As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Cado Security
  - AWS EC2 Incident Response
- Covertshell
  - DFIR triage and Timeline Analysis
- Danus Minimus
  - The guide for a freeloader Threat Intelligence Analyst and Malware Researcher
- Digital Forensic Forest
  - Blue Team Cheat Sheets
- Digital Forensics Myanmar
- Oleg Afonin at Elcomsoft
  - Low-Level Extraction of iOS 15.2-15.3.1
- Forensafe
- Forensium
  - Firmware extraction from BT headset
- Howard Oakley at ‘The Eclectic Light Company’
  - Unified log structure and available data
- Julian-Ferdinand at ‘Fishing the Internet’
  - The Rise of LNK Files (T1547.009) and Ways To Detect Them
- Magnet Forensics
  - How to Ingest Mobile Extractions from GrayKey, UFED, XRY, and Oxygen in Magnet AXIOM
- Michał Legin at Open Source DFIR
  - Generate your own hash sets with HashR
- pat_h/to/file
  - Linux cloud memory forensics tutorial
- Salvation DATA
  - Log Forensics: 5 Tips for Investigators
- Tyler Brozek
- Shashank Suresh Kumar at Walmart
  - Packet Analysis
THREAT INTELLIGENCE/HUNTING
- Anomali
  - Anomali Cyber Watch: Emissary Panda Adds New Operation Systems to Its Supply-Chain Attacks, Russia-Sponsored Seaborgium Spies on NATO Countries, TA558 Switches from Macros to Container Files, and More
- Antoine Cailliau
  - Hunting on custom log files with Chainsaw
- Pavel Novák at Avast Threat Labs
  - AgentTesla is threatening businesses around the world with a new campaign
- Avertium
  - When Cybercriminal Gangs Go Dark – Avaddon, AstraLocker & Conti
- Bitdefender
  - Bitdefender Threat Debrief | August 2022
- Lawrence Abrams at BleepingComputer
  - New ‘Donut Leaks’ extortion gang linked to recent ransomware attacks
- Bohops
  - Investigating .NET CLR Usage Log Tampering Techniques For EDR Evasion (Part 2)
- CERT-AGID
  - Summary of the malicious campaigns in the week of 20 – 26 August 2022 (post is in Italian)
- Check Point Research
  - 22nd August – Threat Intelligence Report
- Cisco’s Talos
  - Threat Roundup for August 19 to August 26
- Cofense
  - Compromised Microsoft Dynamic 365 Customer Voice account used for Phishing attack
- Ari Novick at CyberArk
  - LockBit 3.0 Ransomware Learns from Defenders, Launches Bug Bounty Program, Begs “Hack Me”
- Cyble
- Darktrace
- Fortinet
  - New Threat Report Highlights Key Ransomware Protection Practices for CISOs
- Ajax Bash at Google Threat Analysis Group
  - New Iranian APT data extraction tool
- Roberto Martinez and Rustam Mirkasymov at Group-IB
  - Roasting 0ktapus: The phishing campaign going after Okta identity credentials
- Intel471
  - Here’s how to use Intel 471 with existing intelligence frameworks
- Intezer
  - CrowdStrike + Intezer: Automation for Alert Triage and Threat Hunting
- Fleming Shi at Journey Notes
  - Threat Spotlight: The untold stories of ransomware
- Katie Nickels at ‘Katie’s Five Cents’
  - A Cyber Threat Intelligence Self-Study Plan: Part 2
- Lina Lau at Inversecos
  - How to Detect OAuth Access Token Theft in Azure
- Adam Kujawa at Malwarebytes Labs
  - Exploits and TrickBot disrupt manufacturing operations
- Marco Ramilli
  - Windows System Calls For Hunters
- Marek Milkovič at Avast Engineering
  - YaraNG: Reinventing the YARA Scanner
- Michel De Crevoisier
  - Microsoft-eventlog-mindmap
- Microsoft Security
  - Cyber Signals: Defend against the new ransomware landscape
  - MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone
  - Looking for the ‘Sliver’ lining: Hunting for emerging command-and-control frameworks
  - MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations
- Mitiga
- Lenny Conway at OpenText
  - NetSupport Remote Access Trojan (RAT) delivered through fake browser updates by SocGholish threat actors
- Amer Elsad at Palo Alto Networks
  - Threat Assessment: Black Basta Ransomware
- Pypi
  - Check out tweets from @Pypi
