Rushed last week and didn’t include Lee Whitfield’s post notifying the community that nominations for the 2023 Forensic 4Cast Awards are now open.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Emi Polito at Amped
  - Learn How to Remove Sensitive Audio in Amped Replay: Ready, Steady, Redact!
- Amr Ashraf
  - RansomeWare Investigation
- Oleg Afonin at Elcomsoft
- Forensafe
- Kathryn Hedley at Khyrenz
  - USB or not USB… Connection Times
- Kinga Kięczkowska at InfoSec Write-ups
  - USB Forensics 101
- Korstiaan Stam at ‘Invictus Incident Response’
  - Email Forwarding Rules in Microsoft 365
- Magnet Forensics
  - Bringing it Back With Biome Data
- N00b_H@ck3r
  - CyberDefenders: BlackEnergy
- Melusi shoko at System Weakness
  - Email Analysis using open-source tools: Letsdefend challenge.
- Vikas Singh
  - Remote Access Software – Forensics
- Michael Hale Ligh at Volatility Labs
  - The 2022 Volatility Plugin Contest results are in!
- Andy Gill at ZephrSec
  - Ticket Fraud Scammers – An Investigation
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
  - Beyond good ol’ Run key, Part 141
- Alex Teixeira
  - The dotted lines between Threat Hunting and Detection Engineering
- Alexandra Martin at VirusTotal
  - Upgrading from API v2 to v3: What You Need to Know
- Ali AK at System Weakness
  - Persistence || Backdoor Techniques (Beginner to Advanced) in Linux
- Andrea Fortuna
- Anomali
  - Anomali Cyber Watch: Earth Kitsune Uses Chrome Native Messaging for Persistence, WIP26 Targets Middle East Telco from Abused Clouds, Azerbaijan-Sponsored Group Geofenced Its Payloads to Armenian IPs
- Edwardo Rodriguez at AT&T Cybersecurity
  - Stories from the SOC – The case for human response actions
- Jeremy Fuchs at Avanan
  - Business Email Compromise Scam Leads to Credential Harvesting Evernote Page
- Avertium
  - A Closer Look at QakBot
- Martin Zugec at Bitdefender
  - Technical Advisory: Multiple ManageEngine Products Targeted by Various Threat Actors
- Brad Duncan at Malware Traffic Analysis
  - 2023-02-23 – Files for ISC Diary: URL files and WebDAV used for IcedID (Bokbot)
- CERT EU
  - Russia’s War On Ukraine: One Year Of Cyber Operations
- CERT Ukraine
- Check Point Research
- CISA
  - Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors
  - Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization
  - #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
  - ESXiArgs Ransomware Virtual Machine Recovery Guidance
  - Protecting Against Malicious Use of Remote Monitoring and Management Software
  - #StopRansomware: Cuba Ransomware
  - Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
  - Control System Defense: Know the Opponent
  - #StopRansomware: Hive Ransomware
  - #StopRansomware: Daixin Team
- Cisco’s Talos
- CTF导航
- Cyberknow
  - Update 22. 2023 Russia-Ukraine War — Cybertracker. February 20.
- Cyble
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - New Honeypots
- Brian Concannon at Echotrail
  - 3 Ways To Utilize Process Behavior Data
- EclecticIQ
  - A Year of the Russia-Ukraine War: Seven Types of Cyberattacks Used Against Ukraine
- Emily Austin at Censys
  - ESXiArgs: History, Variants, and SLP!
- Fortinet
- Fox-IT
  - From Backup to Backdoor: Exploitation of CVE-2022-36537 in R1Soft Server Backup Manager
- GreyNoise
  - GreyNoise Analysis Of A Quartet of Exchange Remote Code Execution Vulnerabilities: CVE-2023-21529; CVE-2023-21706; CVE-2023-21707; CVE-2023-21710
- Horizon3
- Stuart Ashenbrenner at Huntress
  - Built-in macOS Security Tools
- Intel471
  - How Offensive Action is Countering Ransomware
- Kostas Sale
  - Threat Hunting Series: Detection Engineering VS Threat Hunting
- Lior Sonntag at Wiz
  - Lateral movement risks in the cloud and how to prevent them – Part 3: from compromised cloud resource to Kubernetes cluster takeover
- Malware Hell
  - Hunting Opaque Predicates with YARA
- Menlo Security
- MITRE ATT&CK
  - 2023 ATT&CK Roadmap
- Nsfocus
  - Analysis of recent phishing attack activity by the APT group SideCopy against the Indian government
- Phylum
  - Phylum Discovers 520 Malicious Python Packages in PyPI
- Andrew Northern at Proofpoint
  - TA569: SocGholish and Beyond
- Red Alert
  - Threat Actor targeting Vulnerable Links in Cyber Security (ENG)
- Robin Dimyan
  - 4-Level Analysis for Threat Prioritisation — Chapter II
- James Tytler at S-RM Insights
  - Hacking for the Kremlin: Russia, ransomware and the West’s response
- SANS Internet Storm Center
  - “Unsupported 16-bit Application” or HTML?, (Sun, Feb 19th)
  - OneNote Suricata Rules, (Sun, Feb 19th)
  - Phishing Page Branded with Your Corporate Website, (Tue, Feb 21st)
  - Internet Wide Scan Fingerprinting Confluence Servers, (Wed, Feb 22nd)
  - URL files and WebDAV used for IcedID (Bokbot) infection, (Fri, Feb 24th)
- Kristen Cotten at Scythe
  - Command-Line Obfuscation
- Mitch Mayne and Mike Worley at Security Intelligence
  - Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023
- Securonix
  - Securonix Threat Research Knowledge Sharing Series: Hiding the PowerShell Execution Flow
- Tom Hegel at SentinelOne
  - SOC Team Essentials | How to Investigate and Track the 8220 Gang Cloud Threat
- SOC Fortress
  - Maximizing Threat Detection and Response with Cortex
- Steven Campbell, Ross Phillips, Seth Battles, and Markus Neis at Arctic Wolf
  - Getting Dumped: A Trust Relationship Destroyed by Lorenz
- Sucuri
- Symantec Enterprise
- Team Cymru
  - Desde Chile con Malware (From Chile with Malware)
- Teri Radichel
  - Okta Logging, Monitoring, and Alerts
- Trellix
  - Trellix Finds LockBit Ransomware Gang Most Apt to Leak Stolen Data
- Trend Micro
- Mattias Wåhlén at Truesec
  - What Is Anonymous Sudan?
