As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Marco Fontani at Amped
  - How To Check Video Integrity By Detecting Double Encoding With VPF Analysis
- CCL Solutions
  - UPDATE – Relativity Processing vs. Nuix Workstation
- Dr. Brian Carrier at Cyber Triage
  - General Purpose vs Specialized Digital Forensics Tools
- Forensafe
  - Investigating Cortana
- “Forensics – One Byte at a Time”
  - Decrypting ‘Secret Calculator Photo Vault’
- Febi Mudiyanto at InfoSec Write-ups
  - CyberDefenders | Hacked
- Mike at ØSecurity
  - Windows Baseline Logging
- Oxygen Forensics
  - Warrant Returns in Oxygen Forensic® Detective
THREAT INTELLIGENCE/HUNTING
- Anomali
  - Anomali Cyber Watch: MoonBounce, AccessPress, QR Code Scams and More
- Awake Security
  - Cutting through the noise: chaining activities to detect Cobalt Strike Beacon using Network Detection and Response Solutions
- Umesh Ramesh, Anuj Butail, and Mahek Pavagadhi at AWS Security
  - Analyze AWS WAF logs using Amazon OpenSearch Service anomaly detection built on Random Cut Forests
- Kurosh Dabbagh at BlackArrow
  - AD CS: weaponizing the ESC7 attack
- Blackberry
- Bundesamt für Verfassungsschutz
  - Cyber attack campaign against German commercial companies
- c-APT-ure
  - Who is “DESKTOP-Group”?
- Mark Ellzey, Aidan Holland, Ryan Lindner at Censys
  - The QNapping of QNAP Devices
- Check Point Research
  - 24th January – Threat Intelligence Report
- Christophe Tafani-Dereeper
  - Introducing Stratus Red Team, an Adversary Emulation Tool for the Cloud
- Cisco’s Talos
- Andy Mann and Schyler Gallant at Cofense
  - TrickBot Malware Delivered as Invoices
- Corelight
  - Detecting CVE-2022-21907, an IIS HTTP Remote Code Execution vulnerability
- CrowdStrike
- Curated Intelligence
- Cybereason
  - Ten of the Biggest Ransomware Attacks of 2021
- Cyjax
  - Darknet Quarterly Review – Q4 2021
- Cynet
  - Threats Looming Over the Horizon
- Daniel Roberson at DMFR Security
- Woody Mosqueda at Forcepoint
  - 2021 Malware Report: The Looming Ransomware Threat, Part 2
- Forensic-Research
  - CVE-2021-44228 Vulnerability Analysis
- Gemini Advisory
  - Gemini Annual Report 2021: Magecart Thrives in the Payment Card Fraud Landscape
- Hacking Articles
- HP Wolf Security
  - HP Wolf Security Threat Insights Report Q4 2021
- Roger Koehler at Huntress
  - Threat Recap: Process Insights Trial by Fire
- InQuest
- Nathali Cano, Jorge Orchilles, Christopher Peacock at Scythe
- Tony Burgess at Barracuda
  - MITRE ATT&CK®: What it is and how it improves security
- Kim Zetter at ‘Zero Day’
  - Wiper in Ukraine Used Code Repurposed From WhiteBlackCrypt Ransomware
- Lina Lau at Inversecos
  - How to Detect and Compromise Azure Blobs and Storage Accounts
- LockBoxx
  - Adversary Emulation vs Simulation
- Microsoft Security
  - Evolved phishing: Device registration trick adds to phishers’ toolbox for victims without MFA
- Nasreddine Bencherchali
  - C2-Matrix-Indicators
- Patrick Wardle at ‘Objective-See’
  - Analyzing OSX.DazzleSpy
- Pete Cowman at Hatching
  - Updates for AgentTesla, GoldDragon, BlackCat and Trickbot NWorm
- Suleyman Ozarslan, PhD at Picus Security
  - Three Key Ransomware Trends in 2022: RaaS, Multiple Extortion, and IABs
- ReaQta
  - Rook Ransomware (RaaS): The latest kid on the block with an attitude.
