As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Digital Forensics Myanmar
- Joseph Moronwi at Digital Investigator
  - File Signature And Hash Analysis
- Oleg Afonin at Elcomsoft
  - Entering DFU: iPhone 8, 8 Plus, and iPhone X
- Forensafe
- Forensics [Insider]
  - Basic Concepts in Mobile Device Forensics
- Felix Guyard at ForensicXlab
  - 📦 Volatility3 Linux Plugin : Inodes
- Christopher Vance at Magnet Forensics
  - iOS 16: What Digital Investigators Need to Know
- Elli at Misconfig
  - MS Teams Desktop Forensic
- Passware
  - Breaking Password Managers: How Easy Is It and What’s Inside?
- Salvation DATA
  - Email Forensics – Definition and Guideline
- Scott Koenig at ‘The Forensic Scooter’
  - Shared with You Syndication Photo Library – Message Attachments & Linked Assets
- Semperis
  - Purple Knight or PingCastle? A Quick Comparison
- The DFIR Report
  - Dead or Alive? An Emotet Story
- The Security Noob
  - [DFIR TOOLS] AmcacheParser, what is it & how to use!
THREAT INTELLIGENCE/HUNTING
- Adepts of 0xCC
  - Thoughts on the use of noVNC for phishing campaigns
- Advanced Intelligence
  - AdvIntel’s State of Emotet aka “SpmTools” Displays Over Million Compromised Machines Through 2022
- Alex Teixeira
  - What Threat Detection is NOT about — before they sell it to you!
- Anomali
  - Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More
- Anton Chuvakin
  - On Trust and Transparency in Detection
- Arctic Wolf
  - Chiseling In: Lorenz Ransomware Group Cracks MiVoice And Calls Back For Free
- Atomic Matryoshka
  - Pass the Hash vs Overpass the Hash
- AttackIQ
  - Attack Graph Response to US-CERT Alert (AA22-257A): Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Ransom Operations
- Ben Helps and Bhavin Patel at Foregenix
  - Threat Alert: Magento Intercept Backdoor and Re-Infection
- Thu Pham at Blumira
  - Now Available: Detection Filters For Custom Rules
- Censys
  - 2022 State of the Internet Report
- CERT-AGID
- Check Point Research
- Cisco’s Talos
- Thomas Etheridge at CrowdStrike
  - 2022 Threat Hunting Report: Falcon OverWatch Looks Back to Prepare Defenders for Tomorrow’s Adversaries
- CTF导航
  - Fake Hunter APT group’s targeted attacks on South Korea: Aiming at foundation representatives and PyeongChang Peace Forum politicians
- Cybereason
  - THREAT ANALYSIS REPORT: Abusing Notepad++ Plugins for Evasion and Persistence
- Cyble
- Cyjax
- Darktrace
  - A thief in red: Compliance and the RedLine information stealer
- David Krivobokov at Otorio
  - GhostSec Strikes Again in Israel Alleging Water Safety Breach
- Francisco Dominguez at DiabloHorn
  - Lockbit’s bounty: consequences matter
- DomainTools
- Esentire
  - Sorillus RAT Identified in Customer Environment
- Flashpoint
  - Three Types of Threat Intelligence: Defined and Explained
- Shunichi Imano and James Slaughter at Fortinet
  - Ransomware Roundup: Ragnar Locker Ransomware
- Drew Schmitt at GuidePoint Security
  - GRIT Ransomware Report: August 2022
- Tim Kasper at Huntress
  - Unraveling a Reverse Shell with Process Insights
- InfoSec Write-ups
  - Detecting Log4j & its Remediation
- Pedram Amini at InQuest
- Intel471
  - Pro-Russian Hacktivist Groups Target Ukraine Supporters
- Joint Cybersecurity Advisory
  - Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations
- Yael Kishon at Kela
  - Six months into Breached: The legacy of RaidForums?
