As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Irfan Shakeel at AT&T Cybersecurity
  - Network traffic analysis using Wireshark
- Amina Zilic at Binalyze
  - August 2021 Binalyze Product Updates
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - The Bayer Method
- Elcomsoft
- Forensafe
- Inginformatico
- James Lovato at CrowdStrike
  - SuperMem: A Free CrowdStrike Incident Response Tool for Automating Memory Image Processing
- Mathias Stuhlmacher
  - Awesome Event IDs
- N00b_H@ck3r
  - Protected: Security Blue Team Labs: Phishing Analysis 2 (This will be unlocked once the challenge is retired)
- Oxygen Forensics
  - Android App Downgrade
- Michael Zinn at Paraben Corporation
  - Forensically Imaging Bitlocker
- Scott Koenig at ‘The Forensic Scooter’
- Security Onion
  - Quick Malware Analysis: Qakbot and Cobalt Strike pcap from 2021-03-02
  - Quick Malware Analysis: SquirrelWaffle and Cobalt Strike pcap from 2021-09-20
  - Quick Malware Analysis: Resume Themed Malspam pcap from 2021-09-21
  - Quick Malware Analysis: SquirrelWaffle, Qakbot, and Cobalt Strike pcap from 2021-09-22
  - Quick Malware Analysis: Qakbot pcap from 2021-09-20
- Vikas Singh
  - Create a Super Timeline with TACTICAL/IREC Triage Image
THREAT INTELLIGENCE/HUNTING
- Brad Duncan at Malware Traffic Analysis
  - 2021-09-20 – TA551 (Shathak) pushes BazarLoader
  - 2021-09-21 – Brazil – currículo (resume) themed malspam
  - 2021-09-20 – Squirrelwaffle Loader with Cobalt Strike
  - 2021-09-22 – Squirrelwaffle Loader with Qakbot and Cobalt Strike
  - 2021-09-21 – Squirrelwaffle Loader with Cobalt Strike
  - 2021-09-20 – Qakbot (Qbot) returns after 2 month absence
  - 2021-09-24 – Squirrelwaffle Loader with Qakbot and Cobalt Strike
  - 2021-09-23 – Squirrelwaffle Loader with Qakbot and Cobalt Strike
- Censys
  - VMware CVE-2021-22005 Technical & Impact analysis
- Check Point Research
  - 20th September – Threat Intelligence Report
- Cisco’s Talos
  - Threat Roundup for September 17 to September 24
- Max Gannon at Cofense
  - Phishing as a Ransomware Precursor
- Countercraft
  - Escaping Docker Privileged Containers for Mining Crypto Currencies
- Csaba Fitzl at ‘Theevilbit’
  - Beyond the good ol’ LaunchAgents – 20 – Terminal Preferences
- Cybereason
  - Threat Analysis Report: PrintNightmare and Magniber Ransomware
- Moshe Hayun at Deep Instinct
  - LockBit 2.0 Ransomware Becomes LockFile Ransomware with a Never-Before-Seen Encryption Method
- Pasquale Stirparo at Dragos
  - Cyber Threats to Global Electric Sector on the Rise
- Eclypsium
  - Everyone Gets a Rootkit
- Neel Mehta at Google Threat Analysis Group
  - Financially motivated actor breaks certificate parsing to avoid detection
- Drew Schmitt at GuidePoint Security
  - A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike
- Herjavec Group
  - Herjavec Group BlackMatter Ransomware Profile
- Huntress
  - The Top Four CVEs Attackers Exploit
- Intrusion Truth
  - Hello Lionel Richie
- Malwarebytes Labs
  - MSHTML attack targets Russian state rocket centre and interior ministry
- Michael Koczwara
  - Monitoring Threat Actors C2 Infrastructure with Shodan
- Microsoft Security
- Michael Gough at NCC Group Research
  - Detecting and Hunting for the PetitPotam NTLM Relay Attack
- Carol Hildebrand at Netscout
  - The Long Tail of Attacker Innovation
- Pete Cowman at Hatching
  - SquirrelWaffle and Other Detection Updates
- ReaQta
  - Remote code execution vulnerability CVE-2021-40444 could become the next prolific cyber crime tool. Here’s how to stay ahead of such exploits.
