As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Chris Vance at ‘D20 Forensics’
- Kevin Pagano at DFIR Review
Turbo Speed: Parsing Device Health Services from Google - Domiziana Foti
SOC167 — LS Command Detected in Requested URL — Letsdefend.io - Ahmad Muneeb and Muhammad Jasim Waqar at Ebryx
Organized ATM Jackpotting - Forensafe
Investigating Slack for Windows - ForensicXlab
📦 Volatility3 Windows Plugin: AnyDesk - Microsoft’s ‘Security, Compliance, and Identity’ Blog
Forensic artifacts in Office 365 and where to find them - OpenText
- Oxygen Forensics
Location Data: Parsing Semantic Location History in Google Takeout - Rich Plummer
Basic Concepts in Mobile Device Forensics – Part 2 - The DFIR Report
BumbleBee: Round Two - The Security Noob.
[DFIR TOOLS] bstrings, what is it & how to use! - Tyler Williams at Securonix
Insider Threat Case Study [Misaligned Saboteur]: Hacker Leaks Offensive Security Software Data
THREAT INTELLIGENCE/HUNTING
- ProxyNotShell
- Warning: New Attack Campaign Utilized A New 0-day Rce Vulnerability On Microsoft Exchange Server
- Zero-Day Vulnerabilities Found in Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082)
- Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server
- Zero-Day Vulnerability – Microsoft Exchange
- ProxyNotShell— the story of the claimed zero day in Microsoft Exchange
- Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
- Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
- Exchange Server 0-Day Actively Exploited, (Fri, Sep 30th)
- Akamai
- Anomali
Anomali Cyber Watch: Sandworm Uses HTML Smuggling and Commodity RATs, BlackCat Ransomware Adds New Features, Domain Shadowing Is Rarely Detected, and More - Antonio Piazza
Jumping Over the Gate - Simar Singh at Aqua
Triaging Trivy AWS Alerts with Postee and AWS Security Hub - Arctic Wolf
1H 2022 Incident Response Insights from Arctic Wolf Labs - AT&T Cybersecurity
Stories from the SOC – C2 over port 22 - Avertium
An In-Depth Look at APT35 aka Charming Kitten - Bitdefender
- Hector Diaz at Blackberry
H0lyGh0st Ransomware: Watch This Unholy Threat “Meet Its Maker” (Video) - BushidoToken
Brute Ratel cracked and shared across the Cybercriminal Underground - CERT Ukraine
On urgent cyber defense measures - Check Point Software
Hacker Groups take to Telegram, Signal and Darkweb to assist Protestors in Iran - Cisco’s Talos
- Cluster25
In the footsteps of the Fancy Bear: PowerPoint mouse-over event abused to deliver Graphite implants - Corelight
Detecting the Manjusaka C2 framework - CrowdStrike
- Cyberknow
Optus Data Breach Timeline - Dr. Robert Ames at Security Scorecard
Extortion and Adaptability: Ransomware Motives Remain Consistent as Tactics Change - EclecticIQ
- Esentire
Popular Info-Stealing Malware, SolarMarker, is Using Watering Hole Attacks and Fake Chrome Browser Updates to Infect Business Professionals, Warns eSentire - Follow The White Rabbit
[Euskalhack V]: Pentest Active Directory Rocks! Part III - Shunichi Imano and James Slaughter at Fortinet
Ransomware Roundup: Bisamware and Chile Locker - FourCore
Ryuk Ransomware: History, Timeline, and Adversary Simulation - Pavle Culum and Roman Kroshinsky at Gigamon
Investigating Web Shells - GreyNoise
How GreyNoise tags get created and how to use them - Hornet Security
New survey: Ransomware attacks continue to rise: 20% of all reported attacks occurred in the last 12 months - Nico Agnese, Vikas Parthasarathy, Joao Santos, Adam Sell, and Inna Vasilyeva at Human Security
Poseidon’s Offspring: Charybdis and Scylla - Frank Block at Insinuator
Some experiments with Process Hollowing - John Fokker at Trellix
Dismantling a Prolific Cybercriminal Empire: REvil Arrests and Reemergence - Journey Notes
- Tyler Tracy at Logz.io
Mind the Overspray – Password Spraying Remains a Major Threat - Mandiant
- Michael Haag
Follina for Protocol Handlers - Microsoft Security
ZINC weaponizing open-source software - Moath Maharmeh
Ransomware: Detect & Respond - NCC Group
- Mayuresh Dani at Qualys
Qualys Threat Research Thursday - SANS Internet Storm Center
- Scythe
- mr.d0x
Phishing With Chromium’s Application Mode - Charlie Clark at Semperis
New Attack Paths? AS Requested Service Tickets - Puja Mahendru at Sophos
The State of Ransomware in State and Local Government 2022 - Jared Atkinson at SpecterOps
