As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Belkasoft
  - Dealing with encryption within digital forensic and cyber incident response investigations
- Krzysztof Gajewski at CyberDefNerd
  - Artifacts that you have never analyzed before… namely ETL files.
- Digital Forensics Myanmar
- Michael Karsyan at Event Log Explorer blog
  - Working with disk images in Forensic Edition
- Forensafe
  - Investigating Windows Run MRU
- Kyle Song
  - Blog #33: Dumping Data from Spycam with ADB
- Oleg Afonin at Elcomsoft
- Oxygen Forensics
  - New to Oxygen Forensic® Detective: Craigslist
- Sumuri
  - Booting Is Back Baby!
- The DFIR Report
  - Quantum Ransomware
THREAT INTELLIGENCE/HUNTING
- 4rchib4ld Victory Road
  - Turla, the Snake of Attribution
- Andy Piazza
  - Goldilocks CTI: Building a Program That’s Just Right
- Anomali
  - Anomali Cyber Watch: Gamaredon Delivers Four Pterodos At Once, Known-Plaintext Attack on Yanlouwang Encryption, North-Korea Targets Blockchain Industry, and More
- Anton Chuvakin
  - 20 Years of SIEM Webinar Q&A
- Avertium
  - An In-Depth Look at Data Extortion Group, Lapsus$
- Binary Defense
  - Detecting Ransomware’s Stealthy Boot Configuration Edits
- Martin Zugec at Bitdefender
- Blackberry
  - Threat Thursday: BoratRAT
- BleepingComputer
- Erica Mixon at Blumira
  - Understanding Microsoft 365 Impossible Travel Rules
- Brad Duncan at Malware Traffic Analysis
- Brandon DeVault
  - Threat Hunting: Network Hunting
- CERT Ukraine
  - Cyberattack by the UAC-0056 group using the GraphSteel and GrimPlant malware and COVID-19 themes (CERT-UA#4545)
  - Investigation of DDoS attacks carried out through websites compromised with the malicious JavaScript code BrownFlood (CERT-UA#4553)
  - Malicious JavaScript-code BrownFlood injected into web-sites used for DDoS attacks (CERT-UA#4553)
  - Cyberattack by the UAC-0098 group on Ukrainian government bodies using the Metasploit framework (CERT-UA#4560)
  - On the exchange of information about cyber threats
- CERT-AGID
  - Summary of the malicious campaigns in the week of 23 – 29 April 2022
- Check Point
- Cisco’s Talos
- Cluster25
  - THE LOTUS PANDA IS AWAKE, AGAIN. ANALYSIS OF ITS LAST STRIKE.
- Cofense
- Janani Nagarajan at CrowdStrike
  - Falcon Fusion Accelerates Orchestrated and Automated Response Time
- Cybereason
- Cyble
  - Emotet Returns With New TTPs And delivers .lnk files to its victims
- Cyborg Security
  - Tarrak Malware
- David Barroso at Countercraft
  - Mapping ATT&CK techniques to Engage activities
- Dragos
  - Responding to CHERNOVITE’s PIPEDREAM with Dragos Global Services
- Elastic
- FourCore
  - Colibri Loader’s Unique Persistence Technique Using Get-Variable Cmdlet
- Harshit Rajpal at Hacking Articles
  - Process Herpaderping (Mitre:T1055)
- Intel471
  - Conti and Emotet: A constantly destructive duo
- Intezer
  - Top Cyber Threats to the Manufacturing Sector
- Lina Lau at Inversecos
  - Defence Evasion Technique: Timestomping Detection – NTFS Forensics
- Mandiant
- McHughSecurity
  - Feeding Analysis Information Leak (AIL) Framework
- Microsoft Security
  - Microsoft finds new elevation of privilege Linux vulnerability, Nimbuspwn
- Adam Pennington and Jason Ajmo at MITRE ATT&CK
  - ATT&CK Goes to v11
- Stanley Barr Ph.D., Dylan Hoffmann, and Maretta Morovitz at MITRE Engage™
  - The Process of Adversary Engagement
- Kellyn Wagner Ramsdell and Ingrid Skoog at MITRE-Engenuity
  - Building a Threat-Informed Defense at ATT&CKcon 3.0
- David Brown, Michael Matthews and Rob Smallridge at NCC Group
  - LAPSUS$: Recent techniques, tactics and procedures
- Lenny Conway at OpenText
