As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Andrew Malec
  - Security Patch/KB Install Date
- Arsenal Recon
  - Check out Arsenal Recon’s post
- Krzysztof Gajewski at CyberDefNerd
  - Easy way to prove that a file was downloaded by a web browser, having only $UsnJrnl logs.
- Digital Forensics Myanmar
- Joseph Moronwi at Digital Investigator
  - Image OSINT Investigations
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - In a Galaxy Far Far Away
- Vladimir Katalov at Elcomsoft
  - Apple TV 4K Keychain and Full File System Acquisition
- Forensafe
  - Investigating Machine SID
- Howard Oakley at ‘The Eclectic Light Company’
  - How to find it in the log: 1 An introduction
- Adithya Thatipalli at InfoSec Write-ups
  - TryHackMe — Antivirus
- Md. Abdullah Al Mamun
  - Threat Hunting Like A Detective
- Muhammed Aygün
  - PowerShell Forensics
- Nashid P
- RAT In Mi Kitchen
  - The Mystery of the HeapLeakDetection Registry Key
- Simson Garfinkel
  - 19 new DFIR CTF Scenarios at DigitalCorpora
THREAT INTELLIGENCE/HUNTING
- Vitali Kremez, Yelisey Boguslavskiy, and Marley Smith at Advanced Intelligence, LLC
  - Anatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion
- Anton Chuvakin
  - The Best Way to Detect Threats In the Cloud?
- Jan Vojtěšek at Avast Threat Labs
  - The Return of Candiru: Zero-days in the Middle East
- Avertium
  - TIR-20220718 Everything You Need to Know About the APT, Fancy Bear
- AWS Security
- Bitdefender
  - Bitdefender Threat Debrief | July 2022
- Bill Toulas at BleepingComputer
  - New Redeemer ransomware version promoted on hacker forums
- Brad Duncan at Malware Traffic Analysis
- Matt Lembright at Censys
  - Russian Ransomware C2 Network Discovered in Censys Data
- CERT Ukraine
  - Cyberattack on Ukrainian state organisations using the theme of Operational Command “South” and the AgentTesla malware (CERT-UA#4987)
- CERT-AGID
  - Report on the first half of 2022: malware campaigns double compared with 2021
  - Analysis and technical deep-dive on the Coper malware used to attack mobile devices
  - Techniques to simplify analysis of the GuLoader malware
  - Summary of malicious campaigns in the week of 16 – 22 July 2022
- Check Point Research
  - 18th July – Threat Intelligence Report
- Cisco’s Talos
- Anthony M. Freed at Cybereason
  - Ransomware Attacks by the Numbers – and How to Defend Against Them
- Cyberknow
  - DeaDNet Diary: A conversation with a Pro-Russian Hacktivist Group Leader.
- Cyberwarzone
  - XakNet claims hack on Ukrainian Metal Company
- Cyble
- Darktrace
- Dragos
  - Six Months Later: Assessing the OT and ICS Risks of the Log4j Vulnerability
- EclecticIQ
  - Save More Analyst Time and Effort with EclecticIQ Intelligence Center 2.13
- Abdelwahhab Satta at Elastic
  - How to build a Managed Detection and Response Service with Elastic XDR and Corelight
- Esentire
  - eSentire Threat Intelligence Malware Analysis: Gootloader and IcedID
- Fortinet
  - Ransomware Roundup: Protecting Against New Variants
- Billy Leonard at Google Threat Analysis Group
  - Continued cyber activity in Eastern Europe observed by TAG
- Hornet Security
  - Email Threat Review June 2022
- HP Wolf Security
  - The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back
- Matt Anderson at Huntress
  - Behind the Scenes: Crushing Cybercriminals with MAV
- InfoSec Write-ups
  - The more predictable you are, the less you get detected — hiding malicious shellcodes via Shannon…
- Intel471
  - Using cybercrime as cover: How Conti operators are lying low
- Intrusion Truth
- Jamf
  - CloudMensis malware stealing your joy? Jamf’s got you covered!