- Recorded Future
- Red Canary
  - Intelligence Insights: September 2021
- RiskIQ
  - “Bom” Skimmer is Magecart Group 7’s Latest Model
- SANS Internet Storm Center
  - Video: Simple Analysis Of A CVE-2021-40444 .docx Document, (Sun, Sep 19th)
  - An XML-Obfuscated Office Document (CVE-2021-40444), (Wed, Sep 22nd)
  - Excel Recipe: Some VBA Code with a Touch of Excel4 Macro, (Thu, Sep 23rd)
  - Keep an Eye on Your Users Mobile Devices (Simple Inventory), (Fri, Sep 24th)
  - Strings Analysis: VBA & Excel4 Maldoc, (Sat, Sep 25th)
  - Video: Strings Analysis: VBA & Excel4 Maldoc, (Sat, Sep 25th)
- Alexander Rodchenko at Securelist
  - Detection evasion in CLR and tips on how to detect such attacks
- Security Investigation
- Sky Blueteam
  - Scanning VirusTotal’s firehose
- Sophos
- Trend Micro
UPCOMING EVENTS
- Emmy Gamble at Cellebrite
  - Cellebrite Digital Collector: Collecting Data from Live Macs
- Cybereason
  - Webinar: Inside the REvil Ransomware – Pick Your Path
PRESENTATIONS/PODCASTS
- Belkasoft
  - Preserving Evidence
- Black Hat
- Black Hills Information Security
- Breaking Badness
  - 97. The Skies Are All Kinds of Blue
- Cellebrite
- Chewing the FAT
  - Episode 5
- Cisco’s Talos
  - Talos Takes Ep. #69: Our armadillo in shining armor
- DEFCON
  - DEF CON 29 ICS Village
- Detection: Challenging Paradigms
  - S2 – Episode 3: Jared, Jonathan, and Luke
- DFIR Science
- Didier Stevens
  - Simple Analysis Of A CVE-2021-40444 .docx Document
- Digital Forensic Survival Podcast
- Esentire
  - Ep. 4: Evidence & Building a Case
- Gerald Auger at Simply Cyber
- LetsDefend
  - Demo of Endpoint Analysis with Incident Responder Module
- LimaCharlie
  - Running Detection & Response Rules Against Historical Telemetry
- Magnet Forensics
- NTCore
  - Emotet MS Office Malware 150-Seconds Analysis
- Paraben Corporation
- Brad Stowers at ADF
  - Learn Digital Forensics Online | ADF Best Practices Webinars of 2021
- SANS
- Security Weekly
  - Velociraptor – Digging Deeper – Mike Cohen, Wes Lambert – PSW #711
- Uriel Kosayev
  - Malware Analysis – Unpacking ASPack Manually
MALWARE
- Ali Aqeel
  - dissecting binaries from unknown threat actor
- Anh Ho at Avast Threat Labs
  - BluStealer: from SpyEx to ThunderFox
- Blackberry
  - Threat Thursday: BlackMatter RaaS – Darker Than DarkSide?
