Welcome to 2023! I wrote a 2022 Wrap Up!

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Oleg Afonin at Elcomsoft
  checkm8 for iOS 16.2 and Windows-based iOS Low-Level Extraction
  
  
• Joe T. Sylve, Ph.D.
  • 2022 APFS Advent Challenge Day 18 – Decryption
  • 2022 APFS Advent Challenge Day 20 – Snapshot Metadata
  • 2022 APFS Advent Challenge Day 21 – Fusion Containers
  • 2022 APFS Advent Challenge Day 22 – Retrospective
    
    
• Joshua Hickman at ‘The Binary Hick’
  Relays in the Apple Ecosystem.  Passing the Baton
  
  
• MII Cyber Security
  • Write-up Investigating Serverless and Container Attacks Cado CTF on AWS
  • Database Forensic : Investigating Which Tables Were Dumped From Sqlmap Tools
    
    
• Thomas Roccia at SecurityBreak
  Investigation of a targeted attack in the CryptoCurrency field
  
  
• Tawan S. at Skynet_Cyber
  Analyzing Network Logs
  
  
• The Security Noob.
  [DFIR TOOLS] EvtxECmd, what is it & how to use!
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  • Beyond good ol’ Run key, Part 140
  • A bunch of OLD-School RCE tricks…
    
    
• Adepts of 0xCC
  Spice up your persistence: loading PHP extensions from memory
  
  
• Anomali
  Anomali Cyber Watch: Zerobot Added New Exploits and DDoS Methods, Gamaredon Group Bypasses DNS, ProxyNotShell Exploited Prior to DLL Side-Loading Attacks, and More
  
  
• Martin Zugec at Bitdefender
  Bitdefender Threat Debrief | December 2022 
  
  
• Bill Toulas at BleepingComputer
  New info-stealer malware infects software pirates via fake cracks sites
  
  
• Brad Duncan at Malware Traffic Analysis
  2022-12-28 – Link from USPS-themed malspam pushes NetSupport RAT
  
  
• BushidoToken
  RedZei – Chinese-speaking scammers targeting Chinese students in the UK
  
  
• Cado Security
  Automated Analysis of Critical Cloud Infrastructure with Cado and AWS Lambda
  
  
• Check Point Research
  26th December – Threat Intelligence Report
  
  
• CTF导航
  • BlackByte勒索软件开始使用新的数据泄露工具ExByte
  • Operation Dragon Dance：悬在博彩行业上的达摩克里斯之剑
  • APT-C-56（透明部落）利用外贸链接伪装文档攻击分析
  • TeamTNT挖矿木马应急溯源分析
    
    
• Cyble
  • New wave of Finacial Fraud: Scammers Monitoring Social Media Complaints
  • Pure coder offers multiple malware for sale in Darkweb forums
    
    
• Dr. Web
  Linux backdoor malware infects WordPress-based websites
  
  
• EclecticIQ
  Comparing Sysmon and EclecticIQ Endpoint Response – Event Filters
  
  
• Guardio
  “MasquerAds” — Google’s Ad-Words Massively Abused by Threat Actors, Targeting Organizations, GPUs…
  
  
• Haircutfish
  • TryHackMe Snort Challenge — The Basics — Task 4 Writing IDS Rules (PNG) & Task 5 Writing IDS Rules…
  • TryHackMe Snort Challenge — The Basics — Task 6 Troubleshooting Rule Syntax Errors
  • TryHackMe Snort Challenge — The Basics — Task 7 Using External Rules (MS17–010)
  • TryHackMe Snort Challenge — The Basics — Task 8 Using External Rules (Log4j) & Task 9 Conclusion
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  • Checking macOS malware scans: Endpoint Security or the log?
  • What happens when XProtect Remediator discovers real malware?
    