- Jason Ostrom
  - A Lab for Practicing Azure Service Principal Abuse
- Keysight
  - Looking into WebSocket Traffic in HAR Capture
- Kostas
  - Threat Hunting Series: The Threat Hunting Process
- Lacework
  - Identifying detection opportunities in cryptojacking attacks
- Lina Lau at Inversecos
  - Hunting for APT Abuse of Exchange
- Mandiant
  - Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
- Dominic Chell at MDSec
  - PART 1: How I Met Your Beacon – Overview
- Michael Haag
  - Top 5 reasons Atomic Red Team is for the 99% + 1%
- MITRE Engage™
  - Demand More From Engage than Just a Gold Star
- NTT Security Japan
- Palo Alto Networks
- Recorded Future
  - Amid Rising Magecart Attacks on Online Ordering Platforms, Recent Campaigns Infect 311 Restaurants Report
- Red Canary
- ReversingLabs
- Joshua Wright at SANS
  - Month of PowerShell – Working with the Event Log, Part 4 – Tweaking Event Log Settings
  - Month of PowerShell: Solving Problems (DeepBlueCLI, Syslog, and JSON)
  - Month of PowerShell – Using The Grouping Operator (a.k.a. What are all these ()?)
  - Month of PowerShell: Working with Kilobytes, Megabytes, and Gigabytes
  - Month of PowerShell – Recording Your Session with Start-Transcript
  - Month of PowerShell: Process Threat Hunting, Part 1
- SANS Internet Storm Center
  - Python: Files In Use By Another Process, (Sun, Jul 17th)
  - Adding Your Own Keywords To My PDF Tools, (Mon, Jul 18th)
  - Malicious Python Script Behaving Like a Rubber Ducky, (Wed, Jul 20th)
  - Requests For beacon.http-get. Help Us Figure Out What They Are Looking For, (Tue, Jul 19th)
  - Maldoc: non-ASCII VBA Identifiers, (Thu, Jul 21st)
  - An Analysis of a Discerning Phishing Website, (Fri, Jul 22nd)
  - Analysis of SSH Honeypot Data with PowerBI, (Sat, Jul 23rd)
  - Video: Maldoc: non-ASCII VBA Identifiers, (Sun, Jul 24th)
- Security Investigation
  - Shodan filters to Hunt Adversaries Infrastructure and C2
  - UEFI Persistence via WPBBIN – Detection & Response
  - Russia-linked APT29 uses Google Drive, and Dropbox to Evade – Detection & Response
  - New Luna ransomware targets Windows, Linux and ESXi systems
  - CVE-2022-33891 – Apache Spark Shell Command Injection – Detection & Response
- Securonix
  - Securonix Threat Labs Initial Coverage Advisory: STIFF#BIZON Detection Using Securonix – New Attack Campaign Observed Possibly Linked to Konni/APT37 (North Korea)
- Sekoia
  - Ongoing Roaming Mantis smishing campaign targeting France
- Shinigami
  - Empathy: The Way to Win Hearts and Minds in CTI
- Sucuri
- Symantec
  - LockBit: Ransomware Puts Servers in the Crosshairs
- Claire Tills at Tenable
  - Brazen, Unsophisticated and Illogical: Understanding the LAPSUS$ Extortion Group
- That Intel Blog
  - Actor types
- John Scott-Railton, Bill Marczak, Irene Poetranto, Bahr Abdul Razzak, Sutawan Chanprasert, and Ron Deibert at ‘The Citizen Lab’
  - GeckoSpy: Pegasus Spyware Used Against Thailand’s Pro-Democracy Movement
- Trellix
  - The Threat Report: Summer 2022
- Joelson Soares, Buddy Tancio, Erika Mendoza, Jessie Prevost, Nusrath Iqra at Trend Micro
  - Analyzing Penetration-Testing Tools That Threat Actors Use to Breach Systems and Steal Data
- UnderDefense
  - Russian APT vs CrowdStrike + MDR + Zimbra