On Detection: Tactical to Functional – Part 7: Synonyms - Sucuri
- Symantec Enterprise
Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East - Michael Clark at Sysdig
Sysdig 2022 Threat Report: Cloud-native threats are increasing and maturing - Team Cymru
Seychelles, Seychelles, on the C(2) Shore - Clément Notin at Tenable
Decrypt “encrypted stub data” in Wireshark - Teri Radichel
VPC Flow Logs Governance - Vicente Díaz at VirusTotal
VT Collections: citius, altius, fortius – communiter - Giovanni Vigna at VMware Security
ESXi-Targeting Ransomware: The Threats That Are After Your Virtual Machines (Part 1)
UPCOMING EVENTS
- Chris Brenton at Active Countermeasures
Cyber Threat Hunting Level 1 | Chris Brenton | Tuesday October 4th, 2022 | 6-Hours - Cybereason
Webinar October 18th 2022: The True Cost of Ransomware – Evaluating Risk and How to Avoid Attacks - Gerald Auger at Simply Cyber
- Pavel Yosifovich
Next Windows Internals Training - Recon InfoSec
Thursday Defensive - SANS Institute
- Magnet Forensics
PRESENTATIONS/PODCASTS
- Chris Brenton at Active Countermeasures
Threat Hunting Shorts – External Target Investigation – Video Blogs - AhmedS Kasmani
Racoon Stealer V2 Malware Analysis - Alexander Adamov at ‘Malware Research Academy’
- ArcPoint Forensics
UNALLOCATED SPACE S1: EP11 ASK US ANYTHING - Black Hills Information Security
- BHIS – Talkin’ Bout [infosec] News 2022-10-03
- BHIS – Talkin’ Bout [infosec] News 2022-09-26
- Constrained Language Mode Bypass When __PSLockDownPolicy Is Used
- AASLR: Job Hunting Like a Hacker with Jason Blanchard
- AASLR: Cyber Range Challenge Walkthrough/Solutions w/ Serena
- Why You Really Need to Stop Disabling UAC
- Chris Stanko at Data Rescue Labs Inc.
Forensic tools and iOS 16 - Dark Mode
Demystifying ransomware leaks and data extortion on the dark web – James Hammond - Digital Forensic Survival Podcast
DFSP # 345 – AutoRuns - Down the Security Rabbithole Podcast
DtSR Episode 519 – Insights From an Industry Leader - Erik Hjelmvik at Netresec
Hunting for C2 Traffic - Fleet
Future of device management episode 6 - Gerald Auger at Simply Cyber
Want to See Blackmatter Ransomware Group in Action? 🔥 - InfoSec_Bret
Malware Analysis – Suspicious Browser Extension - Insane Forensics
How to Threat Hunt For Wireless Network Compromise - MalGamy
- Malwarebytes Labs
Calling in the ransomware negotiator, with Kurtis Minder: Lock and Code S03E20 - Magnet Forensics
Roundtable: How Can We Share Digital Evidence Most Effectively? - OALabs
Process Memory Basics for Reverse Engineers – Tracking Memory With A Debugger [ Patreon Unlocked ] - RickCenOT
Pentesting Industrial Control Systems Workshop - SANS Institute
Announcing 2022 SANS Difference Makers Awards - StealthBay
Podcast Episode 4 – Lets talk about Defcon - Sumuri
How to use StoryBoard in RECON LAB! - The Defender’s Advantage Podcast
Threat Trends: Metador, Mercenaries, and LABScon with SentinelOne
MALWARE
- Any.Run
How to Do Malware Analysis. Infographic - ASEC
- Ayedaemon
Fun with Master Boot Record - CISA Analysis Reports
- Anandeshwar Unnikrishnan at CloudSEK
Technical Analysis of MedusaLocker Ransomware - Cyber Geeks
A technical analysis of Pegasus for Android – Part 2 - Bret at Cyber Gladius
LetsDefend’s Malware Analysis: Suspicious Browser Extension Walk-Through - Cyble
- Didier Stevens
Taking A Look At PNG Files with pngdump.py Beta Version 0.0.3 - Igor Skochinsky at Hex Rays
Igor’s tip of the week #108: Raw memory accesses in pseudocode - John Hammond
PowerShell – Observing Inline C# Compilation with Add-Type - Lumen
Chaos is a Go-based Swiss army knife of malware - Muhammad Hasan Ali at muha2xmad
Technical analysis of Alien android malware - Palo Alto Networks
- Pete Cowman at Hatching
Triage Thursday Ep. 87 - John deGruyter at SANS
Emulate Shellcode with Radare2 - Securelist
- Securonix
Securonix Threat Labs Security Advisory: Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors - Dinesh Devadoss and Phil Stokes at SentinelOne
Lazarus ‘Operation In(ter)ception’ Targets macOS Users Dreaming of Jobs in Crypto - Sonatype
This Week in Malware – 135 Packages Target npm and PyPI Registries - Squiblydoo
Solarmarker: The Old is New - Vlad at ‘Слава Україні — Героям Слава!’
