As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- David Cowen at the ‘Hacking Exposed Computer Forensics’ blog
  - Daily Blog #703: Looking back at AWS EBS Direct Block access API
- ThinkDFIR
  - I can see and hear you seeing and hearing me!
- Alex Caithness at CCL Solutions
  - Android ABX – Binary XML
- Cheeky4n6Monkey and Michael Lacombe
  - Mike & the Monkey Dumpster Dive Into Samsung Gallery3d App Trash
- Doug Metz at Baker Street Forensics
  - QuickPcap – Capturing a PCAP with PowerShell
- Oleg Afonin at Elcomsoft
  - Targeting Backup Encryption: Acronis, Macrium, and Veeam
- Forensafe
  - Investigating Windows Search Index
- Jonathan Johnson
  - Exploring Token Members Part 1
- Joshua Hickman at ‘The Binary Hick’
  - Androids & AirTags. Oof.
- Matt C. A. Smith
- Michael Koczwara
  - LetsDefend: Hijacked NPM Package/Supply Chain Compromise
- N00b_H@ck3r
  - Try Hack Me: Conti
THREAT INTELLIGENCE/HUNTING
- More Log4shell!
  - 2022-01-03 – Pcap from web server with log4j attempts and lots of other probing/scanning
  - Log4Shell (CVE-2021-44228) – What You Need to Know
  - Log4J Detector Tool
  - Here’s What Happened with Log4Shell While You Were Out
  - Quick Malware Analysis: log4j pcap from 2021-12-20
  - Quick Malware Analysis: log4j pcap from 2022-01-03
  - Apache Log4j: Mitigation for DevOps
- Anomali
  - Anomali Cyber Watch: $5 Million Breach Extortion, APTs Using DGA Subdomains, Cyberespionage Group Incorporates A New Tool, and More
- ASEC
  - Guide to Prevent Execution of Excel 4.0 Macro Malware – Microsoft Office 365 Product
  - Distribution of Redline Stealer Disguised as Software Crack
  - Case of Infection With Lockis Ransomware in a Company, Caused by Not Using Anti-Malware’s Lock Policy
  - Hacking Tool Used With Lockis Ransomware
  - ASEC Weekly Malware Statistics (December 20th, 2021 – December 26th, 2021)
  - ASEC Weekly Malware Statistics (December 27th, 2021 – January 2nd, 2022)
  - Analysis Report on Kimsuky Group’s APT Attacks (AppleSeed, PebbleDash)
- Brad Duncan at Malware Traffic Analysis
- CERT AGID
  - A case study: the infrastructure of an AdWind campaign
- Check Point Research
- Cisco’s Talos
  - Threat Source Newsletter (Jan. 6, 2022)
  - Threat Roundup for December 31 to January 7
- Cluster25
  - North Korean Group “KONNI” Targets the Russian Diplomatic Sector with new Versions of Malware Implants
- Cofense
  - Phishing Campaign Leverages Covid-Induced Adjustments to Banking Practices
- Craig Bowser at Shadow Trackers
  - Some quick thoughts on EDR
- Curated Intelligence
  - The Long Game Of Cyber Threat Intelligence
- Dan Verton at Cybereason
  - Cybereason XDR: 10X Productivity Boost From Unified Investigations
- Daniel Roberson at DMFR Security
- Melissa Burpo at Elastic
  - Gain the upper hand over adversaries with Osquery and Elastic
- Flashpoint
  - Our Top 10 Collective Intelligence Reports of 2021
- Woody Mosqueda at Forcepoint
  - 2021 Malware Report: The Looming Ransomware Threat
- Ronnie T at ‘I Heart Malware’
  - What 6 Years of Success in a Global Takedown Operation Looks Like, and How You Can Do It, Too
- INCIBE
  - Hive analysis study
- InfoSec Write-ups
- Phil Stokes at SentinelOne
  - A Threat Hunter’s Guide to the Mac’s Most Prevalent Adware Infections 2022
- Lumen
  - New Konni Campaign Kicks Off the New Year by Targeting Russian Ministry of Foreign Affairs
- MDSec
  - EDR Parallel-asis through Analysis
- Ollie Whitehouse at NCC Group
  - Detecting anomalous Vectored Exception Handlers on Windows
- Nik Alleyne at ‘Security Nik’
- pat_h/to/file
  - Commandline Cloaking and Sysmon for Linux
- ReaQta
  - Babuk Ransomware (RaaS): Back-up Deletion and how to stop it
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, November 2021
- Red Team & Security Research Notes
- SANS Internet Storm Center
  - McAfee Phishing Campaign with a Nice Fake Scan, (Mon, Jan 3rd)
  - A Simple Batch File That Blocks People, (Tue, Jan 4th)
  - Code Reuse In the Malware Landscape, (Wed, Jan 5th)
  - Malicious Python Script Targeting Chinese People, (Thu, Jan 6th)
  - Custom Python RAT Builder, (Fri, Jan 7th)
  - TShark & jq, (Sat, Jan 8th)
- Sebdraven
  - Threat Intel is over!
