As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alican Kiraz
  - Threat Hunting for Windows Registry
- Blake Regan
  - Picking the right gear for your DFIR write-blocker kit
- Derek Eiri
  - Assembling a Go-Bag, Re: Write Block Options?
- Joseph Moronwi at Digital Investigator
  - Using The Wayback Machine For OSINT
- Forensafe
- Forensium
  - Firmware extraction from BT headset 2
- InfoSec Write-ups
  - S3 Bucket: Cloud Trail Log Analysis
- Kevin Pagano at Stark 4N6
  - Audio and App Usage in Apple Health
- Lorena Carthy-Wilmot
  - On Viber.db and Thumbnail Paths
- Magnet Forensics
- Alexander Holcomb at Mandiant
  - Reviewing macOS Unified Logs
- Oxygen Forensics
  - New App Extraction: Skout Dating App
- Salvation DATA
  - SPF Pro Beginner Tutorial – Mobile Forensics (Step-by-Step)
THREAT INTELLIGENCE/HUNTING
- Ben Armstrong, Lauren Pearce, Brad Pittack, Danny Quist at [redacted]
  - BianLian Ransomware Gang Gives It a Go!
- Adam at Hexacorn
  - Adobe: JSX and JSXBIN files
- Alfie Champion
  - Blue Team Con: Going Atomic
- Anomali
  - Anomali Cyber Watch: First Real-Life Video-Spoofing Attack, MagicWeb Backdoors via Non-Standard Key Identifier, LockBit Ransomware Blames Victim for DDoSing Back, and More
- Anton Chuvakin
  - More SRE Lessons for SOC: Release Engineering Ideas
- Avertium
  - North Korea is the Threat
- Martin Zugec at Bitdefender
  - Deep Dive into a Corporate Espionage Operation
- Brad Duncan at Malware Traffic Analysis
- CERT Ukraine
- CERT-AGID
  - Summary of malicious campaigns in the week of 27 August – 2 September 2022
- Check Point Research
- Cisco’s Talos
- CTF导航
- Cybereason
- Foregenix
  - ThreatView – Monitor Your Website for Malware, Threats and Risk
- Cyble
  - Cyble – Your go-to Cyber Threat Intelligence partner for the Kingdom of Saudi Arabia’s SAMA Cyber Threat Intelligence Principles
- Cyborg Security
- Jerrod Piker at Deep Instinct
  - Jedi Mind Tricks to Bypass Endpoint Detection & Response (EDR)
- Dragos
  - Food Processing Special Report Reveals Increasing Concern of Cyber Attacks for Food & Beverage Industry
- Esentire
- Shunichi Imano and James Slaughter at Fortinet
  - Ransomware Roundup: Snatch, BianLian and Agenda
- Joe Slowik at Gigamon
  - Considering Threat Hunting
- Howard Oakley at ‘The Eclectic Light Company’
  - Hunting malware protection in the log
- Huntress
  - Checking the EDR Box: Evolving Endpoint Protection and the Next Iteration of Huntress
- Intel471
  - ERMAC 2.0: Perfecting the Art of Account Takeover
- Matan Eli Matalon at Intezer
  - Threat Hunting Rule Extraction and Use Cases
- Jeffrey Appel
  - Tips for preventing against new modern identity attacks (AiTM, MFA Fatigue, PRT, OAuth)
- John F
  - NanoCore RAT Hunting Guide
- Mikhail Moskvin at Kaspersky Lab
  - What a threat-intelligence platform is for | Kaspersky official blog
- Ayan Saha at Keysight
  - ProxyShell: Deep Dive into the Exchange CVEs
- Michael Koczwara
  - Hunting C2 with Shodan
- Vasu Jakkal at Microsoft Security
  - Cyber Signals: 3 strategies for protection against ransomware
- M Dzikri Ramdhani at MII Cyber Security
  - [Red Series] AMSI Bypass
- Nestori Syynimaa at ‘Office 365 blog’
  - Hunt for the gMSA secrets
- Paul Finger at Nettitude Labs
  - Network Relaying Abuse in a Windows Domain
- Pedram Amini at InQuest
- Huseyin Can Yuceel at Picus Security
  - The Most Used ATT&CK Technique — T1059 Command and Scripting Interpreter
- Adam Crosser at Praetorian
  - NTLMv1 vs NTLMv2: Digging into an NTLM Downgrade Attack
