As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Christopher Romano and Vaishnav Murthy at CrowdStrike
  - Cloudy with a Chance of Unclear Mailbox Sync: CrowdStrike Services Identifies Logging Inconsistencies in Microsoft 365
- Krzysztof Gajewski at CyberDefNerd
  - Why do the battery use and the battery level matter during the investigation?
- Oleg Afonin at Elcomsoft
  - Windows 11 TPM Protection, Passwordless Sign-In and What You Can Do About Them
- Forensafe
  - Investigating RecentDocs MRU
- Kevin Pagano at Stark 4N6
  - BloomCON 0x06 Forensics CTF
- Kibaffo33
  - Decoding Chess.com
- Nisarg Suthar
  - picoCTF 2022 Write-up: TorrentAnalyze
- Olaf Schwarz at NVISO Labs
  - Investigating an engineering workstation – Part 2
- Oxygen Forensics
  - Extracting Spark Data in Oxygen Forensic® Detective
- Scott Koenig at ‘The Forensic Scooter’
  - Photos.sqlite Query Documentation & Notable Artifacts
- Marina Galiano at Security Art Work
  - DICOM, how it gets hacked: the standard hospitals use
- Vikas Singh at Sophos
  - Reconstructing PowerShell scripts from multiple Windows event logs
- Alberto Pellitteri at Sysdig
  - Digital Forensics Basics: A Practical Guide for Kubernetes DFIR
- Velocidex
- Zawadi Done
  - Automating DFIR using Cloud services
THREAT INTELLIGENCE/HUNTING
- MITRE evaluations
  - Wizard Spider and Sandworm ATT&CK Evaluation Results: Data Encrypted For Impact (T1486)
  - MITRE ATT&CK® Evaluations 2022 – Why Actionable Detections Matter
  - BlackBerry Again Demonstrates 100% Prevention Against Wizard Spider and Sandworm Threat Groups Emulated in MITRE ATT&CK Evaluations
  - MITRE ATT&CK: Wizard Spider and Sandworm Evaluations Explained
  - Cybereason Excels in the 2022 MITRE ATT&CK® Evaluations: 100% Prevention, Visibility and Real-Time Protection
  - Undefeated in MITRE ATT&CK Evaluations – Undefeated Against Ransomware
  - 2022 MITRE Engenuity ATT&CK® Evaluations Highlight Deep Instinct’s Unique Prevention-First Approach to Cybersecurity
  - FortiEDR Blocks 100% of Attacks in MITRE Engenuity ATT&CK® Evaluation for the Second Year in a Row
  - MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks
  - Microsoft protects against human-operated ransomware across the full attack chain in the 2022 MITRE Engenuity ATT&CK® Evaluations
  - MITRE Engenuity ATT&CK Evaluation: InsightIDR Drives Strong Signal-to-Noise
  - MITRE Engenuity ATT&CK® Evaluation results showcase Sophos real-world threat prevention and detection
  - 2022 MITRE ATT&CK® Evaluations: Spotlight on Ransomware
- Spring4Shell
  - Let’s All Calm Down About Spring4Shell
  - Threat Advisory: Spring4Shell
  - Spring4Shell: CVE-2022-22965
  - Trouble on the Horizon – Spring CVE
  - spring4shell Capture File
  - Mitigating Spring4Shell with Group-IB
  - Spring4Shell/SpringShell Spring Remote Code Execution Vulnerability: Impact and Response
  - Hunting for Spring Core Exploitation
  - Update on Spring4Shell’s Impact on Rapid7 Solutions and Systems
  - Securing Your Applications Against Spring4Shell (CVE-2022-22965)
  - Java Springtime Confusion: What Vulnerability are We Talking About, (Wed, Mar 30th)
  - Spring4Shell: New Zero-day RCE Vulnerability Uncovered in Java Framework
  - Detecting and Mitigating CVE-2022-22963: Spring4Shell RCE Vulnerability
  - Spring4Shell – Spring Core RCE
  - Analysis of Spring Cloud Framework Vulnerabilities
- Zhang Zaifeng at 360 Netlab
  - Digital Certificates in the Russia-Ukraine Crisis: Revocation, Impact, Mitigation
- Alex Teixeira
  - The Shift-Left strategy applied to Threat Detection
- Anomali
- Mike Behrmann at Antigen Security
  - Antigen Security – Cyber Pathogenesis Series – Karakurt and the Efficacy of Data Extortion: A Case Study
- APNIC
- Blackberry
  - Threat Thursday: Malicious Macros Still Causing Chaos
- Brad Duncan at Malware Traffic Analysis
  - 2022-03-29 – Emotet E4 with Cobalt Strike
- CERT Ukraine
- CERT-AGID
- Check Point Research
- Maria Jose Erquiaga, Onur Erdogan and Adela Jezkova at Cisco
  - Emotet is Back
- Cisco’s Talos
- Kyle Duncan and Dylan Main at Cofense
  - RAT Campaign Looks to take Advantage of the Tax Season
- CrowdStrike
  - Who is EMBER BEAR?