  - Dissecting Netwire Remote Access Trojan (RAT) behavior on an infected endpoint
- PhishLabs
  - Qbot Payloads Dominate Q1
- Proofpoint
- Red Alert
  - Hacking activity of SectorD Group in 2021
- SANS Internet Storm Center
  - WSO2 RCE exploited in the wild, (Tue, Apr 26th)
  - MITRE ATT&CK v11 – a small update that can help (not just) with detection engineering, (Wed, Apr 27th)
  - Using Passive DNS sources for Reconnaissance and Enumeration, (Fri, Apr 29th)
  - A Day of SMB: What does our SMB/RPC Honeypot see? CVE-2022-26809, (Thu, Apr 28th)
- Christopher Peacock and Jorge Orchilles at Scythe
  - SCYTHE Presents: Operationalizing Red Canary’s 2022 Threat Detection Report
- Securelist
  - APT trends report Q1 2022
- Secureworks
  - BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX
- Security Intelligence
- Security Investigation
- SOC Fortress
  - Observability and Security Monitoring in Containers and Containerized Applications
- Sally Adam at Sophos
  - The State of Ransomware 2022
- Steve Miller and Silas Cutler at Stairwell
  - The origin story of APT32 macros: The StrikeSuit Gift that keeps giving
- Symantec Enterprise
- Tareq Alkhatib
  - An Introduction To The Current Threat Landscape
- That Intel Blog
  - Post #2 Intelligence Life Cycle – Collection
- Edwin David at TrustedSec
  - Defending the Gates of Microsoft Azure With MFA
- Trustwave SpiderLabs
  - Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine
- Darshan Rana at VMware Security
  - Serpent – The Backdoor that Hides in Plain Sight
UPCOMING EVENTS
- Brian DiPisa and Mark DiMinico at Cado Security
  - Cado Response In Action: Investigating ECS Fargate
- Cellebrite
  - How Open-source Intelligence is Key to Your Investigations. Cellebrite OSINT Solutions
- Cybereason
  - Cybereason and Google Cloud: This is XDR Tour
- Griffeye
  - Webinar: Weeding out the noise – Part 1 (The power of intelligence databases)
- Magnet Forensics
  - Key Findings from Magnet Forensics’ Annual Survey of Enterprise DFIR Professionals
- Arman Gungor at Metaspike
  - Email Forensics Workshop — 2022 CTF Solutions — Part 2
PRESENTATIONS/PODCASTS
- Archan Choudhury at BlackPerl
  - Threat Hunting Tutorial- Day 4, Hunting in Memory and @Scale
- Black Hills Information Security
- BlueMonkey 4n6
  - Redundant Array of Independent Disks (RAID) – forensic imaging and re-assembly
- Cybereason
  - Malicious Life Podcast: MITRE Attack Flow Project
- Digital Forensic Survival Podcast
  - DFSP # 323 – SRUM
- Dump-Guy Trickster
  - VoiceC2 POC – Using Speech Recognition
- Hacker Valley Blue
  - Hacker Valley Blue – First ATT&CK, Now MITRE D3FEND With Tyson Supasatit
- InfoSec_Bret
  - SA – SOC114-45 – Malicious Attachment Detected – Phishing Alert
- Justin Tolman at AccessData
  - FTK Feature Focus – Episode 41 – Project CAID
- Kevin Pagano at Stark 4N6
  - Forensic Happy Hour – Pour Me Another Round
- Logz.io
  - Accelerating Your Incident Response Workflow
- Magnet Forensics
- Paraben Corporation
  - Processing iOS Device-iPhone 13
- Richard Frawley at ADF
  - Logical AFF4 Imaging: Triage and Logical Image of Mac M1
- Salvation DATA
  - Using SPF Pro For Corrections
- SANS Cloud Security
  - CloudWars: Episode III – Revenge of the Hacks
- SANS Institute
- SecurityNinja
  - ThreatGEN Red vs Blue 1.8 Revisit
- Sumuri
- The Ransomware Files
  - The Ransomware Files (Trailer)
MALWARE
- 0day in {REA_TEAM}
  - A Deep Dive into Zloader – the Silent Night
- ASEC
- Atomic Matryoshka
  - Emotet DLL Part 1: Static Analysis
- CISA Analysis Reports
- CodeColorist
  - Photographers WannCry (2017)
- Cyber Geeks
  - Reverse Engineering PsExec for fun and knowledge