- Proofpoint and PwC
  - Rising Tide: Chasing the Currents of Espionage in the South China Sea
- Recorded Future
  - Combating Human Trafficking With Threat Intelligence — Prosecution Report
- Resecurity
  - EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web
- SANS Internet Storm Center
  - Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons, (Sun, Aug 28th)
  - Update: VBA Maldoc & UTF7 (APT-C-35), (Mon, Aug 29th)
  - Two things that will never die: bash scripts and IRC!, (Tue, Aug 30th)
  - Underscores and DNS: The Privacy Story, (Wed, Aug 31st)
  - Jolokia Scans: Possible Hunt for Vulnerable Apache Geode Servers (CVE-2022-37021), (Thu, Sep 1st)
  - James Webb JPEG With Malware, (Fri, Sep 2nd)
  - Video: James Webb JPEG With Malware, (Sat, Sep 3rd)
- Security Investigation
- Securonix
  - Securonix Threat Labs Security Advisory: New Golang Attack Campaign GO#WEBBFUSCATOR Leverages Office Macros and James Webb Images to Infect Systems
- Sekoia
  - Traffers: a deep dive into the information stealer ecosystem
- Sapir Federovsky and Tomer Nahum at Semperis
  - SMTP Matching Abuse in Azure AD
UPCOMING EVENTS
- Cado Security
  - Investigating a Cloud Attack With Cado Community Edition
- Cellebrite
  - We’re Not in Document Land Anymore: Modern Data Collections for Litigation Technology Professionals
- Cybereason
  - Webinar Thursday September 8th 2022: Ransomware Impact on Incident Response Strategies
- Cyborg Security
  - Out of the woods: the threat hunting podcast – episode 2
- Magnet Forensics
  - The Basics of Forensic Video Recovery with Magnet DVR Examiner
  - Format Matters: DD Outperform E01s for DVR Hard Drives
  - PowerShell Tools for IR Forensics Collection
  - Conducting Corporate Investigations with Magnet AXIOM Cyber
  - Tips & Tricks // Remotely Collect from Off-Network Endpoints Using AWS and AXIOM Cyber
- Mandiant
  - Developing Your Ransomware Playbook
- Tim Woolford at Microsoft Security
  - Stop Ransomware with Microsoft Security digital event presents threat intelligence in action
- Palo Alto Networks
  - Face Off Against Ransomware
- SANS
  - Anatomy of a Ransomware Operation
PRESENTATIONS/PODCASTS
- Alexis Brignoni
  - Parsing iOS 15 User Notification Events
- Active Countermeasures
- Black Hills Information Security
  - Cyber Range Challenge Solutions with Serena @shenetworks
- Brakeing Down Security Podcast
  - Manual Code reviews/analysis, post-infosec Campout discussion
- Breaking Badness
  - 130. Bigger Phish To Fry
- Cellebrite
- CySecK
  - Beware of Vishing Frauds
- Didier Stevens
  - 1768.py’s Sanity Check
- Digital Forensic Survival Podcast
  - DFSP # 341 – Those other taskers
- Dump-Guy Trickster
- Gerald Auger at Simply Cyber
  - How to Analyze Malware Like a Pro (Practical Guidance)
- HackDefend Labs
  - Automation for SOCs with N8N
- John Hammond
- John Hubbard at ‘The Blueprint podcast’
  - Rob Lee: Training and Reskilling in Cyber Security
- LockBoxx
  - Helpful Principles in Adversarial Operations
- Magnet Forensics
  - Collecting Data From Google Workspace
- OALabs
  - Career / Interview Advice for Reverse Engineers [ Twitch Clip ]
- Richard Davis at 13Cubed
  - What’s on My DFIR Box?
- RickCenOT
  - Python Exploit Script vs Beckhoff Industrial Control System CX9001 PLC
- SANS Cloud Security
  - Multicloud Security is Inevitable: Fact or Fiction
- SANS Institute
  - 48-Hour SANS Netwars Global Preview #Shorts
- Sumuri
  - New to RECON LAB: Daily Out Plugin!
