As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Bohops
  - Analyzing and Detecting a VMTools Persistence Technique
- Cellebrite
  - Computer Forensics: What Can You Do About Deleted Data?
- Kamala Kannan at Checkmate
  - Windows Timeline: Putting the what & when together
- Craig Wilson at Digital Detective
  - Forensic Analysis of the Zone.Identifier Stream
- Brendan Mccreesh
  - Swimming in the SRUM
- Forensafe
- Forensic-Research
- Dray Agha at Jumpsec Labs
  - PowerShell Jobs
- Kathryn Hedley at Khyrenz
  - USB connections with no logged-in user
- Kevin Pagano at Stark 4N6
- Korstiaan Stam at ‘Invictus Incident Response’
  - Responding to a Cobalt Strike attack — Part III
- Kyle Song
- Nasreddine Bencherchali
  - Windows 11 “New” ETW Providers — Overview
- Amber Schroader at Paraben Corporation
  - What is Android ADB with smartphone forensics?
- Eric Capuano and Whitney Champion at Recon InfoSec
  - Scaling Enterprise Forensic Timelining
- Scott Koenig at ‘The Forensic Scooter’
  - iOS KnowledgeC.db Notifications
- Security Onion
- The DFIR Report
  - BazarLoader and the Conti Leaks
- WhyNotSecurity
  - A tool to find Windows registry files in a blob of data
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
  - Trololololobin and other lolololocoasters
- Anomali
- Blackberry
- Brad Duncan at Malware Traffic Analysis
  - 2021-10-07 – Qakbot (Qbot) obama111 with Cobalt Strike
- Greg Gaylor at Censys
  - Censys Blue Team Series: How to Increase Network Alert Triage Efficiency with Censys ASM’s Outside-In Visibility
- Cisco’s Talos
- Countercraft
  - Five Cool TTPs for Autumn
- Cybereason
  - How Do Initial Access Brokers Enable Ransomware Attacks?
- Kit Clelford at Cyjax
  - Ransomware Review – September 2021
- Flashpoint
  - REvil Continues Its Reemergence, Joins Groove-led RAMP Forum
- Fortinet
- Lina Lau at Inversecos
  - Hunting for Citrix Netscaler API Abuse: Reconnaissance, SSO and Session Manipulation
- Peter Renals at Palo Alto Networks
  - SilverTerrier – Nigerian Business Email Compromise
- Felipe Naves, Adam Mcneil, and Andrew Conway at Proofpoint
  - Mobile Malware: TangleBot Untangled
- Tom Sellers at Rapid7
  - For Microsoft Exchange Server Vulnerabilities, Patching Remains Patchy
- ReaQta
  - Conti Ransomware (RaaS): A New Wage-Paying Affiliate Model
- Recorded Future
  - Illegal Activities Endure on China’s Dark Web Despite Strict Internet Control
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, August 2021
- RiskIQ
  - Mana Tools: A Malware C2 Panel with a Past
- S2W Lab
- SANS Internet Storm Center
  - Facebook Outage: Yes, its DNS (sort of). A super quick analysis of what is going on., (Mon, Oct 4th)
  - Video: CVE-2021-40444 Maldocs: Extracting URLs, (Sun, Oct 3rd)
  - Looking Glasses: Debugging Network Connectivity Issues, (Tue, Oct 5th)
  - Who Is Hunting For Your IPTV Set-Top Box?, (Thu, Oct 7th)
  - Sorting Things Out – Sorting Data by IP Address, (Fri, Oct 8th)
  - Scanning for Previous Oracle WebLogic Vulnerabilities, (Sat, Oct 9th)
- Security Investigation
- Sophos
- Matt Hand and Emily Leidy at SpecterOps
  - Life is Pane: Persistence via Preview Handlers
- Cassie Doemel
  - SANS Threat Hunting 2021 Start.Me
- Team Cymru
  - Collaborative Research on the CONTI Ransomware Group
- Drew Kirkpatrick at TrustedSec
- Vicente Díaz at VirusTotal
  - Ransomware in a global context
UPCOMING EVENTS
- Griffeye
  - Webinar: Uncover critical evidence with LACE Carver
- Magnet Forensics
  - Tips & Tricks // Building Streamlined Digital Forensics Workflows with Magnet AUTOMATE
PRESENTATIONS/PODCASTS
- Archan Choudhury at BlackPerl
  - Incident Response Training Course, Network Forensics, Day 13
- Belkasoft
  - Step-by-Step of an iOS Agent Based Acquisition—7th episode of BelkaTalk on DFIR
- Black Hills Information Security
- Breaking Badness
  - 99. Time to Break a Threat
- BSides Singapore
  - BSides Singapore Conference 2021
- Cellebrite
- Cisco’s Talos
  - Talos Takes Ep. #71 (NCSAM edition): Reflecting on ransomware in 2021
- Cloud Security Podcast by Google
  - EP34 Instrumenting Modern Application Stack for Detection and Response
- Cybereason
  - Malicious Life Podcast: Inside the MITRE ATT&CK Framework
- DFIR.Science
- Dr Ali Hadi
- Gerald Auger at Simply Cyber
  - Exactly What Job SPEAKS to You in Cybersecurity? (Find your Passion)
- InfoSec_Bret
- John Hammond
  - SnykCon CTF – “Invisible Ink” Prototype Pollution
- MSAB
  - New release: XRY 9.6, XAMN 6.2, XEC 6.5 and KTE (our frontline solutions)
- NTCore
  - 20-Seconds Excel Malware Analysis
- OALabs
  - Analyzing Hancitor DLL Live – Let’s Build A Config Extractor!
