As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Andrew Rathbun at AboutDFIR
- Abdul Shareef
  - DFIR-Resources
- Adam at Hexacorn
  - Excelling at Excel, Part 1
- Austin Songer at ‘Songer Tech’
  - Evidence Gathering Recommendation: Adding TimeStamp To Screenshots
- Belkasoft
  - NIST tested Belkasoft support for SQLite data recovery
- James McGee at DFIR Review
  - Enriching Investigations with Apple Watch Data Through the healthdb_secure.sqlite Database
- Forensafe
- Forensics [Insider]
  - Implementing Best Practices in Mobile Device Seizure – Part 3 Comply with Legal Expectations
- Howard Oakley at ‘The Eclectic Light Company’
  - How do you know when macOS detects and remediates malware?
- Korstiaan Stam at ‘Invictus Incident Response’
  - Responding to an attack in AWS
- Terryn at chocolatecoat4n6
  - Investigation Framework | Part 5 – Timeline Analysis
- Uros Babic
  - How to Investigate Security Incidents in Azure — Forensic Acquisition of VMs in Azure
THREAT INTELLIGENCE/HUNTING
- Anomali
  - Anomali Cyber Watch: Machine Learning Toolkit Targeted by Dependency Confusion, Multiple Campaigns Hide in Google Ads, Lazarus Group Experiments with Bypassing Mark-of-the-Web
- Anton Chuvakin
  - Google Cybersecurity Action Team Threat Horizons Report #5 Is Out!
- Avertium
  - An In-Depth Look at Play Ransomware
- Anna McAbee at AWS Security
  - Updated whitepaper available: AWS Security Incident Response Guide
- Ionut Ilascu at BleepingComputer
  - Ransomware gang cloned victim’s website to leak stolen data
- Brad Duncan at Malware Traffic Analysis
- Bruce Sussman at Blackberry
  - The Cybercriminal Who Rose from the Dead
- CERT-AGID
  - Annual report on the trend of malicious campaigns that affected Italy in 2022
- Check Point Research
- Christian Taillon
  - Part-time Threat Hunting: Considering its Efficacy
- Madison Burns at Cisco’s Talos
  - Threat Source newsletter (Jan. 5, 2023): Digging out of our inboxes
- CTF导航
- Curated Intelligence
  - Analyzing DDoS-as-a-Service customer databases
- Cyble
- Darktrace
- Delivr
  - HTML Smuggling: Recent observations of threat actor techniques
- Ethan Smith at Spur
  - What is a residential proxy?
- Myles Satterfield, Tyler Wood, Teauna Thompson, Tyler Collins, Ian Cooper and Nathan Sorrel at Expel
  - Incident report: stolen AWS access keys
- Fortinet
  - Ransomware Roundup – Monti, BlackHunt, and Putin Ransomware
- Francis Guibernau and Ken Towne at AttackIQ
  - Emulating the Highly Sophisticated North Korean Adversary Lazarus Group
- Haircutfish
- Mag Manoj at InfoSec Write-ups
  - Analysing Command Detected in Request Body
- K7 Labs
- Keith McCammon
- Sarah Hawley, Gabby Roncone, Tyler Mclellan, Eduardo Mattos, and John Wolfram at Mandiant
  - Turla: A Galaxy of Opportunity
- Marius Sandbu
  - Auditing Windows File Servers with Azure Sentinel / Log Analytics
- Mehmet Ergene
  - Advanced KQL for Threat Hunting: Window Functions — Part 1
- MuSecTech
  - Scanning for Evil in Live Process Memory with AChoirX and YARA
- Nik Alleyne at ‘Security Nik’
  - Understanding NMAP’s scan techniques: -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
- Nsfocus
- Renaud Frere at NVISO Labs
  - DeTT&CT: Automate your detection coverage with dettectinator
- Patrick Wardle at ‘Objective-See’
  - The Mac Malware of 2022
- Dave Bogle at Red Canary
  - eBPF: A new frontier for malware
- Robin Dimyan
  - 4-Level Analysis for Threat Prioritisation — Chapter I
- SANS Internet Storm Center
- Security Joes
  - Raspberry Robin Detected ITW Targeting Insurance & Financial Institutes In Europe
- Dheeraj Kumar and Ella Dragun at Securonix
  - Securonix Threat Labs Monthly Intelligence Insights – December
- Sekoia
  - Unveiling of a large resilient infrastructure distributing information stealers
- SOC Fortress
  - Part 11. Wazuh Events and MISP Automation
- SOCRadar
  - Dark Web Profile: MuddyWater APT Group
- Eli Trevino at Sucuri
  - Finding & Removing Malware From Weebly Sites
- Symantec Enterprise
  - Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa
- System Weakness
- The Sleuth Sheet
  - Cyber Threat Intelligence Self-Study Guide
- Third Eye Intelligence
  - Australian Ransomware Threat Landscape 2022
- Greg Monson at Trustwave SpiderLabs
  - 2022 Year in Review: Ransomware
- Karthickkumar K at Uptycs
  - Infostealer Malware: Targeting Italian Region – Uptycs
- Stefano Ortolani at VMware Security
  - How to Deploy a Threat Intelligence Platform in your Data Center
- William Gamazo and Nathaniel Quist at Palo Alto Networks
  - PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources
- Mark R at you sneakymonkey!