- Mike at Cyber&Ramen
  - Detecting COM Object Tasks by DarkHotel
- Sam Curry at Cybereason
  - Lapsus$ Activity Betrays Nation-State Motivation
- Cyble
  - Russia – Ukraine Cyberwarfare: A Review of the ongoing Conflict in Cyberspace
- Cyborg Security
  - CONTI Ransomware
- Cymulate
- Dragos
- Elastic
- Esentire
- Falco
  - Blog: Analyze Okta Log Events with a Falco Plugin
- Flashpoint
  - Breach Forums Is Marketing Itself as a Raid Forums Successor
- Fortinet
- Billy Leonard at Google Threat Analysis Group
  - Tracking cyber activity in Eastern Europe
- Ilia Rozhnov at Group-IB
  - Empty Box
- Harshit Rajpal at Hacking Articles
  - Lateral Movement: Remote Services (Mitre:T1021)
- InfoSec Write-ups
- Roger Kay at INKY
- Joakim Kennedy and Ryan Robinson at Intezer
  - New Conversation Hijacking Campaign Delivering IcedID
- Jack Humphries at ASOS
  - Automating Brand Abuse Detection and Takedowns
- Jan Geisbauer at Empty Datacenter
  - MDE Hunting 101
- John Fokker and Jambul Tologonov at Trellix
  - Conti Leaks: Examining the Panama Papers of Ransomware
- Kim Zetter at ‘Zero Day’
- Jared Stroud at Lacework
  - Actionable Threat Intel in The Cloud
- Geoff Ackerman, Tufail Ahmed, James Maclachlan, Dallin Warne, John Wolfram, and Brandon Wilbur at Mandiant
  - Forged in Fire: A Survey of MobileIron Log4Shell Exploitation
- Allen Butler at MaverisLabs
  - Data Exfiltration using RedDrop
- Michael Koczwara
  - LAPSUS$ TTP’s
- Mike at “CyberSec & Ramen”
  - Detecting COM Object Tasks by DarkHotel
- Selena Larson at MITRE ATT&CK
  - Intelligence Failures of Lincoln’s Top Spies: What CTI Analysts Can Learn From the Civil War
- MITRE Engage
  - Part Two: A Deeper Dive into Russian ICS Threats: Sandworm, Dragonfly, and XENOTIME
- Laura Keenan and Jason Kikta at Modern War Institute
  - How To Avoid Tripping Over Russia’s Ransomware Threat
- Nikolaos Pantazopoulos, Alex Jessop and Simon Biggs at NCC Group
  - Conti-nuation: methods and techniques observed in operations post the leaks
- Ryan Olson at Palo Alto Networks
  - Ransomware Trends: Higher Ransom Demands, More Extortion Tactics
- Caitlin Condon at Rapid7
  - Analyzing the Attack Landscape: Rapid7’s 2021 Vulnerability Intelligence Report
- Recorded Future
- Red Alert
  - Hacking activity of SectorA Group in 2021
- RiskIQ
- SANS Internet Storm Center
  - Video: Maldoc Cleaned by Anti-Virus, (Sun, Mar 27th)
  - Wireshark 3.6.3 Released, (Sun, Mar 27th)
  - BGP Hijacking of Twitter Prefix by RTComm.ru, (Mon, Mar 28th)
  - More Fake/Typosquatting Twitter Accounts Asking for Ukraine Cryptocurrency Donations, (Tue, Mar 29th)
  - Quickie: Parsing XLSB Documents, (Wed, Mar 30th)
  - Apple Patches Actively Exploited Vulnerability in macOS, iOS and iPadOS, (Thu, Mar 31st)
  - curl 7.82.0 Adds --json Option, (Sat, Apr 2nd)
- Christopher Peacock and Shawn Edwards at Scythe
  - SCYTHE Presents: FIN13
- Dawn Allcot at Security Intelligence
  - 2022 Banking & Finance Security Intelligence Roundup
- Carlos Perez at ‘Shell is Only the Beginning’
  - Tracking WMI Activity with PSGumshoe
- Gabor Szappanos at Sophos
  - Horde of miner bots and backdoors leveraged Log4J to attack VMware Horizon servers
- Ben Martin at Sucuri
- Christiaan Beek & John Fokker at Trellix
  - Executive Summary: Organizations and Nation-State Cyber Threats
- Justin Vaicaro at TrustedSec
  - Simplifying Your Operational Threat Hunt Planning
- Koos Goossens at Wortell
  - Automate your Sentinel incident triage
- Krishna Kona and Lidor Pergament at ZScaler
  - Analysis of Domain Fronting Technique: Abuse and Hiding via CDNs
UPCOMING EVENTS
- Cellebrite
- Monica Harris and Bob Keeney at Cellebrite
  - Uncovering Windows Registry Data and the Latest Mac Artifacts
- Cyborg Security
- Gerald Auger at Simply Cyber
  - 🔴 Defending the Attack!