    
• Huntress
  OWASSRF Explained: Analyzing the Microsoft Exchange RCE Vulnerability
  
  
• Marco Ramilli
  Most Exploited Vulnerabilities in 2022
  
  
• Michael Koczwara
  Adversaries Infrastructure-Ransomware Groups, APTs, and Red Teams
  
  
• Oliver Lyak
  Pass-the-Challenge: Defeating Windows Defender Credential Guard
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, November 2022 (KOR)
  
  
• SANS Internet Storm Center
  • Playing with Powershell and JSON (and Amazon and Firewalls), (Wed, Dec 28th)
  • Opening the Door for a Knock: Creating a Custom DShield Listener, (Thu, Dec 29th)
  • SPF and DMARC use on GOV domains in different ccTLDs, (Fri, Dec 30th)
  • YARA v4.3.0-rc1 –print-xor-key, (Sat, Dec 31st)
    
    
• Ross Moore at Secjuice
  Getting started with the MITRE ATT&CK Framework
  
  
• Jennifer Gregory at Security Intelligence
  The Most Prolific Ransomware Gangs of 2022
  
  
• Matt Wixey at Sophos
  The scammers who scam scammers on cybercrime forums: Part 4
  
  
• Telsy
  Microsoft Exchange Servers Exploited With Owassrf
  
  
• Andre Rall at Uptycs
  • Detecting Anomalous AWS Sessions From Temporary Credentials – 1 of 2
  • Detecting Anomalous AWS Sessions From Temporary Credentials – 2 of 2
    

UPCOMING EVENTS

• Black Hills Information Security
  Atomic Spotlight: Malware Blocking Execution with “DisallowRun” Registry Key
  
  
• Cellebrite
  How to Simplify Workplace App Collections with Endpoint Inspector
  

PRESENTATIONS/PODCASTS

• Chris Stanko at Data Rescue Labs Inc.
  Everything Digital Forensics – From Certifications to Lab Setup
  
  
• Digital Forensic Survival Podcast
  DFSP # 358 – Listening Ports
  
  
• InfoSec_Bret
  CyberDefenders –  DeepDive
  
  
• John Hammond
  How to Proxy Command Execution: “Living Off The Land” Hacks
  
  
• LockBoxx
  Hacker Valley Blue Interview
  
  
• OALabs
  • Advantages Of Intermediate Language (IL) Over Pseudo C Code [ Reverse Engineering AMA ]
  • How Accessible Is The Reverse Engineering Industry [ Reverse Engineering AMA ]
  • How To Get Started Reverse Engineering [ Reverse Engineering AMA ]
  • Do CTFs Help Build Malware Analysis Skills [ Reverse Engineering AMA ]
  • Does Big Cyber Pay Better Than Startups [ Reverse Engineering AMA ]
  • How to Switch Careers Into Reverse Engineering [ Reverse Engineering AMA ]
  • Tips for Analysis of Large Complex Binaries [ Reverse Engineering AMA ]
  • What Is The Most Interesting Malware From 2022 [ Reverse Engineering AMA ]
  • Most Embarrassing Malware You Have Analyzed [ Reverse Engineering AMA ]
  • How To Identify Unknown Crypto Functions [ Reverse Engineering AMA ]
  • One Trick To Level Up Your Reverse Engineering [ Reverse Engineering AMA ]
  • Tips For Writing a .NET Static Config Extractor for Malware [ Reverse Engineering AMA ]
  • What is The Future of Reverse Engineering [ Reverse Engineering AMA ]
    
    
• RickCenOT
  Pentest/Hacking of gas station controller: Veeder-Root TLS 350 ATG (automated tank gauge)
  
  
• SentinelLabs
  LABScon Replay | Breaking Firmware Trust From The Other Side: Exploiting Early Boot Phases (Pre-Efi)
  

MALWARE

• 0day in {REA_TEAM}
  Diving into a PlugX sample of Mustang Panda group
  
  
• ASEC
  • ASEC Weekly Phishing Email Threat Trends (December 11th, 2022 – December 17th, 2022)
  • ASEC Weekly Malware Statistics (December 12th, 2022 – December 18th, 2022)
  • Caution! Malware Signed With Microsoft Certificate
  • Types of Recent .NET Packers and Their Distribution Trends in Korea
    
