As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Krzysztof Gajewski at CyberDefNerd
  - The $MFT flag that you have never considered before – OneDrive not synchronized files.
- Mohamed Labib at DetectiveStrings
  - May svchosts guid you
- Domiziana Foti
  - LetsDefend – SOC 175 – PowerShell Found in Requested URL – Microsoft Exchange Server…
- Forensafe
  - Investigating FileZilla
- Fox-IT
  - I’m in your hypervisor, collecting your evidence
- InfoSec Write-ups
  - Pylirt — Python Linux Incident Response Toolkit
- Md. Abdullah Al Mamun
  - My Recent Forensic Investigation Project
- Théo Letailleur at Synacktiv
  - Legitimate RATs: a comprehensive forensic analysis of the usual suspects
- Magnet Forensics
  - Pre-processing and Acquiring User Data in Microsoft 365
- Sharma Anurag at Mailxaminer
  - ZIP File Forensics – Analyze & Extract Digital Evidence from Archive
- Muhammed Aygün
  - Event Log Analysis
THREAT INTELLIGENCE/HUNTING
- Anomali
  - Anomali Cyber Watch: Ransom Cartel Uses DPAPI Dumping, Unknown China-Sponsored Group Targeted Telecommunications, Alchimist C2 Framework Targets Multiple Operating Systems, and More
- AT&T Cybersecurity
  - Stories from the SOC: Feeling so foolish – SocGholish drive by compromise
- Avertium
  - An In-Depth Look at Russian Threat Actor, Killnet
- Ben Heater
  - Threat Hunting with FleetDM and Osquery
- Andrei Pisau at Bitdefender
  - Effective Fraud Detection and Prevention with Threat Intelligence
- Lawrence Abrams at BleepingComputer
  - TommyLeaks and SchoolBoys: Two sides of the same ransomware gang
- Jake Ouellette at Blumira
  - Event ID 4732: The Case of the Missing Username
- Brad Duncan at Malware Traffic Analysis
  - 2022-10-17 – IcedID (Bokbot) infection with Cobalt Strike
- CERT Ukraine
  - Cyberattack on Ukrainian state organizations using the RomCom malware. Possible involvement of Cuba Ransomware aka Tropical Scorpius aka UNC2596 (CERT-UA#5509)
- CERT-AGID
  - Summary of malicious campaigns in the week of 15 – 21 October 2022
- Check Point Research
  - 17th October – Threat Intelligence Report
- CISA
  - AA22-294A: #StopRansomware: Daixin Team
- Cisco’s Talos
- Cobalt Strike Research and Development
  - Out Of Band Update: Cobalt Strike 4.7.2
- CTF导航
- Cybereason
  - THREAT ANALYSIS REPORT: DLL Side-Loading Widely (Ab)Used
- Cyble
- Cyborg Security
  - Venus Ransomware
- Darktrace
  - Growing your onion: AutoIt malware in the Darktrace kill chain
- Dragos
- Eclypsium
  - Firmware Attacks: An Endpoint Timeline
- Elastic
  - Sneak Peek: Elastic’s 2022 Global Threat Report
- Cara Lin at Fortinet
  - Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability
- John Conwell at Gigamon
  - An OSINT Analysis of x509 Certificates, Part One: Something Seems Phishy
- GreyNoise
  - Observing Industrial Control System (ICS) protocols with GreyNoise
- Group-IB
- Heresh Zaremand at Truesec
  - Fortinet CVE-2022-40684 Vulnerability From an Incident Response Perspective
- Intel471
  - Pro-Russian Hacktivism and Its Role in the War in Ukraine
- JFrog
  - JFrog’s Advanced Security Scanners Discovered Thousands of Publicly Exposed API Tokens – And They’re Active
- John Hammond
  - How Hackers Hide
- Maggie MacAlpine and Mike Cunningham at MITRE-Engenuity
  - Call for Participation: Sightings Ecosystem
- Malwarebytes Labs
  - Winnti APT group docks in Sri Lanka for new campaign
- Mandiant
- Microsoft 365 Security
- Microsoft Security
  - Defenders beware: A case for post-ransomware investigations
- Orange Tsai at Devcore
  - A New Attack Surface on MS Exchange Part 4 – ProxyRelay!