- Cerbero
  - Video: Emotet MS Office Malware 150-Seconds Analysis
- CERT-AGID
  - Campagna Ursnif veicolata tramite falsa mail BRT (Ursnif campaign delivered via a fake BRT email)
- Cisco’s Talos
- DiabloHorn
  - CSAW 2021, binary ninja & a haystack
- Eli Salem
  - The Squirrel Strikes Back: Analysis of the newly emerged cobalt-strike loader “SquirrelWaffle”
- HashDB
  - Check out @herrcore’s tweet
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #58: Keyboard modifiers
- John Hammond
  - Snip3 Crypter/RAT Loader – DcRat MALWARE ANALYSIS
- Jared Stroud and Tom Hegel at Lacework
  - HCRootkit / Sutersu Linux Rootkit Analysis
- Mahmoud Morsy
  - Phishing Attacks 25_9_2021
- Thomas Reed at Malwarebytes Labs
  - New Mac malware masquerades as iTerm2, Remote Desktop and other apps
- Anuradha M at McAfee Labs
  - Malicious PowerPoint Documents on the Rise
- Nadav Lorber at Morphisec
  - New Jupyter Evasive Delivery through MSI Installer
- Ghanashyam Satpathy and Gustavo Palazolo Eiras at Netskope
  - BazarLoader: Using LoLBins through Office Documents to Deliver Payloads
- Secureworks
  - REvil Ransomware Reemerges After Shutdown; Universal Decryptor Released
- Nir Somech at Security Intelligence
  - New ZE Loader Targets Online Banking Users
- SentinelOne
- Syed Hasan
  - Reversing with IDA: Cross-references
- Telsy
  - REMCOS and Agent Tesla loaded into memory with Rezer0 loader
- Tahseen Bin Taj and Matthieu Faou at WeLiveSecurity
  - FamousSparrow: A suspicious hotel guest
- Yoroi
  - Hunting the LockBit Gang’s Exfiltration Infrastructures
MISCELLANEOUS
- Cassie Doemel at AboutDFIR
  - AboutDFIR Content Update 9/25/2021
- Any.Run
  - How to Protect Banks from Cyberattacks
- Doug Metz at Baker Street Forensics
  - Forensic Imaging Station – Steampunk Edition
- Errata Security
  - That Alfa-Trump Sussman indictment
- Forensic Focus
  - New in Binalyze AIR v1.8.0: Multi-organization support
  - Android App Downgrade in Oxygen Forensic Detective
  - Grayshift Co-Founders David Miles, Chief Executive Officer & Braden Thomas, Chief Product Officer
  - Grayshift Accelerates Forensic Access And Extends GrayKey To LG Mobile Devices And MediaTek Chipsets
  - Register For Webinar: Photo Analysis And Tampering Detection With Amped Authenticate
  - Register For Webinar: Binalyze AIR-DRONE Integration
  - AIR From Binalyze
- Jesse Spangenberger at ‘Cyber Fenix DFIR & Technology’
- Joe at Stranded on Pylos
  - Critical Commentary Considering the Zero Day
- Marco Fontani at Amped
  - How Can I Redact (Blur or Pixelate) a Video With Amped Replay?
- NVISO Labs
  - Building an ICS Firing Range – Part 2 (Defcon 29 ICS Village)
- Junhyeong Lee at Plainbit
  - [TIP#6] NLBrute with Event Logs
- Derya Yavuz at Praetorian
  - Incident Response Best Practices: Building an Evidence Wiki
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — September 19 to September 25
- SANS
- Secureworks
  - Integrating Your Cyber Insurance Into Your Incident Response Efforts
- Alya Gomaa at Stratosphere IPS
  - Create and Test Your Own TAXII Server
- Lesley Carhart
  - Ask Lesley: How Much Should SOC Work Suck?
- Pieces0310
  - Better late than never~ Oxygen Forensic Detective supports APK Downgrade Extraction now~ – Pieces0310
SOFTWARE UPDATES
- Belkasoft
  - What’s new in Belkasoft X v.1.10
- Costas K
  - MFTBrowser.exe (x64)
- Didier Stevens
  - Update: re-search.py Version 0.0.18
- Eric Zimmerman
  - ChangeLog
- ExifTool
  - ExifTool 12.31
- Griffeye
  - Release of Analyze 21.2
- Harel Segev
  - INDXRipper
- Magnet Forensics
  - New in AXIOM Cyber 5.5: Deploy One Agent to Multiple Endpoints
- Mihari
  - v3.9.0
- radare2
  - 5.4.2
- Xways
  - X-Ways Forensics 20.4 Beta 1
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!