.bl00dy ransomware [EN] - Jason Reaves and Jonathan McCay at Walmart
Diavol resurfaces - Peter Kálnai at WeLiveSecurity
Amazon themed campaigns of Lazarus in the Netherlands and Belgium - Yoroi
Dissecting BlueSky Ransomware Payload - Zhassulan Zhussupov
- Niraj Shivtarkar and Avinash Kumar at ZScaler
Agent Tesla RAT Delivered by Quantum Builder With New TTPs
MISCELLANEOUS
- Andrew Rathbun and Eric Zimmerman
EZ Tools Manuals - 0ut3r Space
Downloading big files from Tor - 4Discovery
Digital Forensics Doesn’t Need To Be Scary - Wolfgang Sommergut at 4sysops
Configuring Defender Antivirus: Exclusions, real-time protection, scans, and remediations - Adam at Hexacorn
Dealing with alert fatigue, Part 1 - Alexander Giles at EC-Council
Why I Recommend the Certified Incident Handler Certification (E|CIH) - Jonathan Nguyen at AWS Security
How to automatically build forensic kernel modules for Amazon Linux EC2 instances - Brett Shavers
- Martin Lee and Richard Archdeacon at Cisco
Cyber Insurance and the Attribution Conundrum - Cryptax
- Derek Eiri
Byte-sized Training - Tim Helming at DomainTools
We Need More Roads Into Infosec - Sam Wilson at Dragos
Updates to the Dragos Platform – Growing Together As We Defend OT Environments Globally - Forensic Focus
- Kelvin Tegelaar at CyberDrain
Monitoring with PowerShell: Monitoring VSS snapshot availability - Kevin Pagano at Stark 4N6
Forensics StartMe Updates (10/1/2022) - Magnet Forensics
Collecting Box.com Activity in Magnet AXIOM Cyber - Russ Taylor at Hats Off Security
PowerShell Basic Introduction (Security Version) - Ryan Campbell at ‘Security Soup’
Weekly News Roundup — September 25 to October 1 - SANS
- The Security Noob.
Interview with Krzysztof (Chris) Stanko ‘The Forensic Guy’, a Mobile & Computer Forensic Examiner and co-founder of Data Rescue Labs inc - Chris LaFleur at Trend Micro
Incident Response Services & Playbooks Guide - TrustedSec
- Andy Gill at ZeroSec
ZTH-CH4: Hook & Sling – Phishing For Gold
SOFTWARE UPDATES
- ANSSI
DFIR-ORC v10.1.3 - Cado Security
varc release v1.0.5 - Cyber Triage
Cyber Triage 3.4.0 New Release - daem0nc0re
ProcMemScan - Didier Stevens
Update: rtfdump.py Version 0.0.11 - Doug Burks at Security Onion
Security Onion 2.3.170 now available including Elastic 8.4.1, Zeek 4.0.9, and more! - ExifTool
ExifTool 12.46 – “Write WEBP” - Hasherezade
PE-Bear v0.6.1 - Manabu Niseki
Mihari v4.9.0 - Metaspike
Forensic Email Collector (FEC) Changelog – 3.80.3.1 - MISP
MISP 2.4.163 released with improved periodic notification system and many improvements - Open Source DFIR
Plaso 20220930 released - OSForensics
V10.0 Build 1004 27th September 2022 - Securizame
We have published a new version of Wintriage: v.18092022 - Ulf Frisk
MemProcFS Version 5.1 - Xways
X-Ways Forensics 20.7 Preview 2 - Yamato Security
Hayabusa v1.7.0 🦅
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!