As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Chris Vance at ‘D20 Forensics’
- Krzysztof Gajewski at CyberDefNerd
  - C:\ProgramData\Microsoft\Event Viewer\ExternalLogs – artifacts showing what Windows Event Logs were opened on the suspected device.
- Joseph Moronwi at Digital Investigator
  - Keyword Forensics
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - Introducing Hintfo
- Elcomsoft
- Forensafe
  - Investigating ProtonVPN
- João Marcelo at InfoSec Write-ups
  - Try Hack Me: Intro to Digital Forensics Walkthrough
- Kevin Pagano at Stark 4N6
  - It’s All About Semantics, Location History That Is
- Magnet Forensics
  - Collecting Remote Volatile Artifacts and What They Can Tell You
- The Security Noob.
  - [DFIR TOOLS] AmcacheParser, what is it & how to use!
THREAT INTELLIGENCE/HUNTING
- Chris Brenton at Active Countermeasures
  - Detecting Beacons by System Name with RITA and AC-Hunter
- Adam at Hexacorn
  - Inserting data into other processes’ address space, part 1a
- Alex Teixeira
  - Threat Detection cost & value: a few lessons from the field.
- Anomali
  - Anomali Cyber Watch: Uber and GTA 6 Were Breached, RedLine Bundle File Advertises Itself on YouTube, Supply-Chain Attack via eCommerce Fishpig Extensions, and More
- Assaf Morag at Aqua
  - Threat Alert: New Malware in the Cloud By TeamTNT
- Arch Cloud Labs
  - Detection Engineering with FLAWS & Falco
- Sule Tatar at Arctic Wolf
- AttackIQ
- Avertium
  - Everything You Need to Know About Callback Phishing
- Shanice Jones at Bitdefender
  - Actionable Threat Intelligence for Cybersecurity
- Blackberry
  - Some Kind of Monster: RaaS Hides Itself Using Traits From Other Malware
- Ax Sharma at BleepingComputer
  - npm packages used by crypto exchanges compromised
- Brad Duncan at Malware Traffic Analysis
- Cado Security
  - Introducing Automated Investigations
  - Ultimate Guide to Incident Response in Azure
- Censys
  - Databases. EXPOSED! (Redis)
- CERT-AGID
- Check Point Research
  - 19th September – Threat Intelligence Report
- CISA
  - AA22-264A: Iranian State Actors Conduct Cyber Operations Against the Government of Albania
- Cisco’s Talos
- Cobalt Strike Research and Development
  - Out Of Band Update: Cobalt Strike 4.7.1
- Cofense
- CTF导航
- Mike at Cyber&Ramen
  - So Long (Go)Daddy | Tracking BlackTech Infrastructure
- CyberArk
  - Unpacking the Uber Breach
- Daniel Chronlund
  - Microsoft Sentinel SOC Activities
- Darktrace
  - Modern Extortion: Detecting Data Theft from the Cloud
- Dragos
- EclecticIQ
  - Investigating NATO-Themed Phishing Lures With EclecticIQ Intelligence Center and Endpoint Response Tool
- Esentire
  - Redline Stealer and Mozilla Thunderbird
- Fraud Intelligence – Gemini Advisory
- Howard Oakley at ‘The Eclectic Light Company’
  - SnowDrift warnings: are they malware?
- Denis Nagayuk and Francisco Dominguez at Hunt & Hackett
  - Bypassing FileBlockExecutable in Sysmon 14.0: A Lesson In Analyzing Assumptions
- Ash Moran at InfoSec Write-ups
  - Living Off The Land: Suspicious System32
- Bukar Alibe at INKY
  - Fresh Phish: Netflix Bad Actors Go Behind the Scenes to Stage a Credential Harvesting Heist
- Intel471
- Jamie Collier
  - Driving Threat Intelligence the Right Way
- Phil Muncaster at Barracuda
  - Intermittent encryption: The latest advance in the ransomware arms race
- Kela
  - Defender-in-the-middle: How to reduce damage from info-stealing malware
- Kim Zetter at ‘Zero Day’
  - Mysterious New Hacking Group Leaves Researchers Baffled
- Lexfo
  - Cobalt Strike Investigation Part 1
- Malwarebytes Labs
- Mandiant
- Microsoft 365 Security
  - Practical Guidance for IT Admins to respond after Ransomware attacks
- Microsoft Security
- Mitiga
  - Uber Cybersecurity Incident: Which Logs Do IR Teams Need to Focus On?