    
• CTF导航
  一道简单Chacha20_RC4算法CTF题目
  
  
• Didier Stevens
  • Combining dns-pydivert And dnsresolver
  • Combining zipdump, file-magic And myjson-filter
    
    
• Hex Rays
  • Styling IDA listings background with CSS
  • Igor’s Tip of the Week #121: Limiting search to an address range
    
    
• Mike at “CyberSec & Ramen”
  A Quick Look at ELF Bifrose (Part 1)
  
  
• Mohitrajai
  Malware Analysis Report: Phobos Ransomware
  
  
• Esmid Idrizovic, Bob Jung, Daniel Raygoza and Sean Hughes at Palo Alto Networks
  Navigating the Vast Ocean of Sandbox Evasions
  
  
• petikvx
  How to install FLARE-VM
  
  
• Phylum
  Phylum detects a series of suspicious publications on NPM…again
  
  
• V3ded
  Red Team Tactics: Writing Windows Kernel Drivers for Advanced Persistence (Part 1)
  
  
• Seongsu Park at Securelist
  BlueNoroff introduces new methods bypassing MoTW
  
  
• Thomas Roccia at SecurityBreak
  • Dhash Icon
  • My Jupyter Collection
    
    
• Yiftah Perl at System Weakness
  WinAPI, and “Cheap” Malware Analysis Using AI — Part 2
  
  
• Taha Karim at ‘Objective-See’
  L’art de l’évasion
  

MISCELLANEOUS

• Andrea Fortuna
  Open source tools for SOC: my own list
  
  
• Belkasoft
  Belkasoft’s Year in Review—2022
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 12/31/22
  
  
• Chris Long
  Sunsetting DetectionLab
  
  
• Cloudbrothers
  Integrate MDI health alerts in Microsoft Sentinel
  
  
• Derek Eiri
  Reflecting on 2022
  
  
• Digital Corpora
  Android 13 Image
  
  
• Forensic Focus
  Top Software Updates from Oxygen Forensics in 2022
  
  
• Karthikeyan Nagaraj at InfoSec Write-ups
  • Safe Opener — Reverse Engineering | PicoCTF 2022 Writeup
  • Wireshark twoo — Forensics| PicoCTF Write-up | 100 Points
    
    
• LockBoxx
  • Adverserial Tradecraft Audiobook!
  • CPTC 2022 Regionals Review
    
    
• Marius Sandbu
  New book – Windows Ransomware Protection and Detection
  
  
• ADF
  • How to Preserve Digital Evidence: The Importance of Data Collection
  • Cloud Forensics: Identifying the Major Issues and Challenges
  • The State of Digital Forensics
    
    
• Mark Stone at Security Intelligence
  Outrageous Stories From Three Cyber Incident Responders
  
  
• Thomas Roccia at SecurityBreak
  Highlights from 2022
  
  
• SentinelOne
  Why Governments and Agencies Are Targeted by Cyber Attacks | A Deep Dive into the Motives
  
  
• Yulia Samoteykina at Atola
  2022 Year in Review
  

SOFTWARE UPDATES

• Berla
  iVe Software v4.2 Release
  
  
• Breakpoint Forensics
  Graykey Password Parser Changelog
  
  
• Costas K
  WinEDB_Browser
  
  
• Didier Stevens
  • New Tool: dns-pydivert.py
  • Update: zipdump.py Version 0.0.24
    
    
• Elcomsoft
  Elcomsoft iOS Forensic Toolkit 8.10 adds checkm8 extraction for iOS 16.2, fixes extraction agent signing
  
  
• Griffeye
  Release of Analyze 22.3
  
  
• IntelOwl
  v4.1.4
  
  
• k1nd0ne
  VolWeb v1.0.0-beta
  
  
• MISP
  MISP 2.4.167 released with many improvements, bugs fixed and security fixes.
  
  
• Open Source DFIR
  Plaso 20221227 released
  
  
• OpenCTI
  5.5.1
  
  
• Martin Korman
  Regipy 3.1.2
  
  
• DFIR-HBG
  Snapchat_Auto v1.0.4 – Improvements to local memories
  
  
• YARA
  YARA v4.3.0-rc1
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!