- Red Canary
- Paul Roberts at ReversingLabs
  - After Russian Arrests, REvil Rolls On
- RiskIQ
  - RiskIQ Threat Intelligence Roundup: C2 and Nation-State Threat Infrastructure
- SANS
  - A Visual Summary of SANS Cyber Threat Intelligence Summit 2022
- SANS Internet Storm Center
  - Emotet Stops Using 0.0.0.0 in Spambot Traffic, (Tue, Jan 25th)
  - Local privilege escalation vulnerability in polkit’s pkexec (CVE-2021-4034), (Tue, Jan 25th)
  - Over 20 thousand servers have their iLO interfaces exposed to the internet, many with outdated and vulnerable versions of FW, (Wed, Jan 26th)
  - Malicious ISO Embedded in an HTML Page, (Fri, Jan 28th)
  - Apple Patches Everything, (Thu, Jan 27th)
  - SIEM In this Decade, Are They Better than the Last?, (Sat, Jan 29th)
- David Bisson at Security Intelligence
  - What CISA Incident Response Playbooks Mean for Your Organization
- SentinelOne
- Sky Blueteam
  - Delegate to KRBTGT service
- Andrew Brandt at Sophos
  - Windows services lay the groundwork for a Midas ransomware attack
- Steve Miller at Stairwell
  - Hunting with weak signals
- Josh Hopkins at Team Cymru
  - Analysis of a Management IP Address linked to Molerats APT
- The DFIR Report
  - Cobalt Strike, a Defender’s Guide – Part 2
- Nitesh Surana at Trend Micro
  - How to detect Apache Log4j vulnerabilities
- Reegun Jayapaul at Trustwave SpiderLabs
  - Trustwave Threat Hunting Guide: Identifying PwnKit (CVE-2021-4034) Exploitation
- Vesta Matveeva and Iaroslav Polianskii at Group-IB
  - Shedding light on the dark web
- Pavankumar Chaudhari at VMware Security
  - BlackSun Ransomware – The Dark Side of PowerShell
- Xorhex
  - Day 9 and 10 of 100 Discontiguous Days of YARA
UPCOMING EVENTS
- Michelle Coan at Amped
  - Register to Getting Started With Amped FIVE
- Cellebrite
- Magnet Forensics
- John LaCour at PhishLabs
  - Webinar: Quarterly Threat Trends & Intelligence – February 2022
- SANS
  - SANS Threat Analysis Rundown
- Studio d’Informatica Forense
  - Criminal Law Conference on Digital Forensics (Convegno di Diritto Penale sulla Digital Forensics)
- Sygnia
  - Sygnia to Host Webinar on Actionable Incident Response Strategies for 2022
PRESENTATIONS/PODCASTS
- Archan Choudhury at BlackPerl
  - Incident Response Training, Decoding PowerShell – Day 18
- Black Hat
  - Past as Prologue: What Users Can Expect with 2022 Cyber Threats
- Black Hills Information Security
  - Talkin’ About Infosec News – 1/27/2022
- BlueMonkey 4n6
  - Tips and Tricks – 05 – chaining operators – (;) (&) (|) (&&) (||) (\)
- Breaking Badness
  - 109. The Big REvil
- Cellebrite
- Cisco’s Talos
  - Beers with Talos, Ep. #115: Everybody’s measured by quarters — even threat actors
- Joshua I. James at DFIRScience
  - Intro to Windows Registry Artifact Analysis – TryHackMe Walkthrough
- Digital Forensic Survival Podcast
  - DFSP # 310 – Cloud Network Segmentation
- Down the Security Rabbithole Podcast
  - DtSR Episode 485 – YGHT Beating Ransomware at Its Game
- Forensic 4cast
  - We Didn’t Start DFIR
- Gerald Auger at Simply Cyber
  - Let’s Build a HoneyPot
- InfoSec_Bret
- Justin Tolman at AccessData
  - FTK Shareable – Cross Case Searching
- LetsDefend
  - Being a Threat Analyst: Responsibilities and Daily Routine
- Magnet Forensics
  - Using Magnet AXIOM Cyber to support eDiscovery
  - Using Magnet AXIOM Cyber for Employee Misconduct Investigations
  - Using Magnet AXIOM Cyber for Incident Response Investigations
  - Forensic Analysis of iCloud Backups up to iOS15 in Magnet AXIOM
  - Customer Story | Stephen Boyce, Director of Magnet Digital Investigation Suite, Former FBI
  - Ransomware: Current Trends and Updates
  - The Basics of Forensic Video Recovery with DVR Examiner
  - Tips & Tricks // Acquiring WhatsApp Data: There’s More Than One Way to Get the Data
- Justin Connors at Red Siege Information Security
  - SiegeCast: How Red Siege Stole Christmas
- Watson Infosec
  - Beginners Home Lab How To Guide
- X-Force
  - Analyzing PowerShell Payloads – Part 5
MALWARE
- 0day in {REA_TEAM}
- Adam at Hexacorn
  - Delphi API monitoring with Frida
- Ofer Caspi at AT&T Cybersecurity
  - BotenaGo strikes again – malware source code uploaded to GitHub
- ASEC
- Atomic Matryoshka
  - Malware Headliners: LokiBot
- Avast Threat Labs
- Ben Lee
  - Malware Analysis Report: NotPetya
- Bitdefender
  - New FluBot and TeaBot Global Malware Campaigns Discovered
- Cleafy
  - How BRATA is monitoring your bank account
- Cryptax
  - BianLian C&C domain name
- Simon Kenin at Deep Instinct
  - The Ukrainian Government Cyberattack – What You Need to Know
- Eclypsium
  - And the Moon Bounced Over a Dumpster Fire
- Gameel Ali
  - Deep Analysis Agent Tesla Malware
- Hex Rays
- Yuvarajan at InfoSec Write-ups
  - How I ended up downloading a malware
- Kryptos Logic
  - Deep Dive into Trickbot’s Web Injection
- Lab52
  - New TransparentTribe Operation: Targeting India with weaponized COVID-19 lure documents
- Malwarebytes Labs
- Marc Elias at Trellix
  - Prime Minister’s Office Compromised: Details of Recent Espionage Campaign
- Mike at “CyberSec & Ramen”
  - Analysis of a DLL Downloader
- Michael Dereviashkin at Morphisec
  - New Threat Campaign: AsyncRAT Introduces a New Delivery Technique
- Gustavo Palazolo at Netskope
- Palo Alto Networks
- Proofpoint
  - DTPacker – a .NET Packer with a Curious Password
- Recorded Future
  - WhisperGate Malware Corrupts Computers in Ukraine
- Rolf Rolles at ‘Möbius Strip Reverse Engineering’
  - An Exhaustively Analyzed IDB for ComLook
- Michael Gal, Segev Fogel, Itzik Chimino, Limor Kessem and Charlotte Hammond at Security Intelligence
  - TrickBot Bolsters Layered Defenses to Prevent Injection Research
- Security Onion
- Pedro Tavares at Segurança Informática
  - WastedLocker malware analysis
- SentinelOne
  - What is Malware (Malicious Software)?