- James Maclachlan, Mathew Potaczek, Nino Isakovic, Matt Williams, and Yash Gupta at Mandiant
  - It’s Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp
- Mark Mo
  - Brute force domain cached credentials
- Mehmet Ergene
  - Detecting DLL Hijacking Attacks — Part 1
- Mike Cunningham and Jamie Williams at MITRE-Engenuity
  - Ahhh, This Emulation is Just Right: Introducing Micro Emulation Plans
- Netscout
  - Revamped Threat Report Reflects Data Analysis, Formatting Improvements
- Gustavo Palazolo at Netskope
  - Attackers Continue to Abuse Google Sites and Microsoft Azure to Host Cryptocurrency Phishing
- Olaf Hartong
  - FalconFriday — Detecting LSASS dumping with debug privileges — 0xFF1F
- Jeff White at Palo Alto Networks
  - OriginLogger: A Look at Agent Tesla’s Successor
- PhishLabs
  - How to Collect Intelligence on Threats Targeting Retail Brands
- Joshua Miller, Kyle Eaton and Alexander Rausch at Proofpoint
  - Look What You Made Me Do: TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO
- Recorded Future
- Red Canary
- Carolynn van Arsdale at ReversingLabs
  - Iran-backed APT actors utilize CVEs to carry out cyber attacks on critical infrastructure
- SANS Internet Storm Center
  - VirusTotal Result Comparisons for Honeypot Malware, (Mon, Sep 12th)
  - Easy Process Injection within Python, (Wed, Sep 14th)
  - Malicious Word Document with a Frameset, (Thu, Sep 15th)
  - Word Maldoc With CustomXML and Renamed VBAProject.bin, (Fri, Sep 16th)
  - Video: Analyzing Obfuscated VBS with CyberChef, (Sat, Sep 17th)
- Sansec
  - Magento vendor Fishpig hacked, backdoors added
- Secureworks
  - Opsec Mistakes Reveal COBALT MIRAGE Threat Actors
- Felipe Duarte at Security Joes
  - Dissecting PlugX to Extract Its Crown Jewels
- Sekoia
  - PrivateLoader: the loader of the prevalent ruzki PPI service
- SentinelOne
  - Endpoint, Identity and Cloud | Top Cyber Attacks of 2022 (So Far)
- Chester Wisniewski at Sophos
  - Six months on: Looking back at the role of cyberattacks in the Ukraine War
- Brandon Lee at Specops Software
  - Ransomware attacks continue to rage on government entities
- Sucuri
- Oren Biderman, Shani Adir Nissim, Noam Lifshitz, Eran Liloof, and Or Zuckerman Farkash at Sygnia
  - Vice Society: The Ransomware Group that the Health and Education Sectors Should Look Out For
- Symantec Enterprise
- Trend Micro
- Esteban Rodriguez at TrustedSec
  - Practical Attacks against NTLMv1
- Trustwave SpiderLabs
  - Retaliation by the Pro-Russian Group KillNet
- Masha Garmiza at Varonis
  - PAC_Requestor and Golden Ticket Attacks
UPCOMING EVENTS
- Belkasoft
  - Free On-demand Course – Corporate Investigations With Belkasoft
- CrowdStrike
  - Coming Soon to Las Vegas: Fal.Con 2022 Event Highlights and Special Guests
- Cyborg Security
  - Threat Hunting Workshop – Hunting for Execution!
- Digital Threats: Research and Practice
  - Call for papers – Special Issue on Memory-based Malware and Other Unconventional Threats
- Daniel Michaud-Soucy at Dragos
  - Don’t Miss the Dragos Capture the Flag (CTF) Event at DISC 2022
- Magnet Forensics
  - Magnet Virtual Summit: Get Your Presentation Submissions in for the 2023 Call for Papers!
