As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Cado Security
Analysing Docker Images in the Cado Platform - CTF导航
How to build a profile for a “new” kernel version based on volatility2 - DFIR Review
- Digital Forensics Myanmar
- Joseph Moronwi at Digital Investigator
- Elcomsoft
- Forensafe
Investigating File Extension Associations - Haircutfish
- TryHackMe Active Directory Basics — Task 8 Trees, Forests and Trusts & Task 9 Conclusion
- TryHackMe Investigating Windows — Task 1 Investigating Windows
- TryHackMe Windows Forensics 1 — Task 1 Introduction to Windows Forensics & Task 2 Windows…
- TryHackMe Windows Forensics 1 — Task 3 Accessing registry hives offline & Task 4 Data Acquisition
- Mailxaminer
- Email Recovery in Cyber Forensics – A Complete Guide
- Let Us Know How to Conduct Workplace Investigation: Dig In Here!
- Raw Image Digital Forensics – Fight Crimes, Unravel Incidents
- Creating Bookmarks and Reports While Using MailXaminer Tool
- Windows Live Mail Forensics to Search Evidences Inside EML Files
- Outlook PST File into EML Format To Extract Evidence
- Concordance DAT File Format – Save Evidence Report Details
- Know the Difference Between Scanning Document and OCR
- Smartest Way to Perform IncrediMail Mailbox Forensics
- Word Cloud Analysis – Text Data Visual Representation
- Outlook PST File Forensics without Microsoft Outlook Email Client
- Skype Forensic Analysis for In-depth Investigation
- Convert MBOX Emails to PDF – Generate Forensic Evidence for Court
- Proximity, Fuzzy & Stem Search – Advance Search Methods In Digital Forensics
- E01 Forensics – Examining Structure and Storage of E01 Image File Format
- Importance of EnCase LX01 File Format in Digital Forensics Investigation
- A Guide to Recover Deleted Emails from Outlook to Carve Evidence
- Mattia Epifani at Zena Forensics
Sysdiagnose in iOS 16: a first look from a Digital Forensics perspective - Nisarg Suthar
CyberDefenders Write-up: GrabThePhisher - Michał Legin and Janosch Köpper at Open Source DFIR
Find the needle faster with hashR data - Luke Paine and Jonathan Johnson at SpecterOps
The Defender’s Guide to the Windows Registry - Terryn at chocolatecoat4n6
- The DFIR Report
Follina Exploit Leads to Domain Compromise - We are OSINTCurio.us
OSINT in a Metaverse - Yogesh Khatri at ‘Swift Forensics’
Reading OneDrive Logs Part 2
THREAT INTELLIGENCE/HUNTING
- Akamai
DNS Threat Report – Q3 2022 - Anomali
- Ken Towne at AttackIQ
Customizing AttackIQ Scenarios to Validate Text4Shell Protections - Avast Threat Labs
Avast Q3/2022 Threat Report - Bitdefender
Bitdefender Threat Debrief | October 2022 - Blackberry
- RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom
- Cyber Threat Hunting: 2 Powerful Analysis Tools (Video)
- 13 Deadly Sins of APT Incident Response – Part 3
- ChromeLoader Infects the Browser by Loading Malicious Extension
- FBI Warns Poorly Protected VPN Servers Are Under Attack
- Eternity Project MaaS: Watch Time Run Out on Eternity Malware (Video)
- Lawrence Abrams at BleepingComputer
- Brad Duncan at Malware Traffic Analysis
2022-10-31 – IcedID (Bokbot) infection with DarkVNC & Cobalt Strike - CERT-AGID
- Check Point Research
- Aviad Gershon at Checkmarx Security
Researchers Are Poisoning Open-Source Packages. What Should We do? - Cisco’s Talos
- Reza Rafati at Cyberwarzone
A dive into Iranian Hacking Groups - Darktrace
New technique to deliver malicious email payloads: Webmail login portal hidden within Google Translate domain - Dropbox
How we handled a recent phishing incident that targeted Dropbox - Falco
Blog: Monitoring your EKS clusters audit logs - Financial Crimes Enforcement Network
FinCEN Analysis Reveals Ransomware Reporting in BSA Filings Increased Significantly During the Second Half of 2021 - Forcepoint
- Francisco Dominguez at DiabloHorn
Baby steps into MITRE Stix/Taxii, Pandas, Graphs & Jupyter notebooks - Mackenzie Jackson at GitGuardian
Dropbox Suffers Breach From Phishing Attack, Exposing Customer and Employee Emails - Rustam Mirkasymov at Group-IB
OPERA1ER APT in Africa - InfoSec Write-ups
Building a SIEM: centralized logging of all Linux commands with ELK + auditd - Intel471
Intel 471’s Overview of Ransomware Activity Through Q3 2022 - IronNet
Robin Banks still might be robbing your bank (part 2) - Mandiant