- Morphisec
  - NFT Malware Gets New Evasion Abilities
- Nestori Syynimaa at ‘Office 365 blog’
  - Exploiting Azure AD PTA vulnerabilities: Creating backdoor and harvesting credentials
- ReasonLabs
  - A Multimillion Dollar Global Online Credit Card Scam Uncovered
- Recorded Future
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, July 2022 (ENG)
- Red Canary
  - Intelligence Insights: September 2022
- Kaustubh Jagtap at Safebreach
  - SafeBreach Coverage for US-CERT Alert (AA22-264A) – HomeLand Justice Threat Group
- SANS Internet Storm Center
  - Video: Grep & Tail -f With Notepad++, (Sun, Sep 18th)
  - Preventing ISO Malware, (Sun, Sep 18th)
  - Chainsaw: Hunt, search, and extract event log records, (Mon, Sep 19th)
  - Phishing Campaigns Use Free Online Resources, (Wed, Sep 21st)
  - RAT Delivered Through FODHelper, (Thu, Sep 22nd)
  - Kids Like Cookies, Malware Too!, (Fri, Sep 23rd)
  - Downloading Samples From Takendown Domains, (Sun, Sep 25th)
  - Maldoc Analysis Info On MalwareBazaar, (Sat, Sep 24th)
- Sansec
  - Surge in Magento 2 template attacks
- Securelist
- mr.d0x
  - Stealing Access Tokens From Office Desktop Applications
- Juan Andrés Guerrero-Saade at SentinelLabs
  - The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities
- Aaron Linskens at Sonatype
  - This Week in Malware – Over Five Dozen More Packages Discovered
- Stairwell
- Symantec Enterprise
  - Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
- Sysdig
  - Threat news: TeamTNT targeting misconfigured kubelet
- Uptycs
  - Detecting Anomalous Temporary Sessions in AWS – Part 1
- VMware Security
- Andy Gill at ZeroSec – Adventures In Information Security
  - HoneyPoC is Dead – Long Live Disinformation
UPCOMING EVENTS
- Arctic Wolf
  - Calculating the Cost of a Breach
- Belkasoft
  - [WEBINAR] New Belkasoft X: checkm8 for iOS 16 beta, Sim-card cloning, analysis of images stored in Amazon S3, extended agent-based iOS acquisition and Volatility integration for memory analysis, expanded CLI automation, and many more.
- Cado Security
  - Investigating a Cloud Attack With Cado Community Edition
- Cybereason
  - Webinar October 26th 2022: NGAV Redefined
- Dragos
  - The Dragos Platform – Leading Edge OT Cyber Visibility, Detection, and Response When You Need it Most
- Tony Burgess at Barracuda
  - Threat Spotlight webinar: Ransomware on the rise
- PhishLabs
  - Webinar: Benchmarking from the World’s Largest Phishing Exercise
- X1
  - Social Media Evidence Collection Strategies to Help Win Your Case
PRESENTATIONS/PODCASTS
- 0day in {REA_TEAM}
  - MustangPanda – Enemy At The Gate
- Acelab
  - RAID Data Recovery Webinar Video
- Active Countermeasures
- Ali Hadi
- Black Hat
  - Black Hat Asia 2022
- Black Hills Information Security
- Brakeing Down Security Podcast
  - Uber Breach, MFA fatigue, who can help communicate biz risk?
- Breaking Badness
  - 132. Here, kiTTY kiTTY
- Cellebrite
- Cyborg Security
  - Episode 2
- Dark Mode
  - Cybersecurity for industrial controls systems & operational technology environments with Robert Lee
- Didier Stevens
  - Grep & Tail -f With Notepad++
- Digital Forensic Survival Podcast
  - DFSP # 344 – Mac Spotlight DB
- Insane Forensics
  - How to Respond to Cybersecurity Incidents: Exploring the NIST and SANS Incident Response Models
- Jamf
  - Jamf After Dark: macOS Threat Detection
- Jason Killam at Red Canary
  - The Monica Bellucci Fanclub – Detection and Defense Lessons Learned from the Trickbot Forum
- John Hammond
- LetsDefend
  - How to get a SOC Analyst job?
- Magnet Forensics
  - Collecting Remote Volatile Artifacts in AXIOM Cyber and What They Can Tell You
- OALabs
  - Your VPN Sucks for Malware Analysis [Twitch Rant]
- Paraben Corporation
- Stephen Hasford
  - How to Analyse a Windows 10 Workstation for Digital Forensics
- Sumuri
  - RECON ITR Quick Tip: Triage and Extract iOS Backups
- The Defender’s Advantage Podcast
  - Threat Trends: The Security Landscape Facing Manufacturing
MALWARE
- Nathaniel Cole at Any.Run
  - How We Discovered and Prevented an IMG-Based Malware Attack
- ASEC
- Jan Vojtěšek at Avast Threat Labs
  - Raspberry Robin’s Roshtyak: A Little Lesson in Trickery
- c3rb3ru5d3d53c
  - [49] Malware Lab – Unpacking PE Injection
- Check Point Research
  - A technical analysis of the leaked LockBit 3.0 builder
- Cyber Geeks
- Cyble
- Cyborg Security
  - Emotet Malware Update and Development
- Doug Burks at Security Onion
  - Quick Malware Analysis: ASTAROTH (GUILDMA) pcap from 2022-09-21
- Fortinet
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #107: Multiple return values
- David Ledbetter at InQuest
  - What’s your name? … My how you have changed.