- Mandiant
  - Developing Your Ransomware Playbook
- Paul Lorentz at Cellebrite
  - Unlock Flexibility With Premium as a Service
- SANS Institute
- Secureworks
  - Global Threat Intelligence Summit 2022: Because We’re All in This Together
- X1
  - How to Win Your Case with Effective Social Media Evidence Collection: Case Studies and Recent Case Law
PRESENTATIONS/PODCASTS
- Active Countermeasures
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2022-09-12
  - AASLR: The Pilot’s Guide to Getting Started in Cybersecurity | Josh Mason
  - Talkin’ About Infosec News – 9/13/2022
  - Linux System Call Monitoring
  - Coercions & Relays: The First Cred is the Deepest | Gabriel Prud’homme
  - AASLR: FlashCTF Solution Walkthroughs | Serena & John
  - BHIS | Coercions and Relays – The First Cred is the Deepest with Gabriel Prud’homme | 1.5 Hours
- Breaking Badness
  - 131. XMRing A Ding Ding
- Day Cyberwox
  - Is the BTL1 an Entry Level Certification?
- DFIRScience
  - Starting with Velociraptor Incident Response
- Didier Stevens
  - Analyzing Obfuscated VBS with CyberChef
- Digital Forensic Survival Podcast
  - DFSP # 343 – Registry aka The Dungeon Maze
- InfoSec_Bret
  - ISO Malware Investigation
- Insane Forensics
  - How to Discover Windows Run Key Persistence When Threat Hunting
- John Hammond
- John Hubbard at ‘The Blueprint podcast’
  - Brandon Evans: Cloud Security – Threats and Opportunities
- Justin Tolman at AccessData
- MalGamy
  - Manual Unpacking Erbium Stealer
- RickCenOT
  - Schneider Electric M221 OT Cyber Security: Attack on your industrial controller (ICS)
- Sumuri
- The Defender’s Advantage Podcast
  - Skills Gap: Expanding Diversity in Cyber Security
- The Ransomware Files
  - The Adult Boutique
- TrustedSec
  - Video Blog: Using DLL Persist to Avoid Detection
- Uptycs
  - osquery@scale Best Of: Detection and Incident Response
- Uriel Kosayev
  - Real World Phishing Attacks Explained
- Velocidex Enterprises
  - VeloCON 2022: Digging Deeper Together
    - Mac Response – The Good, the Bad, and the Ugly – Mike Pilkington
    - Velocistack Swiftly Configuring a Streamlined Investigation Environment – Wes Lambert
    - Using DinoSOARLab to Uncover Adversary Actions and Orchestrate Rapid Response – Wes Lambert
    - Cloud Native Velociraptor – Mike Cohen
    - Purple Teaming with ARTifacts – Wes Lambert
    - Notebook & VQL Data munging your way to victory! – Matt Green
    - Velociraptor and Law enforcement – Luke Fardell
    - Velocon 2022 Year in Review – Mike Cohen
    - When Dinosaurs Ruled the Blue Team Retrieving triage images with EDR – Dan Banker
    - Machine Learning for DFIR with Velociraptor – Christian Hammerschmidt
- WeLiveSecurity
  - SparklingGoblin deploys new Linux backdoor – Week in security, special edition
MALWARE
- Alexandre Borges at ‘Exploit Reversing’
  - Malware Analysis Series (MAS) – Article 5
- ASEC
- Breachquest
  - Top Malware Variants in 2022
- c3rb3ru5d3d53c
  - [48] Malware Lab – Shellcode Injection Unpacking and Extraction
- Anandeshwar Unnikrishnan at CloudSEK
  - Recordbreaker: The Resurgence of Raccoon
- Docguard
  - New Evasion Technique Using Powerpoint
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #106: Outlined functions
- Aaron Stratton at InfoSec Write-ups
  - Raccoon Stealer v2 Malware Analysis
- Shusei Tomonaga at JPCERT/CC
  - F5 BIG-IP Vulnerability (CVE-2022-1388) Exploited by BlackTech
- Malware Hell
- SangRyol Ryu and Yukihiro Okutomi at McAfee Labs
  - Fake Security App Found Abuses Japanese Payment System
- Mohamed Adel
  - Raccoon Stealer
- OALABS Research
  - PrivateLoader Triage
- Pete Cowman at Hatching
  - Triage Thursday Ep. 85
- Oleg Kupreev at Securelist
  - Self-spreading stealer attacks gamers via YouTube
- Pedro Tavares at Segurança Informática
  - URSA trojan is back with a new dance
- Jim Walter at SentinelOne
  - From the Front Lines | Slam! Anatomy of a Publicly-Available Ransomware Builder
- Aaron Linskens at Sonatype
  - This Week in Malware – Almost 100 Packages
- VMRay
  - The evolution of GuLoader
- Vladislav Hrčka, Thibaut Passilly, and Mathieu Tartare at WeLiveSecurity
  - You never walk alone: The SideWalk backdoor gets a Linux variant
MISCELLANEOUS
- Any.Run
  - Expert Q&A: John Hammond, 19 Questions to the YouTube Blogger
- Belkasoft
  - EVEN 5 MORE Bloopers of a Digital Forensic Investigator
- Breakpoint Forensics
  - Certificate Authorities, ADFS, and the Griffeye Intelligence Database Part 1:
- Brett Shavers
  - There I was, just getting ready for work….