MALWARE
- 360 Netlab
  - PureCrypter is busy pumping out various malicious malware families
- Any.Run
  - Raccoon Stealer 2.0 Malware analysis
- ASEC
  - ASEC Weekly Malware Statistics (August 22nd, 2022 – August 28th, 2022)
  - ASEC Weekly Malware Statistics (August 15th, 2022 – August 21st, 2022)
  - Malicious HWP File Disguised as a Happy Birthday Message (OLE Object)
  - Malicious Word Files Targeting Specific Individuals Related to North Korea
  - RAT Tool Disguised as Solution File (*.sln) Being Distributed on Github
  - Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies
- Fernando Martinez at AT&T Cybersecurity
  - Crypto miners’ latest techniques
- c3rb3ru5d3d53c
- Chuong Dong
  - PLAY Ransomware
- Vanja Svajcer at Cisco’s Talos
  - ModernLoader delivers multiple stealers, cryptominers and RATs
- Cyber Geeks
- Cyble
- Dodo on Security
  - A FormBook Matryoshka
- Doug Burks at Security Onion
  - Quick Malware Analysis: IcedID / Bokbot with Cobalt Strike pcap from 2022-08-08
- Alberto Segura and Mike Stokkel at Fox-IT
  - Sharkbot is back in Google Play
- Alex Petrov at Hex Rays
  - Igor’s tip of the week: Season 02
- David Ledbetter at InQuest
  - Office Files, RTF files, Shellcode and more shenanigans
- Paul Kimayong at Juniper Networks
  - Asbit: An Emerging Remote Desktop Trojan
- Luke Leal
  - united81.com skimmer
- Nick Harbour at Mandiant
  - Announcing the Ninth Annual Flare-On Challenge
- Oliver Devane and Vallabh Chole at McAfee Labs
  - Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users
- Michael Gorelik and Hudi Zack at Morphisec
  - Runtime Attacks In-Memory Require a Different Response
- Muhammad Hasan Ali at muha2xmad
  - Technical analysis of SOVA android malware
- Gustavo Palazolo at Netskope
  - AsyncRAT: Using Fully Undetected Downloader
- petikvx
  - Purga Ransomware
- Kevin Henson and Emmy Ebanks at Security Intelligence
  - Raspberry Robin and Dridex: Two Birds of a Feather
- Amitai Ben Shushan Ehrlich at SentinelLabs
  - PyPI Phishing Campaign | JuiceLedger Threat Actor Pivots From Fake Apps to Supply Chain Attacks
- ThreatFabric
  - Brata – a tale of three families
- Vickie Su, Ted Lee, Nick Dai at Trend Micro
  - Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm
- Siddharth Sharma and Nischay Hegde at Uptycs
  - Another Ransomware For Linux Likely In Development
- WMC Global
  - Threat Actor “Robin Banks” Phishing Kit Revisions
- Atinderpal Singh and Brett Stone-Gross at ZScaler
  - No Honor Among Thieves – Prynt Stealer’s Backdoor Exposed
MISCELLANEOUS
- AccentuSoft
  - Recording browser sessions with 100 lines of Python
- Peggy Kelly at Blackberry
  - Women Behind the Screen: An Interview with BlackBerry Threat Research & Intelligence Pros
- Cellebrite
  - E-Discovery Business Takes New Approach to Collecting and Preparing Digital Evidence to Spur Growth and Expansion
- Sylvain Heiniger at Compass Security
  - Email spoofing in Office 365
- Brett Shavers at DFIR.Training
  - The DFIR world is your oyster because…
- Doug Burks at Security Onion
  - Security Onion Enterprise Features and Licensing
- Security Onion
  - Security Onion 2.3.160 now available including Zeek 4.0.8 and much more!
- Elan at DFIR Diva
  - The IR Training Plan Using Free Courses has been Updated
- Forensic Focus
  - Register for On-Demand Webinar: How Physical Analyzer Ultra Brings Resilience to Your Digital Data Examinations
  - A Live Digital Forensics Approach for Quantum Mechanical Computers
  - How Detego Helped One of Europe’s Biggest Tax Authorities Fast-Track Investigations and Empower Field-Based Teams
  - BlockQuery: Toward Forensically Sound Cryptocurrency Investigation
  - Using Magnet IGNITE to Accelerate Breach Response Cases
- Jim Richberg at Fortinet
  - Examining the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)
- Sergey Soldatov at Kaspersky Lab
  - How to distribute SOC tasks | Kaspersky official blog
- Kevin Pagano at Stark 4N6
  - Forensics StartMe Updates (9/1/2022)
- Nextron Systems
  - Mjolnir Security: Blue Team Incident Response Training
- Patrick J. Siewert at ‘Pro Digital Forensic Consulting’
  - Pro Digital is Joining ArcherHall
- Brittany Roberts and Richard Frawley at ADF
  - Announcing the ADF Cloud Platform: Digital Forensic Token Server and Audit Trail
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — August 28 to September 3
- Susan Darley at Mandiant
  - Now Available: Mandiant Advantage Threat Intelligence Connector for Microsoft Sentinel
- Tcdi
  - Shedding Light on Shadow IT in eDiscovery – Part 1
- The Security Noob.
- John Patzakis at X1
  - 5 Reasons Why Native Format Collection is Essential for Social Media Evidence
SOFTWARE UPDATES
- Arsenal Recon
  - NetWireLogDecoder v1.0.0.1
- Didier Stevens
  - Update: jpegdump.py Version 0.0.10
- Federico Lagrasta
  - PersistenceSniper v1.5.0
- Hex Rays
  - IDA 8.0 Service Pack 1 released
- John Asmussen
  - Linux Baseline & Forensic Triage Tool
- Magnet Forensics
- MantaRay Forensics
  - MantaRay Forensics Files 2022 Q2
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!