- Zhanhao Chen, Daiping Liu, Wanjin Li and Fan Fei at Palo Alto Networks
  - Detecting Emerging Network Threats From Newly Observed Domains
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, August 2022 (ENG)
- Red Canary
- SANS Internet Storm Center
  - Fileless Powershell Dropper (Mon, Oct 17th)
  - Python Obfuscation for Dummies (Tue, Oct 18th)
  - Are Internet Scanning Services Good or Bad for You? (Wed, Oct 19th)
  - Forensic Value of Prefetch (Thu, Oct 20th)
  - sczriptzzbn inject pushes malware for NetSupport RAT (Fri, Oct 21st)
  - Video: PNG Analysis (Sun, Oct 23rd)
  - rtfdump’s Find Option (Sat, Oct 22nd)
- Scythe
- Kurt Baumgartner and Georgy Kucherin at Securelist
  - DiceyF deploys GamePlayerFramework in online casino development studio
- Matt Dunn at Security Intelligence
  - How an Attacker Can Achieve Persistence in Google Cloud Platform (GCP) with Cloud Shell
- Aleksandar Milenkoski & Gijs Rijnders at SentinelOne
  - Ransoms Without Ransomware, Data Corruption and Other New Tactics in Cyber Extortion
- SOCRadar
- Sean Gallagher at Sophos
  - Sophos X-Ops finds Attackers Using Covert Channels in Backdoor Against Devices
- Alessandro Brucato at Sysdig
  - Detecting and mitigating CVE-2022-42889 a.k.a. Text4shell
- Tomer Bar at Safebreach
  - SafeBreach Labs Researchers Uncover New Fully Undetectable PowerShell Backdoor
- Bernard Bautista and Diana Lopera at Trustwave SpiderLabs
  - Archive Sidestepping: Emotet Botnet Pushing Self-Unlocking Password-Protected RAR
- Zac Szewczyk
  - Cybersecurity Tools & Resources
UPCOMING EVENTS
- Cellebrite
  - iOS 16 – A Walkthrough of Collecting and Analyzing iOS 16 devices
- Cyborg Security
  - Threat hunting workshop: hunting for defense evasion
- Griffeye
  - Webinar: Introducing CyberTip ONE
- MSAB
  - Digital Forensic Analysis with XAMN
PRESENTATIONS/PODCASTS
- Shelby Perry at Active Countermeasures
  - Threat Hunting Shorts – Collecting The Right Data – Video Blogs
- ArcPoint Forensics
  - UNALLOCATED SPACE S1: EP12 DAVE GONZALEZ
- Black Hills Information Security
- BlueMonkey 4n6
  - Bootable Windows environment for forensics – WinFE
- Breaking Badness
  - 135. Raspberry Pi in the Sky
- Bsides
  - BSides Portland 2022
- Curated Intelligence
  - REvil Ransomware on Darknet Diaries
- DEFCON
  - DEF CON 30 – Cesare Pizzi – Old Malware, New tools: Ghidra and Commodore 64
- Digital Forensic Survival Podcast
  - DFSP # 348 – Root Cause
- InfoSec_Bret
  - DFIR – Windows Forensics – Part 2
- Justin Tolman at AccessData
  - Breaking down Forensics in Zoolander
- LetsDefend
  - Getting Started to become a SOC Analyst
- LockBoxx
  - Bootcamp #26: Modern Infosec Shows
- Magnet Forensics
  - Pre-processing and Acquiring User Data in Microsoft 365
- The Defender’s Advantage Podcast
  - Skills Gap: More Than a Resume
- Thomas Roccia
  - Practical Threat Intelligence
MALWARE
- Arch Cloud Labs
  - Bash Dropper Tricks with Curl
- ASEC
- Check Point Research
  - Black Basta and the Unnoticed Delivery
- CISA
  - 10398871-1.v2 Zimbra October Update
- Doug Burks at Security Onion
  - Quick Malware Analysis: BB02 QAKBOT (QBOT) pcap from 2022-10-14
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #111: IDA Keyboard Shortcuts cheat sheet
- McAfee Labs
  - New Malicious Clicker found in apps installed by 20M+ users
- petikvx
- Sila Ozeren at Picus Security
  - SolidBit Ransomware Targets Gamers and Social Media Users
- Tejaswini Sandapolla at Quick Heal
- Rio Sherri at Security Intelligence
  - Analysis of a Remote Code Execution (RCE) Vulnerability in Cobalt Strike 4.7.1
- Sonatype
  - This Week in Malware – Nearly 40 Packages Discovered
- Splunk
  - Dark Crystal RAT Agent Deep Dive
- Ben Martin at Sucuri
  - Wordfence Evasion Malware Conceals Backdoors
- Symantec Enterprise
- Tony Lambert
  - Bad Guys Hate This Trick for Malware Weight Loss!
