As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- CyberJunnkie
  - PrintNightmare: Memory forensics and Network forensics challenge -> Letsdefend
- Derek Eiri
  - Exploring AI Assisted Picture Categorization with Magnet Forensics AXIOM and X-Ways Forensics with Excire, Re: Weapons
- Digital Forensics Myanmar
  - Disk Scan (OR) Low Level Enumeration (FAT File System)
- Erik Hjelmvik at Netresec
  - What is a PCAP file?
- Forensafe
  - Investigating VirtualBox
- Haircutfish
- Harel Segev
  - $I30 Parsers Output False Entries. Here’s Why
- Joshua Hickman at ‘The Binary Hick’
  - That’s No Honey Badger. It’s A Brute Ratel. A Look At BRC4.
- Lina Lau at Inversecos
  - Recovering Cleared Browser History – Chrome Forensics
- Sharma Anurag at Mailxaminer
  - Microsoft Outlook MSG File Analysis Using Proven Solution
  - Know About Forensics Hash Function Algorithm
  - Evidence Search in EMLX File Format Using Digital Forensic Tool
  - Chaos Intellect Forensics – Search for Evidence
  - Live Exchange Forensics – Evidence Examination
  - Hotmail Forensics – Explore the Perfect Tactics
  - DreamMail Forensics – Proven Tactics for Email Investigation
  - Guide on Apple Mail Forensics: Data Storage Analysis
  - KMail Email Forensics – Linux Email Client Insights
  - Perform Email Forensics in Outlook Mac OLM File – A Brief Guide
  - Pocomail Email Forensic Analysis – View Pocomail MBX File
- ParaFlare
  - Windows Shared PC Account Names. A tale of Hot C0ffee and Guest Users
- Rich Plummer
  - Implementing Best Practices in Mobile Device Seizure – Part 1
INCIDENT RESPONSE
- Sumuri
  - Mac Imaging Go Bag Essentials
- Nick Gilberti at TrustedSec
  - A Primer on Cloud Logging for Incident Response
THREAT INTELLIGENCE/HUNTING
- Akamai
- Alex Teixeira
  - A SIEM developer went fishing in the data lake. What happens next?
- Anomali
- Arete
  - Reining in Ransomware
- Blackberry
  - Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries
- BleepingComputer
- Jake Ouellette at Blumira
  - How To Find a User With Their Security ID in Windows
- CERT-AGID
  - Summary of malicious campaigns in the week of 22 – 28 October 2022
- Check Point Research
- Ben Nahorney at Cisco
  - ThreatWise TV: Exploring Recent Incident Response Trends
- Cisco’s Talos
- Coveware
  - Uber Verdict Raises New Risks for Ransom Payments
- CTF导航
- Reza Rafati at Cyberwarzone
  - What are initial access brokers?
- Alana Witten at Cyjax
  - A comprehensive synopsis of 217 subdomain takeover reports
- Darktrace
  - When speedy attacks aren’t enough: Prolonging Quantum Ransomware
- Barry Rellis at DomainTools
  - Crypto Phishing and Credential Stealer Footprint Continues to Expand
- Dragos
- EclecticIQ
  - The Analyst Prompt #20: Attack Against Tata Power Highlights Cyber Risk to India’s Growing and Increasingly Connected Population
- Esentire
  - ChromeLoader Observations on the Rise
- Flashpoint
- Shunichi Imano and James Slaughter at Fortinet
  - Ransomware Roundup: New FBI, Wise Guys, and “Pyschedelic” Ransomware
- Sourav Sen at FourCore