- Threat Lab Indonesia
  - Malware Analysis Emotet Infection
- Tony Lambert
- Trend Micro
- Jason Hill at Varonis
  - ALPHV (BlackCat) Ransomware | Varonis
- Vicente Díaz at VirusTotal
  - VirusTotal Multisandbox += SecneurX
- Marc-Etienne M.Léveillé and Anton Cherepanov at WeLiveSecurity
  - Watering hole deploys new macOS malware, DazzleSpy, in Asia
- Zimperium
MISCELLANEOUS
- Andrew Rathbun and Eric Zimmerman
  - .net 4 vs .net 6 EZ Tool Benchmarks
- Andrew Rathbun and Cassie Doemel at AboutDFIR
  - A Conversation about Transitioning to Incident Response
- Belkasoft
  - Preserving chain of custody in digital forensics
- Brett Shavers
- Cassie Doemel at AboutDFIR
  - AboutDFIR Site Content Update 1/29/22
- Cellebrite
  - Cellebrite’s Training, Certification, and Advisory Programs Upskill Customers to Resolve Digital Investigation Challenges through Continuous Capabilities Development
- Keith Towndrow at First Response
  - Incident Response and Digital Forensics
- Forensic Focus
  - Lecturer Jade James on Her DFIR Career Transition From Lab to Academia
  - Year In Review: 2021 MD-Series Product Highlights
  - Register For Webinar: Grayshift Insights
  - What Do Incident Response Practitioners Need To Know? A Skillmap for the Years Ahead
  - Detego Global’s Trevor Wooding on Investigative Challenges and How Detego’s Products Help Overcome Them
  - Seance: Forensic Divination
- Intaforensics
  - Incident Response to a Cryptocurrency Attack
- Jesse Spangenberger at ‘Cyber Fenix DFIR & Technology’
  - SANS CTI Summit 2022
- Kevin at Cyber Social Hub
  - Cyber Social Hub 2022
- Magnet Forensics
  - Agent Visibility Updates for AXIOM Cyber
- Marcus Edmonson at ‘Data Analytics & Security’
  - Pivoting with SSH Tunnels and Plink
- MSAB
  - Interim Report October – December, Q4
- Nikola at ‘Reversing Fun’
  - SANS Holiday Hack Challenge 2021
- Passcovery
  - Passcovery Programs for Password Recovery, version 22.01: Windows 11, Microsoft Office 2021, and AMD APUs and GPUs
- ADF
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — January 23 to January 29
- SANS
- Ashley Sand at Sucuri
  - Everything You Need to Know About Web Application Firewalls
- Sumuri
  - Let SUMURI help you grow your DFIR business
- Hans Lakhan at TrustedSec
  - Recovering Randomly Generated Passwords
SOFTWARE UPDATES
- Binary Defense
  - beacon-fronting
- Cado Security
  - Rip Raw
- Canadian Centre for Cyber Security
  - Assemblyline
- Cellebrite
- Eric Zimmerman
  - ChangeLog
- Hasherezade
  - PE-bear 0.5.5.3
- Hayabusa by Yamato Security
  - v1.0.0 Initial Public Release 2
- Magnet Forensics
- Maxim Suhanov
  - dfir_ntfs 1.1.4
- Mehmet E
  - RITA (Real Intelligence Threat Analytics) in Jupyter Notebook
- Ninoseki
  - Mihari v4.1.1
- Nextron Systems
  - ASGARD v2.12 Released
- OpenText
  - TX1 Forensic Imager – version 22.1
- OSForensics
  - V9.1 Build 1008 25th January 2022
- Velociraptor
  - Release v0.6.3
- X-Ways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!