As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Brandon Lee at 4sysops
Recover deleted emails in Microsoft 365
- Ahmed Musaad
Google Workspace Security Investigation Tool
- Belkasoft
iCloud acquisition and analysis with Belkasoft X
- Doug Metz at Baker Street Forensics
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
Apple and Fraud
- Elcomsoft
- Ex Umbra in Solem
Digital Forensic Investigation (EDD.exe)
- Forensafe
- Joshua Hickman at ‘The Binary Hick’
Android 12 Image Now Available!
- Magnet Forensics
- Malay Patel
Private Chat Applications: Anything of forensic value beyond manufacturer-claimed encryption?
- Nasreddine Bencherchali
Should You Trust Your Admin Tools?
- Ryan Benson at dfir.blog
Cookies Database Moving in Chrome 96
- Security Onion
- Quick Malware Analysis: TA551-SHATHAK-ICEDID-BOKBOT with Cobalt Strike and DarkVNC pcap from 2021-12-10
- Quick Malware Analysis: Contact Forms Bazarloader with Cobalt Strike pcap from 2021-12-03
- Quick Malware Analysis: Contact Forms IcedID with Cobalt Strike and DarkVNC pcap from 2021-12-13
- Quick Malware Analysis: Hancitor with Cobalt Strike pcap from 2021-12-16
- Bill Marczak, John Scott-Railton, Bahr Abdul Razzak, Noura Al-Jizawi, Siena Anstis, Kristin Berdan, and Ron Deibert at The Citizen Lab
Pegasus vs. Predator: Dissident’s Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware
- The DFIR Report
Diavol Ransomware
THREAT INTELLIGENCE/HUNTING
- More Log4Shell resources!
- Ten families of malicious samples are spreading using the Log4j2 vulnerability Now
- Malicious samples from 10 families are already spreading via the Log4j2 vulnerability
- Urgent! Minecraft players are under massive attack
- Ransomware Advisory: Log4Shell Exploitation for Initial Access & Lateral Movement
- How To Detect the Log4Shell Vulnerability (CVE-2021-44228) with Microsoft Endpoint Configuration Manager
- Global outbreak of Log4Shell
- Log4j (Version 2) Vulnerability Notification
- log4j Incident Response, Have You Covered Everything?
- Our New Log4j Scanner to Combat Log4Shell
- Advice for Defenders Responding to the log4j Vulnerability CVE-2021-44228
- Technical Advisory: Zero-day critical vulnerability in Log4j2 exploited in the wild
- Log4Shell – The call is coming from inside the house
- The Log4Shell/ Log4j Vulnerability (CVE-2021-44228) Explained
- An Analysis of The Log4Shell Alternative Local Trigger
- 2021-12-14 – Pcap from web server with log4j attempts and lots of other probing/scanning
- Analysis of Initial In The Wild Attacks Exploiting Log4Shell/Log4J/CVE-2021-44228
- Analysis of Novel Khonsari Ransomware Deployed by the Log4Shell Vulnerability
- CVE-2021-44228: Log4j
- CERT-AgID shares IoCs for mitigating Log4shell attacks
- The Laconic Log4Shell FAQ
- StealthLoader Malware Leveraging Log4Shell
- Log4j Vulnerability and Cloud Guard AppSec Machine Learning based Approach for Preemptive Prevention
- A deep dive into a real-life Log4j exploitation
- Zero-day vulnerability (aka Log4Shell) in Apache Log4j is being actively exploited
- Protecting against Log4j with Secure Firewall & Secure IPS
- How to Respond to Apache Log4j using Cisco Secure Analytics
- Sanitizing Cloudflare Logs to protect customers from the Log4j vulnerability
- Exploitation of Log4j CVE-2021-44228 before public disclosure and evolution of evasion and exfiltration
- LOG4SHELL – A Zero Day you need to protect against TODAY
- Simplifying detection of Log4Shell
- Detecting Log4j via Zeek & LDAP traffic
- Detecting Log4j Exploits via Zeek When Java Downloads Java
- How CrowdStrike Protects Customers from Threats Delivered via Log4Shell
- TellYouThePass ransomware via Log4Shell
- Log4j: What to Know. What to Do. And How to Stay Ahead
- Monitoring with PowerShell: Detecting Log4J files
- How Cybereason Detects and Prevents Exploits Leveraging Log4Shell Vulnerability
- Microsoft Sentinel Log4j Ubiquiti Analytic Rule
- Log4Shell Attack – Explanation and Recommended Steps for Prevention