- Cyble
  - Dissecting Saintstealer
- Eli Salem
  - The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection
- Erik Hjelmvik at Netresec
  - Industroyer2 IEC-104 Analysis
- Gergely Revay at Fortinet
  - An Overview of the Increasing Wiper Malware Threat
- Herbie Zimmerman at “Lost in Security”
  - 2022-04-22 Emotet Malspam Using Excel 4 Macro
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #87: Function chunks and the decompiler
- Muhammad Hasan Ali
  - Full RedLine malware analysis
- Mike Stokkel, Nikolaos Totosis and Nikolaos Pantazopoulos at NCC Group
  - Adventures in the land of BumbleBee – a new malicious loader
- Didier Stevens at NVISO Labs
  - Analyzing VSTO Office Files
- Mark Lim at Palo Alto Networks
  - Defeating BazarLoader Anti-Analysis Techniques
- Pete Cowman at Hatching
  - Emotet x64 and Other Updates
- Brenton Morris at ProferoSec
  - Static unpacker and decoder for Hello Kitty Packer
- Security Onion
  - Quick Malware Analysis: Emotet Epoch 4 with Cobalt Strike and Spambot traffic pcap from 2022-03-01
- James Haughom, Júlio Dantas, and Jim Walter at SentinelLabs
  - LockBit Ransomware Side-loads Cobalt Strike Beacon with Legitimate VMware Utility
- Tony Lambert
  - Shortcut to Emotet, an odd TTP change
- Daniel Lunghi and Jaromir Horejsi at Trend Micro
  - New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware
- VinCSS
- Alexandre Côté Cyr and Matthieu Faou at WeLiveSecurity
  - A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity
- ZScaler
MISCELLANEOUS
- Andrew Rathbun at Kroll
  - KAPE Quarterly Update – Q1 2022
- 3CORESec
  - 3CORESec ONE & MDR are now LIVE!
- Any.Run
  - Expert Q&A: Ali Hadi, Champlain College
- Belkasoft
  - Nominate Belkasoft in the 2022 Forensic 4:cast Awards
- Brett Shavers at ‘The X-Ways Forensics Practitioner’s Guide/2E’
- Cisco’s Talos
  - Researcher Spotlight: Liz Waddell, CTIR practice lead
- Joshua I. James at DFIRScience
  - Chainalysis Crypto Capstone
- Flashpoint
  - Definitive Guide to Ransomware: What It Is and How Your Organization Can Prevent, Detect, and Respond to a Ransomware Attack
- Forensic Focus
- Magnet Forensics
  - Modern Digital Forensic Tools: How New Tools Cut through the Noise to Find Evidence
- MSAB
  - Interim report Q1, January – March 2022
- NVISO Labs
  - Cortex XSOAR Tips & Tricks – Execute Commands Using The API
- Peri Storey at OpenText
  - The superman of digital investigations
- Carlos Canto at Rapid7
  - Velociraptor Version 0.6.4: Dead Disk Forensics and Better Path Handling Let You Dig Deeper
- Salvation DATA
  - How to Set Up a Digital Forensic Lab?
- SANS
- Secureworks
  - SOC Operations: The XDR Attributes that Matter
- Security Intelligence
- Security Onion
  - Security Onion Documentation printed book now updated for Security Onion 2.3.120!
- Vishal Thakur
  - The Science Of Engineering Malware
- Xavier Mertens at /dev/random
SOFTWARE UPDATES
- David Spreadborough at Amped
  - Amped FIVE Update 24474: Undo / Redo, New Encoding Options, Timestamp Playback, and Much More
- Belkasoft
  - Belkasoft Triage T v.1.2 is released!
- Didier Stevens
  - Update: oledump.py Version 0.0.65
- Elcomsoft
  - iOS Forensic Toolkit Update supports iPhone 13
- Magnet Forensics
  - Stream_db_I_e4 Filesystem Support Now Available in DVR Examiner 3.1.5
- Joachim Metz at Open Source DFIR
  - Plaso 20220428 released
- Security Onion
  - Security Onion 2.3.120 now available including improvements for Cases, Analyst Desktop, IDH, and much more!
- Xways
  - X-Ways Forensics 20.5 SR-1
- YARA
  - YARA v4.2.1
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!