Mandiant Cyber Security Forecast 2023 - MDSec
Nighthawk 0.2.1 – Haunting Blue - Microsoft Security
Stopping C2 communications in human-operated ransomware through network protection - Misconfig
- Nasreddine Bencherchali
LOLBINed — Using Kaspersky Endpoint Security “KES” Installer to Execute Arbitrary Commands - Aurelien Chalot at Orange Cyberdefense
Abusing Windows’ tokens to compromise Active Directory without touching LSASS - ORKL
ORKL About - Phylum
Phylum Discovers Dozens More PyPI Packages Attempting to Deliver W4SP Stealer in Ongoing Supply-Chain Attack - Recorded Future
Discovering Exchange Servers: Leveling the Field Using Attack Surface Intelligence - Red Alert
Monthly Threat Actor Group Intelligence Report, September 2022 (KOR) - Red Canary
Why so, ISO? Mark-of-the-Web, explained - ReversingLabs
- SANS Internet Storm Center
- Kristen Cotten at Scythe
SCYTHE Presents: STEEP#MAVERICK: Rename Adobe - Securelist
APT trends report Q3 2022 - Securonix
- Sekoia
BlueFox Stealer: a newcomer designed for traffers teams - Antonio Cocomazzi and Antonio Pirozzi at SentinelLabs
Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor - SOC Fortress
Part 5. Intelligent SIEM Logging - SOCRadar
- Rianna MacLeod at Sucuri
- Sygnia
Incident Response in Google Cloud: Foundations - Brett Wolmarans at Sysdig
Does cloud log management shield you from threats? CloudTrail vs CloudWatch - Team Cymru
Inside the V1 Raccoon Stealer’s Den - Sergio Caltagirone at Threat Intel Academy
CART: The 4 Qualities of Good Threat Intelligence - Brandon McGrath at TrustedSec
- Josh Lemon at Uptycs
Customer Security Advisory: OpenSSL Buffer Overflow Vulnerabilities CVE-2022-3602 and CVE-2022-3786 - Alexey Firsh at VirusTotal
Not a dream job: Hunting for malicious job offers from an APT - WMC Global
Introducing MRWEEBEE
UPCOMING EVENTS
- Arman Gungor at Metaspike
Forensic Email Intelligence 2.0 — Technology Showcase - Black Hills Information Security
Atomic Spotlight: Persistence with Command Process Auto Run Registry Key - Cyborg Security
Threat Hunting Workshop: Hunting for defense evasion - Dawn Capelli, Jim Gilsinn, and Abdulrahman H. Alarmi at Dragos
When Ransomware Strikes: The Impact of Ransomware in Operational Technology Environments - Magnet Forensics
[Air]Tag You’re It! – a look through location artifacts generated by Apple’s AirTag, iOS, and macOS devices within the FindMy application. - SANS
SANS Threat Analysis Rundown (STAR) - Sophos
Sophos Threat Hunting Academy Season 4 registration is now open
PRESENTATIONS/PODCASTS
- Archan Choudhury at BlackPerl
Splunk for Security Analysts Workshop | Splunk101 - Black Hills Information Security
- BHIS – Talkin’ Bout [infosec] News 2022-10-31
- BHIS | Pentester Tactics, Techniques, and Procedures TTPs | Chris Traynor
- AASLR: Hiding Your Malware’s Strings and Imports | Greg Hatcher
- Atomic Spotlight: Persistence with Accessibility Features | Carrie Roberts
- AASLR: Drive Vulnerability Remediation with MS Teams | Ean Meyer
- BHIS | Firmware Enumeration Using Open Source Tools | Paul Asadoorian | 1-Hour
- Breaking Badness
137. Vishing Persons Report - Heather Mahalik at Cellebrite
- How Guardian Can Help Your Investigations From End-To-End
- How to Use UFED Smart Flow For Selective Data Collection
- Physical Analyzer 7.57 Updated Features – Call Logs, Location Data and more
- How to Use Samsung Rubin in Cellebrite Physical Analyzer
- How to Stay Updated On Cellebrite UFED with Release Notes
- How to Streamline Your Digital and Physical Evidence Processes with Cellebrite Guardian
- How to Use Keyword Search In Physical Analyzer To Recover More Artifacts
- Cyberspatial
How I Turn Packet Captures Into Network Maps Instantly With Teleseer (Demo Tutorial) - Digital Forensic Survival Podcast
DFSP # 350 – Linux Fileless Attacks - Forensic Focus
The Historic View of Financial Cybercrime - Hacker Valley Blue
Villages, Unicorns, & the Not-So-Mythical Purple Team with SCYTHE’s Bryson Bort - InfoSec_Bret
QBOT Malware Investigation - Insane Forensics
How To Detect Malicious Network Share Usage With The Windows Event Logs When Threat Hunting - John Dwyer
Let’s talk about scheduled tasks! - Justin Tolman at AccessData
FTK Over the Air Reacts – Episode 2 – Kate Davenport chats about Brett Shavers Comments! - LetsDefend
