As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Amber Schroader at Cyber Social Hub
  - Expectations of Facebook Data
- Dr. Brian Carrier at Cyber Triage
  - Cyber Triage Lite – Network, Disk Image, and Memory Inputs
- Krzysztof Gajewski at CyberDefNerd
- Digital Forensics Myanmar
  - Why FTK Imager is used as the example
- Forensafe
  - Investigating Windows System Resource Usage Monitor (SRUM)
- Olaf Schwarz at NVISO Labs
  - Amcache contains SHA-1 Hash – It Depends!
- Falcon Force
  - EzETW — Got To Catch Them All….
- Amber Schroader at Paraben Corporation
  - Expectations of Facebook Data
- Passware
  - A Deep Dive into Apple Keychain Decryption
THREAT INTELLIGENCE/HUNTING
- 360 Netlab
  - Public Cloud Network Security Threat Intelligence (202202)
- Anomali
  - Anomali Cyber Watch: Daxin Hides by Hijacking TCP Connections, Belarus Targets Ukraine and Poland, Paying a Ransom is Not a Guarantee, and More
- ASEC
- Chris Furner at Blumira
  - Analyzing MITRE’s Top Observed Attacker Techniques
- Brad Duncan at Malware Traffic Analysis
  - 2022-02-23 – Traffic Analysis Exercise – Sunnystation
- Marco Figueroa, Napoleon Bing, and Bernard Silvestrini at Breachquest
  - The Conti Leaks | Insight into a Ransomware Unicorn
- Check Point Research
  - 7th March – Threat Intelligence Report
  - Leaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up… Sort Of
  - Lapsus$ Ransomware Gang – A Malware in Disguise
  - February 2022’s Most Wanted Malware: Emotet Remains Number One While Trickbot Slips Even Further Down the Index
  - Check Point Research Reveals Leaks of Conti Ransomware Group
- Cisco’s Talos
  - Deep dive: Vulnerabilities in ZTE router could lead to complete attacker control of the device
  - Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools
  - Talos Threat Source newsletter (March 10, 2022) — Fake social media posts spread in wake of Ukraine invasion
  - Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups
  - Threat Roundup for March 4 to March 11
- Alex Kirk at Corelight
  - Know your environment: Tenable/Corelight integration for prioritized IDS alerts
- Chris Nguyen and Eric Loui at CrowdStrike
  - PROPHET SPIDER Exploits Citrix ShareFile Remote Code Execution Vulnerability CVE-2021-22941 to Deliver Webshell
- Csaba Fitzl at ‘Theevilbit’
  - Beyond the good ol’ LaunchAgents – 29 – amstoold
- Cybereason
- Kit Clelford at Cyjax
  - Ransomware Review – February 2022
- Dan Lisichkin at Cymulate
  - Expanding on Existing IoCs to Leverage Immediate Threat Simulations
- DeTTECT
  - v1.6.0
- Dragos
- Elastic
  - PHOREAL malware targets the Southeast Asian financial sector
- Eddy Willems at G Data Security
  - An attacker’s toolchest: Living off the land
- Shane Huntley at Google Threat Analysis Group
  - An update on the threat landscape
- Harshit Rajpal at Hacking Articles
  - Domain Escalation: Resource Based Constrained Delegation
- Roger Kay at INKY
  - New Phishing Attack Impersonates Ukrainian President, Seeks Cryptocurrency Aid
- Korstiaan Stam at ‘Invictus Incident Response’
  - Set up Splunk for Incident Response in GCP in 15 minutes
- Lab52
  - Very very lazy Lazyscripter’s scripts: double compromise in a single obfuscation
- Lumen
  - Emotet Redux
- Malwarebytes Labs
- Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, and John Wolfram at Mandiant
  - Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments
- Minerva Labs
  - Lockbit 2.0 ransomware surges in 2022
- Moath Maharmeh at C99.sh
  - Hunting for Suspicious DNS Communications
- Michael Gough at NCC Group
  - Microsoft announces the WMIC command is being retired, Long Live PowerShell
- NVISO Labs
- Michael Raggi and Myrtus at Proofpoint
  - The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, December 2021 (ENG)
- Paul Roberts at ReversingLabs
  - Wiper Malware Targeting Ukraine: Evidence of Planning, and Haste
- Manju Lalwani at Salesforce Engineering
  - Detecting Multithreaded Exfiltration in Zeek
- SANS Internet Storm Center
  - No Bitcoin – No Problem: Follow Up to Last Weeks Donation Scam, (Mon, Mar 7th)
  - Microsoft March 2022 Patch Tuesday, (Tue, Mar 8th)
  - Infostealer in a Batch File, (Wed, Mar 9th)
  - Credentials Leaks on VirusTotal, (Thu, Mar 10th)
  - Keep an Eye on WebSockets, (Fri, Mar 11th)
  - ICMP Messages: Original Datagram Field, (Sat, Mar 12th)
  - YARA 4.2.0 Released, (Sun, Mar 13th)
- Antonio Villalón at Security Art Work
  - ATT&CK reconnaissance: constructive criticism
- Security Investigation
  - What is Port Forwarding and the Security Risks?