  - Cloud Metadata – AWS IAM Credential Abuse
UPCOMING EVENTS
- Black Hills Information Security
  - Atomic Spotlight: Persistent Code Execution with Office Addins
- Jan Hoff and Tim Ennis at Dragos
  - Incident Response for ICS: You Are Not Alone!
- Magnet Forensics
- Mike Jankowski-Lorek, PhD and Piotr Pawlik at Cqure Academy
  - Attack and Defense: Azure AD and other resources under constant surveillance.
- MSAB
  - What’s New in XRY 10.4 & XAMN 7.4
- SANS
PRESENTATIONS/PODCASTS
- Anastasios Pingios
  - 2022 CTI-EU Talk: Threat Landscape and Defences Against Mobile Surveillance Implants
- Basis Technology
  - Meet the xLeapp Family with Alexis Brignoni and Mark McKinnon (OSDFCon Webinar)
  - friTap – Decrypting TLS Traffic on the Fly with Daniel Baier (OSDFCon Webinar)
  - Log Parser as a Forensic Tool with Robert Kardell (OSDFCon Webinar)
  - Two Faces to the Same Linux: GUI Environments (OSDFCon Webinar)
  - Chrome Wasn’t Built in a Day with Jessica Hyde (OSDFCon Webinar)
- Black Hills Information Security
  - Talkin’ About Infosec News – 1/3/2023
- BlueMonkey 4n6
  - Reading forensic images with Windows using 7zip with forensic7z plugin
- Breaking Badness
  - 143. The Best of 2022
- Cyber Secrets
- Digital Forensic Survival Podcast
  - DFSP # 359 – Career Checkpoint
- Gerald Auger at Simply Cyber
  - A “Night” In The Life of a SOC Analyst (Real Truths)
- Justin Tolman at AccessData
- Magnet Forensics
- OALabs
- SANS Cyber Defense
  - Packet Tuesday – IP Options
- SentinelLabs
  - LABScon Replay | InkySquid: The Missing Arsenal
- WeLiveSecurity
  - Ransomware target list – Week in security with Tony Anscombe
MALWARE
- Abdul Samad at System Weakness
  - Steganographic Malware (Hide Malware in Image)
- Adam at Hexacorn
  - Putting ELF on the shelf…
- Alexandre Borges at ‘Exploit Reversing’
  - Malware Analysis Series (MAS) – Article 7
- Andrea Fortuna
  - A brief history of malware
- Ofek Itach and Assaf Morag at Aqua
  - In-depth Analysis of the PyTorch Dependency Confusion Administered Malware
- Ilay Goldman at Aqua
  - Can You Trust Your VSCode Extensions?
