As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Joshua James at DFIRScience
- DiabloHorn
  - Firewall analysis: A portable graph based approach
- Didier Stevens
  - .ISO Files With Office Maldocs & Protected View in Office 2019 and 2021
- Oleg Afonin at Elcomsoft
  - Unlock WordPerfect and Lotus Documents with Advanced Office Password Recovery
- Brian Bahtiarian, David Blanton, Britton Manahan and Kyle Pellett at Expel
  - Incident report: From CLI to console, chasing an attacker in AWS
- Exterro
  - Forensics collections for E-Discovery
- Forensafe
  - Investigating Adobe Acrobat Reader
- Joshua Hickman at ‘The Binary Hick’
  - Examining A Malware-Infected Android Phone. This Android Is Not Alright.
- MuSecTech
  - Automating Memory Analysis with AChoirX, Volatility, and LOKI
- Marina Galiano at Security Art Work
  - Hacking DICOM: the hospital standard
- Mohammed Al-Maskati, Bill Marczak, Siena Anstis, and Ron Deibert at The Citizen Lab
  - PEACE THROUGH PEGASUS: Jordanian Human Rights Defenders and Journalists Hacked with Pegasus Spyware
- The DFIR Report
  - Stolen Images Campaign Ends in Conti Ransomware
- Pieces0310
  - The impact of Android 12 – Pieces0310
THREAT INTELLIGENCE/HUNTING
- More MITRE evaluations!
  - MITRE Engenuity ATT&CK® Evaluations Results Highlight Check Point’s leadership in Endpoint Security with a 100% Detection Across all Attack Steps
  - Falcon Platform Identity Protection Shuts Down MITRE ATT&CK Adversaries
  - Microsoft 365 Defender demonstrates industry-leading protection in the 2022 MITRE Engenuity ATT&CK® Evaluations
  - 2022 MITRE Engenuity ATT&CK Evaluations Results
  - MITRE ATT&CK Wizard Spider and Sandworm Evaluation: ReaQta, an IBM company demonstrates Best-in-Class capabilities for Three Years in a row.
  - Our Take: SentinelOne’s 2022 MITRE ATT&CK Evaluation Results
  - MITRE Engenuity ATT&CK Tests
  - Why the Mitre Engenuity ATT&CK Evaluations Matter
  - VMware Delivers Comprehensive Endpoint & Network Visibility in Latest MITRE Engenuity ATT&CK® Evaluation
- Ahmed Musaad
  - 18 New Log Sources in Google Workspace Investigation Tool
- Anomali
  - Anomali Cyber Watch: AcidRain Wiped Viasat Modems, BlackMatter Rewritten into BlackCat Ransomware, SaintBear Goes with Go, and More
- Awake Security
  - EverythingIsLife: A Masquerading Cryptocurrency Mining Campaign
- Erica Mixon at Blumira
  - The Return of IcedID and How to Detect It
- Brad Duncan at Malware Traffic Analysis
- Bryce Abdo, Zander Work, Ioana Teaca, and Brendan Mckeague at Mandiant
  - FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
- CERT Ukraine
- CERT-AGID
  - Summary of malicious campaigns in the week of 2 – 8 April 2022
- Cisco’s Talos
- CrowdStrike
- Curated Intelligence
- Krzysztof Gajewski at CyberDefNerd
  - The way to run the RunOnce key without any logons/reboots.
- Cybereason
  - Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials
- Cyberknow
  - Update 11. 2022 Russia-Ukraine war — Cyber group tracker. April 4.
- Cyble
  - Inside Lightning Stealer
- DomainTools
  - SPM55: Ascending the Ranks of Indonesian Phishing As A Service Offerings
- Anna Skelton at Dragos
  - Assessing Threats to European Industrial Infrastructure
- EclecticIQ
- David Bianco
  - Stop Using Hashes for Detection (and When You Should Use Them)
- Matthew Lucas at F-secure
  - Detecting Attacks against Azure DevOps
- Flashpoint
  - Top 10 Ransomware Trends: Board Responsibilities, Tracking Ransomware, and Mitigating Risk in 2022
- Jacob Pimental at GoggleHeadedHacker
  - Analysis of Log4jShell Attack
- Group-IB
  - Scammers make off with $1.6 million in crypto
- Hacking Articles
- InfoSec Write-ups
  - Pyramid Of Pain
- Josiah Smith at InQuest
  - Calculating Return-on-Investment
- Jeffrey Appel
  - Defender for Identity Response Actions
- Lawrence Abrams at BleepingComputer
- Lina Lau at Inversecos
  - Malicious Registry Timestamp Manipulation Technique: Detecting Registry Timestomping
- Michael Koczwara
  - Spring4Shell/RCE in Spring Core-Simple Analysis
- Microsoft Security
  - SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965
- Michael Gerard at Morphisec
  - The Cyber Threat Landscape for 2022
- Osama Elnaggar
  - Building a Threat Hunting Lab Using Elastic Stack and Vagrant – Part 1