- Recorded Future
- Carolynn van Arsdale at ReversingLabs
  - How abuse.ch evolved into an essential threat hunting platform
- SANS Internet Storm Center
  - 32 or 64 bits Malware?, (Mon, Aug 22nd)
  - Who’s Looking at Your security.txt File?, (Tue, Aug 23rd)
  - Monster Libra (TA551/Shathak) –> IcedID (Bokbot) –> Cobalt Strike & DarkVNC, (Wed, Aug 24th)
  - Paypal Phishing/Coinbase in One Image, (Fri, Aug 26th)
  - Taking Apart URL Shorteners, (Thu, Aug 25th)
  - HTTP/2 Packet Analysis with Wireshark, (Fri, Aug 26th)
  - Sysinternals Updates: Sysmon v14.0 and ZoomIt v6.01, (Sun, Aug 28th)
- Christopher Von Reybyton, Kristen Cotten, Christopher Peacock, and Jake Williams at Scythe
  - SCYTHE Presents: Threat Emulation: GootLoader
- Securelist
- Limor Kessem at Security Intelligence
  - The Ransomware Playbook Mistakes That Can Cost You Millions
- Security Investigation
- SentinelOne
- Ian at Shells.Systems
  - Protected: Bypassing AppLocker by abusing HashInfo
- Sean Gallagher at Sophos
  - An open-source ML toolkit for automatically generating YARA rules
- Splunk
- Sucuri
- Teri Radichel
  - Querying CloudTrail with CloudTrailLake
- Thomas Roccia
  - Jupyter Collection
- Adithya Chandra and Sushant Kumar Arya at Trellix
  - Demystifying Qbot Malware
- Trend Micro
- Jason Villaluna at Trustwave SpiderLabs
  - 2022 Trustwave SpiderLabs Telemetry Report
- Jason Hill at Varonis
  - Anatomy of a Solidbit Ransomware Attack
UPCOMING EVENTS
- Amped
  - Amped Webinars: Join Us for the Upcoming Sessions
- Arman Gungor at Metaspike
  - Forensic Email Collector — Power User Workshop
- Cellebrite
  - 4 Quick Steps to Scale Up & Modernize Investigations
- Magnet Forensics
PRESENTATIONS/PODCASTS
- Archan Choudhury at BlackPerl
  - Threat Hunting Tutorial- Day 12, Hunting PowerShell With Splunk
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2022-08-22
  - AASLR: Replicating Directory Changes Set of Rights in AD | Eric Kuehn
  - AASLR: Active Response With Wazuh and OSSEC | Richard Fifarek
  - BHIS – Talkin’ Bout [infosec] News 2022-08-29
  - Talkin’ About Infosec News – 8/26/2022
  - AASLR: Crush Your Interviews & Negotiate Your Salary | Kip Boyle
- BlueMonkey 4n6
  - Linux memory forensics – memory capture with LiME and AVML
- Cellebrite
  - How to Use the Snapchat Features Built Into the New Version of Physical Analyzer
  - How to Use New Access Features Built Into UFED
  - Auto-Open Extractions in UFED
  - How to Use the Android Debug Console in UFED to Collect More Data About a Mobile Device
  - How to Get Started With UFED
  - How to Use the New Access Features Built Into UFED
  - How To Get the Most from The Cellebrite Community Portal – Part 1
  - How To Get the Most Out Of The Support Area Of The Cellebrite Community Portal – Part 2
  - Different Methods for Creating Reports in Cellebrite Reader
  - Explaining Timestamps Associated with Carved Locations In Cellebrite Physical Analyzer
  - Exploring Additional Features Built Into Cellebrite UFED
  - How to View the Keychain Dump in Cellebrite Physical Analyzer
  - How to Create Sysdiagnose Logs for Bug Reporting on iOS Devices
  - How to Use the Media Tags View in the Cellebrite Pathfinder Dashboard
  - Images and Export Options in Cellebrite Physical Analyzer
  - New Feature Built into Cellebrite UFED Cloud Within Physical Analyzer
  - When to Use the Android APK Downgrade Feature in Cellebrite UFED
  - Cellebrite Reader Overview
  - How to Filter Chat Conversations to Find Specific Information in Cellebrite Physical Analyzer
  - Modernizing Investigations: Episode 2 – Why Digital Intelligence is Important to a Prosecutor
  - How to Use the Keychain Dump in Cellebrite Physical Analyzer 2
- Cloud Security Podcast by Google
  - EP80 CISO Walks Into the Cloud: Frustrations, Successes, Lessons … And Does the Risk Change?
