As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Adam Cohen Hillel at Cado Security
  - Cado + GPT-3: Interactive Incident Response
- Digital Forensics Myanmar
- Doug Metz at Baker Street Forensics
  - KAPE batch mode, ARM Memory, updates to CSIRT-Collect, and all the things I learned along the way.
- Oleg Afonin at Elcomsoft
  - Forensically Sound checkm8 Extraction: Repeatable, Verifiable and Safe
- Forensafe
- Korstiaan Stam at ‘Invictus Incident Response’
  - Incident Response in Azure
- M. Alparslan A.
  - Threat Hunting & Incident Response Series: Analysing Compromised Router by Discussing Advanced Network Attacks
- Nugroho G Novianto at MII Cyber Security
  - Investigate The Intrusion Attack using Splunk with TryHackMe: New Hire Old Artifacts
- Godwin Attigah at Open Source DFIR
  - Power Automate
- Rich Plummer
  - Mobile Device Data Storage Concepts
- Sygnia
  - Incident Response in Google Cloud: Forensic Artifacts
- Ashish Bansal at System Weakness
  - Hunt them in Windows
- The Security Noob
  - Practical Linux Forensics, A Guide for Digital Investigators by Bruce Nikkel for No Starch Press REVIEW
THREAT INTELLIGENCE/HUNTING
- Alexandra Martin at VirusTotal
  - Is malware abusing your infrastructure? Find out with VirusTotal!
- Anomali
  - Anomali Cyber Watch: KilllSomeOne Folders Invisible in Windows, Everything APIs Abuse Speeds Up Ransomware, APT38 Experiments with Delivery Vectors and Backdoors
- Antoine Cailliau
  - Tracking Organizations in Vertex Synapse
- Any.Run
  - Malware News Digest: January 2023
- Emine Akbulut at AT&T Cybersecurity
  - Stories from the SOC – RapperBot, Mirai Botnet – C2, CDIR Drop over SSH
- Avertium
  - Everything You Need to Know About the Data Extortion Group, RansomHouse
- Martin Zugec at Bitdefender
  - Bitdefender Threat Debrief | January 2023
- Brad Duncan at Malware Traffic Analysis
- CERT Ukraine
- CERT-AGID
  - Summary of malicious campaigns in the week of 21 January – 03 February 2023
- Check Point Research
- Cisco’s Talos
- Fabian Bader at Cloudbrothers
  - Prevent phishing based on domain registrations
- CTF导航
  - 2022 Annual APT Advanced Threat Report: Cyber Conflict Threats Seen Through the Russia-Ukraine Conflict
- Niels Groeneveld at Cyber Threat Intelligence Training Center
  - Leveraging STIX and TAXII for Human Trafficking Intelligence: A Technical Analysis
- CyberCX
- Cyble
- Darktrace
- Shaul Vilkomir-Preisman at Deep Instinct
  - No Macro? No Worries. VSTO Being Weaponized by Threat Actors
- EclecticIQ
  - Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware
- Kirti Sodhi at Elastic
  - Detecting Lateral Movement activity: A new Kibana integration
- Esentire
  - IcedID Malware Shifts Its Delivery Strategy
- Expel
  - 2023 Great eXpeltations report: top six findings
- Flashpoint
- GreyNoise
- Chad Hudson at Huntress
  - Ave Maria and the Chambers of Warzone RAT
- Fallen sky at InfoSec Write-ups
  - Threat Detection
- Bukar Alibe at INKY
  - Fresh Phish: Southwest’s Flying Phish Takes Off With Your Credentials
- Jeremy Wiedner at Cybersecurity Tid-Bytes
  - KC7 – Intrusion Analysis
- Keith McCammon
  - Incidents: An organizational Swiss Army knife
- Malwarebytes Labs
- Tj Alldridge and Megan Deblois at Mandiant
  - Optimize Your Workflows with the Mandiant Advantage Threat Intelligence Browser Plug-in
- Melissa at Sketchymoose’s Blog
  - They Are Always After Me Lucky JARMS….