  - EDR: Detections, Bypasses and other Shenanigans
- John Conwell at Gigamon
  - An OSINT Analysis of x509 Certificates, Part Two: Digging Into the SAN
- Nikolay Shelekhov and Said Khamchiev at Group-IB
  - Treasure trove. Alive and well point-of-sale malware
- Md. Abdullah Al Mamun
  - Bypass Browser History by HTML
- Jerry Gamblin
  - CVElk
- Mandiant
  - How to Understand and Action Mandiant’s Intelligence on Information Operations
  - Insider Threat: The Dangers Within
  - Pro-PRC DRAGONBRIDGE Influence Campaign Leverages New TTPs to Aggressively Target U.S. Interests, Including Midterm Elections
  - Cyber Security Forecast 2023 with Sandra Joyce, Mandiant Head of Global Intelligence
- MDSec
  - Autodial(DLL)ing Your Way
- Microsoft Security
- MISP
  - SACTI – Secure aggregation of cyber threat intelligence
- Ross Weisman, Mark E. Haase, and Ingrid Skoog at MITRE-Engenuity
  - Attack Flow — Make Threat-Informed Decisions Based on Steps in a Cyber-Attack
- Cecilia Hu, Tao Yan, Jin Chen and Taojie Wang at Palo Alto Networks
  - Trends in Web Threats in CY Q2 2022: Malicious JavaScript Downloaders Are Evolving
- Praetorian
  - From Self-Hosted GitHub Runner to Self-Hosted Backdoor
- Kristen Cotten at Scythe
  - SCYTHE Presents: STEEP#MAVERICK
- SOCRadar
- Puja Mahendru at Sophos
  - The State of Ransomware in Manufacturing and Production 2022
- Dark Reading
  - CISA: Multiple APT Groups Infiltrate Defense Organization
- Symantec Enterprise
- Crystal Morin at Sysdig
  - Sysdig TRT uncovers massive cryptomining operation leveraging GitHub Actions
- Dolev Taler at Varonis
  - The Logging Dead: Two Event Log Vulnerabilities Haunting Windows
- Takahiro Haruyama at VMware Security
  - Threat Analysis: Active C2 Discovery Using Protocol Emulation Part 3 (ShadowPad)
- WaterISAC
  - Water and Wastewater Cybersecurity Incident Case Studies
UPCOMING EVENTS
- Belkasoft
  - Belkasoft and Semantics 21 webinar: Using Artificial Intelligence (AI) to automatically identify inappropriate media
- Black Hills Information Security
  - Atomic Spotlight: Persistence with Accessibility Features
- Cellebrite
  - Tips and Tricks: Data Collection for Cloud Workplace Applications
- Censys
  - A Live Investigation with Censys Search
- Forensic Focus
  - Register for Webinar: XAMN – The Best Digital Forensic Analysis Solution
PRESENTATIONS/PODCASTS
- Black Hills Information Security
- Breaking Badness
  - 136. TTPS. I Love You
- Digital Forensic Survival Podcast
  - DFSP # 349 – Registry Modification Events
- Forensic Focus
- Hacker Valley Blue
  - Bridging the Gap: The Rise of ‘Purple Teams’
- InfoSec_Bret
  - SA – SOC175-125 – PowerShell Found in Requested URL – Possible CVE-2022-41082 Exploitation
- Insane Forensics
  - How To Threat Hunt for Malicious Account Usage Using the Windows Event Logs
- Justin Tolman at AccessData
  - FTK Feature Focus – Episode 49 – Tracking User Activity Remotely with FTK Enterprise
- LetsDefend
- Magnet Forensics
  - Column Filters in Magnet REVIEW: Quickly Home In on the Evidence That Matters
- Sumuri
  - How to update RECON LAB!
