As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- AbdulRhman Alfaifi at U0041
  - Exploring Windows Artifacts : $Security Artifact
- Catie Walsh
  - SysInternals Case Write Up
- Dany at Digitella
  - Using Powershell To Enumerate Information on Windows Defender and Firewalls
- Digital Forensics Myanmar
  - BitLocker Decryption Methods
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  - The Importance of Data that Doesn’t Exist – Part One (Timelines)
- Oleg Afonin at Elcomsoft
  - iOS 15.5 Low-Level Keychain Extraction
- Forensafe
  - Investigating Windows MalwareBytes
- InfoSec Write-ups
- Matt Suiche at Magnet Forensics
  - Full Memory Crash Dumps vs. Raw Dumps: Which Is Best for Memory Analysis for Incident Response?
- William Suryajaya at MII Cyber Security
  - Cloud Forensic — Cado Cloud and Container Compromised Simulator
- Oxygen Forensics
  - Berla iVe backups: Collecting data from Car Devices
- The DFIR Report
  - Unwrapping Ursnifs Gifts
THREAT INTELLIGENCE/HUNTING
- 0xRob
  - Threat Hunting with Jupyter Notebooks To Detect Advanced Threats: Part 1 – Setting up Msticpy with MDE
- Adam at Hexacorn
  - Excelling at Excel, Part 2
- Anomali
  - Anomali Cyber Watch: Turla Re-Registered Andromeda Domains, SpyNote Is More Popular after the Source Code Publication, Typosquatted Site Used to Leak Company’s Data
- Any.Run
  - Annual Report 2022
- Arch Cloud Labs
  - Analyzing CVE-2022-46630 (DLL Hijacking in Squirrel.Windows)
- Avertium
  - MITM Attacks – EvilProxy and Evilginx
- Justin Kikani at Blumira
  - How To Navigate Microsoft 365 Audit Logs
- Brad Duncan at Malware Traffic Analysis
  - 2023-01-05 – IcedID (Bokbot) infection with Cobalt Strike
- CERT-AGID
  - Summary of the malicious campaigns in the week of 06 – 13 January 2023
- Check Point Research
- Cisco’s Talos
- CTF导航
- Cybereason
- CyberProof
  - How ransomware actors use EDR bypassing to run cybercrime campaigns
- Cyble
- EclecticIQ
  - QakBot Malware Used Unpatched Vulnerability to Bypass Windows OS Security Feature
- Esentire
  - Gootloader Malware Leads to Cobalt Strike and Hand-on-Keyboard Activity
- Andrey Polovinkin at Group-IB
  - Dark Pink
- Haircutfish
  - TryHackMe Zeek — Task 1 Introduction, Task 2 Network Security Monitoring and Zeek, & Task 3 Zeek…
  - TryHackMe Zeek — Task 4 CLI Kung-Fu Recall: Processing Zeek Logs, Task 5 Zeek Signatures, & Task 6…
  - TryHackMe Zeek — Task 7 Zeek Scripts | Scripts and Signatures, Task 8 Zeek Scripts | Frameworks…
  - TryHackMe Zeek Exercises — Task 1 Introduction & Task 2 Anomalous DNS
- James Horseman at Horizon3
  - ManageEngine CVE-2022-47966 IOCs
- Stuart Ashenbrenner at Huntress
  - Insistence on Persistence
- Keith McCammon
  - Simple, measurable ATT&CK testing with Atomic Red Team
- Koen Van Impe
  - Include threat information from MISP in Zeek network visibility
- Lina Lau at Inversecos
  - Detecting Fake Events in Azure Sign-in Logs
- Elli at Misconfig
  - Recon Azure AD
- Doron Karmi, Deror Czudnowski, Ariel Szarf, and Or Aspir at Mitiga
  - CircleCI Cybersecurity Incident Hunting Guide
- Natanja Friedrich at Truesec
  - Ransomware Attacks and the Skills Needed for an Efficient and Successful Cyber Incident Response Team
- Nextron Systems
  - Antivirus Event Analysis Cheat Sheet v1.11.0
- Alexander Poth at NVISO Labs
  - Malware-based attacks on ATMs – A summary
- Eoin Miller at Rapid7
  - Increasing The Sting of HIVE Ransomware
- Jos Celphas at Velocidex
  - Tracking an adversary in real-time using Velociraptor
- Recorded Future
  - Anatomy of a Threat Hunt with Splunk Enterprise Security and Splunk SOAR
- Red Canary
- Resecurity
  - Dark Web Markets Compete For The Drug Trafficking And Illegal Pharmacy Monopoly
- Rob Zuber at CircleCI
