As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alex Caithness at CCL
  - Chromium Session Storage and Local Storage
- Belkasoft
  - Belkasoft CTF June 2021: Write-up
- CrowdStrike
  - Response When Minutes Matter: Falcon Complete Disrupts WIZARD SPIDER eCrime Operators
- DFIR Review
  - Upgrade From NULL—Detecting iOS Wipe Artifacts
- Forensafe
- Joshua Hickman at ‘The Binary Hick’
  - Apple’s Find My & iCloud’s Throne of Lies
- Kevin Pagano at Stark 4N6
- Microsoft 365 Security
  - DFIR – Windows and Active Directory persistence and malicious configurations
- Nasreddine Bencherchali
  - Symantec EDR Internals — Event Enrichment Rules [Part I]
- Not a kween
  - CyberDefenders: African Falls
- Oxygen Forensics
  - Screen lock bypass and extraction of Qualcomm-based Huawei devices
- Andrew Cook at Recon InfoSec
  - An Encounter With Ransomware-as-a-Service: MEGAsync Analysis
- Arturo Navarro at Security Art Work
  - Do Math or Windows Dies! Customizing a ransomware written in .NET (Personalizando un ransomware escrito en .NET)
- The DFIR Report
  - From Word to Lateral Movement in 1 Hour
THREAT INTELLIGENCE/HUNTING
- Zhang Zaifeng at 360 Netlab
  - A quick analysis of the intercepted Iranian domains (被拦截的伊朗域名的快速分析)
- Hannah Cartier at Active Countermeasures
  - Malware of the Day – dnscat2 DNS Tunneling
- Alex Teixeira
  - How to detect suspicious PowerShell activity with Splunk?
- Marcus Hogan at AT&T Cybersecurity
  - Stories from the SOC – Office 365 Account Compromise and Credential Abuse
- Roberto Rodriguez at Azure Sentinel
  - Testing the New Version of the Windows Security Events Connector with Azure Sentinel To-Go!
- Ben Martin at Sucuri
  - Online Credit Card Theft – A Brief Overview of Online Fraud and Abuse – Part 1
- Brad Duncan at Malware Traffic Analysis
  - 2021-06-21 – BazarCall campaign pushes BazarLoader
- Censys
  - CVE-2018-18472: Western Digital My Book Live Mass Exploitation
- Check Point
  - 21st June – Threat Intelligence Report
- Cisco’s Talos
  - Threat Roundup for June 18 to June 25
- Paul Dokas, Keith Jones, Anthony Kasza, Yacin Nadji, & Vern Paxson at Corelight
  - Corelight Sensors detect the ChaChi RAT
- CrowdStrike
  - The Myth of Part-time Hunting, Part 1: The Race Against Ever-diminishing Breakout Times
- Oakley Cox at Darktrace
  - Crypto-mining on a DNS server
- Tim Helming at DomainTools
  - A New Way to Pinpoint Dangerous Infrastructure
- Joe St Sauver at Farsight Security
  - What’s a UUID?
- Flashpoint
  - Facing Five Types of Ransomware and Cyber Extortion
- Lily Teplow at Huntress
  - Reducing Cyber Risk and Liability with Managed Threat Detection
- Jorge Orchilles at Scythe
  - SCYTHE Presents: Threat Thursday Top Ransomware TTPs
- Christine Barry at Journey Notes
  - PYSA ransomware ramps up attacks on schools
- Raj Samani at McAfee Labs
  - McAfee Labs Report Highlights Ransomware Threats
- Microsoft Security
  - Strategies, tools, and frameworks for building an effective threat intelligence team
- Microsoft Security Response Center
- Isabel Tuson and Jon Baker at MITRE-Engenuity
  - ATT&CK Workbench: A tool for extending ATT&CK
- NSA
  - NSA Funds Development, Release Of D3FEND
- Olaf Hartong at Falcon Force
  - FalconFriday — Certified Pre-Owned— 0xFF12
- Open Threat Research
- Sam Scholten and Crista Giering at Proofpoint
  - BEC Taxonomy: Lures and Tasks
- Rapid7
- ReaQta
  - Understanding the Avaddon Ransomware: Is your organization equipped to stop zero-day threats?
