As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Andy Smith
  - Forensic Analysis of Citymapper for Android
- Belkasoft
- Forensafe
  - Investigating Logon Banner
- Geri at ‘4n6 Ninja’
  - (Air)Dropping some Knowledge: Using RLEAPP to Identify the Phone Number Used in an AirDrop Transfer
- Google Workspace Updates
  - View more information on email delegate activity in the Security Investigation Tool
- iNPUT-ACE
  - Forensic Video: 10 Things Every Investigator Should Know
- Kevin Pagano at Stark 4N6
  - Belkasoft CTF – March 2022
- Nik Alleyne at ‘Security Nik’
  - Beginning Volatility3 Memory Forensics
- Olaf Schwarz at NVISO Labs
  - Investigating an engineering workstation – Part 1
- Williams Kosasi
  - Belkasoft CTF: Kidnapper Case 2022 Writeup
THREAT INTELLIGENCE/HUNTING
- Katherine Mansted and Chris Horlyck at CyberCX
  - Squeezing a balloon: How Australia’s new ransomware laws will affect businesses
- Anomali
- Brad Duncan at Malware Traffic Analysis
- Caprico’s Cave
  - How I accidentally researched Conti for 4 years…
- CERT Ukraine
- CERT-AGID
  - Summary of malicious campaigns in the week of 5 March – 11 March 2022
- Check Point Research
  - 14th March – Threat Intelligence Report
- Chronicle
- Cisco’s Talos
  - Threat Advisory: Opportunistic cyber criminals take advantage of Ukraine invasion
  - Threat Advisory: CaddyWiper
  - Preparing for denial-of-service attacks with Talos Incident Response
  - From BlackMatter to BlackCat: Analyzing two attacks from one affiliate
  - Threat Source newsletter (March 17, 2022) — Channelling productive worry to help Ukraine
  - Threat Roundup for March 11 to March 18
- Cloudflare
- CrowdStrike
  - Falcon OverWatch Threat Hunting Uncovers Ongoing NIGHT SPIDER Zloader Campaign
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - To Russia with LOL
- Josh Hanrahan at Dragos
  - Suspected Conti Ransomware Activity in the Auto Manufacturing Sector
- EclecticIQ
- Elastic
  - Detecting and responding to Dirty Pipe with Elastic
- Vlad Stolyarov and Benoit Sevens at Google Threat Analysis Group
  - Exposing initial access broker with ties to Conti
- Harshit Rajpal at Hacking Articles
- Shane Rose at Huntress
  - What Is Endpoint Detection and Response?
- Avigayil Mechtinger at Intezer
  - Scale Incident Response With Detection Engineering: Detect & Hunt with Intezer
- Christopher Peacock at Scythe
  - SCYTHE Presents: Summiting the Pyramid of Pain: The TTP Pyramid
- Mathew Potaczek, Takahiro Sugiyama, Logeswaran Nadarajan, Yu Nakamura, Josh Homan, Martin Co, and Sylvain Hirsch at Mandiant
  - Have Your Cake and Eat it Too? An Overview of UNC2891
- Mattias Wåhlén at Truesec
  - Anticipating a Russian Cyber Response to Economic Sanctions
- Microsoft Security
  - Uncovering Trickbot’s use of IoT devices in command-and-control infrastructure
- Matt Zorich at Microsoft Sentinel 101
  - Maintaining a well managed Azure AD tenant with KQL
- Roy Golombick at Minerva Labs
  - Malware Evasion Techniques – Living off the Land
- Nasreddine Bencherchali
- Matt Stafford and Sherman Smith at Prevailion
  - What Wicked Webs We Un-weave: Wizard Spider once again proving it isn’t you, it isn’t me; we search for things that you can’t see
- Recorded Future
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, JANUARY 2022 (KOR)
- Red Canary
- RiskIQ
  - RiskIQ Threat Intelligence Roundup: Campaigns Targeting Ukraine and Global Malware Infrastructure
- SANS
  - Shifting from Penetration Testing to Red Team and Purple Team
- SANS Internet Storm Center
  - Curl on Windows, (Mon, Mar 14th)
  - Look Alike Accounts Used in Ukraine Donation Scam impersonating Olena Zelenska, (Mon, Mar 14th)