  - CircleCI incident report for January 4, 2023 security incident
- S-RM Insights
  - Cyber Intelligence Briefing: 13 January 2023
- SANS Internet Storm Center
  - YARA v4.3.0-rc1 --skip-larger, (Sat, Jan 7th)
  - DShield Sensor JSON Log Analysis, (Sun, Jan 8th)
  - New year, old tricks: Hunting for CircleCI configuration files, (Mon, Jan 9th)
  - Passive detection of internet-connected systems affected by vulnerabilities from the CISA KEV catalog, (Wed, Jan 11th)
  - Prowler v3: AWS & Azure security assessments, (Thu, Jan 12th)
- Security Intelligence
- Dheeraj Kumar and Ella Dragun at Securonix
  - Securonix Threat Labs 2022 Intelligence Insights
- Sekoia
  - Raspberry Robin’s botnet second life
- SentinelLabs
- SOC Fortress
  - Detect Malicious File Uploads With Wazuh and Yara
- SOCRadar
- Splunk
  - Introducing Attack Range v3.0
- Joe at Stranded on Pylos
  - Embedded System Ransomware and the Meaning of Criminal Operations
- The Sleuth Sheet – Medium
  - How To Safely Access The Darknet For Threat Research
- ThreatMon
  - ThreatMon Ransomware Group Activity Report | 01.01.2023-13.01.2023
- Hitomi Kimura, Ryan Maglaque, Fe Cureg, and Trent Bessell at Trend Micro
  - Gootkit Loader Actively Targets Australian Healthcare Industry
- Megan Nilsen at TrustedSec
  - A LAPS(e) in Judgement
- Unveiled Security
  - Defining Cyber Threat Intelligence
- Oleg Boyarchuk at VMware Security
  - Detection of Lateral Movement with the Sliver C2 Framework
- Lukas Stefanko at WeLiveSecurity
  - StrongPity espionage campaign targeting Android users
UPCOMING EVENTS
- Black Hills Information Security
  - Atomic Spotlight: “Office Test” Registry Key for Persistence
- Cellebrite
  - Episode 20: Nothing to see here – I BEG TO DFIR – Samsung Rubin
  - How to Simplify Workplace App Collections with Endpoint Inspector
- Exterro
  - Effectively Conducting Forensic Investigations in a Zero Trust Environment
- Jan Hoff and Tim Ennis at Dragos
  - Incident Response for ICS: You Are Not Alone!
- Magnet Forensics
PRESENTATIONS/PODCASTS
- Alzette InfoSec
  - SANS Holiday Hack Challenge 2022 Write-up/Walkthrough
- Black Hills Information Security
- Breaking Badness
  - 144. LastPass on The Left
- Cloud Security Podcast by Google
  - EP103 Security Incident Response and Public Cloud – Exploring with Mandiant
- Cyber Secrets
- Digital Forensic Survival Podcast
  - DFSP # 360 – Permitted Events
- Eric Conrad
  - Blind Data Exfiltration Using DNS and Burp Collaborator
- Erik Hjelmvik at Netresec
  - IEC-104 File Transfer Extraction
- Forensic Focus
  - Magnet Forensics’ Matt Suiche on the Rise of e-Crime and Info Stealers
- InfoSec_Bret
- Justin Tolman at AccessData
  - Windows Timestamp – Forensic Practical Example
- Magnet Forensics
- Mossé Cyber Security Institute
  - Identifying Tampered Images
- Nick Berrie
- RickCenOT
  - Realistic Pentest/Hacking of a Siemens Simatic S7-1200 PLC (Real + open Source Tools)
- SANS
- SANS Cyber Defense
- Sarah Hayes at Hexordia
  - Tool Walkthroughs Posted
- SOC Fortress
  - World’s Best FREE SIEM Stack Series Compilation
- The Defender’s Advantage Podcast
  - Skills Gap: Addressing the Cyber Mobilization Crisis
- WeLiveSecurity
  - APT group trojanizes Telegram app – Week in security with Tony Anscombe
MALWARE
- 0day in {REA_TEAM}
  - [QuickNote] Another nice PlugX sample
- Alex Turing and Hui Wang at 360 Netlab
  - Warning: the modified CIA attack suite Hive has entered the black and grey underground markets
- Adam at Hexacorn
  - Decrypting SHell Compiled (SHC) ELF files
- ASEC
- Atomic Matryoshka
  - Metamorfo MSI Analysis and IOC Extraction
- Avast Threat Labs
  - NeedleDropper
- Simon Kenin at Deep Instinct
  - Malicious JARs and Polyglot files: “Who do you think you JAR?”
