As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Patrick Bennett at CrowdStrike: The Call Is Coming from Inside the House: CrowdStrike Identifies Novel Exploit in VOIP Appliance
- Cyber Social Hub: How To Use ExifTool To Look At Metadata
- Digital Forensics Myanmar
- Elcomsoft
- Emma at ‘The Forgotten Nook’: Magnet Forensics June 2022 CTF – Linux
- Michael Karsyan at Event Log Explorer blog: Event Log Explorer Forensic Edition – working with damaged logs or disks
- Falcon Guard: Acquiring Forensic Artifacts with Falcon Uploader and Amazon S3 Buckets
- Forensafe
- Heather Mahalik at Cellebrite: Part 1: CTF 2022 Write Up – Marsha’s PC
- Kevin Pagano at Stark 4N6
- Microsoft 365 Security: How do I approach a technical topic? – Packet Capture (Part 1)
- Shanna Daly at ‘Fancy Forensics’: ACSC BSides IR Challenge 2021 – 08 – Alternate Persistence
THREAT INTELLIGENCE/HUNTING
- Anastasios Pingios: The forgotten SUAVEEYEFUL FreeBSD software implant of the EQUATION GROUP
- Anomali
- AttackIQ: Response to US-CERT Alert (AA22-174A): Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
- Avertium: An In-Depth Look at Chinese APT, Aoqin Dragon
- Brad Duncan at Malware Traffic Analysis: 2022-06-21 – aa distribution Qakbot with DarkVNC and Cobalt Strike
- CERT Ukraine
  - APT28 group cyberattack using the CredoMap malware (CERT-UA#4843)
  - UAC-0098 group cyberattack on critical infrastructure facilities of Ukraine (CERT-UA#4842)
  - Cyberattacks by China-associated groups against Russian scientific and technical enterprises and state bodies (CERT-UA#4860)
  - Cyberattack against Ukrainian telecommunications operators using the DarkCrystal RAT malware (CERT-UA#4874)
- Summary of malicious campaigns in the week of 18 – 24 June 2022
- Check Point Research
- Cisco’s Talos
- Cleafy: BRATA is evolving into an Advanced Persistent Threat
- Greg Darwin at Cobalt Strike Research and Development: Arsenal Kit Update: Thread Stack Spoofing
- Covertshell: Threat Hunting | Qbot (a.k.a Qakbot or Quakbot or Pinkslipbot)
- CyberCX: Threat Advisory. Russian travel sanctions against an additional 121 Australians: Impacts for Australian organisations’ cyber risk
- Cybereason
- Cyble
- Cyborg Security: Qakbot
- Kevin Libby at DomainTools: Timing Is Everything
- Eclypsium: May Firmware Threat Report
- Esentire: Socgholish to Cobalt Strike in 10 Minutes
- Gianni Castaldi at Kusto King: Detecting the DFSCoerce attack
- Benoit Sevens and Clement Lecigne at Google Threat Analysis Group: Spyware vendor targets users in Italy and Kazakhstan
- Drew Schmitt at GuidePoint Security
- Intel471: The 7 common traits among highly successful cybercriminals: Part I
- Lacework: Kubernetes tools are helpful for your team and sadly, your attacker
- Lina Lau at Inversecos: Detecting Linux Anti-Forensics Log Tampering
- LockBoxx: Bootcamp #24: Writing an Alert
- Marco Ramilli: Cyber Threats Tracker: Status Update
- Matt Zorich at Microsoft Sentinel 101: KQL lessons learnt from #365daysofKQL
- Evgeny Bogokovsky and Andrey Karpovsky at Microsoft Security: Detecting malicious key extractions by compromised identities for Azure Cosmos DB
- MITRE-Engenuity
- NVISO Labs: Cortex XSOAR Tips & Tricks – Creating indicator relationships in automations
- PhishLabs: Q1 Phishing Volume Consistent, Up Over Q4
- Praetorian
- Proofpoint: How Threat Actors Hijack Attention: The 2022 Social Engineering Report
- Harshal Tupsamudre at Qualys: Defending Against Scheduled Task Attacks in Windows Environments
- Red Canary: Intelligence Insights: June 2022
- Justin Palk at Red Siege Information Security: Creating a Simple Windows Domain for Offensive Testing: Part 4
- SANS Internet Storm Center
  - Malicious PowerShell Targeting Cryptocurrency Browser Extensions, (Wed, Jun 22nd)
  - Experimental New Domain / Domain Age API, (Tue, Jun 21st)
  - FLOSS 2.0 Has Been Released, (Thu, Jun 23rd)
  - Python (ab)using The Windows GUI, (Fri, Jun 24th)
  - Malicious Code Passed to PowerShell via the Clipboard, (Sat, Jun 25th)
- Securelist
- Security Investigation
  - Weird Trick to Block Password-Protected Files to Combat Ransomware
  - Anatomy Of An Advanced Persistent Threat Group
  - New Aggah Campaign returns with new TTPS – Detection & Response
  - Russia’s APT28 Launches Follina Exploit Campaign
  - IcedID Banking Trojan returns with new TTPS – Detection & Response
  - MITRE D3FEND Knowledge Guides to Design Better Cyber Defenses
- Vikram Navali at SentinelOne: Detecting Unconstrained Delegation Exposures in AD Environment
- John Shier at Sophos: Active Adversary Playbook 2022 Insights: Web Shells