- Addressing Log4j Vulnerability with Cymulate
- Detecting and responding to Log4Shell in the wild
- A Domain Bloom in Progress: log4j Domains
- Implications of Log4j Vulnerability for Operational Technology (OT) Networks
- Analysis of Log4Shell vulnerability CVE-2021-45046
- Ongoing Exploitation of the Log4j Vulnerabilities
- How attackers are trying to exploit Log4Shell
- Log4j Chatter: What Threat Actors Are Sharing About the Log4Shell Vulnerability
- CVE-2021-44228 – Apache Log4j Vulnerability
- Log4Shell: Reconnaissance and post exploitation network detection
- log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
- Germany's National Cybersecurity Agency declares red alert: Wave of attacks possibly imminent due to Log4Shell vulnerability
- How Log4J Works and Detecting It In Your Environment (DEMO AND TOOLS)
- Network Security Monitoring Opportunities and Best Practices for Log4j Defense
- A Detailed Guide on Log4J Penetration Testing
- Alert Level Red: Warning of critical security vulnerability Log4Shell
- CVE-2021-44228: “Yes, Virginia, There Are Such Things as Zero-Days”
- The Year From Hell (Plus Log4Shell): A Tradecraft Tuesday Recap
- SOC Talk: The Log4Shell Vulnerability
- Log4j: Letting the JNDI out of the bottle
- Log4j zero-day vulnerability : Exploitation, Detection & Mitigation
- Log4shell Zero-Day Exploit— Full Guide
- Log4Shell (Log4j RCE): Detecting Post-Exploitation Evidence is Best Chance for Mitigation
- [0x08] Log4shell memos
- Log4J / Log4Shell: Is Your Network Safe? Find Out for Free with Keysight
- Lacework Labs Identifies Log4J Attackers
- Log4J Vulnerability: Using Behavioral Anomaly Detection to Spot Active Attacks
- The Log4Shell Exploit Has Over 60 Mutations—Learn What to Do Next
- Guide: How To Detect and Mitigate the Log4Shell Vulnerability (CVE-2021-44228)
- Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046)
- Understanding Log4Shell via Exploitation and Live Patching (CVE-2021-44228 + CVE-2021-45046)
- Log4Shell Update: Severity Upgraded 3.7 -> 9.0 for Second log4j Vulnerability (CVE-2021-45046)
- How to Discuss and Fix Vulnerabilities in Your Open Source Library
- What SMBs can do to protect against Log4Shell attacks
- Log4Shell Initial Exploitation and Mitigation Recommendations
- Log4j | Why Your Scanners Can’t Find It
- Protecting Against the Log4j (Log4Shell) Vulnerability – What is it & What Actions Can You Take?
- log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
- Log4Shell: Reconnaissance and post exploitation network detection
- Netskope Threat Coverage: Apache Log4j RCE (CVE-2021-44228)
- CVE-2021-45046: New Log4j Vulnerability Discovered
- Khonsari: New Ransomware Delivered Through Log4Shell
- Log4Shell Detection with Nextron Rules
- Nextron Products Unaffected by Log4j Vulnerability CVE-2021-44228
- Log4j Evaluations with ASGARD
- Launch Extended Detection and Response Steps to Manage Log4j Vulnerability
- Log4j Sniffer
- Log4j: It’s worse than you think
- Log4j 2.15.0 stills allows for exfiltration of sensitive data
- Log4j vulnerability: Lessons learned in a week
- Log4Shell & massive Kinsing deployment
- log4jScanner
- Log4Shell: Critical log4j Vulnerability
- Radware Threat Researchers Live: Ep.17
- Update on Log4Shell’s Impact on Rapid7 Solutions and Systems
- Using InsightVM to Find Apache Log4j CVE-2021-44228
- Log4Shell Makes Its Appearance in Hacker Chatter: 4 Observations
- The Everyperson’s Guide to Log4Shell (CVE-2021-44228)
- How to Protect Your Applications Against Log4Shell With tCell
- Testing Applications for Log4j Vulnerability (CVE-2021-44228)
- Recon’s SOAR Playbook to Detect Log4j Exploitation
- Log4Shell: How It’s Being Exploited and How to Mitigate Damage
- Log4j Is Why You Need An SBoM
- Logs of Log4shell (CVE-2021-44228): log4j is ubiquitous [KR]
- Logs of Log4shell (CVE-2021-44228): log4j is ubiquitous [EN]
- What do you need to know about the log4j (Log4Shell) vulnerability?