- Magnet Forensics
- The Cyber Social Hub
  - Tips to get fast answers from digital media during your on-scene investigations
PRESENTATIONS/PODCASTS
- Archan Choudhury at BlackPerl
- Black Hills Information Security
  - Talkin’ About Infosec News – 3/29/2022
  - Talkin’ About Infosec News – 3/30/2022
  - BHIS | How to Use Backdoors & Breaches to do Tabletop Exercises and Learn Cybersecurity, with Jason
  - BHIS | How to Use Backdoors & Breaches to do Tabletop Exercises – Jason Blanchard & Others
  - Talkin’ About Infosec News – 3/31/2022
- BlueMonkey 4n6
  - mount and backup iOS devices with Linux
- Breaking Badness
  - 116. A Breach? I’m Afraid SSO
- Chewing the FAT
  - Episode 11
- Cisco’s Talos
  - Beers with Talos, Ep. #119: If it walks like a BlackCat, smells like a BlackCat…
- Cloud Security Podcast by Google
  - EP58 SOC is Not Dead: How to Grow and Develop Your SOC for Cloud and Beyond
- Colin Hardy
  - Detect, Hunt & Analyze Threats with INTEZER
- Didier Stevens
  - Maldoc Cleaned by Anti-Virus
- Digital Forensic Survival Podcast
  - DFSP # 319 – Shellbags
- Down the Security Rabbithole Podcast
  - DtSR Episode 494 – Forensics The Art of the Science Plus a Cat
- Hacker Valley Blue
  - Hacker Valley Blue – In The Cyber Fast Lane with Marcus Bowie
- InfoSec_Bret
  - SA – SOC163-113 – Suspicious Certutil.exe Usage
- John Hammond
  - SANS Holiday Hack Challenge 007: Hash Extension Part1
  - SANS Holiday Hack Challenge 008: Finish Objective7
  - SANS Holiday Hack Challenge 009: Fail2ban Configuration
  - PicoCTF 2022 #01 – WELCOME & Basic File Exploit
  - Python Scripting Modular Arithmetic – PicoCTF 2022 #02 basic-mod1
  - Ransomware Attacks #shorts
- Magnet Forensics
- MalGamy
- Mitre Att&ckon 3.0
  - Would you rather have telemetry into 2 attacks or 20?
- Nextron Systems
  - Aurora Pre-Release Session
- Paraben Corporation
  - Patented Faraday Protection
- Red Canary
- SANS
  - I Award You No Points, and May God have Mercy Upon your Soul: Feedback in CTI
  - Applied Forecasting: Using Forecasting Techniques to Anticipate Cyber Threats
  - TypoDetect, Detecting the traps that fool your brain
  - Threat Actor of in-Tur-est: Unveiling Balkan Targeting
  - Mark Your Calendars: Why Dates Matter to Adversaries
  - CTI techniques for characterising a ransomware attack
  - Building Strategic Return on Investment Through Cyber Intelligence
  - The First Purpose: Rediscovering Warning Analysis for CTI
- The Defender’s Advantage Podcast
MALWARE
- Any.Run
  - Malware configuration
- ASEC
  - VBS Script Disguised as PDF File Being Distributed (Kimsuky)
  - BitRAT Disguised as Office Installer Being Distributed
  - ASEC Weekly Malware Statistics (March 21st, 2022 – March 27th, 2022)
  - Malicious Word File Targeting Corporate Users Being Distributed
  - ASEC Weekly Malware Statistics (March 14th, 2022 – March 20th, 2022)
  - APT Attacks Using Word File Disguised as Donation Receipts for Uljin Wildfire (Kimsuky)
  - APT Attack Disguised as Resume Template for North Korean Defectors (VBS Script)
- Avast Threat Labs
  - Avast Finds Compromised Philippine Navy Certificate Used in Remote Access Tool
- Cyber Geeks
  - A step-by-step analysis of the Russian APT Turla backdoor called TinyTurla
- Cyble
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #82: Decompiler options: default radix
- Dmitry Melikov at InQuest
  - Cloud Atlas Maldoc
- Lab52
  - Complete dissection of an APK with a suspicious C2 Server
- Mahmoud Morsy
  - Phishing Attacks 24_3_2022
- Malwarebytes Labs
- Minerva Labs
- Morphisec
- Netskope