- Magnet Forensics
- MSAB
XRY in 5 – Apple iOS screen video capture recording - OALabs
The Vitali Metric - Sumuri
How to Image a T2 Mac with RECON ITR Live! - The Defender’s Advantage Podcast
Skills Gap: Finding Your Fit in Cyber
MALWARE
- Any.Run
What is Orcus RAT? Technical Analysis and Malware Configuration - ASEC
- AgentTesla Being Distributed via VBS
- A Case of Malware Infection by the Lazarus Attack Group Disabling Anti-Malware Programs With the BYOVD Technique
- Appleseed Being Distributed to Nuclear Power Plant-Related Companies
- Elbie Ransomware Being Distributed in Korea
- ASEC Weekly Malware Statistics (October 24th, 2022 – October 30th, 2022)
- Surtr Ransomware Being Distributed in Korea
- Avertium
An In-Depth Look at Lorenz Ransomware - Cleafy
The Android Malware’s Journey: From Google Play to banking fraud - CTF导航
- Cyber Geeks
A technical analysis of Pegasus for Android – Part 3 - Cyble
- Doug Burks at Security Onion
Quick Malware Analysis: ICEDID (BOKBOT) with DARK VNC and COBALT STRIKE pcap from 2022-10-31 - Gergely Revay at Fortinet
Tips and Tricks: Using the .NET Obfuscator Against Itself - Gameel Ali
Detect Surtr Ransomware With YARA Rule. - Hex Rays
Plugin focus: HRDevHelper - John Hammond
The King Of Malware is Back - Luke Leal
WordPress Keylogger Injection - Nathan Collier at Malwarebytes Labs
Malware on the Google Play store leads to harmful phishing sites - Palo Alto Networks
- petikvx
- Securelist
- Oleg Boyarchuk, Giovanni Vigna and Stefano Ortolani at VMware Security
ESXi-Targeting Ransomware: Tactics and Techniques (Part 2) - Zhassulan Zhussupov
Malware development: persistence – part 18. Windows Error Reporting. Simple C++ example. - Nipun Gupta at Zimperium
We Smell A RatMilad Android Spyware
MISCELLANEOUS
- Dark Reading
Vitali Kremez Found Dead After Apparent Scuba Diving Accident - 0ut3r Space
Security Roadmap - John Lukach at 4n6ir
Security Event Bus Implementation - Andreas Sfakianakis at ‘Tilting at windmills’
FIRST CTI Symposium 2022 Recap - Belkasoft
Sneak peek of Belkasoft X v.1.15 - Brett Shavers
The truth hurts. But the other option is worse. - Jonathan Munshaw at Cisco’s Talos
Researcher Spotlight: How Azim Khodjibaev went from hunting real-world threats to threats on the dark web - Cyber Threat Intelligence Training Center
OpenC2 Architecture Specification - Paul Bottomley at Cybereason
Machine Timeline Enhancements Improve Investigation Workflows - Cyborg Security
The No-Nonsense Benefits of Threat Hunting - Jess Garcia at DS4N6
[BLOG] ODSC West 2022 – “DS/AI for Incident Response & Threat Hunting with CHRYSALIS & DAISY”, by Jess Garcia - ERMProtect
Using Digital Forensics to Investigate Insider Threats in the Remote Workforce - Flashpoint
COURT DOC: USA v. Daniel Kaye - Grayshift
Reveal by Grayshift Now Generally Available - IntaForensics
Social Media – the Aladdin’s Cave of Defence Evidence - Jesse Spangenberger at ‘Cyber Fenix DFIR & Technology’
Linux: Virtual Machine Tools - Kevin Pagano at Stark 4N6
Forensics StartMe Updates (11/1/2022) - Microsoft Security
The door is open for anyone to become a cyber defender - Troy Lainhoff at Microsoft’s ‘Security, Compliance, and Identity’ Blog
Using Microsoft Security APIs for Incident Response – Part 2 - Vicente Díaz at VirusTotal
Service Accounts are here to help - John Patzakis at X1
Proportionality in eDiscovery is Ideal, but Difficult to Realize Without an Optimized Process
SOFTWARE UPDATES
- AccessData
CodeMeter run-time 7.30 - Brian Maloney
OneDriveExplorer v2022.11.04 - Costas K
MFTBrowser.exe (x64) - Digital Detective
NetAnalysis® v3.3 and HstEx® v5.3 Released - Elcomsoft
Elcomsoft Phone Breaker 10.12: better compatibility, iCloud-related improvements - F-Response
F-Response 8.4.1.3 and Collect 4.1.1.1 Released – Updates to Collect, Classic, and Universal - Alexis Brignoni
iLEAPP v1.18.1 - Alexandre Borges
Malwoverview 5.1.1 - Matt Seyer
aws-snap-io - Nextron Systems
ASGARD 2.14 Release - Oxygen Forensics
Oxygen Forensic® Detective v.15.1 - Paraben Corporation
Digital forensic treats for OSINT investigators with new E3 Forensic Platform version 3.4 Release - Sandfly Security
Sandfly 4.2.3 – OpenSSL CVE-2022-3602 and CVE-2022-3786 Update - Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!