- What do you need to know about the log4j (Log4Shell) vulnerability?
- Log4Shell exploited to implant coin miners, (Mon, Dec 13th)
- Log4j 2.15.0 and previously suggested mitigations may not be enough, (Tue, Dec 14th)
- Log4j: Getting ready for the long haul (CVE-2021-44228), (Tue, Dec 14th)
- SCYTHE Presents: Porting the Log4J CVE PoC to SCYTHE
- CVE-2021-44228 vulnerability in Apache Log4j library
- Log4j: What We’ve Learned so Far
- Log4Shell: Easy to Launch the Attack but Hard to Stick the Landing?
- Log4j Vulnerability FAQs
- Log4Shell: Apache Log4j 2 CVE-2021-44228
- Log4Shell Vulnerability Risks for OT Environments — and How You Can Better Protect Against Them
- Apache Log4j Vulnerability – Detection and Mitigation
- Log4Shell Hell: anatomy of an exploit outbreak
- Inside the code: How the Log4Shell exploit works
- Log4Shell Response and Mitigation Recommendations
- Simulating, Detecting, and Responding to Log4Shell with Splunk
- Log4Shell – Detecting Log4j 2 RCE Using Splunk
- Log4Shell – Detecting Log4j Vulnerability (CVE-2021-44228) Continued
- Log4j Vulnerability: The Perfect Holiday Present that Nobody Wants
- Mitigating log4j with Runtime-based Kubernetes Network Policies
- Exploiting and Mitigating CVE-2021-44228: Log4j Remote Code Execution (RCE)
- Apache Log4j Flaw: A Fukushima Moment for the Cybersecurity Industry
- Apache Log4j Flaw Puts Third-Party Software in the Spotlight
- Log4Shell: 5 Steps The OT Community Should Take Right Now
- CVE-2021-44228, CVE-2021-45046, CVE-2021-4104: Frequently Asked Questions About Log4Shell and Associated Vulnerabilities
- log4j: The Aftermath
- Analyzing a Log4Shell log4j Exploit from Muhstik
- Patch Now: Apache Log4j Vulnerability Called Log4Shell Actively Exploited
- Are Endpoints at Risk for Log4Shell Attacks?
- Log4j Detection and Response Playbook
- Trustwave’s Action Response: Log4j Zero-Day Vulnerability CVE-2021-44228
- Remediating Log4J using osquery: a quick reference guide of tables and actions
- Log4j/Log4Shell vulnerability scanning and exploit detection in Uptycs osquery
- Log4Shell vulnerability: What we know so far
- Log4J/LogShell IOC search
- Log4J attacks in the wild
- CVE-2021-45105: Denial of Service via Uncontrolled Recursion in Log4j StrSubstitutor
- Prevent the Apache Log4j Java Library Vulnerability With a Zero Trust Architecture
- Neutralizing Apache Log4j Exploits with Identity-Based Segmentation
- Threatlabz analysis – Log4shell CVE-2021-44228 exploit attempts
- Mitigate Log4Shell and remote code execution risk with deception
- Weekly Roundup: What We’ve Learned About the Log4j Vulnerability
- Log4Shell / Apache Log4j Injection Vulnerability CVE-2021-44228: Impact and Response
- Log4j / Log4Shell Explained – All You Need to Know
- A. Boukar
XXE Attacks Explained
- Alex Teixeira
Splunk IOC Scanner: a use case every-single-SOC needs
- Sean Fernandez at Binary Defense
Threat Hunting AWS CloudTrail with Microsoft Sentinel: Part 4
- Andrei Pisau at Bitdefender
Tactical Threat Intelligence: How to shield data from advanced attacks