- Digital Forensic Survival Podcast
  - DFSP # 340 – PSEXEC, ready or not
- Dump-Guy Trickster
  - In-Memory ZipArchive object creation from HTTP Stream
- Gerald Auger at Simply Cyber
  - Static Kitten aka MuddyWater Threat Actor LIVE Simulation
- John Dwyer
- John Hubbard at ‘The Blueprint podcast’
  - Jaron Bradley: Securing Enterprise macOS
- Magnet Forensics
- RickCenOT
  - Realistic Pentest of a Schneider Electric Industrial Control System M221 PLC (open Source Tools)
- SANS
  - The Godfather of Forensics: How to Leverage Your “Year One” to Get an Offer You Cannot Refuse
- SANS Cloud Security
- The Ransomware Files
  - Guest Episode: The Storm
- Vishal Thakur
  - Living with Ransomware
MALWARE
- ASEC
- Axelarator
  - Bumblebee
- Matt Ehrnschwender at Binary Defense
  - Digging through Rust to find Gold: Extracting Secrets from Rust Malware
- Ioan Iacob and Iulian Madalin Ionita at CrowdStrike
  - The Anatomy of Wiper Malware, Part 2: Third-Party Drivers
- Cybereason
  - THREAT ALERT: HavanaCrypt Ransomware Masquerading as Google Update
- Cyble
- Cyril François at Elastic
  - QBOT Malware Analysis
- Deep Instinct
  - The Dark Side of Bumblebee Malware Loader
- Doug Burks at Security Onion
- Shunichi Imano and Fred Gutierrez at Fortinet
  - A Tale of PivNoxy and Chinoxy Puppeteer
- Gabriele Orini at 0ffset Training Solutions
  - Reversing Golang Developed Ransomware: SNAKE
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #104: Immediate search
- Aaron Stratton at InfoSec Write-ups
  - Redline Stealer Malware Static Analysis
- Mike Hunhoff at Mandiant
  - Ghidrathon: Snaking Ghidra with Python 3 Scripting
- Muhammad Hasan Ali at muha2xmad
  - Technical analysis of IRATA android malware
- OALABS Research
  - SmokeLoader Triage
- Triskele Labs
  - Investigating a Monero Coin Miner
MISCELLANEOUS
- Belkasoft
  - 5 MORE Bloopers of a Digital Forensic Investigator
- Bill Stearns at Active Countermeasures
  - Changing Zeek’s Log Rotation Time
- Ax Sharma at BleepingComputer
  - An encrypted ZIP file can have two correct passwords — here’s why
- Cassie Doemel at AboutDFIR
  - AboutDFIR Site Content Update 8/27/22
- Cellebrite
- Craig Ball at ‘Ball in your Court’
  - Labels: Not Just for People Anymore!
- Max Julian Hofmann and Hanno Heinrichs at CrowdStrike
  - Adversary Quest 2022 Walkthrough, Part 3: Four PROTECTIVE PENGUIN Challenges
- Tim Helming at DomainTools
  - DomainTools APIs Have More Swagger
- Forensic Focus
  - DGForensiks’ Cindy Vasquez on Developing Digital Forensics Capacity in Mexico
  - Prudent Design Principles for Digital Tampering Experiments
  - DFIR Digital Transformation
  - Learn Useful Features of MD-LIVE That Can Shorten Your Investigation Time!
  - Identifying Document Similarity Using a fast Estimation of the Levenshtein Distance
  - Event Recap: Forensics Europe Expo
- Rachel Bishop at Huntress
  - How Progressive Computing Combated a Large-Scale Cyberattack
- Jaco at ‘The Swanepoel Method’
  - Att&cking The Engenuity Evals (Mitre by Mitre)
- Magnet Forensics
  - Automating Root Cause Analysis With EDR Integration in Magnet AUTOMATE Enterprise
- Oxygen Forensics
  - User searches: New Feature to Oxygen Forensic® Detective
- Palantir
  - A Typical Day on Palantir’s Incident Response Team
- Rapid7
  - Incident Reporting Regulations Summary and Chart
- Katie Nickels at Red Canary
  - 4 hiring tips for building a cyber threat intelligence team
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — August 1 to August 27
- Keith Palmgren at SANS
  - Cyber Security Expertise – Where Should You Begin?
- The Leahy Center for Digital Forensics & Cybersecurity
  - DFIR & Threat Intelligence Post III
- John Patzakis at X1
  - Proportionality Focus Presents Challenges and Opportunities for eDiscovery Service Providers
SOFTWARE UPDATES
- Berla
  - iVe Software v4.0 Release
- Didier Stevens
  - Update: 1768.py Version 0.0.16
- Security Onion
  - Security Onion 2.3.150 now available including Elastic 8.3.3, CyberChef 9.46.0, and much more!
- Elcomsoft
  - Elcomsoft iOS Forensic Toolkit 7.60 extends agent-based full file system extraction
- Foxton Forensics
  - Browser History Examiner — Version History – Version 1.16.11
- Manabu Niseki
  - Mihari v4.8.0
- MSAB
  - XRY 10.2.1 Released today – Uncover more vital digital evidence and speed up investigations
- Nir Sofer
  - Application resources usage on Windows 10 and Windows 11 (From SRUDB.dat database)
- Samuel Zurowski
  - Go Memory Forensics Toolkit
- WithSecure Labs
  - Chainsaw v2.0.0
- Xways
  - Excire PhotoAI
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!