  - Clean Binaries with Suspicious Behaviour, (Tue, Mar 15th)
  - Qakbot infection with Cobalt Strike and VNC activity, (Wed, Mar 16th)
  - Scans for Movable Type Vulnerability (CVE-2021-20837), (Fri, Mar 18th)
  - SolarWinds Advisory: Unauthenticated Access in Web Help Desk (12.7.5), (Sat, Mar 19th)
  - MGLNDD_* Scans, (Sun, Mar 20th)
- Amitai Ben Shushan Ehrlich at SentinelOne
  - Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
- Thibault Seret and John Fokker at Trellix
  - Suspected DarkHotel APT activity update
- Homer Pacag at Trustwave SpiderLabs
  - The Attack of the Chameleon Phishing Page
- Vicente Díaz at VirusTotal
  - YARA “dotnet” module now available for Livehunt and Retrohunt
- Vitaly Kamluk at APNIC
  - Threat hunting with Yara: Measuring distance between any three elements
- VMware Security
  - Managed Detection and Response: The First Big Win
- WeLiveSecurity
UPCOMING EVENTS
- Cellebrite
  - A Blueprint for Success: Make Correctional Facilities and Communities Safer with Digital Intelligence
- Cybereason
  - Webinar March 31st: Live Attack Simulation – XDR vs. Modern Ransomware
- DFRWS
  - DFRWS APAC 2022 CFP
- Gerald Auger at Simply Cyber
  - 🔴 How To Reverse Engineer Like A Boss
- Magnet Forensics
- Pavel Yosifovich
  - Registration is open for the Windows Internals training
- SANS Institute
  - Emerging Cyber Guidance to the Ukraine-Russia War
PRESENTATIONS/PODCASTS
- ArcPoint Forensics
  - UNALLOCATED SPACE S1: EP05: BRETT SHAVERS
- Arman Gungor at Metaspike
  - Email Forensics Workshop — 2022 CTF Solutions
- Breaking Badness
  - 114. Domains of our Lives
- Heather Mahalik at Cellebrite
  - How to Use Image Similarity in Cellebrite Pathfinder
- Cisco’s Talos
  - Beers with Talos, Ep. #118: Reflecting on the current situation in Ukraine
- Computer Crime Chronicles
  - Computer Crime Chronicles – Episode 5
- Cyberspatial
  - How Building a Cyber Security Startup Ruined My Life (why I’d do it again!)
- Day Cyberwox
  - BTL1 VS CYSA || Which is better?
- Digital Forensic Survival Podcast
  - DFSP # 317 – UserAssist
- Gerald Auger at Simply Cyber
  - CISA Alert (AA22-074A)
- InfoSec_Bret
  - IR – SOC162-112 – Pwnkit (CVE-2021-4034) Detected – Auditd (pkexec)
- Lee Reiber’s Forensic Happy Hour
  - Forensic Happy Hour Episode 303
- Magnet Forensics
  - Magnet AXIOM and GrayKey: Uncover What You’re Missing
- Marcus Hutchins
  - Most Destructive Cyberattacks Ever (Part 1) – BlackEnergy
- MSAB
- SANS
  - Keynote – Journey to the Center of CTI: Story, Systems, and Self
  - Technology, Expressiveness and Context in Threat Observation
  - What is new in FOR585: Smartphone Forensic Analysis In-Depth
  - Inside the Persistent Mind of a Chinese Nation-State Actor
  - Is Sharing Caring? A Deeply Human Study on CTI Networking
  - We’re in Now, Now: The Tyranny of Current Intelligence and How to Manage It
  - Mind Your Gaps: Leveraging Intelligence Gaps to Drive Your Intelligence Activities
- Secureworks
- Securizame
  - A Beer with Lawwait – Episode 2 – Juan Garrido
- Amitai Ben Shushan Ehrlich at SentinelOne
  - Behind the Scenes of BlackShadow APT with Amitai Ben Shushan Ehrlich
- Uriel Kosayev
  - Ardamax Keylogger Part 2 – Malware for Fun
- VMware Security
  - Podcast: Exposing Malware in Linux-Based Multi-Cloud Environments – Chad Skipper, Karen Worstell (SecurityWeekly)
- Zeek in Action
  - Zeek in Action, Video 14, Comparing Zeek Connection Logs with NetFlow Records
MALWARE
- Marius Genheimer at DissectingMalwa.re
  - Quick revs: Pandora Ransomware – The Box has been open for a while…
- Alex Turing and Hui Wang at 360 Netlab
  - New Threat: B1txor20, A Linux Backdoor Using DNS Tunnel
- ASEC
- Atomic Matryoshka
  - What is fuzzy hashing?