- Blackberry
- Brad Duncan at Malware Traffic Analysis
- Charlie Bromberg
The Hacker Tools
- Check Point Research
- Jon Munshaw at Cisco’s Talos
Threat Source Newsletter (Dec. 16, 2021)
- Cobalt Strike Research and Development
- Kian Mahdavi at Cofense
Beware: Purchase Order Scam Carries Phishing Link
- Csaba Fitzl at ‘Theevilbit’
Beyond the good ol’ LaunchAgents – 25 – Apache2 modules
- Dan Fein at Darktrace
9 Days of Ransomware: How AI responds at every stage
- EclecticIQ
2021’s Challenges Highlight the Need for Intelligence-Based Cyber Defense
- Flashpoint
2021 Intel Wrap-Up: COVID-19 Fraud By The Numbers—Pricing and Geographic Analysis
- Aarti Singh at Hacking Articles
Windows Privilege Escalation: Scheduled Task/Job (T1573.005)
- Hornet Security
Email Threat Review November 2021
- Jared Atkinson
Check out @jaredcatkinson’s Tweet
- Ben Finke at Scythe
SCYTHE Presents: #ThreatThursday – UNC2452
- Lina Lau at Inversecos
How to Detect Malicious Azure Persistence Through Automation Account Abuse
- Mandiant
- Rob Lefferts at Microsoft Security
The final report on NOBELIUM’s unprecedented nation-state attack
- Jos van der Peet at Falcon Force
FalconFriday — Monitoring for public shares — 0xFF1A
- Matt Stafford and Sherman Smith at Prevailion
DarkWatchman: A new evolution in fileless techniques.
- Proofpoint
- Recorded Future
- Brian Donohue at Red Canary
Run Atomic Red Team tests with Microsoft Defender for Endpoint
- RiskIQ
“Offshore” Shinjiru Provides Bulletproof Services to Cyberattackers
- SANS Internet Storm Center
- Securelist
- Secureworks
noPac: A Tale of Two Vulnerabilities That Could End in Ransomware
- Melissa Frydrych, Charlotte Hammond, Richard Emerson, and Claire Zaboeva at Security Intelligence
Nation State Threat Group Targets Airline with Aclip Backdoor
- Splunk
- SteveD3
Phishing 2021 – A Year in Review
- Ashley Sand at Sucuri
How Malware Gets On Your Website
- Symantec Enterprise
- Trend Micro
- Vicente Díaz at VirusTotal
- Sahil Antil and Sudeep Singh at ZScaler
New DarkHotel APT attack chain identified
UPCOMING EVENTS
- Cellebrite
4 Best Practices For Curbing the Contraband Phone Crisis In Corrections Facilities
- Cybereason
Webinar January 11th 2022: Live Attack Simulation – Ransomware Threat Hunte
- Magnet Forensics
Magnet User Summit 2022 is Coming Back to Nashville on April 11-13!
- Security Onion
10% Early Bird discount for 4-day Security Onion 2 Fundamentals for Analysts and Admins
PRESENTATIONS/PODCASTS
- ArcPoint Forensics
Unallocated Space S1: Ep02: John Pizzuro
- Belkasoft
iCloud backups downloading and other improvements of the latest Belkasoft X v.1.11 release
- Black Hills Information Security
- Cisco’s Talos
Beers with Talos, Ep. #112: A new host approaches!
- Cybereason
Malicious Life Podcast: Ransomware Attackers Don’t Take Holidays
- Day Cyberwox
- Joshua I. James at DFIRScience
- Dump-Guy Trickster
Deobfuscation SmartAssembly 8+ and recreating Original Module SAE+DnSpy
- FIRST
Welcome Remarks & Opening Address
- John Hammond
ACTIVE DEFENSE & Cyber Deception – with John Strand!