- Sandor Tokesi at Forensics Exchange
  - Using Att&ck framework in Azure Sentinel
- SANS Internet Storm Center
  - Video: oledump Cheat Sheet, (Sun, Jun 20th)
  - Mitre CWE – Common Weakness Enumeration, (Mon, Jun 21st)
  - Executives and Ransomware Webcast: Stop, Collaborate, and Listen! – https://www.sans.org/webcasts/executives-ransomware-stop-collaborate-listen-120150, (Mon, Jun 21st)
  - Phishing asking recipients not to report abuse, (Tue, Jun 22nd)
  - Standing With Security Researchers Against Misuse of the DMCA, (Wed, Jun 23rd)
  - Do you Like Cookies? Some are for sale!, (Thu, Jun 24th)
  - Is this traffic bAD?, (Fri, Jun 25th)
  - CVE-2019-9670: Zimbra Collaboration Suite XXE vulnerability, (Sat, Jun 26th)
- SentinelOne
  - DarkRadiation | Abusing Bash For Linux and Docker Container Ransomware
- Elad Shamir at SpecterOps
  - Shadow Credentials: Abusing Key Trust Account Mapping for Takeover
- Symantec
  - Ransomware: Growing Number of Attackers Using Virtual Machines
- Boyd White at Tanium
  - To Fight Insider Attacks, Move Beyond ‘Dead-Box Forensics’
- Thomas Roccia
  - Security Highlight #2
- WeLiveSecurity
UPCOMING EVENTS
- Preeti_Krishna at Azure Sentinel
  - Join in the Azure Sentinel Hackathon 2021!
- Binalyze
  - Webinar: Delivering Cyber Resilience with Enterprise Forensics
- CERT Polska
  - CFP Secure 2021
- Cyborg Security
  - Shining light on the DarkSide – Pt. 3
- Magnet Forensics
- SANS
PRESENTATIONS/PODCASTS
- Cache Up with Jessica Hyde
  - Magnet Forensics Presents: Cache Up – Ep.56 – Jason Jordaan
- Iron Geek
  - BSides Cleveland 2021 Videos
- AhmedS Kasmani
  - Analysis of malware dropped by Nobelium
- Archan Choudhury at BlackPerl
  - Log Analysis Tutorial Detailed Demo in QRadar, 9 Tips to Reduce False Positives in SIEM, Day 9
- Breaking Badness
  - 90. A Whole HOST of Problems
- Bret Witt
- Cellebrite
- Cisco’s Talos
  - Talos Takes Ep. #58: How to approach the partnerships it will take to defend critical infrastructure
- Cyber Secrets
- Cyber Security Interviews
  - #120 – Cimone Wright-Hamor: Cybersecurity Is An Applied Field
- Cybereason
  - Malicious Life Podcast: History of the THOTCON Hacking Conference
- Didier Stevens
  - oledump Cheat Sheet
- Digital Forensic Survival Podcast
  - DFSP # 279 – CSA Cloud Threats 4
- FIRST
- John Hammond
  - OSED Review – Offensive Security Exploit Developer
- Justin Tolman at AccessData
  - FTK Feature Focus – Episode 15 – Portable Case
- Magnet Forensics
  - Tips & Tricks // Analyzing Linux Artifacts
- Medex Forensics
- Positivity Blue Team
  - Security Operations
- SANS Institute
- Securityzed
  - 69 Digital Forensics with Matthew Snoddy
- WolfCast
  - WolfCast – Episode 03 – Recruitment – Leveling Up
MALWARE
- Daniel Beneš at Avast Threat Labs
  - Crackonosh: A New Malware Distributed in Cracked Software
- Bogdan Botezatu at Bitdefender Labs
  - New Bitdefender Decryptor for Avaddon Infections
- Cofense
- Cyble
  - DJVU Malware of STOP Ransomware Family Back with New Variant
- Eli Salem
  - Dissecting and automating Hancitor’s config extraction
- David Maciejak and Joie Salvio at Fortinet
  - The Ghosts of Mirai
- Fumik0_’s box
  - Lu0bot – An unknown NodeJS malware using UDP
- Karsten Hahn at G Data Security
  - Microsoft signed a malicious Netfilter rootkit
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #44: Decompiler types
- Mahmoud Morsy
- Ofer Caspi at AlienVault Labs
  - Darkside RaaS in Linux version
- Omri Segev Moyal at ProferoSec
  - Secrets Behind Ever101 Ransomware
- Dennis Schwarz, Matthew Mesa and Crista Giering at Proofpoint
  - JSSLoader: Recoded and Reloaded
- S2W Lab
  - Deep analysis of REvil Ransomware (written in Korean)
- Anton Kuzmenko at Securelist
  - Malicious spam campaigns delivering banking Trojans
- Itzik Chimino at Security Intelligence
  - Ursnif Leverages Cerberus to Automate Fraudulent Bank Transfers in Italy
- Marco Figueroa at SentinelLabs
  - Evasive Maneuvers | Massive IcedID Campaign Aims For Stealth with Benign Macros
- Kamila Babayeva and Sebastian Garcia at Stratosphere IPS Research
  - Dissecting a RAT. Analysis of the Saefko RAT.