- Avast Threat Labs
- Blackberry
- Erik Pistelli at Cerbero
  - String Decrypter Package
- Chuong Dong
  - LockBit Ransomware v2.0
- Max Gannon at Cofense
  - Emotet Spoofs IRS in Tax Season-Themed Phishing Campaign
- Abdallah Elnoty
  - IcedID Loader analysis (Part 1)
- Val Saengphaibul at Fortinet
  - A Brief History of The Evolution of Malware
- Herbie Zimmerman at “Lost in Security”
  - 2022-03-14 Emotet Malspam
- Shusei Tomonaga at JPCERT/CC
  - Anti-UPX Unpacking Technique
- Chris Thompson, Free Wortley, Forrest Allison at LunaSec
  - Protestware – How node-ipc turned into malware
- Malwarebytes Labs
  - Double header: IsaacWiper and CaddyWiper
- Nicklas Keijser at Truesec
  - Analysis of CaddyWiper – Wiper Targeting Ukraine
- OALABS Research
  - BlackCat Ransomware
- Chris Navarrete, Durgesh Sangvikar, Andrew Guan, Yu Fu, Yanhui Jia and Siddhart Shibiraj at Palo Alto Networks
  - Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect
- Pete Cowman at Hatching
  - Maldoc Handling Updates and Family Detections
- Huseyin Can Yuceel at Picus Security
  - The Most Prevalent Ransomware Technique – MITRE ATT&CK Data Encrypted for Impact
- Ryan Campbell at ‘Security Soup’
  - Decoding a DanaBot Downloader
- Security Intelligence
- Pedro Tavares at Segurança Informática
  - Rook ransomware analysis
- Sophos
- Thomas Roccia
  - [Reverse Engineering Tips] — Unpacking InnoSetup
- Feike Hacquebord, Stephen Hilt, and Fernando Merces at Trend Micro
  - Cyclops Blink Sets Sights on Asus Routers
- Trend Micro
  - Attacks Abound in Tricky Threat Terrain: 2021 Annual Cybersecurity Report
MISCELLANEOUS
- Anton Chuvakin
  - How to SLO Your SOC Right? More SRE Wisdom for Your SOC!
- Yulia Samoteykina at Atola
  - When TaskForce’s integration into your automation solution is a game changer
- Breachquest
  - Introducing… Abbey Mirelli
- Brett Shavers at DFIR.Training
- James Campbell at Cado Security
  - Cado Response Platform Now Available to Enterprises in AWS Marketplace
- Andy Thompson at CyberArk
  - Ransomware Rewind: From Floppy Disks to Ransomcloud Attacks
- Digital Forensics Myanmar
  - Social Media Investigation or Social Media Intelligence
- EclecticIQ
  - Deconstructing R in an EDR
- Lee Whitfield at Forensic 4cast
  - The Strength of a Tree
- Forensic Focus
  - Dealing With Multiple Data Sources: A Panel Discussion
  - Machine Learning Based Approach to Analyze File Metadata for Mobile Phone Triage
  - Techno Security Returns to Myrtle Beach – One Month Early
  - Checkm8 Acquisition Method in Oxygen Forensic Detective 14.3
  - AI-Based Video Recognition in FTK
  - Detego Global’s Field Triage Solution Selected as a Finalist for UK’s ADS Security Innovation Award
  - Malware Family Classification Via Efficient Huffman Features
- Gianluca Tiepolo
  - iOS Forensics for Investigators
- InfoSec Write-ups
  - Securing your Linux Servers Part 3
- Jason Jordaan at ITWeb
- Magnet Forensics
  - How EDR Complements DFIR
- MuSecTech
  - Using Netcat, Metasploit, and AChoirX for Remote Forensic Collection
- Ryan Campbell at ‘Security Soup’
- Anusthika Jeyashankar at Security Investigation
  - Splunk Commands – Append, Chart and Dedup
- Security Onion
  - Security Onion Documentation printed book now updated for Security Onion 2.3.110!
- Scott J Roberts
  - Mentoring
- John Patzakis at X1
  - Post Pandemic, Corporate eDiscovery Undergoes a Permanent Paradigm Shift
SOFTWARE UPDATES
- AWS Labs
  - Automated Incident Response and Forensics Framework
- Brian Maloney
  - OneDriveExplorer v2022.03.11-r1
- Cellebrite
- Elcomsoft
  - Elcomsoft Phone Viewer 5.33 updated with Windows 11, macOS 12 Monterey support
- Malwoverview
  - Malwoverview 5.0.0
- Metaspike
  - Forensic Email Collector (FEC) Changelog – v3.70.1.5 – Released on 3/17/2022
- MISP
  - MISP 2.4.156 released including a new synchronisation event signing mechanism and many new features
- Oxygen Forensics
  - iOS 15 or above? We’ve got you! New checkm8 extraction method in Oxygen Forensic® Detective v. 14.3
- Volatility Foundation
  - Volatility 3 2.0.1
- Nabil Adouani at StrangeBee
  - TheHive 5.0 is now available
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!