Onion 2.3.50 now available!
- Ulf Frisk
  MemProcFS Version 3.10
- Velociraptor
  Release 0.5.9-rc1
- Xways
  X-Ways Forensics 20.2 SR-2
- YARA
  YARA v4.1.0
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!