As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- CTF导航
  - Cyberdefenders Blue Team – Malware Traffic Analysis 3
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - Weird Science
- Forensafe
  - Investigating Windows Kaspersky Antivirus
- Howard Oakley at ‘The Eclectic Light Company’
  - Rolling logs and anti-malware scans
- Jason Wilkins at ‘Noob to Pro Forensics’
  - Drive Geometry, File Systems, and How Criminals Hide Data
- Joe T. Sylve, Ph.D.
  - 2022 APFS Advent Challenge Day 13 – Data Streams
  - 2022 APFS Advent Challenge Day 14 – Sealed Volumes
  - 2022 APFS Advent Challenge Day 15 – Keybags
  - 2022 APFS Advent Challenge Day 16 – Wrapped Keys
  - 2022 APFS Advent Challenge Day 17 – Blazingly Fast Checksums with SIMD
  - Update: Blazingly Fast-er SIMD Checksums
- Kyle Song
  - Phone Scam Series: USB Modem with Asterisk Analysis and Visualize artifacts
- Magnet Forensics
  - Free Digital Forensics Tools Every Investigator Needs
- Matt Muir at Cado Security
  - Kiss-a-Dog Discovered Utilizing a 20-Year-Old Process Hider
- Maxim Suhanov
  - Do researchers handle exFAT volumes correctly?
- MuSecTech
  - Copying Files For Forensic Collection
THREAT INTELLIGENCE/HUNTING
- Adrian at ‘Agood cloud’
- Anastasios Pingios
  - OSINT: A Summary of SIDEWINDER Operations in 2022
- James Liolios at Arctic Wolf
  - New Microsoft Exchange Exploit Chain via “OWASSRF” Leads to RCE
- Atomic Matryoshka
  - Mimikatz 101
- Francis Guibernau and Ken Towne at AttackIQ
- Brad Duncan at Malware Traffic Analysis
- CERT-AGID
- Check Point Research
  - 19th December – Threat Intelligence Report
- Vanja Svajcer at Cisco’s Talos
  - Threat Spotlight: XLLing in Excel – threat actors using malicious add-ins
- Cofense
  - Microsoft Customer Voice URLs Used In Latest Phishing Campaign
- Cyberknow
  - Update 21. 2022 Russia-Ukraine War — Cyber Group Tracker. December 19
- DCSO CyTec
  - APT41 — The spy who failed to encrypt me
- DeTTECT
  - v1.8.0
- Gameel Ali
  - Detect Nokoyawa ransomware With YARA Rule
- Artem Grischenko at Group-IB
  - Godfather: A banking Trojan that is impossible to refuse
- Haircutfish
  - TryHackMe Snort — Task 4 First Interaction with Snort, Task 5 Operation Mode 1: Sniffer Mode, &…
  - TryHackMe Snort — Task 7 Operation Mode 3: IDS/IPS & Task 8 Operation Mode 4: PCAP Investigation
  - TryHackMe Snort — Task 9 Snort Rule Structure, Task 10 Snort2 Operation Logic: Points to Remember…
  - PowerShell Provider Cmdlets Student Assignment From Introduction to Windows PowerShell 5.1 on Udemy
  - TryHackMe Snort Challenge — The Basics — Task 1 Introduction, Task 2 Writing IDS Rules (HTTP), &…
- Patrick Schläpfer at HP Wolf Security
  - Chinese Phishing Campaign Abuses QR Codes to Steal Credit Card Details
- Josh Allman at Huntress
  - Using Shodan Images to Hunt Down Ransomware Groups
- InfoSec Write-ups
- Intrusion Truth
  - No-limits relationship? China’s state hackers scoop up intelligence on Ukraine… and Russia
- Magnet Forensics
  - Researching FORCEDENTRY: Detecting the Exploit With No Samples
- Jérôme Segura at Malwarebytes Labs
  - Adult popunder campaign used in mainstream ad fraud scheme
- Mehmet Ergene
  - Detecting Azure AD Account Takeover Attacks
- Microsoft Security
  - Microsoft research uncovers new Zerobot capabilities
- Elli at Misconfig
  - Play with PowerShell & MG – MS Security Graph 101
- Nextron Systems
  - Extended ProxyNotShell Detection Covering OWASSRF
- Palo Alto Networks
- Phylum
  - Phylum Discovers New Stealer Variants in Burgeoning PyPI Supply Chain Attack
- Prodaft
  - [FIN7] Fin7 Unveiled: A deep dive into notorious cybercrime gang
- Recorded Future
  - RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, October 2022 (ENG)
- Red Canary
- SANS Internet Storm Center
  - Infostealer Malware with Double Extension, (Sun, Dec 18th)
  - Hunting for Mastodon Servers, (Mon, Dec 19th)
  - Linux File System Monitoring & Actions, (Tue, Dec 20th)
  - Exchange OWASSRF Exploited for Remote Code Execution, (Thu, Dec 22nd)
  - Can you please tell me what time it is? Adventures with public NTP servers, (Wed, Dec 21st)
  - Google ad traffic leads to stealer packages based on free software, (Thu, Dec 22nd)
  - DShield Sensor Setup in Azure, (Wed, Dec 21st)
- Kristen Cotten at Scythe
  - Threat Emulation: STEEP#MAVERICK
- Securelist
- Jonathan Reed at Security Intelligence
  - How Reveton Ransomware-as-a-Service Changed Cybersecurity
- Securonix
  - New STEPPY#KAVACH Attack Campaign Likely Targeting Indian Government: Technical Insights and Detection Using Securonix
- SOC Fortress
  - Detecting Abnormal Network Ports With Wazuh
- SOCRadar
  - Reports of ProxyNotShell Vulnerabilities Being Actively Exploited (CVE-2022-41040 and CVE-2022-41082)
  - An Analysis of Central Banks Hackings: Who is Next?