- Ken Wolstencroft at NCC Group
  - Threat Modelling Cloud Platform Services by Example: Google Cloud Storage
- Julien Levrard at OVHcloud
  - Ransomware targeting VMware ESXi
- Phylum
  - Phylum Identifies 98 Malicious npm Packages
- Tommy Madjar, Corsin Camichel, Joe Wise, Selena Larson and Chris Talib at Proofpoint
  - OneNote Documents Increasingly Used to Deliver Malware
- Sathwik Ram Prakki at Quick Heal
  - Uncovering LockBit Black’s Attack Chain and Anti-forensic activity
- Rapid7
- Raymond Roethof
  - Microsoft Defender for Identity Hidden Feature Custom Logs Location
- Recorded Future
  - New “Crypto Drainer” Phishing Pages Siphon Cryptocurrency in Seconds
- Tess Mishoe at Red Canary
  - Detecting credential access without losing cred
- Resecurity
  - Nevada Ransomware – Waiting For The Next Dark Web Jackpot
- SANS Internet Storm Center
  - Decoding DNS over HTTP(s) Requests, (Mon, Jan 30th)
  - Packet Tuesday: Large ICMP Errors, (Tue, Jan 31st) https://www.youtube.com/watch?v=z9jk8Bbf4_o
  - DShield Honeypot Setup with pfSense, (Tue, Jan 31st)
  - Detecting (Malicious) OneNote Files, (Wed, Feb 1st)
  - Rotating Packet Captures with pfSense, (Wed, Feb 1st)
  - Check out a couple of my older posts, (Thu, Feb 2nd)
  - Assemblyline as a Malware Analysis Sandbox, (Sat, Feb 4th)
- Anna Shreder at Sayfer
  - Threat Hunting Case study – A Tale of Bots & Stolen Funds
- Security Joes
  - Operation Ice Breaker Targets The Gam(bl)ing Industry Right Before Its Biggest Gathering
- Securonix
  - Securonix Threat Labs Monthly Intelligence Insights – January 2023
- Sekoia
  - SEKOIA.IO Ransomware Threat Landscape – second-half 2022
- SOCRadar
- Jagadeesh Chandraiah at Sophos
  - Fraudulent “CryptoRom” trading apps sneak into Apple and Google app stores
- Tanium
  - CTI Roundup: Threat Actors Use Sliver C2 Framework
- Threatmon
- Todyl
  - Investigating Malicious Use of OneNote to Deploy Qbot
- Trend Micro
  - 6 Ransomware Trends & Evolutions For 2023
  - New APT34 Malware Targets The Middle East
  - Monthly Threat Webinar Series in 2023: What to Expect
  - Attack Vector vs Attack Surface: The Subtle Difference
  - TgToxic Malware’s Automated Framework Targets Southeast Asia Android Users
  - What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits
- Justin C. Klein Keane at Unveiled Security
  - Rethinking Cyber Threat Intelligence
- Vani Asawa at Microsoft
  - [What’s New] Extract Actionable Intelligence from Text-based Threat Intel using Sentinel Notebook
- Jean-Ian Boutin at WeLiveSecurity
  - ESET APT Activity Report T3 2022
- WMC Global
  - 2022 Year In Review
UPCOMING EVENTS
- Peter Sosic at Amped
  - The Amped Software Training 2023 Has Landed!
- Black Hills Information Security
  - Networking for Pentesters: Beginner | Serena DiPenti | 1-Hour
- Censys
  - Profiles in Threat Hunting: Finding Threats by Observing Behaviors
- Cyber Secrets
  - Troubleshooting Autopsy – update or rebuild in CSI Linux
- Cyborg Security
  - Overwatch – threat hunting management workshop
- Gerald Auger at Simply Cyber
  - Adversary Emulation All The Things! 🔥 Fireside Chat With Bryson Bort
- Magnet Forensics
  - Cyber Regulations and the Effects on Financial Services
- SANS Institute
  - Leading Cyber in a Neurodivergent Workforce
- Andrew Case at Volatility Labs
  - The Return of In-Person Volatility Malware and Memory Forensics Training!
PRESENTATIONS/PODCASTS
- Ali Hadi
- ArcPoint Forensics
  - My Friend’s Dog Does Forensics
- Black Hills Information Security
- Breaking Badness
  - 146. I Am Extortionary (If You Ever Get To Know Me)
- Chris Sienko at the Cyber Work podcast
  - How to set up a digital forensics lab | Cyber Work Hacks
- Cybereason
  - You Should Be Afraid of SIM Swaps
- Digital Forensic Survival Podcast
  - DFSP # 363 – RDP Forensics
- Down the Security Rabbithole Podcast
  - DtSR Episode 536 – Incident Response Automation Dreaming
- I Am Ironcat
  - Irconcat Malware – String Based Detection Evasion
- InfoSec_Bret
  - CyberDefenders – TeamSpy – Part Three
- James Spiteri at ‘Oh My Malware!’
