As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Appalachian4n6
  AirTags within iOS File Systems
- Belkasoft
  Where did this chat come from? The ‘Origin path’ concept in Belkasoft X
- Blake’s R&D
  Machine Learning and ETW
- Cado Security
  Technical Indicators of Ukrainian Website Defacements
- James Lovato at CrowdStrike
  Mind the MPLog: Leveraging Microsoft Protection Logging for Forensic Investigations
- Krzysztof Gajewski at CyberDefNerd
  Can Windows Update fool you during the investigation?
- Digital Forensics Myanmar
  Window Forensics With EZ-Tools (Part 1)
- Forensafe
  Investigating Microsoft Office
- ghost$
  Sysmon
- Ravi Teja at InfoSec Write-ups
  Demystifying JA3: One Handshake at a Time
- Joshua Hickman at ‘The Binary Hick’
  Snooping on Android 12’s Privacy Dashboard
- Kevin Pagano at Stark 4N6
- Korstiaan Stam at ‘Invictus Incident Response’
  Top 5 Windows Events for Incident Response
- Sal Aziz at Magnet Forensics
  Anatomy of a Data Exfiltration Investigation
- Oxygen Forensics
  Android Extraction Updates in Oxygen Forensic® Detective 14.2
- J0wir
  Cyberdefenders – Phishy
- Jordan Klepser
  Uncovering Windows Defender Real-time Protection History with DHParser
- Jeffrey Knockel at The Citizen Lab
  Cross-country Exposure: Analysis of the MY2022 Olympics app
THREAT INTELLIGENCE/HUNTING
- Log4shell
  - Fallout from Log4Shell-related Vietnamese Cryptocurrency Exchange Attack: KYC Data for Sale on Dark Web
  - The Analyst Prompt #01: APT35 and AQUATIC PANDA Exploit the Log4j Vulnerability
  - Pentesters’ Perspective: Log4Shell
  - SOC Talk: Log4Shell
  - Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk
  - CyberDefenders: DetectLog4j-CTF
  - Active Exploitation of VMware Horizon Servers
  - Log4Shell Attacks Getting “Smarter”, (Mon, Jan 17th)
  - Assess Log4Shell Like an Attacker With Tenable’s Dynamic Detections
  - Log4Shell: 5 Steps The OT Community Should Take Right Now
  - One in 10 Assets Assessed Are Vulnerable to Log4Shell
  - WAFs and the Log4j Vulnerability
- WhisperGate
  - PROMIS Malware Analysis (DV2613) – Analysis of WhisperGate malware
  - Resources for DFIR Professionals Responding to WhisperGate Malware
  - Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation
  - Technical Analysis of the WhisperGate Malicious Bootloader
  - Elastic Security verifies new destructive malware targeting Ukraine: Operation Bleeding Bear
  - Operation Bleeding Bear
  - Check out @HuskyHacksMK’s tweet
  - What We Know and Don’t Know about the Cyberattacks Against Ukraine
  - Dozens of Computers in Ukraine Wiped with Destructive Malware in Coordinated Attack
  - Return of Pseudo Ransomware
  - Hackers Were in Ukraine Systems Months Before Deploying Wiper
  - WhisperGate: MBR Wiper Malware Analysis. Ukraine Cyber Attack
  - Threat Brief: Ongoing Russia and Ukraine Cyber Conflict
  - Analysis of Destructive Malware (WhisperGate) targeting Ukraine
  - WhisperGate: Not NotPetya
  - Disruptive Attacks in Ukraine Likely Linked to Escalating Tensions
  - Whispergate Malware – Destructive Malware Targeting Ukrainian Organizations
  - State-Sponsored Cyber Attacks Against Ukraine
- Adam at Hexacorn
- Adrian Sanchez Hernandez, Paul Tarter, and Ervin James Ocampo at Mandiant
  One Source to Rule Them All: Chasing AVADDON Ransomware
- Anomali
- Blackberry
- Brad Duncan at Malware Traffic Analysis
- BushidoToken
  Tracking A Renewable Energy Intelligence Gathering Campaign
- Check Point Research
- Cisco’s Talos
- Journal of Threat Intelligence and Incident Response
  Check out @cnoanalysis’s tweet
- Jason Trost at Covert.io
  9 Short links on Network Beacon Detection
- Lavi Lazarovitz, Shay Nahari, and Arash Parsa at CyberArk
  CISA on Ukraine Cyber Attacks: Are You at Risk?