- Sunil Bharti at Trend Micro
  - TeamTNT Returns – or Does It?
- Lukas Stefanko at WeLiveSecurity
  - Domestic Kitten campaign spying on Iranian citizens with new FurBall malware
- Zhassulan Zhussupov
  - Malware development: persistence – part 16. Cryptography Registry Keys. Simple C++ example.
MISCELLANEOUS
- Anton Chuvakin
- Jordan Bowen at Cado Security
  - Investigating Tanium Live Response collections in the Cado platform
- Cyborg Security
  - Threat Hunting Interview Questions: The Top 10 for 2022!
- Forensic Focus
  - 2022 Q3 MD-Series Release Note Highlights
  - An In-Depth Conversation on Digital Forensics Training and Certification
  - Register for Webinar: Binalyze AIR 3.0 Cloud Forensics
  - Karan Dwivedi, Security Engineering Manager, Google
  - Detego Would’ve Been Ideal in My Previous Role: A Former Law Enforcement Professional’s Perspective
  - Expand Your Knowledge with Oxygen Forensics Training Courses
- Gina Scaldaferri at Cellebrite
  - CCRS – Cellebrite Certified Recovery Specialist Certification
- Sharma Anurag at Mailxaminer
  - What is Digital Forensics and How is it Used in Investigations?
- Jeffry Gunawan at MII Cyber Security
  - Microsoft Defender For Endpoint Article Series: Simulate Attack with Atomic Red Team
- Ryan Campbell at ‘Security Soup’
SOFTWARE UPDATES
- Alexis Brignoni
  - ALEAPP v3.1.1
- Cado Security
  - Cado Security Continues its Innovation with Launch of Cado varc Volatile Artifact Collector Tool
- Didier Stevens
  - Update: rtfdump.py Version 0.0.12
- Doug Burks at Security Onion
  - Security Onion 2.3.180 now available including Elastic 8.4.3, Suricata 6.0.8, Zeek 5.0.2, and new and improved Sysmon dashboards!
- Eric Zimmerman
  - ChangeLog
- ExifTool
  - ExifTool 12.49
- Federico Lagrasta
  - PersistenceSniper v1.7.1
- Foxton Forensics
  - Browser History Examiner — Version History – Version 1.18.0
- Hayabusa by Yamato Security
  - v1.7.2 🦅
- Alexis Brignoni
  - iLEAPP v1.18.0
- IntelOwl
  - v4.1.1
- Magnet Forensics’
- Metaspike
  - Forensic Email Collector v3.81 Release Notes
- RAB301000001C3
  - Pcapextract
- SpecterOps
  - Ghostwriter v3.1 Now Available
- StrangeBee
  - Cortex-Analyzers – release 3.2
- WithSecure Labs
  - Chainsaw v2.2.0
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!