As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- DFIR Review
  - Validation of X-Ways Forensics Evidence File Containers
- Kibaffo33
  - At the roundabout, take the second exit…
- Daniela Elmi
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - Sharing Research
- Elcomsoft
- Forensafe
- Hal Pomeranz at Righteous IT
- Heather Mahalik at Smarter Forensics
  - Android and iOS acquisition Recommendations
- InfoSec Write-ups
  - Forensics — Memory Analysis with Volatility
- Frank Block at Insinuator
  - Release of PTE Analysis plugins for Volatility 3
THREAT INTELLIGENCE/HUNTING
- More log4shell!
  - HTB: LogForge
  - Detection of Log4j Vulnerability (CVE-2021-44228) Using V3 Network Detection
  - 2021-12-20 – Pcap from web server with log4j attempts and lots of other probing/scanning
  - OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt
  - Malicious Life Podcast: Logout4Shell – A Digital Vaccine for Log4Shell
  - Log4jShell Mindmap
  - Log4jscanner
  - Log4Shell Simplified : All you need to know about CVE-2021-44228
  - IR – SOC161-111 – Log4j RCE Exploit
  - Log4Shell
  - Log4J Does What?!!!
  - Why Haven’t We Seen a Devastating Log4j Worm Yet?
  - Incident Response Log4j RCE Exploit Analysis-LetsDefend
  - JNDI Attack Logs
  - Log4j 2 Security Vulnerabilities Update Guide, (Wed, Dec 29th)
  - A Holiday Story, Internet Edition: The Impact Of Assessing And Addressing Log4j Installations Proactively
  - Log4Shell: How to Mitigate Log4j Vulnerability
  - Log4j2 CVE-2021-44228 | Software Architect’s Solution
- 360 Netlab
  - Lighting the Way for DNS Threat Analysis with DTA (1) (用DTA照亮DNS威胁分析之路 (1))
- Anomali
  - Anomali Cyber Watch: Equation Group’s Post-Exploitation Framework, Decentralized Finance (DeFi) Protocol Exploited, Third Log4j Vulnerability, and More
- Martin Zugec at Bitdefender
  - Bitdefender Threat Debrief | December 2021
- Blake’s R&D
  - Cobalt Strike DFIR: Listening to the Pipes
- Check Point Research
- Jon Munshaw at Cisco’s Talos
  - 2021: Looking back on the year in malware and cyber attacks, from SolarWinds to Log4j
- Compuquip Cybersecurity
  - The 2021 Cybersecurity Round Up You Need to Stay Informed
- CrowdStrike
- Daniel Roberson at DMFR Security
  - 100 Days of YARA – Day 7: SHA256
  - 100 Days of YARA – Day 8: Salsa20
  - 100 Days of YARA – Day 9: Berkeley Sockets
  - 100 Days of YARA – Day 10: WinSock
  - 100 Days of YARA – Day 11: UPX
  - 100 Days of YARA – Day 12: Neshta
  - 100 Days of YARA – Day 48: gscript
  - 100 Days of YARA – Day 13: Quasar RAT
  - 100 Days of YARA – Day 14: shc Generic Shell Script Compiler
- Dragos
  - Asset Visibility Maps Relationships and Communication Pathways in OT Environments
- InfoSec Write-ups
  - How Intrusion Prevention Systems (IPS) Work in Firewall
- Kirtar Oza
  - Shooting Up: On-Prem to Cloud — Detecting “AADConnect” Creds Dump
- Koen Van Impe
  - Send malware samples from MISP to MWDB (Malware Repository)
- Marcus Edmonson at ‘Data Analytics & Security’
  - PrintNightmare and SSH Tunnels for Fun
- Marius Sandbu
  - Protection against Ransomware – 2021
- Michael Koczwara
  - Active Directory Penetration Testing & THM VulnNet: Roasted
- Roy Golombick at Minerva Labs
  - 2021 Was the Year Ransomware Protection Accelerated Enterprise Security Maturity
- Zhanhao Chen, Daiping Liu, Wanjin Li and Jielong Xu at Palo Alto Networks
  - Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends
- Josh Rickard at Red Canary
  - Introducing Atomic Operator: a cross-platform Atomic Red Team execution framework
- ReversingLabs
- SANS Internet Storm Center
  - TShark Tip: Extracting Field Values From Capture Files, (Sat, Dec 25th)
  - Quicktip: TShark’s Options -e and -T, (Sun, Dec 26th)
  - Attackers are abusing MSBuild to evade defenses and implant Cobalt Strike beacons, (Mon, Dec 27th)
  - LotL Classifier tests for shells, exfil, and miners, (Tue, Dec 28th)
  - Agent Tesla Updates SMTP Data Exfiltration Technique, (Thu, Dec 30th)