  - AWS Elastic IP Transfer Feature Could Be Exploited in Attacks
  - All You Need to Know About the Linux Kernel ksmbd Remote Code Execution (ZDI-22-1690) Vulnerability
- Matt Wixey at Sophos
  - The scammers who scam scammers on cybercrime forums: Part 3
- Kayleigh Martin at Sucuri
  - Fake jQuery Domain Redirects Site Visitors to Scam Pages
- Alexey Firsh at VirusTotal
  - VT Intelligence Cheat Sheet
UPCOMING EVENTS
- Black Hills Information Security
  - Atomic Spotlight: LSA Protection, Good ol’ Mimikatz, and Wdigest
- Cellebrite
  - How to Simplify Workplace App Collections with Endpoint Inspector
- Jan Hoff and Tim Ennis at Dragos
  - Incident Response for ICS: You Are Not Alone!
PRESENTATIONS/PODCASTS
- Anastasios Pingios
  - BSides Cyprus: Cloud… Just somebody else’s computer
- Belkasoft
  - Uncovering Cyber Threat Actors’ Persistence Mechanisms
- Black Hills Information Security
- BlueMonkey 4n6
  - Becky Passmore – Day in the Life of DFIR – 5 most important items to bring on a search #shorts
- Breaking Badness
  - 142. The Pheast of the Seven Phishes
- Cellebrite
  - How to Search for Hidden Photos with UFED Cloud in Mobile Forensics
  - How to Streamline Your Investigative Workflow With Cellebrite Guardian
  - How to Examine Sent Messages Using New Mobile Forensics Features for iOS 16 in Physical Analyzer
  - How to Automatically Open Physical Analyzer After a UFED File System Extraction
  - How to Use the Cellebrite Notebook to Learn New Topics and Simplify Digital Forensics
  - How to Find Great Mobile Forensics Resources On The Cellebrite Community Portal – Physical Analyzer
  - How to Maximize Your File System Extractions With UFED Smart Flow in Mobile Forensics
  - How to Streamline Your Digital and Physical Evidence Processes with Cellebrite Guardian
  - How to Use UFED Smart Flow For Selective Data Collection During Mobile Forensics
  - How to Use Keyword Search In Physical Analyzer & Recover Digital Artifacts – Mobile Device Forensics
  - How Guardian Can Help Streamline Your Investigations From End-To-End
  - How to Use Call Logs, Location Data and more for iOS Forensics – Physical Analyzer 7.57
  - How to Use Samsung Rubin in Cellebrite Physical Analyzer for Mobile Device Forensics
  - How to Stay Updated On Cellebrite UFED with Release Notes for Mobile Device Forensics
  - How to Use Keyword Search In Physical Analyzer To Recover More Artifacts
  - How to Load Any Full File System Extraction Into Physical Analyzer from a Different Tool
  - How To Search Messages For Emojis of Interest in a Forensic Image during a Digital Investigation
  - How to Find Full-Sized Assets on iPhones During Forensic Examinations – Scott Koenig
  - Ransomware Q and A With Ryan Chapman – Digital Forensics & Incident Response
- Digital Forensic Survival Podcast
  - DFSP # 357 – EVTX Analysis
- Doug Burks at Security Onion
  - Introduction to Analyzers in Security Onion: Enriching Observable Data in Cases During an Investigation
- Gerald Auger at Simply Cyber
  - Stop Thinking MITRE ATT&CK Is a Silver Bullet
- InfoSec_Bret
  - CyberDefenders – EscapeRoom
- Mossé Cyber Security Institute
- NVISO Belgium
  - OpenAI in Cortex XSOAR: Detecting Phishing with AI (16.12.2022)
- Politico Tech
  - The person behind the keyboard
- Richard Davis at 13Cubed
  - The Dissect Effect – An Open Source IR Framework
- RickCenOT
  - BREAKDOWN Realistic Pentest/Hacking of a Moxa industrial communication processor NPort 5110
- SANS Cyber Defense
  - Packet Tuesday – TLS Server Hello
- SANS Institute
  - What You Need to Know About OpenAI’s New ChatGPT Bot – And How it Affects Cybersecurity? SANS Panel
- Thomas Roccia at SecurityBreak
  - Code Graphology
- Sumuri
  - SUMURI Gives Back 2022 | Winning Agency
MALWARE
- 0day in {REA_TEAM}
  - [Z2A] Bimonthly malware challenge – Emotet (Back From the Dead)
- ASEC
- Assume-breach
  - Home Grown Red Team: Let’s Make Some Malware In C: Part 3
- Cluster25
  - An infostealer comes to town: Dissecting a highly evasive malware targeting Italy
- Krzysztof Gajewski at CyberDefNerd
  - Python analysis: how to deal with compiled scripts
- Cyble
- Flashpoint
  - “RisePro” Stealer and Pay-Per-Install Malware “PrivateLoader”
- Fortinet
- Hex Rays
- John Hammond
  - Filter Evasion in a REVERSE SHELL (no spaces!!)