  - Oh My Malware – Episode 3 – Emotet
- Kela
  - Future of Cyber Crime – KELA – Harlan Carvey
- Magnet Forensics
- NTCore
  - Blitz 45 Seconds OneNote Malware Analysis
- RickCenOT
  - BREAKDOWN Realistic Pentest of a Schneider Electric Industrial Control System M221 PLC
- SANS
  - A Visual Summary of SANS CTI Summit 2023
- SANS Cyber Defense
  - Packet Tuesday – Large ICMP Errors
- SANS Institute
  - 2022 CDI Keynote: An Industry on Fire! A Cybersecurity Fireside Chat with Brandon Wales and Rob Lee
  - The SANS Healthcare Forum 2022: Ransomware
  - SANS Healthcare Forum 2022: Panel Discussion
  - The SANS Healthcare Forum 2022: Security Strategy
  - SANS Healthcare Forum 2022: Healthcare IoT and OT Vulnerabilities
  - SANS 2022 Healthcare Forum: Healthcare Policies and Governance
  - SANS Healthcare Forum 2022: Security as a Business Enabler
  - 2022 SANS Healthcare Forum: Threat Landscape and Digital Transformation
MALWARE
- Akshata Rao, Esmid Idrizovic, Sujit Rokka Chhetri, Bob Jung and Mark Lim at Palo Alto Networks
  - Machine Learning Versus Memory Resident Evil
- Asaf Eitani and Nitzan Yaakov at Aqua
  - HeadCrab: A Novel State-of-the-Art Redis Malware in a Global Campaign
- ASEC
  - Analysis Report on Malware Distributed via Microsoft OneNote
  - ASEC Weekly Malware Statistics (January 16th, 2023 – January 22nd, 2023)
  - ASEC Weekly Phishing Email Threat Trends (January 15th, 2023 – January 21st, 2023)
  - A Phishing Page that Changes According to the User’s Email Address (Using Favicon)
  - Attack Cases of CoinMiners Mining Ethereum Classic Coins
  - Phishing Emails in Circulation, This Time Disguised as Requests for Product Quotation
  - TZW Ransomware Being Distributed in Korea
  - ASEC Weekly Malware Statistics (January 23rd, 2023 – January 29th, 2023)
  - Malicious LNK File Disguised as a Normal HWP Document
- Erik Pistelli at Cerbero
  - OneNote Format Support
- Cleafy
  - PixPirate: a new Brazilian Banking Trojan
- CTF导航
  - Sample Analysis of APT Patchwork (摩诃草)
- Fortinet
- Hardik Manocha at FourCore
  - A Malicious Note: Hackers using Microsoft OneNote Attachments to spread malware
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #126: Non-returning functions
- Jonathan Sar Shalom at JFrog
  - Detecting Known and Unknown Malicious Packages and How They Obfuscate Their Malicious Code
- K7 Labs
- Malware Hell
  - Ghidra Python Scripting Cheatsheet
- Marco Ramilli
  - OneNote Malware: Classification and Personal Notes
- Michael Haag
  - RATMatrix
- Quadrant
  - Technical Analysis: Black Basta Malware Overview
- Securelist
  - Prilex modification now targeting contactless credit card transactions
- Aleksandar Milenkoski and Tom Hegel at SentinelLabs
  - MalVirt | .NET Virtualization Thrives in Malvertising Attacks
- Squiblydoo
  - debloat
- Ben Martin at Sucuri
  - Konami Code Backdoor Concealed in Image
- TrustedSec
- Zhassulan Zhussupov
  - Malware analysis: part 7. Yara rule example for CRC32. CRC32 in REvil ransomware
MISCELLANEOUS
- Bill Stearns at Active Countermeasures
  - Is It OK to Capture Packets in a Virtual Machine?
- Antonio Formato
  - ChatGPT and Microsoft Sentinel — simplify the incident handling process
- Belkasoft
  - Automation with Belkasoft: Export for Amped FIVE
- Forensic Focus
  - Detego Global Teams Up with FCI to Deliver Free Access to Cutting-Edge Digital Forensics Tools
- Howard Oakley at ‘The Eclectic Light Company’
  - Log literacy: Reducing log entries shown
- Keith McCammon
- Mary Ellen Kennel at ‘What’s A Mennonite Doing In Manhattan?!’
  - Honoring Mentoring Month
- Nathan McNulty
  - Azure Automation – Advanced Auditing
- Darren Mar-Elia at SDM Software
  - SwiftSlicer Malware and Group Policy
- Jennifer Gregory at Security Intelligence
  - How Do Threat Hunters Keep Organizations Safe?
- SOC Fortress
  - Your Open-Source Incident Response Platform
- William Colley at ADF
  - 5 Tips For Collecting Digital Evidence Properly
- John Patzakis at X1
  - A.I. Bot ChatGPT Explains How Corporate Legal Can Streamline eDiscovery Processes
SOFTWARE UPDATES
- John Lukach at 4n6ir
  - Amazon Linux Triage Update
- ANSSI
  - DFIR-ORC v10.1.5
- Federico Lagrasta
  - PersistenceSniper v1.9.1
- Trevor Borden at InQuest
  - ThreatIngestor Release v1.0.2
- Manabu Niseki
  - Mihari v4.12.0
- MobilEdit
  - MOBILedit’s Innovations and Focus on Smartwatch Forensics
- Thiago Canozzo Lahr
  - uac-2.5.0-rc1
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!