As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Andrew Rathbun
  - Windows 10 vs. Windows 11, What Has Changed?
- Cyber Triage
  - What is a Microsoft Office Most Recently Used Artifact “MRU”
- Joseph Moronwi at Digital Investigator
  - Windows Memory Dump Analysis With Volatility
- Doug Metz at Baker Street Forensics
  - Magnet 2022 CTF – iOS15
- Vladimir Katalov at Elcomsoft
  - checkm8 Extraction: iPhone 7
- Elizabeth McPherson at Hexordia
  - Jailbreaking iPhone XR with unc0ver
- Forensafe
  - Investigating USN Journal
- Howard Oakley at ‘The Eclectic Light Company’
  - How to find it in the log: 2 Navigation
- Rachel Bishop at Huntress
  - Practical Tips for Conducting Digital Forensics Investigations
- Jonathan Johnson and Brian Donohue
  - Better know a data source: Logon sessions
- Muhammed Aygün
  - Recycle Bin Forensics ($RecycleBin Analysis)
- N00b_H@ck3r
  - CyberDefenders: GrabThePhisher
- NixIntel
  - Six Tools To Help With Geolocation
- Oxygen Forensics
  - Wondershare backup import in Oxygen Forensic® Detective
- Scott Koenig at ‘The Forensic Scooter’
  - How to find iOS Hidden Assets
THREAT INTELLIGENCE/HUNTING
- Anomali
- Antonio Piazza
  - Careful Who You Colab With:
- Atomic Matryoshka
  - Precious Metals: Golden and Silver Ticket Attacks
- AttackIQ
  - Leveraging the MITRE ATT&CK framework to build a threat-informed defense
- Avertium
  - Healthcare Ransomware Threats – MedusaLocker & Maui
- Martin Zugec at Bitdefender
  - No More Ransom – Six Years of Innovating to Fight Ransomware Together
- Bill Toulas at BleepingComputer
  - QBot phishing uses Windows Calculator sideloading to infect devices
- Brad Duncan at Malware Traffic Analysis
- CERT Ukraine
  - Mass distribution of stealers (Formbook, Snake Keylogger) and use of the RelicRace/RelicSource malware as a delivery mechanism (CERT-UA#5056)
  - Cyberattacks by the UAC-0010 (Armageddon) group using the GammaLoad.PS1_v2 malware (CERT-UA#5003,5013,5069,5071)
  - Online fraud using the theme of “aid from the Red Cross” (CERT-UA#5063)
- CERT-AGID
  - Summary of malicious campaigns in the week of 23 – 29 July 2022
- Check Point Research
- Cisco’s Talos
- Coveware
  - Fewer Ransomware Victims Pay, as Median Ransom Falls in Q2 2022
- Cybereason
- Cyberknow
  - AiDLocker Ransomware: Blurred Lines Between Cyber-Crime And Hacktivists Increasing.
- Cyberwarzone
- Cyble
- Darktrace
- Eclypsium
  - Yet Another Uefi Bootkit Discovered: Meet CosmicStrand
- Andrew Pease at Elastic
  - KNOTWEED Assessment Summary
- ENISA
  - Ransomware: Publicly Reported Incidents are only the tip of the iceberg
- Esentire
  - Threat Advisory: Hackers Are Selling Access to MSPs
- Harlan Carvey at Huntress
- Intel471
  - How cybercriminals are using messaging apps to launch malware schemes
- Intrusion Truth
  - Chinese APTs: Interlinked networks and side hustles
- Thibault Van Geluwe De Berlaere, Jay Christiansen, Daniel Kapellmann Zafra, Ken Proska, and Keith Lunden at Mandiant
  - Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers
- Dominic Chell at MDSec
  - PART 2: How I Met Your Beacon – Cobalt Strike
- Microsoft Security
- Dr. Desiree Beck, Michael Butt, and Ingrid Skoog at MITRE-Engenuity
  - Research Partnership explores Cloud Analytics
- Nasreddine Bencherchali
  - Persistence Using Windows Terminal “Profiles”
- Palo Alto Networks
- Pavel Shabarkin
  - GSuite domain takeover through delegation
- Proofpoint
  - How Threat Actors Are Adapting to a Post-Macro World
- PwC
  - Old cat, new tricks, bad habits
- Viren Chaudhari at Qualys
  - New Qualys Research Report: Evolution of Quasar RAT
- Mrigank Tyagi at Quick Heal
  - PowerShell: An Attacker’s Paradise
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, June 2022 (KOR)
- Alex Spiliotes at Red Canary
  - The value of a unified threat timeline
- ReversingLabs
  - New Features for the A1000, version 6.4
- SANS
  - Month of PowerShell – The Curious Case of AD User Properties
  - Month of PowerShell: Process Threat Hunting, Part 2
  - Month of PowerShell – PowerShell Version of Keeper (Save Useful Command Lines)