- Mark Stone at Security Intelligence
  - Everything You Need To Know About Ransomware Attacks and Gangs In 2022
- Anusthika Jeyashankar at Security Investigation
  - Account Manipulation and Access Token Theft Attacks
- Sekoia
  - NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies
- Sygnia
  - Elephant Beetle: Uncovering an Organized Financial-Theft Operation
- Tareq Alkhatib
  - Are We Using MITRE ATT&CK Data Sources Wrong?
- Telsy
  - SideCopy APT: From Windows to *nix
- Andrew Schwartz at TrustedSec
  - An ‘Attack Path’ Mapping Approach to CVEs 2021-42287 and 2021-42278
- ZecOps
  - Persistence without “Persistence”: Meet The Ultimate Persistence Bug – “NoReboot”
UPCOMING EVENTS
- Basis Technology
- Cellebrite
- Griffeye
  - Capture the flag
- Brittany Roberts at ADF
  - Best Digital Forensics Conferences for 2022 | In-Person or Online
- SANS
  - Inside FOR608: Enterprise-Class Incident Response & Threat Hunting – Course Preview
- Scott Poley at Cyborg Security
  - Begin your hunt: the threat hunting workshop
PRESENTATIONS/PODCASTS
- Archan Choudhury at BlackPerl
  - Learn Maltego, Enhance Incident Response Process, Investigate Smart
- Black Hills Information Security
  - Talkin’ About Infosec News – 1/7/2021
- BlueMonkey 4n6
  - Day in the Life of DFIR – skills needed for a career in Digital Forensics and Incident Response.
- Day Cyberwox
  - Cybersecurity Certification Study Session – Blue Team Level 1 (BTL1)
- Gerald Auger at Simply Cyber
  - What’s Next in 2022 for SimplyCyber? (Annual Retro/Planning)
- InfoSec_Bret
  - IR – SOC154-102 – Service Configuration File Changed by Non Admin User
- Justin Tolman at AccessData
  - FTK Feature Focus – Episode 32 – Support Tickets and Email Filters
- Matthew Toussain
  - 2021 | The Worst Year In Hacking History
- Nicolas Brulez at Hexorcist
  - Retro Crackme: Reverse Engineering for Beginners
- OALabs
  - Bypassing BlackMatter Anti-Debug With x64dbg [Patreon Unlocked]
  - Debugging a DLL Export With x64dbg [Patreon Unlocked]
  - View Disassembly and Pseudocode Windows Side-by-Side In IDA Pro [Patreon Unlocked]
  - Setup IDA Pro Type Libraries For Windows Malware Analysis [Patreon Unlocked]
  - [Patreon] How To Identify Dynamic Imports In Malware
- Richard Davis at 13Cubed
  - Accessing Mounted Images from WSL #shorts
- Russ Taylor at Hats Off Security
  - HatsOffSecurity on YouTube
- SANS
  - Applying DS/ML to Forensics and Incident Response: An Interview with Jess Garcia
  - SANS Threat Analysis Rundown
  - Year in Cyber Review 2021 – Keynote Panel with Panel Chair Rob T. Lee (Indonesian)
  - Year in Cyber Review 2021 – Keynote Panel with Panel Chair Rob T. Lee (Japanese)
  - Year in Cyber Review 2021 – Keynote Panel with Panel Chair Rob T. Lee (Thai)
  - SANS – Year in Cyber Review 2021 – Keynote Panel with Panel Chair Rob T. Lee (Korean)
  - Catching the Cloud
  - All-Around Defenders: New Year, New Start
  - What Keeps You Up At Night?