  - Do you want your Agent Tesla in the 300 MB or 8 kB package?, (Fri, Dec 31st)
  - Expect Regressions, (Sat, Jan 1st)
  - Exchange Server – Email Trapped in Transport Queues, (Sun, Jan 2nd)
- Stefan Grimminck at Security Intelligence
  - Intelligent Adversary Engagement: Deceiving the Attacker
- Madhukar Raina at Securonix Tech
  - Decoding encoded Powershell commands using Securonix SNYPR
- Stranded on Pylos
- Yoroi
  - Silent Wipers in HP ProLiant Server Firmware (Wiper Silenti in Firmware HP Proliant Server)
UPCOMING EVENTS
- Belkasoft
  - Who Stole the Tarts? Gather more evidence with Belkasoft
- Detego Digital Forensics
  - Detego Global and HI2 Consulting celebrates continued success in Sweden with two specialist events
- Gerald Auger at Simply Cyber
  - Disrupting Cyber Education with John Strand
PRESENTATIONS/PODCASTS
- Amped
  - Why Trust Is the Foundation of Everything We Do at Amped Software
- Archan Choudhury at BlackPerl
  - SOC Open Source, Build own SOAR with Shuffle, ELK-TheHive-Cortex-Teams Full Automation, Part 2
- Didier Stevens
  - MSBuild & Cobalt Strike
- Gerald Auger at Simply Cyber
  - How I Analyze Malware In My Day To Day (Manual and Automated Tooling)
- HackDefend Labs
- SANS Institute
- Sumuri
MALWARE
- Chuong Dong at 0ffset
  - HANCITOR: Analysing The Main Loader
- ASEC
  - APT Attack Cases of Kimsuky Group (PebbleDash)
  - Redline Stealer Targeting Accounts Saved to Web Browser with Automatic Login Feature Included
  - ASEC Weekly Malware Statistics (December 13th, 2021 – December 19th, 2021)
  - Dridex Distributed with “Merry Christmas!” Excel File
  - North Korea-related Hangul Word Processor (HWP) File Being Distributed
- Atomic Matryoshka
  - “Cracking Open the Malware Piñata” Series: Intro to Static Analysis with Kazy Trojan
- Ben Lee
  - Process Injection in Malware
- CERT-AGID
- Cofense
- Daniel Roberson at DMFR Security
- Didier Stevens
  - VBA: __SRP_ Streams
- Hex Rays
- Yuvarajan at InfoSec Write-ups
  - Analysis of Poetrat malware
- Josh Stroschein
  - Automating Download URL Extraction with Python
- Marco Ramilli
  - APT28 SKINNYBOY: Cheat Sheet
- Hiroki Hada at NTT Security Japan
  - Flagpro: The new malware used by BlackTech
- Security Onion
- Tony Lambert
  - Analyzing an IcedID Loader Document
- Padvish Malware Threat Database (بانک اطلاعات تهدیدات بدافزاری پادویش)
  - Implant.ARM.iLOBleed.a
MISCELLANEOUS
- A. Boukar
  - HTTP Request Smuggling Explained
- Anastasios Pingios
  - Guide on Offensive Operations for Companies
- Atola
  - 2021 Year in Review
- Cassie Doemel at AboutDFIR
  - AboutDFIR Site Content Update 1/1/22
- Christa Miller
  - The year I learned to be where I am
- Doug Metz at Baker Street Forensics
  - Using WSL Profiles for Frequent Applications
- Olga Koksharova at Elcomsoft
  - Season’s Greetings and 2021 in Review
- Elcomsoft
  - Season’s Greetings and Happy New Year 2022
- Forensic Focus
  - New Binalyze DFIR features to help organizations build a cyber-resilient environment in 2022
- H-11 Digital Forensics
  - The Best Digital Forensic, Smartphone, Mobile Device, IoT, and Chip-Off Tools and SOo
- Martin Boller at InfoSec Worrier
  - How to build CyberChef
- Kevin Pagano at Stark 4N6
  - Forensics StartMe Updates (1/1/2022)
- ADF
- Ryan Campbell at ‘Security Soup’
- This Week In 4n6
  - 2021 Wrap Up
SOFTWARE UPDATES
- Alexis Brignoni
  - RLEAPP 1.0.21
- Airbus Cybersecurity
  - IRIS Web v1.2.1-alpha.1
- Belkasoft
  - Belkasoft releases a fix for log4j vulnerability
- Berla
  - iVe Software v3.5 Release
- Didier Stevens
- Elcomsoft
  - Elcomsoft adds support for BestCrypt Volume Encryption 5
- Griffeye
  - Release of Analyze 21.3
- LimaCharlie
  - December Developer Roll Up
- Matt Turner
  - DFIRlogbook
- Maxim Suhanov
  - dfir_ntfs 1.1.2
- MobilEdit
  - MOBILedit Forensic (Express) 8.0 released!
- Open Source DFIR
  - Plaso 20211229 released
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!