  - Month of PowerShell: Fileless Malware with Get-Clipboard
  - Month of PowerShell – PowerShell Remoting, Part 1
  - Month of PowerShell – Renaming Groups of Files
  - Month of PowerShell – PowerShell Remoting, Part 2
- SANS Internet Storm Center
  - PowerShell Script with Fileless Capability, (Mon, Jul 25th)
  - How is Your macOS Security Posture?, (Tue, Jul 26th)
  - ISC Stormcast For Tuesday, July 26th, 2022 https://isc.sans.edu/podcastdetail.html?id=8102, (Tue, Jul 26th)
  - IcedID (Bokbot) with Dark VNC and Cobalt Strike, (Wed, Jul 27th)
  - Exfiltrating Data With Bookmarks, (Thu, Jul 28th)
  - PDF Analysis Intro and OpenActions Entries, (Fri, Jul 29th)
  - Wireshark 3.6.7 Released, (Sat, Jul 30th)
- Kristen Cotten, Jake Williams, and Christopher Peacock at Scythe
  - SCYTHE Presents: Threat Emulation: Qakbot
- Securelist
  - APT trends report Q2 2022
- Vignesh Bhaaskaran at Security Investigation
  - Qbot TTP Compilation – External Old Emails Hijacking to New Malicious LNK Files
- Sekoia
  - SEKOIA.IO Mid-2022 Ransomware Threat Landscape
- Julio Dantas, James Haughom and Julien Reisdorffer at SentinelOne
  - Living Off Windows Defender | LockBit Ransomware Sideloads Cobalt Strike Through Microsoft Security Tool
- Sucuri
- Eric Carter at Sysdig
  - Hunting malware with Amazon GuardDuty and Sysdig
- Tanium
  - Russian APT29 Hackers Use Google Drive and Dropbox to Evade Detection: Cyber Threat Intelligence Roundup
- Satnam Narang at Tenable
  - The Ransomware Ecosystem: In Pursuit of Fame and Fortune
- Karla Agregado and Katrina Udquin at Trustwave SpiderLabs
  - IPFS: The New Hotbed of Phishing
- Yoroi
  - On the FootSteps of Hive Ransomware
UPCOMING EVENTS
- Cellebrite
  - Modernize your digital investigations with crypto insights
- Cybereason
  - Webinar August 11th 2022: Ransomware Labs
- Cyborg Security
  - Episode 1: Know Your Group, Your Pack, and Your Quarry
- Magnet Forensics
  - Putting Your DFIR Lab in the Cloud: Lessons Learned
PRESENTATIONS/PODCASTS
- Jessica Hyde at Hexordia
  - What is Digital Forensics?
- ArcPoint Forensics
  - Atrio Feature Highlight: Custom File Ext
- Black Hills Information Security
- BlueMonkey 4n6
  - Linux forensics – locations of interest – Magnet Forensics Quick Reference Guide part 2
- Cellebrite
  - Increasing Efficiencies for Modern Data Collection & Preservation with Unified Collection Workflows
- Cloud Security Podcast by Google
  - EP76 Powering Secure SaaS … But Not with CASB? Cloud Detection and Response?
- Joshua I. James at DFIRScience
- Didier Stevens
  - Maldoc: non-ASCII VBA Identifiers
- Digital Forensic Survival Podcast
  - DFSP # 336 – BAM!
- Gerald Auger at Simply Cyber
  - Head to Head Cybersecurity Action! Don’t Fear the Beard!
- InfoSec_Bret
  - Malware Analysis – PDF Analysis
- John Hammond
  - POWERSHELL – Automating RANDOM Local Admins (Active Directory #07)
- John Hubbard at ‘The Blueprint podcast’
  - Tony Turner: Securing the Cyber Supply Chain
- Justin Tolman at AccessData
  - FTK Over the Air – Episode 11 – Digital Sandwiching with Gus Dimitrelos
- Karsten Hahn at Malware Analysis For Hedgehogs
  - Malware Analysis – Using Hybrid Analysis for Initial Malware Assessment
- Magnet Forensics
  - Standardize Your Team’s Hash Sets Database With Hash Set Manager
  - Magnet AUTOMATE Overview
  - Magnet AXIOM Surfaces Deleted Data From Windows, Macs, Linux, and Chromebooks
  - Magnet AXIOM Acquires and Analyzes Cloud Data
  - Magnet AXIOM Recovers Evidence From iOS and Android Devices
  - NICE and Magnet Forensics Partner to Digitally Transform Police Case Building and Investigations
  - RAM is King: Analyzing RAM in AXIOM and AXIOM Cyber
  - Tips & Tricks // Distribute and Manage Hash Sets
- Marcus Hutchins
  - Things I Wish I Knew Starting Out In Cybersecurity
- SANS Institute
  - “Crime Time” | Rethinking Ransomware and How to Disrupt It
- Security Conversations
  - Down memory lane with Snort and Sourcefire creator Marty Roesch
- The Defender’s Advantage Podcast
  - Threat Trends: Securing the Vote in 2022
- Velocidex Enterprises
  - Tech Users Group 2022
MALWARE
- ASEC