- Cellebrite
  - Lake Jackson Police Department, Texas: Cyber Tip from NCMEC and Cellebrite Solutions Accelerate Justice
- Francisco Dominguez at DiabloHorn
  - Generating network connection information for experimentation purposes
- Florian Roth
  - About Detection Engineering
- Lee Whitfield at Forensic 4cast
  - Moving On
- Forensic Focus
  - Welcome to the 14th Forensic Technology Days 2022
  - Digital Evidence Review and Collaboration: A Roundtable Discussion
  - University of Adelaide’s Dr. Matthew Sorell on Evidentiary Health Data at DFRWS-APAC 2022
  - What’s Happening at the International HTCIA Conference: September 27-30
  - How To Do Context Analysis of Digital Images in Amped Authenticate
  - How Law Firms and Litigation Specialists Are Using Detego’s Technology to Fast-Track Investigations
- Foxton Forensics
  - Analysing browser site settings
- Alex Petrov at Hex Rays
  - Hex-Rays launches a Beta Program!
- Jonathan Johnson
  - WMI Internals Part 3
- Malwarebytes Labs
  - Cyber threat hunting for SMBs: How MDR can help
- MISP
- Amber Schroader at Paraben Corporation
  - 23 Years of Innovations from Small Business
- Kevin Gee at Red Canary
  - Dark Canary Rises
- Ryan Collins
  - Forensics Workstation Build
- Sumuri
  - Belkasoft Case Study
- SUMURI
  - Belkasoft Case Study
- Nick Gilberti at TrustedSec
  - How Your Team’s Culture Determines the Value of Your Tabletop Exercise
SOFTWARE UPDATES
- AccessData
  - Forensic Tools 7.6.0
- Apache
  - Release 1.28.5 – 9/8/2022
- CCL Solutions
  - CCL releases RabbitHole 2.2 with support for more data formats
- Crowdstrike
  - Falconpy Version 1.2.1
- CyberChef
  - v9.46.5
- Didier Stevens
  - Update: virustotal-search.py Version 0.1.7
- ExifTool
  - ExifTool 12.45
- Foxton Forensics
  - Browser History Examiner — Version History – Version 1.17.0
- Hasherezade
  - PE-Bear v0.6.0
- Logan Wolfe at Orna
  - Introducing ORNA 2.0 for Stress-Free Cyber Incident Response
- MantaRay Forensics
  - /VirusShare_Hash_Sets/Autopsy/VirusShare_0-437_MR4n6_Hash_Sets_Autopsy_2022_Q3.zip
- Metaspike
  - Forensic Email Collector v3.80 Release Notes
- MISP
  - MISP 2.4.162 released with a new periodic notification system, workflow updates and many improvements
- Oxygen Forensics
  - Oxygen Forensic® Detective v.15.0
- radare2
  - 5.7.8
- Rizin Organization
  - cutter 2.1.2
- WithSecure Labs
  - Chainsaw v2.1.0
- xRET2pwn
  - Teamsniper
- Yamato Security
  - Hayabusa v1.6.0 🦅
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!