As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Andre Maccarone and John Ailes at Aon
  Amazon Web Services: Exploring the Cost of Exfil
- CERT-SE CTF2022
  CERT-SE CTF2022
- CyberJunnkie
  Incident Response LetsDefend: Detecting Web App attack and detecting persistence
- Forensafe
- Kathryn Hedley
  Windows 11 Time Rules
- Magnet Forensics
  SRUM: Forensic Analysis of Windows System Resource Utilization Monitor
- Carl Purser at OpenText
  Apple property list parsing with EnScript
- Justin Schoenfeld and Zach Diehl at Red Canary
  Cloud coverage: Detecting an email payroll diversion attack
- Samruddhi Raut
  Back to Basics: Windows Registry
- John Scott-Railton, Bill Marczak, Bahr Abdul Razzak, Siena Anstis, Paolo Nigro Herrero, and Ron Deibert at The Citizen Lab
  New Pegasus Spyware Abuses Identified in Mexico
- Alexia Bowie at The Leahy Center for Digital Forensics & Cybersecurity
  Mobile Forensics on Kik Messenger
THREAT INTELLIGENCE/HUNTING
- Akamai
- Anomali
  Anomali Cyber Watch: Canceling Subscription Installs Royal Ransomware, Lazarus Convinces to SSH to Its Servers, Polyglot File Executed Itself as a Different File Type, and More
- APNIC
  Threat Integration: Lessons of indicator and incident exchange
- Arctic Wolf
  Threat Intelligence 101
- Giovanni López, Andres Arrowsmith, Ken Towne, and Jackson Wells at AttackIQ
  Attack Graph Response to US-CERT Alert (AA22-277A): Chinese Threat Actors Steal Sensitive Information from a Defense Industrial Base Organization
- Avertium
  Everything You Need to Know About Bumblebee Malware
- Ben Heater
  Wazuh: Enhancing Zeek Logs with RITA
- Martin Zugec at Bitdefender
  Deep Dive into a Cryptojacking Operation
- Blackberry
- Brad Duncan at Malware Traffic Analysis
  - 2022-10-01 thru 10-03 – 3 days of traffic from scans/probes hitting a web server
  - 2022-09-16 thru 09-30 – 15 days of traffic from scans/probes hitting a web server
  - 2022-09-03 thru 09-15 – 13 days of traffic from scans/probes hitting a web server
  - 2022-09-29 – Qakbot (Qbot) with Cobalt Strike
  - 2022-10-04 – HTML smuggling –> IcedID (Bokbot) –> Cobalt Strike
  - 2022-10-06 – HTML smuggling –> IcedID (Bokbot) –> Cobalt Strike
- Cado Security
  AWS Lambda Incident Response
- CERT-AGID
- Check Point Research
- Jossef Harush at Checkmarx Security
  LofyGang – Software Supply Chain Attackers; Organized, Persistent, and Operating for over a Year
- CISA
- Cisco’s Talos
- Cryptax
  Virus Bulletin 2022 — Day 3
- CTF导航
- Cybereason
- Reza Rafati at Cyberwarzone
- Cyble
- Adam Price at Cyjax
  Cyberattacks on the utilities sector
- Daniel Chronlund
  Sentinel Hunting Query Pack – DCSecurityOperations
- David Krivobokov at Otorio
  GhostSec Now Targeting Iranian ICS in Support of Hijab Protests
- Maor Korkos at Deep Instinct
  AMSI Unchained: How to Unchain the Antimalware Providers and Bypass AMSI
- Joe St Sauver at DomainTools
  Using AXAMD to Read Observations from NOD SIE Ch212 (“Newly Observed Domains”) with Python3
- Dragos
- EclecticIQ
  Killnet Effectively Amplifies Russian Narratives but has Limited DDoS Capabilities
- Esentire
  Russian-Speaking Attacker Exposes Their Toolbox While Attempting to Deploy the Phobos Ransomware to Community College
- Flashpoint
- Florian Roth
  Capturing Detection Ideas to Improve Their Impact
- Bob Rudis at GreyNoise
  A week in the life of a GreyNoise Sensor: The benign view
- Group-IB
- Vishal Garg at InfoSec Write-ups
  Ransomware Attacks — Current Trends and Protection Strategies
- Intel471
  Cyber Underground Marketplace Intelligence: A New Offering from Intel 471 to Help Anticipate Future Threats
- Jamie Collier
  Structured Analytical Techniques for Pragmatists
- Keisuke Shikano at JPCERT/CC
  TSUBAME Report Overflow (Apr-Jun 2022)
- Lacework
  Threat detection and response tools are built on shaky foundations, leaving your cloud workloads at risk
- Luke Leal
  McDonald’s Phishing Page Used to Steal Saudi Payment Data
- Malwarebytes Labs
- Megan Deblois at Mandiant
  Curating Threat Intelligence with Custom Dashboards
- Matt Zorich at Microsoft Sentinel 101
  A picture is worth a thousand words – visualizing your data
- Microsoft 365 Security
- Mark Russinovich and Jeffrey He at Microsoft Azure
  Advancing anomaly detection with AIOps—introducing AiDice
- Microsoft Security
  Detecting and preventing LSASS credential dumping attacks
- MITRE
- Shawn Westfall at Palo Alto Networks
  Threat Brief: CVE-2022-41040 and CVE-2022-41082: Microsoft Exchange Server (ProxyNotShell)
- PhishLabs
  What is Email Spoofing?