- Erik Pistelli at Cerbero
  - AbuseCH Intelligence 2.1 Package
- CISA
  - MAR-10386789-1.v1 – Log4Shell
- Aarushi Koolwal at CloudSEK
  - Social Media Nexus Spreads Color Prediction Games that Defraud Users
- Cyber Geeks
  - How to analyze Linux malware – A case study of Symbiote
- Doug Burks at Security Onion
  - Quick Malware Analysis: IcedID with DarkVNC and Cobalt Strike pcap from 2022-07-26
- EclecticIQ
  - Emotet Downloader Document Uses Regsvr32 for Execution
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #100: Collapsing pseudocode parts
- David Ledbetter at InQuest
  - A Convoluted Infection Chain Using Excel
- Bill Cozens at Malwarebytes Labs
  - Demo: Your data has been encrypted! Stopping ransomware attacks with Malwarebytes EDR
- Dexter Shin at McAfee Labs
  - New HiddenAds malware affects 1M+ users and hides on the Google Play Store
- Md. Abdullah Al Mamun
  - How Attackers Obfuscate Batch Script
- Muhammad Hasan Ali at muha2xmad
  - PDF Analysis Lokibot malware
- N00b_H@ck3r
  - LetsDefend: PDF Analysis
- Yaron Samuel at Palo Alto Networks
  - dotnetfile Open Source Python Library: Parsing .NET PE Files Has Never Been Easier
- Pete Cowman at Hatching
  - Triage Thursday Ep. 82
- petikvx
- Tom Caiazza at Rapid7
  - To Maze and Beyond: How the Ransomware Double Extortion Space Has Evolved
- ReversingLabs
- Securelist
- John Zorabedian at Security Intelligence
  - What’s New in the 2022 Cost of a Data Breach Report
- Ax Sharma at Sonatype
  - StringJS Typosquat Deploys Discord Infostealer Obfuscated Five Times
- Telsy
  - The FTCode Ransomware
- James Sebree at Tenable
  - Extracting Ghidra Decompiler Output with Python
- Trend Micro
- Uptycs
  - Qbot Reappears, Now Leveraging DLL Side Loading Technique To Bypass Detection Mechanisms
- Paul Rascagneres and Thomas Lancaster at Volexity
  - SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”
- Sarthak Misraa at ZScaler
  - Raccoon Stealer v2: The Latest Generation of the Raccoon Family
MISCELLANEOUS
- Jessica Hyde at Hexordia
  - First Mobile Forensics Fundamentals Courses Posted!
- Adam at Hexacorn
  - Week of Data Dumps, Part 4 – games-related strings
- Kyle Dickinson at AWS Security
  - Welcoming the AWS Customer Incident Response Team
- Cassie Doemel at AboutDFIR
  - AboutDFIR Site Content Update 7/30/22
- Cellebrite
- Fabian Bader at Cloudbrothers
  - Gradual rollout process for Microsoft Defender
- Derek Eiri
  - Enterprise Cloud Forensics and Incident Response, Re: SANS FOR509 OnDemand Experience
- Digital Corpora
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  - The Uber Files – Kill Switch Engaged
- Jackson Evans-Davies and Markus Mueller at Dragos
  - Building the SANS ICS Summit Capture the Flag (CTF) Competition
- Forensic Focus
- Jeffrey Appel
  - Microsoft Defender for Endpoint series – Configure Defender for Endpoint – Part 2
- Magnet Forensics
  - Standardize Your Team’s Hash Sets Database With Hash Set Manager
- Marius Sandbu
  - Streaming of audit logs from Oracle Cloud to Microsoft Sentinel
- Martino Jerian at Amped
  - A Survey on the Industry Trends
- Mary Ellen Kennel at ‘What’s A Mennonite Doing In Manhattan?!’
  - Finding Your Voice
- Romaissa Adjailia
  - Diving in AppLocker for Blue Team
- Salvation DATA
  - Top 10 Free eDiscovery Software for 2022
- The Leahy Center for Digital Forensics & Cybersecurity
  - DFIR & Threat Intelligence Post II
SOFTWARE UPDATES
- Mike Cohen at Rapid7
  - CVE-2022-35629..35632 Velociraptor Multiple Vulnerabilities (FIXED)
- Acelab
  - The New PC-3000 Flash Software Ver. 8.0.10 has been released
- Elcomsoft
  - Elcomsoft iOS Forensic Toolkit 8.0 beta 12 improves iPhone 7 extraction
- Magnet Forensics
- Mark Spencer at Arsenal Recon
  - Quick Tour Of New Features In Arsenal Image Mounter v3.9.218
- Manabu Niseki
  - Mihari v4.7.4
- Nextron Systems
  - New Analysis Cockpit 3.5
- Passware
  - Passware Kit 2022 v3 Now Available
- Sandfly Security
  - Sandfly 4.0 – SSH Credential Auditing and eBPF Rootkit Detection
- Xways
  - X-Ways Forensics 20.6 released
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!