- Muhammad Hasan Ali at muha2xmad
- Netscout
  - DDoS Threat Intelligence Report Reveals Troubling Attacker Behavior in 1H 2022
- Allen Funkhouser at Netskope
  - Understanding Cyber Threat Intelligence
- Wouter Stinkens at NVISO Labs
  - Cortex XSOAR Tips & Tricks – Creating indicator relationships in integrations
- OALABS Research
  - Clipboard Hijacker Detection
- Janos Szurdi, Rebekah Houser and Daiping Liu at Palo Alto Networks
  - Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime
- Pete Cowman at Hatching
  - Triage Thursday Ep. 86
- Poncho
  - Cobalt Strike Analysis (PwSh)
- Praetorian
  - Developing a Hidden Virtual File System Capability That Emulates the Uroburos Rootkit
- Karlo Zanki at ReversingLabs
  - Threat analysis: Malicious npm package mimics Material Tailwind CSS tool
- S2W Lab
  - Quick Overview of Leaked LockBit 3.0 (Black) builder program
- Karsten Hahn at G Data Software
  - Identifying file manipulation in system files
- Squiblydoo.blog
  - SolarMarker Bloat
- Trend Micro
- Romain Dumont at ZScaler
  - Technical Analysis of Crytox Ransomware
MISCELLANEOUS
- Marco Raffaelli at Akamai
  - EDR vs. Segmentation: Understanding the Differences
- Erica Mixon at Blumira
  - Incident Detection Engineer Spotlight: Emily Eubanks
- Brett Shavers
- Cado Security
  - Cado Security Now Available in the Microsoft Azure Marketplace
- Cassie Doemel at AboutDFIR
  - AboutDFIR Site Content Update 9/24/22
- Cellebrite
- Shelley Jones and Duc Nguyen at Cloudflare
  - Store and retrieve your logs on R2
- Bret at Cyber Gladius
  - Creating Fun Cybersecurity Tabletop Exercises
- Kali Fencl at DomainTools
  - DomainTools Employee Spotlight – Tracie Winslow
- Flashpoint
  - COURT DOC: USA v. Mansour Ahmadi, Ahmad Khatibi, Amir Hossein Nickaein Ravari
- Forensic Focus
  - The Great Resignation in DFIR
  - Exterro Launches FTK® Suite 7.6 and Gets Evidence Into the Hands of Investigators Faster Than Ever
  - Magnet AUTOMATE Enterprise and How It Can Streamline Workflow for the Corporate World
  - Digital Forensics Key to Preserving the Victim’s Right to Privacy
  - Dan Dollarhide, Sales Engineer, Oxygen Forensics
- Magnet Forensics
- Oxygen Forensics
  - Advanced Analytics: Facial Categorization
- Ashlie Blanca at Palo Alto Networks
  - 7 Tips to Improve Your Existing Incident Response Plan
- Nuris Rodriguez at ADF
  - 3 Reasons Why You Need Police Evidence Management Software
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — September 18 to September 24
- Salvation DATA
  - Investigating the Dark Web: What Law Enforcement Personnel Should Know
- SANS
  - NEW SANS DFIR COURSE | FOR577: LINUX Incident Response & Analysis
- Semperis
  - Protecting Healthcare Organizations from Ransomware Attacks
- Florian Perret at StrangeBee
  - Leveraging TheHive5 notification capabilities (2/2)
- Sumuri
  - macOS & Windows – Apples & Oranges
- The Taggart Institute
  - Python for Defenders, Pt. 1
- John Patzakis at X1
  - The Traditional Workplace is Not Coming Back, with Major Implications for eDiscovery
SOFTWARE UPDATES
- Amped
  - Amped DVRConv Update 25916: New Formats and Codec Variations
- Cado Security
  - Varc Release v1.0.0
- Crowdstrike
  - Falconpy Version 1.2.2
- Didier Stevens
- Elcomsoft
  - Elcomsoft iOS Forensic Toolkit 8.0 brings forensically sound bootloader-based extraction for select iPhone & iPad models
- Eric Zimmerman
  - ChangeLog
- Magnet Forensics
- Metaspike
  - Forensic Email Collector v3.80 Release Notes
- Nir Sofer
  - View the battery history of your laptop with the BatteryHistoryView tool
- Xways
  - X-Ways Forensics 20.7 Preview 1
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!