- K7 Labs
- Keysight
  - ATI Polymorphic Android Malware
- Lordx64
  - L’art de l’évasion: How Shlayer hides its configuration inside Apple proprietary DMG files
- Rob Bone at Nettitude Labs
  - Avoiding Detection with Shellcode Mutator
- NTT Security Japan
  - Analysis case studies using Ghidra + Python3 scripting
- Karlo Zanki at ReversingLabs
  - SentinelSneak: Malicious PyPI module poses as security software development kit
- Sekoia
  - New RisePro Stealer distributed by the prominent PrivateLoader
- Antonio Cocomazzi at SentinelLabs
  - Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development
- Team Cymru
  - Inside the IcedID BackConnect Protocol
- Trend Micro
  - Raspberry Robin Malware Targets Telecom, Governments
  - A Closer Look at Windows Kernel Threats
  - A Technical Analysis of CVE-2022-22583 and CVE-2022-32800
  - Detecting Windows AMSI Bypass Techniques
  - Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks
  - IcedID Botnet Distributors Abuse Google PPC to Distribute Malware
- Wojciech Cieslak at Trustwave SpiderLabs
  - Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT
- Zhassulan Zhussupov
  - Malware development tricks: part 25. EnumerateLoadedModules. C++ example.
MISCELLANEOUS
- Jessica Hyde
  - A Case for Digital Forensics
- Martino Jerian at Amped
  - Survey Results: The State of Video Forensics 2022
- Olga Koksharova at Elcomsoft
  - Season’s Greetings and 2022 in Review
- Florian Roth
  - Guide to Use Nextron’s Sigma EVTX Checker
- Forensic Focus
  - Yulia Samoteykina, Director of Marketing, Atola Technology
- Ken Pryor
  - A Little Homelab and Life Update
- Joachim Metz at Open Source DFIR
  - DFIR for good
- Oxygen Forensics
  - Top Software Updates in 2022
- Grace Chi at Pulsedive
  - 2022 Year in Review
- SANS
  - Q&A From SANS Special Broadcast: What You Need to Know About OpenAI’s New ChatGPT Bot – and How it Affects Your Security
- Byron Price at Sophos
  - Meet Anthony Bradshaw, MDR Threat Analyst and Team Lead
- Ron Deibert at The Citizen Lab
  - CatalanGate Report: Correcting a Case
SOFTWARE UPDATES
- AccessData
  - Forensic Tools 7.6.0 Service Pack 2
- Arsenal
  - Arsenal Image Mounter Changelog – v3.9.233
- CCL Solutions
  - What do you get a digital forensics analyst for Christmas?
- Costas K
  - WinEDB_Browser
- Crowdstrike
  - Falconpy Version 1.2.8
- Didier Stevens
- Elcomsoft
  - Elcomsoft Phone Viewer 5.40 updated for iOS 16
- Eric Zimmerman
  - Kape Changelog
- JPCERT/CC
  - LogonTracer v1.6 Released
- k1nd0ne
  - VolWeb – v4.1.0-alpha
- MazX0p
  - ThreatHound
- Metaspike
  - Forensic Email Collector (FEC) Changelog – 3.85.0.8
- radare2
  - 5.8.0
- theflakes
  - 0.4.2 File Metadata
- Thiago Canozzo Lahr
  - uac-2.4.1
- Yamato Security
  - Hayabusa v2.0.0 🦅
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!