- Cybereason
- Daniel Roberson at DMFR Security
- Elastic Security Research
- Falco
  Blog: Monitoring new syscalls with Falco
- FBI
  Indicators of Compromise Associated with Diavol Ransomware
- Jonathan Zalman at Flashpoint
  Who’s Behind Iranian Cyber Threat Actor Group MuddyWater?
- Roger Kay at INKY
  Fresh Phish: Phishers Lure Victims with Fake Invites to Bid on Nonexistent Federal Projects
- Md. Abdullah Al Mamun at Intarna
  2 Crucial Registry Keys For DFIR
- Ryan Robinson at Intezer
  Make your First Malware Honeypot in Under 20 Minutes
- Koen Van Impe
  Basic Automation with the VMRay API
- Pieter Arntz at Malwarebytes Labs
  REvil ransomware gang busted by Russian Federal Security Service
- John Hultquist at Mandiant
  Anticipating Cyber Threats as the Ukraine Crisis Escalates
- Marius Sandbu
  Threat Hunting in Microsoft Azure
- Martin Sohn
  Check out @martinsohndk’s tweet
- Michael Haag
  Finding .Net Assemblies
- Matthew Green at Velocidex
  WMI Event Consumers: What Are You Missing?
- Palo Alto Networks
  Operation Falcon II: Unit 42 Helps INTERPOL Identify Nigerian Business Email Compromise Ring Members
- Penetration Testing Lab
  Domain Persistence – Machine Account
- Jessica Ellis at PhishLabs
  Qbot, ZLoader Represent 89% of Payload Volume in Q4
- Recorded Future
- RiskIQ
  Jupyter Notebooks Make RiskIQ Data a Digital ‘Mech Suit’ for Threat Intelligence Analysts
- S2W Lab
  [SoY] 2021 | EN | Story of the Year: Ransomware on the Darkweb
- SANS Internet Storm Center
  - 10 Most Popular Targeted Ports in the Past 3 Weeks, (Sun, Jan 16th)
  - Phishing e-mail with…an advertisement?, (Tue, Jan 18th)
  - 0.0.0.0 in Emotet Spambot Traffic, (Wed, Jan 19th)
  - RedLine Stealer Delivered Through FTP, (Thu, Jan 20th)
  - Obscure Wininet.dll Feature?, (Fri, Jan 21st)
  - Mixed VBA & Excel4 Macro In a Targeted Excel Sheet, (Sat, Jan 22nd)
- Securelist
- Jonathan Reed at Security Intelligence
  Magecart Attacks Continue to ‘Skim’ Software Supply Chains
- Anusthika Jeyashankar at Security Investigation
  Detect Most Common Malicious Actions in the Linux Environment
- Michael Leland and Dave Gold at SentinelOne
  PowerQuery Brings New Data Analytics Capabilities to Singularity XDR
- Sky Blueteam
  HOWTO use msticpy’s process tree with Sysmon?
- Sophos
- Symantec Enterprise
  The Threat Landscape in 2021
- Sysdig
- Tareq Alkhatib
  Detection Design Patterns — Process Creation
- Trend Micro
- Ziv Mador at Trustwave SpiderLabs
  Dark Web Recon: Cybercriminals Fear More Law Enforcement Action in the Wake of the REvil Takedown
- Amir Moin at ZScaler
  Active Defense with MITRE Engage
UPCOMING EVENTS
- Allan Carchrie, Paul Scott, and Matt Muir at Cado Security
  Ransomware in a Hybrid World: How to Perform a Thorough IR Investigation
- Elena Mishkareva and Jared Luebbert at Belkasoft
  [WEBINAR] Cloudy Again: Collect and Review Cloud Artifacts with Belkasoft
- Cellebrite
  - Part 1: Top Five Questions to Engage with the DF Lab for Better Investigative Outcomes
  - Part 2: Translation of Foreign Languages – Investigation Response vs Court Production
  - Part 3: Disclosure – Current Trends and Issues
  - Part 4: Digital Evidence Review – Working Smarter and Not Harder – Investigation Review and Process
  - Cellebrite Global Industry Events Schedule for 2022
- Israel Barak, Time Amey, and JJ Cranford at Cybereason
  Webinar February 3rd 2022: Live Attack Simulation – Ransomware Threat Hunter Series
- Scott Poley and Lee Archinal at Cyborg Security
  Begin your hunt: The threat hunting workshop
- DFRWS
  DFRWS USA 2022 CFP Deadline
- Kristian Lars Larsen at Data Narro
  Your Guide to Top Digital Forensics Conferences in 2022
- Magnet Forensics
- Andrew Case at Volatility Labs
  Malware and Memory Forensics Training in 2022!