- Selena Larson and Daniel Blackford at Proofpoint
  Exploiting COVID-19: how threat actors hijacked a pandemic
- Digvijay Mane at Quick Heal
  Beware: SOVA Android Banking Trojan emerges more powerful with new capabilities
- Rabobank
  DeTTECT v1.7.0
- Red Alert
  Monthly Threat Actor Group Intelligence Report, August 2022 (KOR)
- Will Thomas at SANS
  Cracked Brute Ratel C4 framework proliferates across the cybercriminal underground
- SANS Internet Storm Center
  - Credential Harvesting with Telegram API, (Tue, Oct 4th)
  - More IcedID, (Wed, Oct 5th)
  - Powershell Backdoor with DGA Capability, (Fri, Oct 7th)
  - What is in your Infosec Calendar?, (Thu, Oct 6th)
  - Critical Fortinet Vulnerability Ahead, (Fri, Oct 7th)
  - Wireshark 4.0.0 Released, (Sat, Oct 8th)
  - Sysmon v14.1 Release, (Sat, Oct 8th)
- Securelist
- Secureworks
  2022 State of the Threat: A Year in Review
- Security Intelligence
- Dheeraj Kumar and Ella Dragun at Securonix
  Securonix Threat Labs Monthly Intelligence Insights – September
- Sekoia
  XDR detection engineering at scale: crafting detection rules for SecOps efficiency
- Snyk
- SOC Fortress
- Sonatype
- Joshua Prager and Emily Leidy at SpecterOps
  Prioritization of the Detection Engineering Backlog
- Stephen Johnston at Sucuri
  What is a Malware Attack?
- Sygnia
  Revealing Emperor Dragonfly: Night Sky and Cheerscrypt – A Single Ransomware Group
- Team Cymru
  A Visualizza into Recent IcedID Campaigns
- Teri Radichel
  AWS Credentials in Boto3 and CLI Debug Output
- Trellix
  Evolution of BazarCall Social Engineering Tactics
- Edwin David at TrustedSec
  Common Conditional Access Misconfigurations and Bypasses in Azure
- Roman Kovac at WeLiveSecurity
  ESET Threat Report T2 2022
UPCOMING EVENTS
- Cellebrite
  What You Need to Know Now About macOS 13 and iOS 16
- Huntress
  A Sneak Peek at hack_it 2022
- Magnet Forensics
- SANS
  Make Security a Lifestyle, Not Just a Job
- SANS Institute
  Sharing the Mic in Cyber. A Day of Allyship and Action
PRESENTATIONS/PODCASTS
- Aon
  37: On Aon’s Cyber Threat Hunt with Samantha Billy and Jonathan Rajewski
- ArcPoint Forensics
  Cesar Quezada & Jessica Hyde Present: Missing Pieces
- Black Hills Information Security
- BlueMonkey 4n6
  Necessary skills for a career in DFIR – interview with Derrick Donnelly
- Breaking Badness
  133. A Shot in the Dark Web
- Censys
  Episode Three: The Internet’s Response to Major Vulnerabilities
- Digital Forensic Survival Podcast
  DFSP #346 – Masquerading
- Doug Burks at Security Onion
  Security Onion Conference 2022 recordings are now available!
- Forensic Focus
- Gerald Auger at Simply Cyber
  How to Use Attack Emulation to Find Cybersecurity Control Failure!
- Horangi Cyber Security
  Threat Hunting and Incident Response (Ask A CISO SE02EP35)
- InfoSec_Bret
  End User Submission – Game Demo or Cred Stealer???