- The Defender’s Advantage Podcast
  - Threat Trends: Inside Google Cloud’s Threat Horizons Report
- VTO
  - VTO’s New Drones and Data Extraction
MALWARE
- Any.Run
  - STRRAT: Malware Analysis of a JAR archive
- Arch Cloud Labs
  - Cryptojacking Campaign Adopts Platypus for C2
- ASEC
  - Amadey Bot Disguised as a Famous Korean Messenger Program Being Distributed
  - ASEC Weekly Malware Statistics (October 10th, 2022 – October 16th, 2022)
  - Rapidly Evolving Magniber Ransomware
  - Analysis on Attack Techniques and Cases Using RDP
  - Qakbot Malware Being Distributed in Korea
  - ASEC Weekly Malware Statistics (October 17th, 2022 – October 23rd, 2022)
  - CoinMiner Being Installed on Vulnerable Apache Tomcat Web Server
  - FormBook Malware Being Distributed as .NET
- Avertium
  - Iranian Cyber Threats – APT42 & HomeLand Justice
- Cofense
  - New Phishing Campaign Leverages Income Tax Refunds
- Mathilde Venault at CrowdStrike
  - Playing Hide-and-Seek with Ransomware, Part 2
- Benoit ANCEL at CSIS TechBlog – Medium
  - Chapter 1 — From Gozi to ISFB: The history of a mythical malware family
- Cyble
- Didier Stevens
  - The Making Of: qa-squeaky-toys.docm
- Docguard
  - LNK file-based Attacks Are on The Rise
- Doug Burks at Security Onion
  - Quick Malware Analysis: ICEDID (BOKBOT) with COBALT STRIKE pcap from 2022-10-17
- Gergely Revay at Fortinet
  - Fake Hungarian Government Email Drops Warzone RAT
- Hex Rays
- OALABS Research
  - BitRat Exposed
- Mark Lim at Palo Alto Networks
  - Defeating Guloader Anti-Analysis Technique
- Pete Cowman at Hatching
  - Triage Thursday Ep. 88
- petikvx
  - Unpacking ASPack with x64dbg
- Ryan Cornateanu
  - Hardware Trojans Under a Microscope
- Lee Sebin & Shin Yeongjae at S2W Lab
  - Unveil the evolution of Kimsuky targeting Android devices with newly discovered mobile malware
- SANS Internet Storm Center
- Sonatype
  - This Week in Malware – Over 70 Packages Discovered
- ThreatFabric
  - Malware wars: the attack of the droppers
- Tony Lambert
  - Malware Weight Loss the Fast Way with Foremost
- Trend Micro
  - LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company
  - From Bounty to Exploit: Observations About Cybercriminal Contests
  - Addressing Ransomware in Hospitals & Medical Devices
  - Threat Actors Target AWS EC2 Workloads to Steal Credentials
  - Where is the Origin?: QAKBOT Uses Valid Code Signing
- Jason Reaves at Walmart
  - Brute Ratel Config Decoding update
- Zhassulan Zhussupov
  - APT techniques: Token theft via UpdateProcThreadAttribute. Simple C++ example.
MISCELLANEOUS
- Jessica Hyde at Hexordia
  - Resources to Skill Up and Collaborate in DFIR
- Arctic Wolf
  - 10 Most Common Types of Malware Attacks
- Breakpoint Forensics
  - FileSifter
- Cellebrite
  - How Device Backlogs and Lack of Digital Forensic Expertise is Causing Law Enforcement to Outsource Digital Forensics
- Magnet Forensics
  - The Right Tools for Efficient Client Investigations
- Sharma Anurag at Mailxaminer
  - Know About Need of Digital Forensics in the Emerging IoT World
- Bill Cozens at Malwarebytes Labs
  - An interview with cyber threat hunter Hiep Hinh
- MSAB
  - Interim Report Q3 2022
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — October 23 to October 29
- Sandfly Security
  - Sandfly Security Code Audit and Continuous Monitoring
- SANS
  - Geolocation Resources for OSINT Investigations
- SOC Fortress
  - Part 4. Wazuh Agent Install — Endpoint Monitoring
- Stephen Johnston at Sucuri
  - Malware vs Virus: What’s the Difference?
- Xavier Mertens at /dev/random
  - CTI-Summit 2022 Luxembourg Wrap-Up
SOFTWARE UPDATES
- Amped
  - Amped Replay Update 26089: Improved Decoding Performance, Custom Interpolation Method, Aligning Annotations and More!
- ANSSI
  - DFIR-ORC v10.1.4
- Alexander Taylor at Binary Ninja
  - 3.2 Release
- Didier Stevens
  - Update: byte-stats.py Version 0.0.9
- Doug Burks at Security Onion
  - Security Onion 2.3.181 Now Available!
- Eric Zimmerman
  - ChangeLog
- GadgetInspector
  - Argus
- Magnet Forensics
- Mente Binária
  - retoolkit 2022.10
- Passware
  - Passware Kit 2022 v4 Now Available
- RealityNet
  - Android Triage 1.5
- Velociraptor
  - Release 0.6.7 RC1
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!