PRESENTATIONS/PODCASTS
- ArcPoint Forensics
  Unallocated Space: S1: Ep03: Jason Hogan
- Black Hills Information Security
- BlueMonkey 4n6
  Write-protect USB and hard drives on Windows
- Breaking Badness
- Heather Mahalik at Cellebrite
  - ProtonMail Built-in Parser – Cellebrite Physical Analyzer
  - Top 10 Tip Tuesday for Cellebrite Physical Analyzer
  - Introduction to Cellebrite Guardian – One Solution for Digital Evidence Management
  - Network Usage – Cellebrite Physical Analyzer
  - Streamline your Investigative Workflow with Cellebrite Guardian
- Chris Sienko at the Cyber Work podcast
- Cybersecurity Meg
  Cybersecurity | How To Get Into An Incident Response Career
- Day Cyberwox
- Detection: Challenging Paradigms
  S2 – Episode 7: Steve Miller
- DFIRHub
  04 Windows DFIR – Registry | Digital Forensics & Incident Response
- Joshua I. James at DFIRScience
  Software supply chain and vulnerability assessment with syft and grype
- Digital Forensic Survival Podcast
  DFSP # 309 – Insider Threats
- Dump-Guy Trickster
  Decryption of Midas Ransomware – based on thanos ransomware builder
- Gerald Auger at Simply Cyber
  Cyber Career Day 2022
- InfoSec_Bret
  IR – SOC128-106 – Malicious File Upload Attempt
- John Hammond
  DON’T call yourself a hacker…
- Justin Tolman at AccessData
  FTK Feature Focus – Episode 33 – Export File List Info
- LASCON
  LASCON 2021
- Magnet Forensics
  PowerShell Tools for IR Forensics Collection
- Matt Danner
  How to Provide Effective Expert Witness Testimony
- OALabs
  Why Is The PE Entry Point Not The Same As Main SEH and The _security_init_cookie [Patreon Unlocked]
- Recorded Future
  Attack Lifecycle: How Attackers Harvest Credentials & Gain Initial Access
- SANS Institute
  - 5 Ways to Ensure Your Security Awareness Stays Ahead of this Year’s Threats
  - Jumpstart your cybersecurity career with SEC301 Introduction to Cyber Security
  - Break Boxes and Build Teams
  - SANS Instructors are Approachable and Adaptable
  - I choose SANS because…
  - The ROI of a SANS Training
  - Excel in Incident Handling with SANS
  - Helping the Greater Good with SANS Training
  - SANS Training in One Word
  - It’s easy to get approval to take a SANS course
  - The Value of a SANS Training & GIAC Certification
  - Why is SANS the Best Cyber Security Training available?
  - The Best Part of a SANS Course
  - How does SANS help someone in Cyber Defense?
  - Concepts learned in a SANS Training will help you ace an Interview!
- Semantics 21
  LASERi-X v2.2, What’s New?
- Watson Infosec
  WatsonInfoSec Year 2022 Outlook!