- Thomas Roccia and Jean-pierre Lesueur at Unprotect project
  - Unprotect project
- Alvin Mwambi at Varonis
  - What Is SQL Injection? Identification & Prevention Tips
- Vicente Díaz at VirusTotal
  - Threat-landscape of Financial attacks
- Sneha Shekar at VMware Security
  - How Push Notifications are Abused to Deliver Fraudulent Links
- Zach Stanford
  - Hunting Windows Error Reporting
UPCOMING EVENTS
- Cellebrite
- Grayshift
  - Get Ready for the Next Big Reveal From Grayshift
- Magnet Forensics
- PhishLabs
  - Webinar: Quarterly Threat Trends & Intelligence – August 2022
- ResponderCON
  - Ransomware DFIR Con Agenda is Out
PRESENTATIONS/PODCASTS
- AhmedS Kasmani
  - Qakbot Dropper Analysis
- ArcPoint Forensics
- Black Hills Information Security
  - BHIS | Stopping Attacks With Cookies w/ BB King | 1-Hour
  - BHIS – Talkin’ Bout [infosec] News 2022-07-18
  - AASLR: LinkedIn Profile Reviews | Jason & Serena
  - AASLR: Intro to DLL Sideloading – Take 2
  - AASLR: Backdoors & Breaches Live w/ Ean Meyer
  - Talkin’ About Infosec News – 7/18/2022
  - BHIS | Stopping Attacks With Cookies | BB King | 1 Hour
- Breaking Badness
  - 127. Like Shooting Phish in a Barrel
- Chris Sienko at the Cyber Work podcast
  - Keeping your inbox safe: Real-life BEC attacks and email fraud careers | Guest John Wilson
- Cloud Security Podcast by Google
  - EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil
- Computer Crime Chronicles
  - Computer Crime Chronicles – Episode 6
- Cybereason
  - Malicious Life Podcast: Kurtis Minder – Ransomware Negotiations
- Digital Forensic Survival Podcast
  - DFSP # 335 – CRON
- Jess Garcia at DS4N6
  - [BLOG] UMA Summer Courses – Intelligent cyber threats and intelligence against cyber threats: Applying AI/ML in Threat Hunting, by Jess Garcia
- Gerald Auger at Simply Cyber
  - 🔴 Let’s Play Red v Blue, Head 2 Head Action!
- InfoSec_Bret
  - SA – SOC115-47 – Wscript.exe Usage as Dropper
- John Hubbard at ‘The Blueprint podcast’
  - Mark Orlando: Building a Stronger Blue Team
- LetsDefend
  - Web Application Security Career
- Linkcabin
  - Thoughts on future online manipulation
- Magnet Forensics
  - How to Conduct an eDiscovery Investigation
  - Respond to Security Events Faster with the Magnet Forensics Product Ecosystem
- MalGamy
  - Manual Unpacking QuasarRAT
- SANS Cloud Security
- SANS Institute
  - Detection-In-Depth: Out of Band Monitoring for Critical Process Parameters – Gus Serino
  - I Can’t Get That Out of My Memory! A PLC’s Story About Love, Loss, and Triumph – Jeffrey Shearer
  - Making Use of All Those SBOMs – Eric Byrnes
  - Board Room Decisions: How to Use Threat-Informed Industrial Risk Management – Jason Christopher
  - The Anatomy of a Targeted Industrial Ransomware Attack
- The Defender’s Advantage Podcast
  - Skills Gap: Looking Beyond the Unicorn Candidate
- Velocidex Enterprises
  - DFRWS USA 2022
- X-Ways Software Technology
  - Excire PhotoAI for X-Ways Forensics
MALWARE
- ASEC
- Axelarator
- Xusheng Li at Binary Ninja
  - Reverse Engineering a Cobalt Strike Dropper With Binary Ninja
- CISA Analysis Reports
  - MAR-10382580-r2.v1 – RAT
- Dominik at R136a1
  - A look into APT29’s new early-stage Google Drive downloader
- Doug Burks at Security Onion