- Stefano Chierici at Sysdig: How to detect the containers’ escape capabilities with Falco
- Satnam Narang at Tenable: Understanding the Ransomware Ecosystem: From Screen Lockers to Multimillion-Dollar Criminal Enterprise
- David Harrington at Varonis: Ryuk Ransomware: Breakdown and Prevention Tips
- Josue Ledesma at Varonis: Evil Twin Attack: What It Is, How to Detect & Prevent It
- Andy Gill at ZeroSec: Azure Attack Paths: Common Findings and Fixes (Part 1)
UPCOMING EVENTS
- Celeste Bishop and Charles Goldberg at AWS Security: AWS re:Inforce 2022: Threat detection and incident response track preview
- CCL Solutions: RabbitHole webinars – Registration now open
- Fitri Talhah and Frederick Huang at Cellebrite: Exclusive upgrades that will dramatically speed up investigations
- Countercraft: {Webinar} BPFDoor and So Much More: An Analysis of Linux Network Passive Backdoors
- Magnet Forensics
- Alexa Rzasa at Mandiant: Attack Surface Management Identifies Critical Issues
- Rianna MacLeod at Sucuri: 2021 Threat Report Webinar
PRESENTATIONS/PODCASTS
- Jessica Hyde at Hexordia: What is Digital Forensics
- Ali Hadi
- Archan Choudhury at BlackPerl: Linux Memory Analysis with Volatility – 101, Compromised Linux System
- Black Hat
- Black Hills Information Security
- Cloud Security Podcast by Google: EP71 Attacking Google to Defend Google: How Google Does Red Team
- InfoSec_Bret: SA – SOC167-117 – LS Command Detected in Requested URL
- John Hammond: TEARING DOWN the DOMAIN CONTROLLER (Active Directory #04)
- Magnet Forensics
- Paraben Corporation
- SANS Cloud Security
- SANS Institute
- Sumuri: How Apple Metadata Can Help Your Investigations
- The Defender’s Advantage Podcast: Skills Gap: Bridging the Skills Gap
- The Ransomware Files: Travelex
- Uriel Kosayev: Red Team – Supply Chain Edition
MALWARE
- ASEC
- CISA Analysis Reports
- Cryptax: Tracking Android/Joker payloads with Medusa, static analysis (and patience)
- Didier Stevens
- Esentire: eSentire Threat Intelligence Malware Analysis: PINGPULL RAT
- Igor Skochinsky at Hex Rays: Igor’s tip of the week #95: Offsets
- Pedram Amini at InQuest: Follina, the Latest in a Long Chain of Microsoft Office Exploits
- Lab52: MuddyWater’s “light” first-stager targetting Middle East
- Malware Hell
- Malwarebytes Labs
- Lakshya Mathur at McAfee Labs: Rise of LNK (Shortcut files) Malware
- OALABS Research: Matanbuchus Triage Notes
- Mark Lim and Riley Porter at Palo Alto Networks: There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families
- Pete Cowman at Hatching: BumbleBee Fix and New Extractors
- petikvx
- Giampaolo Dedola at Securelist: APT ToddyCat
- Ax Sharma at Sonatype
- Mohamed Ashraf at XJunior
MISCELLANEOUS
- Adrian at ‘Agood cloud’: Docker Config: Thehive5 with Cortex and n8n
- Anton Chuvakin: Does the World Need Cloud Detection and Response (CDR)?
- Breachquest: Introducing…..Percy Alexander
- Brett Shavers: The spark of a book
- Cloudflare
- Forensic Focus
  - A Systematic Approach to Understanding MACB Timestamps on Unixlike Systems
  - Detego Global and Forensic Computers Inc. Team Up to Deliver Two Specialist Webinars
  - Register for Webinar: GrayKey Passcode History File and Hashcat (Law Enforcement Only)
  - Quantifying Data Volatility for IoT Forensics With Examples From Contiki OS
  - Digital Forensics Research Update: May 2022
  - Magnet REVIEW 4.0: Helping You Bring Investigators and Their Evidence Together
- Jamf: What is Endpoint Detection and Response (EDR)?
- Elli at Misconfig
- ADF
- Robert Giczewski: How to install yara from source on macOS Monterey (M1)
- Ryan Campbell at ‘Security Soup’: Weekly News Roundup — June 12 to June 18
- Michelle Petersen at SANS: That’s a Wrap! Looking Back on SANS at RSAC 2022
SOFTWARE UPDATES
- ANSSI DFIR-ORC: v10.1.1
- Atola: Atola Insight Forensic 5.2.1
- Cado Security: Cado Security Unveils Cross Cloud Support to Streamline Cloud Investigations
- Elcomsoft: Elcomsoft iOS Forensic Toolkit 8.0 beta 9 adds checkm8 extraction of 14 iPad and iPod Touch devices
- Eric Zimmerman: ChangeLog
- Foxton Forensics: Browser History Examiner — Version History – Version 1.16.9
- Hasherezade: pe-bear 0.5.5.4
- Magnet Forensics: Magnet REVIEW 4.0: Helping You Bring Investigators and Their Evidence Together
- William Ballenthin, Moritz Raabe, and Blaine Stancill at Mandiant: FLOSS Version 2.0
- radare2: radare2 5.7.2
- Rapid7: Velociraptor Version 0.6.5: Table Transformations, Multi-Lingual Support, and Better VQL Error-Handling Let You Dig Deeper Than Ever
- Martin Korman: Regipy 2.5.4
- Rizin: cutter v2.1.0-rc2
- Xways: X-Ways Forensics 20.6 Preview 7
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!