As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Ali Alwashali at ‘HackDefend Labs’
  - Sysinternals case writeup
- Paul Lorentz at Cellebrite
  - Smart Flow – A super-charged single step for extractions in UFED 7.60
- Domiziana Foti
  - LetsDefend- SOC112 — Traffic to Blacklisted IP
- Doug Metz at Baker Street Forensics
  - Group collections from O365 with PowerShell
- Forensafe
  - Investigating iOS FACEBOOK Messenger
- Haircutfish
- Mohitrajai
  - CyberDefenders: Boss Of The SOC v1
- Oleg Afonin at Elcomsoft
- Oxygen Forensics
  - Import Snapchat My Data Into Oxygen Forensic® Detective
- SANS
  - Updated Windows Forensic Analysis Poster
THREAT INTELLIGENCE/HUNTING
- Anomali
  - Anomali Cyber Watch: URI Fragmentation Used to Stealthily Defraud Holiday Shoppers, Lazarus and BillBug Stick to Their Custom Backdoors, Z-Team Turned Ransomware into Wiper, and More
- Anton Chuvakin
  - Security Incident Response in the Cloud: A Few Ideas
- AT&T Cybersecurity
  - Stories from the SOC – Phishing for credentials
- Avertium
  - An In-Depth Look at the North Korean Threat Actor, ZINC
- BleepingComputer
- BlueteamOps
  - Secedit and I know it!
- Justin Kikani at Blumira
  - Office 365 Audit Log Retention: Why It Matters and Best Practices
- Brad Duncan at Malware Traffic Analysis
  - 2022-11-11 – IcedID (Bokbot) infection with VNC traffic
- BushidoToken
  - Detecting and Fingerprinting Infostealer Malware-as-a-Service platforms
- Censys
  - Where the Weird Things Are – How to Investigate Unusual Internet Artifacts with Censys Search Data
- Center for Internet Security
  - Cyber Threat Actors Evading MOTW for Malware Delivery
- CERT-AGID
  - Summary of the malicious campaigns in the week of 19 – 25 November 2022
- Check Point Research
  - 21st November – Threat Intelligence Report
- Autor at Cloudbrothers
  - AnalyticsRules.Exchange
- CTF导航
- BushidoToken at Curated Intelligence
  - The Difficulties and Dubiousness of Darkweb Data Leaks Sites
- Cybereason
  - THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies
- Reza Rafati at Cyberwarzone
  - Explaining Phishing kits with examples
- Cyble
- Datadog Security Labs
  - Investigating a backdoored PyPi package targeting FastAPI applications
- EclecticIQ
- Ethan Tancredi at Huntress
  - Threat Advisory: Qakbot Activity Is Rising
- Intel471
  - A Product Roadmap for Cybercrime
- Jouni Mikkola at “Threat hunting with hints of incident response”
  - Qakbot
- Julian-Ferdinand Vögele at ‘Fishing the Internet’
  - Threat Hunting as a Proactive Security Measure in the Energy Sector
- Nancy Liu at SDX Central
  - How Leaked Chats Reveal Russian Ransomware Gangs’ Collusion
- Yihua Liao, Ari Azarafrooz, and Yi Zhang at Netskope
  - Detecting Ransomware Using Machine Learning
- Kristopher Russo at Palo Alto Networks
  - Threat Assessment: Luna Moth Callback Phishing Campaign
- Louis Lang at Phylum
  - Disrupting a PyPI Software Supply Chain Threat Actor
- Proofpoint
- Recorded Future
  - From Coercion to Invasion: The Theory and Execution of China’s Cyber Activity in Cross-Strait Relations
- S2W Lab
  - Deep & Dark web User Profiling — Bjorka
- Sandfly Security
  - Linux Stealth Rootkit Process Decloaking Tool Updated
- SANS Internet Storm Center
- Charlotte Hammond at Security Intelligence
  - RansomExx Upgrades to Rust
- Security Scorecard
  - Ransomware Attacks and Remediation Strategies for Financial Institutions
- SOC Fortress
  - Part 7. Firewall Log Collection Made Easy
- SOCRadar
- Joe at Stranded on Pylos
  - Detailing Daily Domain Hunting
- Denis Sinegubko at Sucuri
  - New Wave of SocGholish cid=27x Injections
- Stefano Chierici at Sysdig
  - Analysis on Docker Hub malicious images: Attacks through public container images
- Andre Rall at Uptycs
  - CDR Detection Categories: Why Threat Actors Hate Cloud Detection and Response
- VMware Security
  - Threat Analysis: Active C2 Discovery Using Protocol Emulation Part 4 (Dacls, aka MATA)
UPCOMING EVENTS
- Black Hills Information Security
  - Atomic Spotlight: Defense Evasion with PowerShell Encoded Command
- Microsoft Security
  - Join us at InfoSec Jupyterthon 2022
PRESENTATIONS/PODCASTS
- Amped
  - An Interview in Forensics Talks about Video Evidence
- Arctic Wolf
  - Challenge Accepted Podcast – Mal Who, What, and Where
- Barnaby Skeggs at Mandiant
  - Either you run the day, or the day runs you
- Belkasoft
  - Remote Acquisition Training with Belkasoft
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2022-11-21
- Carlos Diaz
  - SAFIRO – Live Streaming Windows Logs
- Cellebrite
  - Ask the Expert: Live Q and A at the Cellebrite Envisioning Center with Physical Analyzer and UFED Demos
- Cybereason
  - The Russian Business Network
- Digital Forensic Survival Podcast
  - DFSP # 353 – Webshells
- InfoSec_Bret
  - End User Submission – Game or Malware via Discord
- Insane Forensics
  - How To Use Process Hacker to Find Intrusions During Incident Response and Threat Hunting Engagements
- John Dwyer
  - Scheduled Task Analysis with PowerShell!!!