  - Quick Malware Analysis: Emotet with Cobalt Strike pcap from 2022-07-07
- Xiaopeng Zhang at Fortinet
  - New Variant of QakBot Being Spread by HTML File Attached to Phishing Emails
- Igor Skochinsky at Hex Rays
- Ryan Robinson at Intezer
  - Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware ⚡
- Johannes Bader
  - A DGA Seeded by the Bitcoin Genesis Block
- Malwarebytes Labs
  - Google ads lead to major malvertising campaign
- Didier Stevens and Sasja Reynaert at NVISO Labs
  - Analysis of a trojanized jQuery script: GootLoader unleashed
- Pete Cowman at Hatching
  - Triage Thursday Ep. 81
- petikvx
- Dmitry Galov, Jornt Van Der Wiel, Marc Rivero, and Sergey Lozhkin at Securelist
  - Luna and Black Basta — new ransomware for Windows, Linux and ESXi
- Jim Walter & Aleksandar Milenkoski at SentinelLabs
  - LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques
- Colin Cowie and Gabor Szappanos at Sophos
  - OODA: X-Ops Takes On Burgeoning SQL Server Attacks
- SpecterOps
- Łukasz
- Marc-Etienne M.Léveillé at WeLiveSecurity
  - I see what you did there: A look at the CloudMensis macOS spyware
- Viral Gandhi and Himanshu Sharma at ZScaler
  - Joker, Facestealer and Coper banking malwares on Google Play store
- Padvish Malware Threat Database
  - Trojan.Android.SmsSpy.Sinab
MISCELLANEOUS
- Jessica Hyde at Hexordia and Magnet Forensics
  - DFIR: What is Digital Forensics and Incident Response?
- Adam at Hexacorn
- Any.Run
  - How to Use a Sandbox for Malware Analysis Training
- Belkasoft
  - Sneak peek of Belkasoft X v.1.14
- Brett Shavers at ‘The X-Ways Forensics Practitioner’s Guide/2E’
  - Getting bang for your buck
- Jean Schaffer at Corelight
  - The best defense is great evidence
- Doug Burks at Security Onion
  - Security Onion Documentation printed book now updated for Security Onion 2.3.140!
- Doug Metz at Baker Street Forensics
  - AXIOM, YARA, GitHub – Oh My!
- Dragos
  - OT Cybersecurity for IT Professionals: 5 Things OT Wants IT to Know
- Elan at DFIR Diva
  - Site Updates, Events, and My Myeloma Diagnosis
- Emma at ‘The Forgotten Nook’
- Forensic Focus
- Inginformatico
- Kim Zetter at ‘Zero Day’
  - Is the Secret Service’s Claim About Erased Text Messages Plausible? (Updated)
- Magnet Forensics
- MSAB
  - Interim Report Q2, April – June 2022
- Robin Moffatt
  - How to Write a Good Tech Conference Abstract – Learn from the Mistakes of Others
- Ryan Campbell at ‘Security Soup’
- Salvation DATA
- Vishal Thakur
  - AWS CLI
SOFTWARE UPDATES
- Acelab
  - The PC-3000 Mobile Software Update Ver. 2.2 is Available
- ANSSI
  - DFIR-ORC v10.1.2
- Cellebrite
  - Now Available: Cellebrite Inspector 10.6
- Costas K
  - PrefetchBrowser
- Didier Stevens
- Doug Burks at Security Onion
- Elcomsoft
  - Elcomsoft iOS Forensic Toolkit 8.0 beta 11 adds iOS 15.6 RC support
- ExifTool
  - ExifTool 12.44
- Matthew Turner
  - DFIR-OpenVHD
- Metaspike
  - Forensic Email Intelligence v1.8 Release Notes
- Mihari
  - v4.7.3
- MobilEdit
  - MOBILedit Forensic 9.0 released!
- OSForensics
  - V10.0 Build 1001 22nd July 2022
- Oxygen Forensics
  - Oxygen Forensic® Detective v.14.6
- Regipy
  - 3.0.2
- Xways
- Yamato Security
  - Hayabusa v1.4.2 🦅
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!