- John Hammond
- LetsDefend
  The weekend started for SOC Analysts
- Magnet Forensics
- MalGamy
- Paraben Corporation
  E3 Forensic Platform Overview
- Richard Davis at 13Cubed
  Impacket Impediments – Finding Evil in Event Logs
- Sandfly Security
- SANS
- Semperis
  The Growing Threat of Ransomware as a Service
- The Ransomware Files
  Unproven Data Recovery
- Unallocated Space by ArcPoint Forensics
  UNALLOCATED SPACE S1: EP11 ASK US ANYTHING
- Velocidex Enterprises
MALWARE
- Aaron Jornet
  RecordBreaker
- Alexander Adamov at ‘Malware Research Academy’
  Analysis of Cyberweapons – Ep3: Decompiling WhisperGate’s stage2.exe in dnSpy
- Arda Büyükkaya
- ASEC
  Change in Magniber Ransomware (*.js → *.wsf) – September 28th
- Avast Threat Labs
  Decrypted: MafiaWare666 Ransomware
- CISA Analysis Reports
- Cofense
- CTF导航
- Doug Burks at Security Onion
  Quick Malware Analysis: QAKBOT (QBOT) infection with COBALT STRIKE pcap from 2022-09-29
- Fortinet
- Igor Skochinsky at Hex Rays
  Igor’s tip of the week #109: Hex view text encoding
- David Ledbetter at InQuest
  Hiding in the XML
- Mhidat
  Function Call Obfuscation 101
- Gustavo Palazolo at Netskope
  RedLine Stealer Campaign Abusing Discord via PDF Links
- OALABS Research
  ISFB / GOZI / RM3 Config Extraction
- One Night in Norfolk
  Some Notes on VIRTUALGATE
- Panagiotis Nakoutis
  CTFlearn writeup: RE_verseDIS challenge using Ghidra
- Securelist
- Pedro Tavares at Segurança Informática
  Phishing using PDF viewers impacts users
- Andreas Klopsch at Sophos
  Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse
- Splunk
  Deliver a Strike by Reversing a Badger: Brute Ratel Detection and Analysis
- Stephen Sims
  Using Malware Analysis to Improve Exploitation with Didier Stevens
- Trend Micro
- Rodel Mendrez at Trustwave SpiderLabs
  HTML File Attachments: Still A Threat
- Zhassulan Zhussupov
  Malware development: persistence – part 13. Hijacking uninstall logic for application. Simple C++ example.
- Nipun Gupta at Zimperium
  We Smell A RatMilad Android Spyware
- Shatak Jain and Aditya Sharma at ZScaler
  Analysis of LilithBot Malware and Eternity Threat Group
MISCELLANEOUS
- John Lukach at 4n6ir
  Catching that VPC Flow Log Wave
- Adam at Hexacorn
  Dealing with alert fatigue, Part 2
- Beau Faull
  Microsoft Purview/s — What is the difference?
- Doug Burks at Security Onion
  Sneak Peek at Security Onion 2.4
- Michael Karsyan at Event Log Explorer blog
  Scripting in Event Log Explorer
- LockBoxx
  Cyber Responder’s Dilemma / Fallacy
- Tyler Tracy at Logz.io
  Tips and Tricks for the Small SOC: Part I
- Magnet Forensics
  Have Your Say on The State of Enterprise DFIR
- Mailxaminer
- Markus Schober at Blue Cape Security
  How do you become an expert in DFIR
- Mary Ellen Kennel at ‘What’s A Mennonite Doing In Manhattan?!’
  Hedge Funds: A Unique CyberSecurity Posture
- NixIntel
  Use Python To Automate Your OSINT Reporting
- Carlos Canto at Rapid7
  Velociraptor Version 0.6.6: Multi-Tenant Mode and More Let You Dig Deeper at Scale Like Never Before
- Kevin Gee at Red Canary
  Introducing Linux EDR Response Actions
- Steven Valverde at ADF
  Here Are 3 Tips To Improve Your Digital Image Forensics Skills
- Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — October 2 to October 8
- Salvation DATA
  What are the 8 Types of Digital Evidence?
- SANS
  5 Reasons to Head to Charlotte for SANS DFIRCON 2022
- Victor Santoyo at Sucuri
  How to Secure & Harden Your Joomla! Website in 12 Steps
- The Security Noob
  Interview With DFIR Legend Brett Shavers
- John Patzakis at X1
  Flawed Collection Methods Prevent TAR and Other Applications of Analytics on Social Media Evidence
SOFTWARE UPDATES
- Apache
  Apache Tika – Release 2.5.0 – 09/30/2022
- DFIR-HBG
  v1.0.1 Decrypt cached iOS Memories/MEO
- ExifTool
  ExifTool 12.47
- Fox IT
  dissect
- Hex Rays
  IDA 8.1 released
- k1nd0ne
  VolWeb – v4.0.0-alpha
- Magnet Forensics
  Magnet DVR Examiner 3.2: Improving Your Workflow With New Features
- MALCAT
  New release: 0.8.5
- Manabu Niseki
  Mihari v4.10.0
- MobilEdit
  MOBILedit Forensic 9.0.1 is live with even better Smartwatch and Cloud Forensic
- MSAB
- OpenText
  OpenText Security eliminates digital blind spots with enhanced threat detection, investigation and response capabilities
- WithSecure Labs
  Chainsaw v2.1.1
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!