- Fortinet
  - Supply Chain Attack Using Identical PyPI Packages, “colorslib”, “httpslib”, and “libhttps”
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #123: Opcode bytes
- Jouni Mikkola at “Threat hunting with hints of incident response”
  - AsyncRAT
- Shusei Tomonaga at JPCERT/CC
  - Automating Malware Analysis Operations (MAOps)
- Jérôme Segura at Malwarebytes Labs
  - Crypto-inspired Magecart skimmer surfaces via digital crime haven
- Michael Koczwara
  - Sliver C2 Implant Analysis
- Pete Cowman at Hatching
  - Triage Thursday Ep. 92
- petikvx
  - Unpacking e9ffda70e3ab71ee9d165abec8f2c7c52a139b71666f209d2eaf0c704569d3b1
- Ismail Tasdelen at System Weakness
  - What is malware analysis? How is it done?
- Tony Lambert
  - .NET Downloader Leading to OriginLogger
- Rene Holt at WeLiveSecurity
  - Introducing IPyIDA: A Python plugin for your reverse‑engineering toolkit
- Xorhex
  - Z3 Solver Simplifying String Decryption
- Padvish Malware Threat Database
MISCELLANEOUS
- Jessica Hyde from Hexordia
  - Mentorship Day at Magnet Virtual Summit 2023
- Marija Mladenovska at AT&T Cybersecurity
  - Understanding Malware-as-a-Service (MaaS): The future Of cyber attack accessibility
- Belkasoft
- Manny Kressel at Bitmindz
  - Workflow with a Processing Engine instead of a Forensic Workstation
- John Hubbard at Blueprint Cyber
  - My Breakup Letter to LastPass – It’s All About Trust
- Jordan Bowen at Cado Security
  - Catch up, Keep up: Overcoming Key Cloud Security Challenges
- Cellebrite
  - Cellebrite to Release Fourth Quarter and Fiscal Year 2022 Financial Results on February 15, 2023
- Craig Ball at ‘Ball in your Court’
  - The Annotated ESI Protocol
- John G. Asmussen at Everything DFIR…
  - DFIR Briefly Explained…
- Forensic Focus
- Grayshift
  - Grayshift Translations
- Howard Oakley at ‘The Eclectic Light Company’
- Intel471
  - A Look at eSIMs and Number Hijacking
- Jason Dickson at CCL Solutions
  - Mastering the Masters course
- Kelvin Tegelaar at CyberDrain
  - The return of CyberDrain CTF
- Morten Knudsen
  - Sentinel Alert Rules Management with Add / Update / Remove & Alert Rule Action automation
- Project Cyber
  - Notice: SANS Holiday Hack Challenge & KringleCon Are Still On!
- Toby Marriott at ADF
  - The Current State of Affairs of the UK’s Forensic Backlog
- We are OSINTCurio.us
  - Changes at OSINT Curious
SOFTWARE UPDATES
- Jessica Hyde at Hexordia
  - Introducing The Hexordia Sysdiagnose Log Monitoring Tool
- Alexis Brignoni
- Costas K
- Elcomsoft
  - Elcomsoft iOS Forensic Toolkit 8.11 decrypts iOS 15.5 keychain
- Magnet Forensics
  - MAGNET DumpIt for Windows & MAGNET DumpIt for Linux: Now Available
- Metaspike
- OpenCTI
  - Version 5.5.2
- Daniel Mayer at Stairwell
  - Stairwell releases open-source Cobalt Strike stager decoder
- WithSecure Labs
  - Chainsaw v2.3.1
- Xways
- Yamato Security
  - Hayabusa v2.1.0 🦅
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!