As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Kevin Ripa
  - The Truth About USB Device Serial Numbers – (and the lies your tools tell)
- Belkasoft
  - Why RAM dumping is so important and what tool to use?
- Cellebrite
  - Isolating Devices to Preserve Evidence
- Cheeky4n6Monkey
  - Monkey Attempts To Digest Some Google Takeout (DetectedActivitys)
- Digital Forensics Myanmar
  - CHFI-V10-Dark Web-Note
- Forensafe
  - Investigating Windows Recycle Bin
- Herbie Zimmerman at “Lost in Security”
  - 2022-02-26 Quick Post – Push Notifications And Files Written To Disk
- Joshua Hickman at ‘The Binary Hick’
  - The State of Android Health Data (Part 2) – Google Fit
- Matt C. A. Smith
  - Linux .bash_history: Basics, behaviours, and forensics
- Scott Koenig at ‘The Forensic Scooter’
  - Photos.Sqlite – Update #3
- The DFIR Report
  - Qbot and Zerologon Lead To Full Domain Compromise
THREAT INTELLIGENCE/HUNTING
- Threat intelligence associated with the Russia-Ukraine conflict
  - Anomali Threat Research Provides Russian Cyber Activity Dashboard
  - Take Stock of Cyber Risk in Light of Russian Cyber Activity
  - Threat Alert: HermeticWiper Malware
  - Technical Analysis of the DDoS Attacks against Ukrainian Websites
  - Threat Advisory: HermeticWiper
  - Ukraine: Analysis of the new disk-wiping malware (HermeticWiper)
  - CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks
  - Ukraine: Timeline Of Cyberattacks On Critical Infrastructure And Civilian Objects
  - HermeticWiper: What We Know About New Malware Targeting Ukrainian Infrastructure (Thus Far)
  - Threat Advisory: Escalating geopolitical tensions between Russia, Ukraine and NATO members: Impacts for Australian and New Zealand organisations
  - SOC Talk: The Russia-Ukraine Crisis
  - Second Wiper Attack Strikes Systems in Ukraine and Two Neighboring Countries
  - HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine
  - Cyber lures and threats in the context of the war in Ukraine
  - Cyber Resources in Support of Ukraine
  - Netskope Threat Coverage: HermeticWiper
  - Threat Update – Ukraine & Russia conflict
  - Preparing for the Cyber Impact of the Escalating Russia-Ukraine Crisis
  - Spear Phishing Attacks Target Ukraine Organizations, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
  - Russian Invasion of Ukraine – What to Communicate to Your Workforce
  - Ukraine-Russia Conflict – Cyber Resource Center
  - Russian Cyber Attack Escalation in Ukraine – What You Need To Know!
  - Ukraine & Russia Situation From a Domain Names Perspective, (Thu, Feb 24th)
  - Secureworks FAQ: Russian Activity in Ukraine
  - Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations
  - IBM Security X-Force Research Advisory: New Destructive Malware Used In Cyber Attacks on Ukraine
  - Cyberthreats during Russian-Ukrainian tensions: what can we learn from history to be prepared?
  - Ukraine: Disk-wiping Attacks Precede Russian Invasion
  - Trustwave’s Action Response: Russia/Ukraine Crisis – Defending Your Organization From Geopolitical Cybersecurity Threats
  - HermeticWiper: New data‑wiping malware hits Ukraine
  - DiskKill/HermeticWiper, a disruptive cyber-weapon targeting Ukraine’s critical infrastructures
  - HermeticWiper & resurgence of targeted attacks on Ukraine
- 360 Netlab
- Bill Stearns at Active Countermeasures
  - Simulating a Beacon
- Vitali Kremez & Yelisey Boguslavskiy at Advanced Intelligence
  - 24 Hours From Log4Shell to Local Admin: Deep-Dive Into Conti Gang Attack on Fortune 500 (DFIR)
- Fernando Martinez at AT&T Cybersecurity
  - BlackCat ransomware
- Anomali
  - Anomali Cyber Watch: EvilPlayout: Attack Against Iran’s State Broadcaster, Microsoft Teams Targeted With Takeover Trojans, ‘Ice phishing’ on the blockchain and More
- Anton Chuvakin
  - Anton and The Great XDR Debate, Part 3
- Atomic Matryoshka
  - Infographic: APTs in South America
- Patrick Olsen at Awake Security
  - Detecting Security Events Using the MS-SAMR Protocol
- Bitdefender
- Brad Duncan at Malware Traffic Analysis
  - 2022-02-25 – Emotet activity
- Cado Security
  - Intelligence Driven Cloud Incident Response with Cado Response and SophosLabs Intelix
- CERT-AGID
  - Cosa sappiamo di sLoad e perchè è così elusivo? (What do we know about sLoad, and why is it so elusive?)