- Magnet Forensics
- MSAB
- Nuix
Introduction to Nuix Automation
- OALabs
Dumpulator – Using Binary Emulation To Automate Reverse Engineering
- Radware
Radware Threat Researchers Live: Ep.16
- Richard Frawley at ADF
ICAC Investigations with ADF Tools
- SANS
- SANS STAR Live Stream
- Top 5 Things CISOs Need to Know About Privacy
- Evolution Over Iteration: Security as a Business Enabler and Business Accelerator
- Your Calling Card: Building Your Cybersecurity Leadership Brand: Part 1
- Your Calling Card: Building Your Cybersecurity Leadership Brand: Part 2
- Your Calling Card: Building Your Cybersecurity Leadership Brand: Part 3
- Sumuri
New Booting Options for M1 Macs
MALWARE
- Any.Run
- Avast Threat Labs
Avast Finds Backdoor on US Government Commission Network
- Aleksandar Milenkoski and Kotaro Ogino at Cybereason
THREAT ANALYSIS REPORT: Inside the LockBit Arsenal – The StealBit Exfiltration Tool
- Jacob Pimental at GoggleHeadedHacker
Reverse Engineering Crypto Functions: AES
- Igor Skochinsky at Hex Rays
Igor’s tip of the week #69: Split expression
- Lab52
Cuba Ransomware Analysis
- Mahmoud Morsy
Phishing Attacks 15_12_2021
- Sriram P & Lakshya Mathur at McAfee Labs
HANCITOR DOC drops via CLIPBOARD
- John LaCour at PhishLabs
Stolen Card Data Leads Dark Web Threats
- Qi’anxin Threat Intelligence Center
Analysis of attack samples using similar obfuscation techniques as OceanLotus
- Jake Baines at Rapid7
Driver-Based Attacks: Past and Present
- Hrvoje Samardžić at ReversingLabs
Get Smart: Leveraging Threat Intel To Detect Ransomware
- Phil Stokes at SentinelOne
Top 10 macOS Malware Discoveries in 2021 | A Guide To Prevention & Detection
- Luigi Martire, Carmelo Ragusa, and Luca Mella at Yoroi
Serverless InfoStealer delivered in Est European Countries
- Dennis Schwarz at ZScaler
Return of Emotet: Malware Analysis
MISCELLANEOUS
- Cassie Doemel at AboutDFIR
AboutDFIR Site Content Update 12/18/21
- Marco Fontani at Amped
Amped Funds a 3-Years Research Grant at the University of Florence
- Autopsy
Autopsy and Log4J Vulnerability
- Cellebrite
- Dragos
Dragos CEO Robert M. Lee Keynote at Fortinet Operations Technology (OT) Energy Symposium 2021
- Forensic Focus
- Eoghan Casey on the CASE Ontology for Digital Forensics Practice & Process
- The Use of Object Traces in a Connected World
- Selective File Extraction With XRY
- Fighting the Threat of Human Trafficking with Detego’s Digital Forensic Solutions
- Image Enhancement Is an Essential Part of Forensic Video Analysis
- Linux Remote Acquisition and More Now in Magnet AXIOM Cyber 5.8
- Remote Acquisition With Magnet AXIOM Cyber
- How Forensic Investigators Can Find Meaningful Data From ‘Factory Reset’ Devices
- Adam Belsher, CEO, Magnet Forensics: Year in Review
- Forecasting Developments in Crime and Terrorism
- Griffeye
Capture the flag
- Geoffrey Czokow at Hex Rays
Hex-rays is moving to a Subscription model!
- Magnet Forensics
Police Funding for Digital Investigations Technology
- Microsoft Security
Your guide to mobile digital forensics
- Nextron Systems
ASGARD: Check your Signature Versions
- Paraben Corporation
- SANS
SOFTWARE UPDATES
- Apache Tika
Release 2.2.0 – 12/13/2021
- Belkasoft
What’s new in Belkasoft X v.1.11
- Cellebrite
Now Available: Cellebrite Digital Collector 3.3
- Didier Stevens
- Elcomsoft
Elcomsoft Explorer for WhatsApp 2.80 improves compatibility and fixes bugs
- Hindsight
v2021.12
- IntelOwl
v3.2.3
- Magnet Forensics
- Metaspike
Forensic Email Intelligence v1.2.8021
- MSAB
New release: XRY 10.0, XAMN 7.0 and XEC 7.0
- Oxygen Forensics
Oxygen Forensic® Detective v.14.2
- Passware
Passware Kit 2022 v1 Now Available
- radare2
5.5.4 – stability release
- Security Onion
Security Onion 2.3.90 20211213 Hotfix Now Available to Fully Mitigate All Known log4j Attack Vectors!
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!