- LetsDefend
  - Alternative Avengers scenario for cybersecurity
- Phylum
  - Phylum Research Roundtable 2022
- Richard Davis at 13Cubed
  - Let’s Talk About MUICache
- RickCenOT
  - Pentesting ICS: openPLC – Attack on your home automation!
- SANS
  - SANS DFIR Summit 2022
- SANS Cyber Defense
- Sumuri
- Tech & Main
  - Heartland Community College, PYSA, Bitsight and KnowB4 | Ryan Chapman
- The Defender’s Advantage Podcast
  - Threat Trends: Reflections on Russian Cyber Threat Activity During the War in Ukraine
MALWARE
- 0verfl0w_ at 0ffset Training Solutions
  - Biweekly Malware Challenge #4: Operation DreamJob
- 4rchib4ld Victory Road
  - Nothing but dotnet when we shoot
- Alexandre Borges at ‘Exploit Reversing’
  - Malware Analysis Series (MAS) – Article 6
- ASEC
  - ASEC Weekly Malware Statistics (November 14th, 2022 – November 20th, 2022)
  - Auto-Publishing and Auto-Reporting Programs for Blog Posts
  - Word Documents Disguised as Normal MS Office URLs Being Distributed
  - Malicious Word Document Being Distributed in Disguise of a News Survey
  - Wiki Ransomware Being Distributed in Korea
  - Koxic Ransomware Being Distributed in Korea
- Jan Rubín at Avast Threat Labs
  - ViperSoftX: Hiding in System Logs and Spreading VenomSoftX
- Mehardeep Singh Sawhney at CloudSEK
  - Technical Analysis of the Eternity Stealer
- Amy Griffiths at Cofense
  - Phishing Attack Targets Microsoft Users Via HTML Attachment
- Cyble
  - Over 2 million users Affected with Browser Hijackers
- Fortinet
  - Ransomware Roundup: Cryptonite Ransomware
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #116: IDA startup files
- Guillaume André and Mickaël Benassouli at Synacktiv
  - A dive into Microsoft Defender for Identity
- Malvuln
  - Conti Ransomware / Crypto Logic Flaw PoC
- Malware Hell
  - DarkCloud Stealer Triage
- Marco Ramilli
  - Is Hagga Threat Actor (ab)using FSociety framework?
- OALABS Research
- Pete Cowman at Hatching
  - Triage Thursday Ep. 90
- Sekoia
  - Aurora: a rising stealer flying under the radar
- Vicente Díaz at VirusTotal
  - From zero to Zanubis
- Lukas Stefanko at WeLiveSecurity
  - Bahamut cybermercenary group targets Android users with fake VPN apps
MISCELLANEOUS
- Cassie Doemel at AboutDFIR
  - AboutDFIR Site Content Update 11/22/22
- Chris Sanders
  - 2022 Holiday Training Sale
- Esentire
  - Incident Response Plans and Tabletop Exercises May Be a Waste of Time
- Forensic Focus
  - Detective Lee Bieber on Digital Forensics Tools for Complex Cases
  - Cellebrite Endpoint Inspector Empowers Organizations With Remote Collection of Workplace Application
  - The Case of Rainbowboy: How the Mobile IT-Forensic Laboratory Helps the German Police to Solve Their Cases Faster
  - Exterro Continues FTK Grant Program in Winter 2022
  - Register for Webinar: When an Android Phone Is All You Have
- Haircutfish
  - TryHackMe Unified Kill Chain Room
- Allie Fick at Lacework
  - Machines won’t replace threat hunters until they master this one skill
- MDSec
  - Nighthawk: With Great Power Comes Great Responsibility
- Joachim Metz at Open Source DFIR
  - Transitioning Forensics Wiki to GitHub
- Grace Chi at Pulsedive
  - Black Friday 2022 Your Way
- Michelle Greenlee at Security Intelligence
  - Emotional Blowback: Dealing With Post-Incident Stress
- Security Scorecard
  - Mobile Device Forensics: Challenges, Threats, & Solutions
- Tim Thorne at Binalyze
  - Protect your chain of custody with content hashing and timestamping
- Jonathan Barrett at Vectra AI
  - Types of Ransomware Attacks & Names to Watch For
- Vikas Singh
  - The UTC Project
- Zain ul Abidin
  - IBM QRadar Community Edition 7.3.3 Installation | Wincollect and Sysmon Configuration
SOFTWARE UPDATES
- AbuseCH
  - ThreatFox
- Atola
  - TaskForce 2022.10: APFS support, better RAID reassembly, Format NVMe
- Belkasoft
  - What’s new in Belkasoft X v.1.15
- Crowdstrike
  - Falconpy Version 1.2.4
- Cyber Triage
  - 3.5 Release – Merging artifacts, viewing source files, and anomalous logons
- GCHQ
  - CyberChef v9.54.0
- Datadog Security Labs
  - GuardDog v0.1.1
- Didier Stevens
  - Update: what-is-new.py Version 0.0.2
- Eric Zimmerman
  - ChangeLog
- ExifTool
  - ExifTool 12.51
- Joachim Schicht
  - Mft2Csv v2.0.0.48
- Manabu Niseki
  - Mihari v4.11.0
- MemProcFS-Analyzer
  - MemProcFS-Analyzer-v0.7
- MISP
  - MISP 2.4.165 released with many improvements, bugs fixed and security fixes.
- Pulsedive
  - Announcing: Pulsedive 6
- Rapid7
  - Velociraptor 0.6.7 Release
- Three Planet Software
  - Apple Cloud Notes Parser v0.10
- Velociraptor
  - Release 0.6.7
- Yamato Security
  - Hayabusa v1.8.1 🦅
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!