- Diana Lopera at Trustwave SpiderLabs
  - Yet Another Archive Format Smuggling Malware
MISCELLANEOUS
- Amina Zilic at Binalyze
  - The Second Step to Forensic Readiness: Types & Sources of Digital Evidence
- Check Point
  - Global Surge in Ransomware Attacks: To pay or not to pay is not the only question
- Jurgen at Correlated Security
  - A Cyber Security Analyst Maturity Curve
- CrowdStrike
- Joep Gommers at EclecticIQ
  - Introducing Our New Platform and Our Intelligence at the Core Philosophy
- Forensic Focus
  - How To Detect Tampered Images On Social Media Via Shadows Analysis
  - FTK Feature Focus: Optimizing FTK Processing Options Part 1
  - Register For Webinar: Going on a Bear Hunt AKA A Safari Through Safari
  - Detect, Classify, Summarize And Review With Intelligence Features In MD-VIDEO AI
  - Nuix’s Aidan Jewell On Mac Forensics And Cross-Border Case Collaborations
- Gerald Auger at Simply Cyber
  - How This Org is Using OSINT To Find Missing Persons (Cybersecurity For Good)
- IntaForensics
  - Lima Q&A: Your Frequently Asked Questions about Lima Answered
- James Smith at DFIR Madness
  - InfoSec-Fortress
- John Lukach at Cloud 4n6ir
  - BLAKE3 a new normal for hashes
- Josh Brunty
  - Thoughts on Atomic Habits (Chapters 9-14)
- LIFARS Cybersecurity
  - Automation in Incident Response: Identifying and Responding to Potential Security Threats and Incidents
- Magnet Forensics
  - A “Thank You” from the Training Team
- Marco Fontani at Amped
  - How Can I Trim a Small Part of a Large Video Without Losing Quality?
- Nextron Systems
  - Visit the New Online Manuals
- Red Canary
- Richard Frawley at ADF
  - Remove an iTunes Password set in ADF Digital Forensics Tools
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — June 20 to June 26
- Shashank Gosavi at NII Consulting
  - Big Ticket Data Breaches: How do they go undetected for so long?
- UNODC SHERLOC
  - The Practical Guide for Requesting Electronic Evidence across Borders
- Vignesh Mudliar at 4sysops
  - Understanding Microsoft 365 Attack simulation training
- We are OSINTCurio.us
  - Companion Post to 2021 NCPTF Conference Talk
SOFTWARE UPDATES
- AceLab
  - Join ACE Lab on Telegram!
- Amped
  - Authenticate Release 21117: Improved Video PRNU, Customizable JPEG Ghosts Plot, Better Batch Processing, and More!
- ANSSI DFIR-ORC
  - v10.1.0-rc6: Revert “CI: fix README for CI badge on release/main”
- Arsenal Recon
  - Hibernation Recon v1.2.1.79
- Binalyze
  - DRONE BETA Release v1.3.0: Headless CLI mode
- Cellebrite
  - Now available: Cellebrite Physical Analyzer and Cellebrite UFED Cloud v7.46
- Didier Stevens
  - Update: oledump.py Version 0.0.61
- Eric Zimmerman
  - ChangeLog
- ExifTool
  - ExifTool 12.28
- Griffeye
  - Release of Analyze 21.1.1
- IntelOwl
  - Darksearch.io and other improvements
- Malwoverview
  - Malwoverview 4.4.1
- IsoBuster
  - IsoBuster 4.8 released
- Velociraptor
  - Release 0.6.0
- Volexity
  - Volcano UI Pro v1.3292 & Volcano Server v21.05.31 are now available!
- Yeti
  - 1.7.0
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!