  - Catching A Wave, Standing Up on My Surfboard: How Cloud Threat Exchange Saves My SOC From Drowning (For Now)
- Nettitude Labs
  - Introducing PoshC2 v8.0
- OALABS Research
  - Angr Control Flow Deobfuscation
- Pete Cowman at Hatching
  - ssdeep Support, General Improvements & Family Updates
- Securelist
  - Lazarus Trojanized DeFi app for delivering malware
- Pedro Tavares at Segurança Informática
  - Alert: Banking phishing with a new template circulating in Portugal
- Juan Andres Guerrero-Saade and Max van Amerongen at SentinelLabs
  - AcidRain | A Modem Wiper Rains Down on Europe
- Symantec Enterprise
  - Verblecon: Sophisticated New Loader Used in Low-level Attacks
- Tony Lambert
  - An AgentTesla Sample Using VBA Macros and Certutil
- Max Kersten, Marc Elias, Leandro Velasco, and Alexandre Mundo Alguacil at Trellix
  - PlugX: A Talisman to Behold
- Vladislav Hrčka at WeLiveSecurity
  - Under the hood of Wslink’s multilayered virtual machine
- Oleg Boyarchuk and Jason Zhang at VMware Security
  - Emotet C2 Configuration Extraction and Analysis
- Jason Reaves
  - CobaltStrike UUID stager
- Mitesh Wani and Kaivalya Khursale at ZScaler
  - Analysis of BlackGuard – a new info stealer malware being sold in a Russian hacking forum
MISCELLANEOUS
- Jessica Hyde at Magnet Forensics
  - Magnet Summit 2022 Mentorship Day
- Lillian Peterson at Active Countermeasures
  - Threat Hunting Over the Network With Zeek and RITA
- Belkasoft
  - How Memory Analysis Helped to Fight Against “Designer Drugs”
- Bitdefender
  - The Clock is Ticking: What to do immediately after a ransomware attack
- Cobalt Strike Research and Development
  - Building Upon a Strong Foundation
- Craig Timberg, Matt Viser and Tom Hamburger at The Washington Post
  - Here’s how The Post analyzed Hunter Biden’s laptop
- CyberDrain
  - Automating with PowerShell: Shipping your logs
- Forensic Focus
  - MSAB’s Simon Crawley on the Importance of Frontline Forensics
- Intezer
  - Security ROI: Time & Resource Savings for IR/SOC Teams
- Joshua James at DFIRScience
  - A new look for DFIR Science
- Kevin Pagano at Stark 4N6
- Magnet Forensics
  - Meet the Recipients of the 2021 Magnet Forensics Scholarship Award!
- Gijs Hollestelle at Falcon Force
  - Debugging the undebuggable and finding a CVE in Microsoft Defender for Endpoint
- Ryan Weeks and Chris Henderson at Rapid7
  - 4 Fallacies That Keep SMBs Vulnerable to Ransomware, Pt. 2
- Brittany Roberts at ADF
  - 5 Reasons Why You Need to Invest in Computer Forensics Software
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — March 27 to April 2
- SANS
- Security Investigation
- StealthBay
- Brett Shavers
  - The X-Ways Forensics Practitioner’s Guide/2E OnDemand Course is ONLINE NOW! Sign up today!
- Zack Whittaker at Tech Crunch
  - Lapsus$ found a spreadsheet of accounts as they breached Okta, documents show
SOFTWARE UPDATES
- Belkasoft
  - Belkasoft X v.1.12: Massive update of file-based decryption, SQLite forensics improvements based on NIST testing, iOS agent-based acquisition and checkm8-based acquisition improvements, new powerful eDiscovery features, Semantics 21 integration and many more
- Berla
  - iVe Software v3.6 Release
- Brim
  - Version 0.29.0
- CyberChef
  - v9.37.0
- Didier Stevens
- Malwoverview
  - Malwoverview 5.0.2
- Ninoseki
  - Mihari v4.4.1
- Nextron Systems
  - Aurora Lite Agent v1.0 Release
- Nir Sofer
  - Extract passwords from external disk with ExtPassword! tool
- Regipy
  - 2.3.0
- Stratosphere IPS
  - New Slips version 0.8.5 is here!
- Velocidex
  - Velociraptor 0.6.4 Release
- Xways
  - X-Ways Forensics 20.5 Beta 2
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!