- Arch Cloud Labs
  - Abstractions & The Art of Debugging
- ASEC
  - ASEC Weekly Malware Statistics (December 19th, 2022 – December 25th, 2022)
  - ASEC Weekly Phishing Email Threat Trends (December 18th, 2022 – December 24th, 2022)
  - How Infostealer Threat Actors Make a Profit
  - Shc Linux Malware Installing CoinMiner
  - Distribution of NetSupport RAT Malware Disguised as a Pokemon Game
  - ASEC Weekly Malware Statistics (December 26th, 2022 – January 1st, 2023)
- David Zimmer at Avast Threat Labs
  - Scripting Arbitrary VB6 Applications
- CTF导航
  - GandCrab V2.0 ransomware analysis
- Dr4k0nia
  - Unpacking RedLine Stealer
- Hex Rays
- Hussein Adel
- John Hammond
  - Internet Explorer Forced to Run Malware
- Microsoft Security
  - Unraveling the techniques of Mac ransomware
- Natalie Zargarov at Minerva Labs
  - New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection
- Phylum
  - A Deep Dive Into poweRAT: a Newly Discovered Stealer/RAT Combo Polluting PyPI
- Akshat Pradhan at Qualys
  - BitRAT Now Sharing Sensitive Bank Data as a Lure
- Splunk
  - CISA Top Malware Summary
- ThreatFabric
  - SpyNote: Spyware with RAT capabilities targeting Financial Institutions
- Armando Nathaniel Pedragoza at Trend Micro
  - Dridex Returns, Targets MacOS Using New Entry Method
- Vishal Thakur
  - AAA of Modern Malware Analysis: Attack, Automate and Analyse
- Zack Zorn at Checkmarx Security
  - Py Torch, a Leading Ml Framework, Was Poisoned with Malicious Dependency
- Zhassulan Zhussupov
  - Malware development tricks: part 26. Mutex. C++ example.
MISCELLANEOUS
- 0xdf hacks stuff
  - 2022 SANS Holiday Hack Challenge, featuring KringleCon V: Golden Rings
  - Holiday Hack 2022: KringleCon Orientation
  - Holiday Hack 2022: Web Ring
  - Holiday Hack 2022: Cloud Ring
  - Holiday Hack 2022: Burning Ring of Fire
  - Holiday Hack 2022: Appendix B: Hacking KringleCon
  - Holiday Hack 2022: Appendix A: Exploring KringleCon
- Adrian at ‘Agood cloud’
  - SANS SEC504
- Alex Vakulov at AT&T Cybersecurity
  - The dos and don’ts of ransomware negotiations
- James Campbell at Cado Security
  - The Future of Cloud Security: Top Four Predictions for 2023
- CCL Group
  - Case Work: Mobile forensics examination for a family law solicitor
- Albert Robinson at Cellebrite
- Doug Metz at Baker Street Forensics
  - BakerStreetForensics – 2022 Year in Review
- Oleg Afonin at Elcomsoft
  - Use The Brute Force, Luke
- Falcon Guard
  - Password auditing with mixed AMD and Nvidia GPUs
- Forensic Focus
  - 2022 in Review with Binalyze Founder, Emre Tınaztepe
- Howard Oakley at ‘The Eclectic Light Company’
  - Should you use a disk image or a volume?
- IntaForensics
  - What does the future of digital investigation look like?
- Kevin Pagano at Stark 4N6
  - Forensics StartMe Updates (1/1/2023)
- Oxygen Forensics
  - Year in Review 2022
- Dan Sherry at Pulsedive
  - What Are “Properties” in Pulsedive?
- Sandfly Security
  - SSH Major Compromise Vector for Linux
- SANS
  - SANS Institute proudly welcomes professor Ciaran Martin, founder of the UK National Cyber Security Centre, to its ranks
- Serge Woon at Security Intelligence
  - 3 Reasons to Make EDR Part of Your Incident Response Plan
- Sumuri
  - Don’t Get Locked Out of Your Business
- The Security Noob
SOFTWARE UPDATES
- Costas K
  - WinEDB_Browser
- Crowdstrike
  - Falconpy Version 1.2.9
- Erik Hjelmvik at Netresec
  - NetworkMiner 2.8 Released
- ExifTool
  - ExifTool 12.54
- IntelOwl
  - v4.1.5
- Maxim Suhanov
  - dfir_ntfs file system parser 1.1.14
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!