- SANS Institute
- Security Onion
  - Security Onion Conference 2021 recordings are now available!
- This Week In 4n6
  - This Month In 4n6 – September – 2021
MALWARE
- 0xjxd
  - SquirrelWaffle – From Maldoc to Cobalt Strike
- Abdallah Elshinbary
  - WinDbg Cheat Sheet
- Erik Pistelli at Cerbero
  - Video: 20-Seconds Excel Malware Analysis
- Chuong Dong at 0ffset
  - SQUIRRELWAFFLE – Analysing The Main Loader
- Tom Fakterman, Daniel Frank, Chen Erlich, and Assaf Dahan at Cybereason
  - Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms
- Cyberint
  - Vidar Stealer Abuses Mastadon Social Network
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #59: Automatic function arguments comments
- Shusei Tomonaga at JPCERT/CC
  - Malware Gh0stTimes Used by BlackTech
- MWLab
- Gustavo Palazolo and Ghanashyam Satpathy at Netskope
  - SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot
- nullteilerfrei
  - Using Windows Sandbox for Malware Analysis
- Runa Sandvik at Objective-See
  - Made In America: Green Lambert for OS X
- Paolo Luise at Any.Run
  - Using a Sandbox for Incident Response: Containment Strategy
- Fedor Sinitsyn and Yanis Zinchenko at Securelist
  - Ransomware in the CIS
- Pedro Tavares at Segurança Informática
  - Malware analysis: Details on LockBit ransomware
- Muthamil Mudhalvan
  - PE Format
- Siddharth Sharma at Uptycs
  - Team TNT Deploys Malicious Docker Image On Docker Hub
- Vladislav Hrčka at WeLiveSecurity
  - FontOnLake: Previously unknown malware family targeting Linux
MISCELLANEOUS
- Amped
- Vitaliy Mokosiy at Atola
  - Locate Sectors in Atola Insight Forensic 5.1
- ArcPoint Forensics
  - Installing Autopsy on macOS Big Sur
- Binary Recon
  - BitLocker – AD setup for BitLocker Recovery Key Management
- Cassie Doemel at AboutDFIR
  - AboutDFIR Content Update 10/09/2021
- Forensic Focus
  - Using Network Capture with Binalyze AIR
  - LogExtractor: Extracting Digital Evidence From Android Log Messages Via String & Taint Analysis
  - Detego Delivers Exceptional Airport Security with Unified Digital Investigations
  - New release from MSAB: XRY 9.6, XAMN 6.2 and XEC 6.5
  - Password Protecting XRY Files
  - Streamlining the FTK Workflow With Portable Cases
  - Insider Threat Prediction Based on Unsupervised Anomaly Detection Scheme for Proactive Forensic Investigation
  - Access Achieved: Keep the Integrity of your Mobile Evidence
- iNPUT-ACE
  - What does a Forensic Video Analyst really do for a Police Agency?
- Magnet Forensics
  - Kick Off Cybersecurity Awareness Month with Our New White Paper!
- Oxygen Forensics
  - Innovative data recovery
- Derya Yavuz at Praetorian
  - How to Write and Execute Great Incident Response Playbooks
- Carlos Canto at Rapid7
  - Velociraptor to Announce Winners of Its 2021 Contributor Competition
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — October 3 to October 9
- SANS
- SentinelOne
- Pieter Arntz at Malwarebytes Labs
  - At long last, Microsoft is disabling Excel 4.0 macros by default
SOFTWARE UPDATES
- Amped
  - Amped Replay Update 22229: New Timestamp Functions, Annotation Options, and Increased Admin Settings
- ANSSI DFIR-ORC
  - v10.0.21
- Belkasoft
  - Belkasoft Releases Belkasoft T v.1.1
- Brim
  - v0.26.0
- Costas K
- Digital Detective
- Eric Zimmerman
  - ChangeLog
- Maxim Suhanov
  - dfir_ntfs 1.0.10
- Mihari
  - v3.9.2
- MSAB
  - New release: XRY 9.6, XAMN 6.2 and XEC 6.5
- Security Onion
  - Introducing Security Onion Solutions Response-Ready (R2) Appliances!
- SOF-ELK
  - SOF-ELK® Virtual Machine Changelog
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!