- Check Point Research
- Christopher Peacock at Scythe
  - SCYTHE Presents: Threat Actor APT35
- Cisco
- Cobalt Strike Research and Development
  - Incorporating New Tools into Core Impact
- Countercraft
  - {Webinar} Technical Evidence of Attacks on Ukrainian Government Infrastructure
- CrowdStrike
- Curated Intelligence
- Dragos
  - Dragos 2021 Industrial Cybersecurity Year In Review Summary
- EclecticIQ
  - The Dark Side of Web Hosting Services
- Elastic
  - Exploring Windows UAC bypasses: Techniques and detection strategies
- Esentire
  - IcedID to Cobalt Strike In Under 20 Minutes
- Flashpoint
  - Guide to Cyber Threat Intelligence: Elements of an Effective Threat Intel and Cyber Risk Remediation Program
- Gustavo Palazolo at Netskope
  - Microsoft Office: VBA Blocked By Default in Files From the Internet
- Daniel Pienica at Intezer
  - URL Analysis 101: A Beginner’s Guide to Phishing URLs
- Jack Crook at ‘DFIR and Threat Hunting’
  - Hunting for Fakes
- Jeffrey Appel
  - Collecting Security Events into Sentinel with the new AMA agent and DCR
- Anton Ovrutsky at Lares
  - The Lowdown on Lateral Movement
- Mandiant
- Marcus Edmonson at ‘Data Analytics & Security’
  - Dripping a Little Honey in Your Environment
- Allen Butler at MaverisLabs
  - Bash Tricks for Command Execution and Data Extraction over HTTP/S
- Mehmet Ergene
  - Detecting Kerberos Relaying
- Jason Ajmo at MITRE ATT&CK
  - ATT&CK for Mobile: Reintroduction and 2022 Goals
- Kellyn Wagner Ramsdell, Mike Cunningham, and Jon Baker at MITRE-Engenuity
  - Informing Defense with Adversary Sightings
- RiskIQ
  - RiskIQ Intelligence Roundup: Spoofed Sites and Surprising Infrastructure Connections
- SANS Internet Storm Center
  - A Good Old Equation Editor Vulnerability Delivering Malware, (Tue, Feb 22nd)
  - Sending an Email to an IPv4 Address?, (Mon, Feb 21st)
  - The Rise and Fall of log4shell, (Wed, Feb 23rd)
  - Using Snort IDS Rules with NetWitness PacketDecoder, (Sat, Feb 26th)
  - Video: Quick & Dirty Shellcode Analysis – CVE-2017-11882, (Sun, Feb 27th)
- François Labrèche at Secureworks
  - Automating Threat Intel with Machine Learning
- Jamie St. Patrick at Security Investigation
  - Anatomy of the Crimson RAT
- Oliver Rochford and Augusto Barros at Securonix
  - The Strategy Guide to Threat Hunting
- Antonio Pirozzi, Antonis Terefos and Idan Weizman at SentinelOne
  - Sanctions Be Damned | From Dridex to Macaw, The Evolution of Evil Corp
- Andrew Brandt at Sophos
  - Dridex bots deliver Entropy ransomware in recent attacks
- Trend Micro
- VMware Security
- Xavier Mertens at /dev/random
  - Europol & Interpol Phishing Ahead?
UPCOMING EVENTS
- Michelle Coan at Amped
  - Amped Webinars: What’s Coming Next?
- Belkasoft
  - [WEBINAR] Locked iPhones investigation: What can you do to acquire data?
- Yogesh Khatri at DFRWS
  - APAC 2022 Submission Guidelines
- Magnet Forensics
PRESENTATIONS/PODCASTS
- Jessica Hyde and Ali Hadi on the Forensic Focus podcast
  - Ali Hadi and Jessica Hyde on Accessible, Affordable Digital Forensics Training
- Archan Choudhury at BlackPerl
  - Timeline Analysis in DFIR, Full Process Explained
- Black Hills Information Security
- Breaking Badness
  - 111. Neither Hide nor Malware
- Cellebrite
  - Episode 18: Nothing to see here – I BEG TO DFIR – Back to Basics
- Computer Crime Chronicles
  - Computer Crime Chronicles – Episode 4
- Cybereason
  - Malicious Life Podcast: Why Do APTs Use Ransomware?
- Day Cyberwox
  - Blue Team Level 1 (BTL1) Course Analysis and Syllabus Overview
- Down the Security Rabbithole Podcast
  - DtSR Episode 489 – Crowdstrike Global Threat Report Feb 22
- InfoSec_Bret
  - IR – SOC158-108 – Hijacked NPM Package
- John Hammond
  - Introducing PurplePanda: AUTOMATED Privilege Escalation IN THE CLOUD
- Joshua I. James at DFIRScience
  - Introduction to Memory Forensics with Volatility 3
- Justin Tolman at AccessData
  - FTK Feature Focus – Episode 36 – FTK Lab Restricted Data Views
- LetsDefend
  - How to Become a SOC Analyst?