- X-Force
  Analyzing PowerShell Payloads – Part 4
MALWARE
- ASEC
- CERT-AGID
  Individuata una nuova variante di Chaos Ransomware di matrice italiana (A new Chaos Ransomware variant of Italian origin identified)
- Cofense
  Cyber Gang Targets Users with Password Expiration Scam
- Cryptax
- James Slaughter at Fortinet
  New STRRAT RAT Phishing Campaign
- Karsten Hahn at G Data Security
  Malware vaccines can prevent pandemics, yet are rarely used
- Igor Skochinsky at Hex Rays
  Igor’s tip of the week #73: Output window and logging
- InfoSec Write-ups
  MalDoc101 — Malicious Macros Analysis with OLETOOLS
- Mario Henkel
  Dissecting Redline Infostealer traffic — a SOAPy endeavour
- Mike at “CyberSec & Ramen”
  Info-Stealing Tool Posing As Naver OTP
- Mostafa Yahia
  Malware Sandboxing (Build your own Sandbox)
- Nikhil Rathor at 0xthreatintel
  Internals of TA428 Operation LagTime IT
- Pete Cowman at Hatching
  Emotet Epoch 5 and other version updates
- Security Onion
  Quick Malware Analysis: IcedID Bokbot with Cobalt Strike and DarkVNC pcap from 2022-01-12
- Jim Walter at SentinelOne
  BlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims
- The Qi’anxin Red Raindrop team
  False flag or upgrade? Suspected OceanLotus uses the Glitch platform to reproduce the attack sample
- Tony Lambert
- Facundo Muñoz and Matías Porolli at WeLiveSecurity
  DoNot Go! Do not respawn!
- ZScaler
- Padvish Malware Threat Database (بانک اطلاعات تهدیدات بدافزاری پادویش)
  Trojan.Win32.NetWire
MISCELLANEOUS
- Acelab
  Meet the PC-3000 Forensic Expert Online Training!
- Brett Shavers at DFIR.Training
- Craig Ball at ‘Ball in your Court’
  Six Powerful Points for Better Presentations
- Deriving Cyber Threat Intelligence and Driving Threat Hunting
  Proposed Structure for Pakistan NCERT
- First Response
  Incident Response for Ransomware
- Forensic Focus
  - Major Features of MD-Series Released in 2021 4Q
  - Amped Software Interviews Dr. Cecilia Pasquini (University of Trento) About Deepfakes
  - How Human Factors Confound and Enrich Digital Forensics: The November-December Research Roundup
  - Time Well Spent: Precision Timing, Monotonic Clocks, and the PowerLogs Database for iOS
  - Passware Kit 2022 v1: Full Support for Windows 11, macOS Monterey, and Acronis Backup Passwords
  - John Graham, Director of Sales and Business Development, Atola Technology
  - How Detego Helped Airport-Based Counterterrorism Units Speed Up Investigations With Rapid Data Extraction and Triage Tools
  - Coffee Forensics: Reconstructing Data in IoT Devices Running Contiki OS
- Jesse Spangenberger at ‘Cyber Fenix DFIR & Technology’
  PancakesCon 3 + CTF
- Magnet Forensics
- Marius Sandbu
  New Book Project: Windows Ransomware Protection and Detection
- MSAB
  MSAB’s Net Sales and Operating Result in the Fourth Quarter of 2021 are expected to exceed market expectations
- Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — January 16 to January 22
- SANS
  SANS DFIR courses – Justify your training
- Security Art Work
  Así que quieres dedicarte a la ciberseguridad (So you want to work in cybersecurity)
- David Bisson at Security Intelligence
  What It Takes to Build the Blue Team of Tomorrow
- Ashley Sand at Sucuri
  What Should You do if Your WordPress Site was Hacked?
- Adam Todd at TrustedSec
  WMI for Script Kiddies
- Iryna Yamborska at UnderDefense
  Splunk ES vs. Elastic (ELK) Stack: Comparison from the SOC Analyst
- Brett Shavers
  Finally?
SOFTWARE UPDATES
- Alexis Brignoni
  ALEAPP 2.0.03
- AccessData
  FTK Imager Version 4.7.1
- Active Countermeasures
  Version 6.0.0 of AC-Hunter Has Been Released!
- Adam at Hexacorn
  Dexray v2.32
- Northloop Forensics
  Bitlocker_Key_Finder v3.1
- CCL Solutions
  CCL releases latest RabbitHole version, further raising the bar for forensic data exploration tools
- Eric Zimmerman
  ChangeLog
- Hex Rays
  IDA 7.7 Service Pack 1 released
- IntelOwl
  v3.2.4
- Jonathon Poling
  The CERT Linux Forensics Tools Repository – LiFTeR
- Matt Turner
  DFIR Logbook 0.33
- Mihari
  v4.0.0
- Sean Mcfeely
  ThreatFox API
- Trufflepig Forensics
  Trufflepig Nexus Version 1.1
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!