  - Year in Cyber Review 2021 – Keynote Panel with Panel Chair Rob T. Lee (Portuguese)
  - SANS – Year in Cyber Review 2021 – Keynote Panel with Panel Chair Rob T. Lee (Spanish)
MALWARE
- Amged Wageh
  - Analysis Of An AutoIT Script That Wraps A Remcos RAT
- Atomic Matryoshka
  - “Cracking Open the Malware Piñata” Series: Intro to Dynamic Analysis with RedLineStealer
- Blackberry
  - Threat Thursday: Emotet Update
- Chuong Dong
  - Rook Ransomware
- Udi Yavo at Fortinet
  - From User to Domain Admin in (less than) 60 seconds: CVE-2021-42278/CVE-2021-42287
- hasherezade’s 1001 nights
  - Python scripting for WinDbg: a quick introduction to PyKd
- Igor Skochinsky
  - Igor’s tip of the week #71: Decompile as call
- Md. Abdullah Al Mamun at Intarna
  - Interesting njRAT Malware With Deep Obfuscation
- Avigayil Mechtinger at Intezer
  - Malware Reverse Engineering for Beginners – Part 1: From 0x0
- Malwarebytes Labs
- Natalie Zargarov at Minerva Labs
  - Malicious Telegram Installer Drops Purple Fox Rootkit
- Taojie Wang, Jin Chen and Tao Yan at Palo Alto Networks
  - A New Web Skimmer Campaign Targets Real Estate Websites Through Attacking Cloud Video Distribution Supply Chain
- Patrick Wardle at ‘Objective-See’
  - The Mac Malware of 2021
- Security Onion
  - Quick Malware Analysis: Remcos RAT pcap from 2022-01-04
- Tony Lambert
MISCELLANEOUS
- 0xdf
  - 2021 SANS Holiday Hack Challenge, featuring KringleCon 4: Calling Birds
- Matthew Warner at Blumira
  - 5 Reasons Why We ❤️ Sysmon
- Cellebrite
- Chapin Bryce at Pythonic Forensics
  - 3 ways I improved my Python code last year
- Craig Ball at ‘Ball in your Court’
  - A Dozen Nips and Tucks for E-Discovery
- Forensic Focus
  - Short Bitcoin Heist: Topological Data Analysis For Ransomware Investigations
  - Investigate Media More Efficiently with Smarter Tools – From Magnet.AI to OCR
  - TRUST: How This Single Word Underpins Everything We Do at Amped Software With Video and Image Evidence
  - Duck Hunt: Memory Forensics of USB Attack Platforms
- Jai Minton
  - Check out CyberRaiju’s tweet
- Koen Van Impe
  - Incident response case management, DFIR-IRIS and a bit of MISP
- LimaCharlie
  - DFIR Expert Interview: Mike Behrmann
- Mike Cohen at Velocidex
  - Searching For Files
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — January 2 to January 8
- Michiel Lemmens at SANS
  - Password Hash Cracking in Amazon Web Services: Burning Your Way to Success
SOFTWARE UPDATES
- ANSSI DFIR-ORC
  - v10.0.23
- Costas K
  - EvtxLogBrowser
- Elcomsoft
  - Elcomsoft targets backup encryption, recovers Acronis, Macrium, and Veeam passwords
- Eric Zimmerman
  - ChangeLog
- Foxton Forensics
  - Browser History Examiner — Version History – Version 1.16.6
- Hashlookup Forensic Analyser
  - hashlookup-forensic-analyser version 0.8 released including a report functionality
- Jordan Klepser
  - Defender Detectionhistory Parser
- Mihari
  - v3.12.0
- Nirsoft
  - Recover DPAPI-encrypted passwords created under Microsoft account from external drive
- RecuperaBit
  - Version 1.1.6
- Securizame
  - New version of Wintriage: v.02012022
- Ulf Frisk
  - MemProcFS Version 4.6
- Velociraptor
  - v0.6.3-rc1
- Xways
  - X-Ways Forensics 20.4 SR-3
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!
One thought on “Week 02 – 2022”