- Magnet Forensics
- Nicolas Brulez at Hexorcist
  - IDA Python Tutorial: Importing IDA comments and names in x64dbg
- NTCore
  - API Solver Package
- SANS Institute
- Simson Garfinkel
  - Keeping Forensics Tools Sharp: A case study of updating bulk_extractor 1.6 to 2.0 (AAFS 2022)
- Sumuri
  - New feature! RECON LAB Examiner Space.
- Watson Infosec
  - How To Network Forensics Cyberdefense VM
MALWARE
- 0day in {REA_TEAM}
  - [QuickNote] Techniques for decrypting BazarLoader strings
- Adam at Hexacorn
  - Delphi API monitoring with Frida, Part 3
- Aon
  - Yours Truly, Signed AV Driver: Weaponizing an Antivirus Driver
- ASEC
  - Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers
  - Modified CryptBot Infostealer Being Distributed
  - APT Attack Attempts Disguised as North Korea Related Paper Requirements (Kimsuky)
  - Checking and Remediating Stealthy Malware, PurpleFox
  - Increased Phishing Attacks Disguised as Microsoft
  - Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers (2)
  - LockBit Ransomware Being Distributed Using Resume and Copyright-related Emails
  - New Infostealer ‘ColdStealer’ Being Distributed
  - ASEC Weekly Malware Statistics (February 14th 2022 – February 20th, 2022)
- Atomic Matryoshka
  - Ousaban MSI Installer Analysis
- Ben Lee
  - Analyzing a .Net Sample: ziraat_limpi.exe
- CISA Analysis Reports
  - MAR-10369127-1.v1 – MuddyWater
- Cofense
- Cybersecurity & Infrastructure Security Agency
  - New Sandworm Malware Cyclops Blink Replaces VPNFilter
- Fortinet
- Giyoon Kim, Soram Kim, and Jongsung Kim at Kookmin University
  - A Method for Decrypting Data Infected with Hive Ransomware
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #78: Auto-hidden messages
- InfoSec Write-ups
- Dmitry Melikov at InQuest
  - Dangerously thinBasic
- LIFARS Cybersecurity
  - How to Decrypt the Files Encrypted by the Hive Ransomware
- National Cyber Security Centre
  - Cyclops Blink
- Sander Forrer at NVISO Labs
  - Kernel Karnage – Part 9 (Finishing Touches)
- Palo Alto Networks
  - SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors
- Pangu Lab
  - The Bvp47 – a Top-tier Backdoor of US NSA Equation Group
- Tatyana Shishkova and Anton Kivva at Securelist
  - Mobile malware evolution 2021
- Security Intelligence
- Pedro Tavares at Segurança Informática
  - The hidden C2: Lampion trojan release 212 is on the rise and using a C2 server for two years
- Thomas Roccia
  - My Top Books to Learn Malware Analysis and Reverse Engineering
- ThreatFabric
  - Xenomorph: A newly hatched Banking Trojan
- Markel Picado and Carlos Rubio from Threatray Labs
  - Threat updates – A new IcedID GZipLoader variant
- Varonis
- ZScaler
MISCELLANEOUS
- Belkasoft
- Cassie Doemel at AboutDFIR
  - AboutDFIR Site Update 2/26/22
- Todd Adams at Cellebrite
  - Modernizing the Investigative Workflow is the key to Regaining Public Trust
- Forensic Focus
  - Passware Kit Mobile Now Supports iOS 15.3 and Exports Data as DAR Archives
  - Using Micro-Services and Artificial Intelligence to Analyze Images in Criminal Evidences
  - Binalyze Secures $10.4 Million in Seed Funding to Develop Its Real-Time Enterprise Forensics Platform
  - How to Estimate the Speed of a Vehicle with Amped FIVE
  - Meet the New FTK Family for Modern Forensics
  - Accuracy of Geolocation Metadata on Pictures Taken Using a Mobile Phone
- Jesse Spangenberger at ‘Cyber Fenix DFIR & Technology’
  - Training: Cyber5w + DFIR Training
- Magnet Forensics
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — February 13 to February 19
- SANS
- Brett Shavers
  - The live course nears its end…but the ON-DEMAND XWF COURSE IS NEAR!
SOFTWARE UPDATES
- ANSSI DFIR-ORC
- Brian Maloney
  - Sharing is caring
- Cellebrite
  - Now Available: Cellebrite UFED and Responder v7.53
- Didier Stevens
- Eric Zimmerman
  - ChangeLog
- Griffeye
  - Release of Analyze 22
- IntelOwl
  - v3.3.0
- Magnet Forensics
- Mark Woan
  - etw-event-dumper
- Maxim Suhanov
  - dfir_ntfs 1.1.11
- Oddvar Moe at TrustedSec
  - User-Behavior-Mapping-Tool
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!