  - Splunk Commands – Field-value pair matching, Boolean and comparison, Operator and Wildcards
  - Hackers Signing Malware With Stolen NVIDIA Certificates
  - Conti Ransomware IoC – CyberSecurity & Infrastructure Security Agency updates nearly 100 domain names
  - BazarLoader IoC – Actors Initiate Contact via Website Contact Forms
- Sekoia
- Stephen Lawton at Sophos
  - Minimize the time to detect and respond to threats
- SpecterOps
  - Revisiting Phishing Simulations
- SteveD3
  - Fake AV phishing spikes in Q1 2022
- Cyberknow
- Symantec Enterprise
  - The Ransomware Threat Landscape: What to Expect in 2022
- Telsy
  - Legitimate Sites used as Cobalt Strike C2s against Indian Government
- The DFIR Report
  - 2021 Year In Review
- Ukraine-CERT
  - Cyberattack on the state authorities of Ukraine using the malicious program Cobalt Strike Beacon (CERT-UA # 4145)
- Eric Saraga at Varonis
  - Is this SID taken?
- Vicente Díaz at VirusTotal
  - Meet our new improved VirusTotal Graph
- VMware Security
UPCOMING EVENTS
- Arman Gungor at Metaspike
  - Email Forensics Workshop — 2022 CTF Solutions
- Cellebrite
  - How to get fast results easily from your Digital Intelligence solution
- Gerald Auger at Simply Cyber
  - 🔴 Practical SOC Analyst Core Skills with John Strand
- Magnet Forensics
- Bradford Oliver at ADF
  - Best 2022 Forensics and Law Enforcement Conferences in the UK
- SANS Institute
  - Join us for the Free SANS New2Cyber Summit 2022!
- VMware Security
  - Learn About the Threats Lurking in Your Linux-Based Multi-Cloud
PRESENTATIONS/PODCASTS
- Archan Choudhury at BlackPerl
  - Incident Response Training, Essential Malware Analysis – Day 21
- Black Hills Information Security
  - Talkin’ About Infosec News – Special Ukraine Edition – 3/10/2022
- BlueMonkey 4n6
  - Packet capture tutorial using tcpdump
- Breaking Badness
  - 113. Threat Actors DDoS a Line
- Detections by SpecterOps
- Digital Forensic Survival Podcast
  - DFSP # 316 – Cloud Traffic Security
- Down the Security Rabbithole Podcast
  - DtSR Episode 491 – SOAR is Boring
- FIRST
  - 2022 FIRST Regional Virtual Symposium & Joint TF-CSIRT Meeting: Europe
- Forensic Focus
  - The EFF’s Eva Galperin on Using DFIR Skills To Help Victims of Stalkerware and Abuse
- Gerald Auger at Simply Cyber
  - Let’s Play ThreatGen Red.V.Blue (Cyber Simulator)
- Heather Mahalik at Cellebrite
  - Different Methods for Creating Reports in Cellebrite Reader
- InfoSec_Bret
  - IR – SOC159-109 – Karma Ransomware Attack
- JCyberSec
  - I Analyzed a Crypto Phishing Kit with a Hidden Secret: A Deep Dive into the World of Crypto Phishing
- Justin Tolman at AccessData
  - FTK Feature Focus – Episode 38 – Field Mode and More Q&A
- Lee Reiber’s Forensic Happy Hour
  - Oxygen Forensics Episode 302
- Magnet Forensics
- Paraben Corporation
  - Processing Locked Android Devices
- SANS Cloud Security
- SANS Institute
- SentinelOne
  - Podcast: Cyber War Elements In The Ukrainian Conflict | Hosted by the Alperovitch Institute for Cybersecurity Studies
- Uriel Kosayev
  - Ardamax Keylogger Part 1 – Malware For Fun
- WeLiveSecurity
  - ESET Research webinar: How APT groups have turned Ukraine into a cyber-battlefield
MALWARE
- Adam at Hexacorn
- Avast Threat Labs
- Blackberry
  - Threat Thursday: CryptBot Infostealer Masquerades as Cracked Software