- PhishLabs
  - 2022 Cyberthreat Defense Report
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, January 2022 (ENG)
- Paul Roberts at ReversingLabs
  - ConversingLabs Ep. 2: Conti pivots as ransomware as a service struggles
- RiskIQ
  - RiskIQ Threat Intelligence Roundup: Trickbot, Magecart, and More Fake Sites Targeting Ukraine
- SANS Internet Storm Center
  - jo, (Sun, Apr 3rd)
  - Emptying the Phishtank: Are WordPress sites the Mosquitoes of the Internet?, (Mon, Apr 4th)
  - Windows MetaStealer Malware, (Wed, Apr 6th)
  - WebLogic Crypto Miner Malware Disabling Alibaba Cloud Monitoring Tools, (Tue, Apr 5th)
  - What is BIMI and how is it supposed to help with Phishing., (Thu, Apr 7th)
  - Method For String Extraction Filtering, (Sat, Apr 9th)
  - Video: Method For String Extraction Filtering, (Sun, Apr 10th)
- Securelist
- Anusthika Jeyashankar at Security Investigation
  - Azure Sentinel for IT Security and its SIEM Architecture
- Securonix
- Pedro Tavares at Segurança Informática
  - Bank phishing? Yes, it is really real, and with a revamped ‘call center’
- Sekoia
- Symantec Enterprise
  - Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity
- Josh Hopkins at Team Cymru
  - MoqHao Part 2: Continued European Expansion
- Trend Micro
- UnderDefense
  - Russian Cybercriminals Spreading New Tricky Phishing Emails
- Stephane List and Abby Costin at VMware Security
  - How to hunt for Spring4Shell and Java Spring Vulnerabilities
UPCOMING EVENTS
- Cybereason
  - Webinar April 27th: Solving the Incident Response Data Problem
- WSDF 2022
  - The 15th International Workshop on Digital Forensics (WSDF 2022)
PRESENTATIONS/PODCASTS
- Ali Hadi
- Archan Choudhury at BlackPerl
  - Threat Hunting Tutorial- Day3, Hunt for LoLbas in Splunk, Intezer
- Black Hills Information Security
- BlueMonkey 4n6
  - Tips and Tricks – screen captures
- Brakeing Down Security Podcast
- Breaking Badness
  - 117. Fire in the Wall!
- Cellebrite
  - Exodus Road: Modernizing the Investigative Workflow
- Day Cyberwox
  - AWS Security Labs 5 – Stress Testing EC2 Instance to trigger CloudWatch Alarms
- Didier Stevens
- Digital Forensic Survival Podcast
  - DFSP # 320 – Lateral MM and Event Logs
- Down the Security Rabbithole Podcast
  - DtSR Episode 495 – Analyzing Russia’s Offensive Cyber Ops
- Hacker Valley Blue
  - Hacker Valley Blue – Intelligence At All Levels with John Stoner and Andy Piazza
- Heather Terry, Tom Kopchak and Meredith Kasper at Hurricane Labs
  - SOC Talk: Red Teaming for NECCDC
- InfoSec_Bret
  - SA – SOC164-114 – Suspicious Mshta Behavior
- John Hammond
- Magnet Forensics
- Marcus Hutchins
  - Tips for Getting Started in Cybersecurity
- MSAB
- Nextron Systems
  - Aurora Getting Started – Short 1
- NVISO Belgium
  - Analyzing a “multilayer” Maldoc: A Beginner’s Guide
- OALabs
  - What is a Breakpoint – Debugging Explained
- Radware
  - Threat Researchers Live: Ep 19
- SANS
  - 10 years of cyber threat intelligence: From Berkeley Lab and IEEE/ACM Supercomputing to Google
  - Lone Wolf Actors: How Ransomware Evolved into Freelance Work
  - Integrated Intelligence
  - CTI Summit Wrap Up Panel
  - Cloud Security for Beginners Part 3 Defending the Cloud
  - Black Swans, Gray Rhinos, and Pink Elephants: Why We Should Think More Slowly About Cybersecurity
  - Promoted from CISO to CIO
  - Hiring and Mentoring in 2022 | Seat at the Table
- Sumuri
  - RECON ITR Quick Tip: How the Heck do I Image this Mac?
- Tech & Main Presents
  - The Best Definition of Ransomware Ever | Ryan Chapman
- The ./havoc Podcast
  - The ./havoc Podcast – ModifiedElephant APT
- The Ransomware Files
  - Kaseya and REvil
- Uriel Kosayev
  - Ardamax Keylogger (Keylogger) – Part 3
- Watson Infosec
- Women Speak Cyber
  - Sharing Your Knowledge with special guest Shanna Daly
- Zeek in Action
  - Zeek in Action, Video 15, Revisiting NetFlow and Zeek Data
MALWARE
- Any.Run
  - MITM proxy and Fake net
- ASEC
- Atomic Matryoshka
  - Basic Static and Dynamic Analysis of Amadey Loader
- Blackberry
- Matt Muir at Cado Security
  - Cado Discovers Denonia: The First Malware Specifically Targeting Lambda
- Alex Shamshur and Raman Ladutska at Check Point Research
  - Google is on guard: sharks shall not pass!