- Cluster25
  - GHOSTWRITER / UNC1151 ADOPTS MICROBACKDOOR VARIANTS IN CYBER OPERATIONS AGAINST UKRAINE
- Cryptax
  - Live reverse engineering of a trojanized medical app — Android/Joker
- FBI
  - RagnarLocker Ransomware Indicators of Compromise
- Xiaopeng Zhang at Fortinet
  - MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part I
- Gourav Dhar
  - How I created a Trojan Malware — Ethical Hacking
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #80: Bookmarks
- Febi Mudiyanto at InfoSec Write-ups
  - How to Make Ransomware with Python
- McAfee Labs
  - Come Join the Scam Party
- Microsoft DART
- Gustavo Palazolo at Netskope
  - New Formbook Campaign Delivered Through Phishing Emails
- Pete Cowman at Hatching
  - Greater Filetype Support, Family Updates, and New Configuration Extractors
- Ghanshyam More at Qualys
  - AvosLocker Ransomware Behavior Examined on Windows & Linux
- Secureworks
  - Excel Add-ins Deliver JSSLoader Malware
- Security Onion
  - Quick Malware Analysis: Astaroth/Guildma pcap from 2022-02-16
- Pedro Tavares at Segurança Informática
- Steeve Gaudreault at Sophos
  - Qakbot injects itself into the middle of your conversations
- Symantec Enterprise
- Trend Micro
- Jason Reaves and Joshua Platt at Walmart
  - Diavol the Enigma of Ransomware
- Willi Ballenthin
  - Biodiff
- Yoroi
  - Conti Ransomware source code: a well-designed COTS ransomware
MISCELLANEOUS
- Bill Stearns at Active Countermeasures
  - Building a Global Ignore Filter
- Adam Svoboda
  - Password Cracking in the Cloud with Hashcat and Vast.ai
- Belkasoft
  - [Free On-demand Course] Mobile Forensics With Belkasoft X
- Cassie Doemel at AboutDFIR
  - AboutDFIR Site Content Update 3/12/22
- Greg Darwin at Cobalt Strike Research and Development
  - Cobalt Strike Roadmap Update
- JJ Cranford at Cybereason
  - DFIR Demystified: Understanding Digital Forensics Incident Response
- ENISA
  - Incidents Handling and Cybercrime Investigations
- Forensic Focus
  - DFRWS-EU Open to Both Physical and Online Attendees in First-Ever Hybrid Event
  - A Deep Dive into Apple Keychain Decryption
  - E-Discovery Business Takes New Approach to Collecting and Preparing Digital Evidence to Spur Growth
  - Emiliano Polito, Trainer, Amped Software
  - Computer Forensic Reference Data Sets For Digital Evidence
  - New Challenge of Drone Forensics, MD-DRONE
- Aner Izraeli at Intezer
  - How You Can Use Our New Open-Source Database Access Control Tool
- Magnet Forensics
- MantaRay Forensics
  - VirusShare_0-410
- Oxygen Forensics
  - Hex Search in Oxygen Forensic® Detective
- SANS
- Michael Kavka at Silicon Shecky
  - Do well, not be “popular”
- Xavier Mertens at /dev/random
  - In-Person Infosec Conferences Are Back
SOFTWARE UPDATES
- Brian Maloney
  - OneDriveExplorer v2022.03.11
- Eric Zimmerman
  - ChangeLog
- Kroll
  - Kape Changelog
- F-Response
  - F-Response 8.3.1.12 Released – Updates to Collect, Classic, and Universal
- Matt Borgerson
  - mdec
- MobilEdit
  - MOBILedit Forensic 8.0.1 just released
- net-protect
  - Google Filestream Forensic Tool
- Nir Sofer
  - Windows Defender Detected Threats Log
- Security Onion
  - Security Onion 2.3.110 now available including Intrusion Detection Honeypot and MFA!
- YARA
  - v4.2.0
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!