- ClearSky Cyber Security
  - EvilNominatus Ransomware
- Esentire
- Fortinet
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #84: Array indexes
- Joakim Kennedy at Intezer
  - Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
- Mahmoud Morsy
- Ankur Saini, Hossein Jazi and Jérôme Segura at Malwarebytes Labs
  - Colibri Loader combines Task Scheduler and PowerShell in clever persistence technique
- Mars
  - WannaHusky Malware Analysis w/ YARA + TTPs
- Naufal Arkaan at MII Cyber Security
  - Deobfuscated Webshell Backdoor
- Michael Dereviashkin at Morphisec
  - CaddyWiper Analysis: New Malware Attacking Ukraine
- Nettitude Labs
  - Repurposing Real TTPs for use on Red Team Engagements
- Didier Stevens at NVISO Labs
  - Analyzing a “multilayer” Maldoc: A Beginner’s Guide
- OALABS Research
  - Emotet Deobfuscation
- Shimi Cohen, Inbal Shalev and Irena Damsky at Palo Alto Networks
  - New SolarMarker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns
- Pete Cowman at Hatching
  - Configuration Extractor Updates
- James Wilson and Andrew Mundell at Sophos
  - AMA #3: A look behind the curtain at SophosLabs
- ThreatFabric
  - Look out for Octo’s tentacles! A new on-device fraud Android Banking Trojan with a rich legacy
- Trend Micro
- Nipun Gupta at Zimperium
  - The State of Browser Extension Malware
- Avinash Kumar and Niraj Shivtarkar at ZScaler
  - FFDroider Stealer Targeting Social Media Platform Users
MISCELLANEOUS
- Surender Kumar at 4sysops
  - icacls: List, set, grant, remove, and deny permissions
- Anastasios Pingios
  - Ideas for Software Supply-Chain Attacks Simulation by Red Teams
- Belkasoft
  - These Chats are Not Mine! How Our Test Engineer Almost Went Crazy
- Blumira
- Bryantcabantac
  - Deploying Velociraptor in AWS using CloudFormation — Scaling forensic acquisition
- Chris Doman at Cado Security
  - Cado Security Extends Support To Serverless Environments
- Cassie Doemel at AboutDFIR
  - AboutDFIR Site Content Update 4/9/22
- Brian Dye at Corelight
  - Don’t trust. Verify with evidence.
- CrowdStrike
  - CrowdStrike’s First Employee and Pride ERG Executive Sponsor Hyacinth Diehl on International Transgender Day of Visibility
- Dragos
  - Upskill ICS/OT Cybersecurity in an IT world with Splunk’s BOTS Virtual Challenge
- Eric Conrad
  - untitled
- Forensic Focus
  - Authors Graeme Horsman and Brett Shavers on Defining Digital Forensics Expertise
  - eDiscovery Investigations in the Age of Remote Work
  - 20 Hidden Gems in Amped FIVE
  - MSAB Announces the First Major Release for 2022: XRY 10.1, XAMN 7.1 and XEC 7.1
  - Magnet Forensics Awards Scholarships to Help Advance Careers of Digital Investigators
  - New Free Tool from Magnet Forensics: MAGNET Apple Warrant Return Assistant
  - Python Scripting for File Filtering With FTK
- MSAB
  - MSAB offers accessible digital evidence tech with consent-based authorization to collect data at crime scenes
- Nik Alleyne at ‘Security Nik’
  - Installing & configuring Elasticsearch 8 and Kibana 8 on Ubuntu
- Marc Lean at Red Canary
  - Stay curious: Advice from infosec mentors
- SANS
- John Patzakis at X1
  - ILTA eDiscovery Survey Highlights Targeted ESI Collection as the Preferred Methodology
- NekochanSecurity555
  - [Certification exam] Passed Microsoft Security Operations Analyst (SC-200)
SOFTWARE UPDATES
- Brian Maloney
  - OneDriveExplorer v2022.04.06
- Cyber Triage
  - Cyber Triage 3.2.0
- DFIR IRIS
  - v1.4.1
- Didier Stevens
  - New Tool: myjson-filter.py
- Doug Metz at Baker Street Forensics
  - CSIRT-Collect Summit Edition
- Elcomsoft
  - Advanced Office Password Recovery: WordPerfect Office and Lotus SmartSuite support
- Erik Hjelmvik at Netresec
  - NetworkMiner 2.7.3 Released
- ExifTool
  - ExifTool 12.41
- Magnet Forensics
  - MAGNET Apple Warrant Return Assistant: Download Our Free Tool
- Maxim Suhanov
  - dfir_ntfs 1.1.13
- Metaspike
  - Forensic Email Intelligence v1.5
- MSAB
  - New release: XRY 10.1, XAMN 7.1 and XEC 7.1
- OSForensics
  - V9.1 Build 1012 6th April 2022
- Brittany Roberts at ADF
  - ADF launched more MacOS Forensics Capabilities to speed Triage
- Security Onion
  - Security Onion 2.3.110 20220407 Hotfix Now Available!
- Sigma
  - Sigmatools 0.20
- Christopher Maddalena at SpecterOps
  - Ghostwriter v2.3.0 & 2022 Road Map
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!