- Jason Reaves, Josh Platt, Jonathan McCay and Kirk Sayre at Walmart
  - Qbot testing malvertising campaigns?
UPCOMING EVENTS
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2023-02-27
- WiCyS – Women in CyberSecurity
  - Stairway to DFIR: My Journey into Cybersecurity
PRESENTATIONS/PODCASTS
- Black Hills Information Security
  - Talkin’ About Infosec News – 2/22/2023
- Breaking Badness
  - 149. You Data Broker My Heart
- c3rb3ru5d3d53c
  - [60] Shorts – Why did my YARA Signature Match?
- Dark Mode
  - ChatGPT, Warfare, Threat Intel & Modernizing the Digital Economy
- Detection: Challenging Paradigms
  - Episode 29: Olaf Hartong (pt. 2)
- Digital Forensic Survival Podcast
  - DFSP # 366 – Linux File System
- Dump-Guy Trickster
  - Reverse Engineering Mixed Mode Assemblies (IDA, DnSpyEx)
- I Am Ironcat
- Justin Tolman at AccessData
  - FTK Feature Focus – Index Search Refinement
  - Upgrade from Imager to FTK – Automatic File Categorization
  - Upgrade from Imager to FTK – File Carving
  - R.A.N.G.E – Focus on Your Mental Health
  - Upgrade from Imager to FTK – Viewing System and User Activity
  - Upgrade from Imager to FTK – Powerful Fast Searching
  - Upgrade from Imager to FTK – Saving Examination Progress
  - Upgrade from Imager to FTK – Viewing Web History Artifacts
- Linkcabin
  - Analysing Lockbit and AlphaV DDoS Protection client side code – Hashing and spread functions
- SANS Cloud Security
  - Microsoft Sentinel 101: Using a Cloud Native SIEM
- SANS Institute
- Sumuri
  - SUMURI Podcast Episode 014 – The Wonderful World Of Training
- The Defender’s Advantage Podcast
  - Threat Trends: Head of TAG on Commercial Spyware, Cyber Activity in Eastern Europe and More
MALWARE
- Alex Petrov at Hex Rays
  - Plugin focus: Capa Explorer
- ASEC
  - HWP Malware Using the Steganography Technique: RedEyes (ScarCruft)
  - ASEC Weekly Phishing Email Threat Trends (February 5th, 2023 – February 11th, 2023)
  - ASEC Weekly Malware Statistics (February 13th, 2023 – February 19th, 2023)
  - Anti-Forensic Techniques Used By Lazarus Group
  - ChromeLoader Disguised as Illegal Game Programs Being Distributed
  - Distribution of Malware Exploiting Vulnerable Innorix: Andariel
  - Magniber Ransomware’s Relaunch Technique
- Jarosław Jedynak and Michał Praszmo at CERT Polska
  - A tale of Phobos – how we almost cracked a ransomware using CUDA
- CISA
  - MAR-10365227-2.v1
  - MAR-10400779-2.v1 – Zimbra 2
  - MAR-10400779-1.v1 – Zimbra 1
  - MAR-10386789-1.v1 – Log4Shell
  - MAR-10382580-r2.v1 – RAT
  - MAR-10382580-1.v1 – Unidentified RAT
  - MAR-10382254-1.v1 – C2 RAT
  - MAR-10376640-1.v1 – IsaacWiper and HermeticWizard
  - MAR-10376640-2.v1 – CaddyWiper
  - MAR-10375867-1.v1 – HermeticWiper
- Cofense
- Flashpoint
  - Russian Malware Developer Arrested And Extradited To The United States
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #129: Searching for text in database
- Mellvin S at K7 Labs
  - RedLine Stealer spreading through OneNote
- Jérôme Segura at Malwarebytes Labs
  - Multilingual skimmer fingerprints ‘secret shoppers’ via Cloudflare endpoint API
- Marcus Hutchins at MalwareTech
  - A Realistic Look at Implications of ChatGPT for Cybercrime
- Michael Koczwara
  - Malicious DLL Analysis
- Quick Heal
- ReversingLabs
- Pedro Tavares at Segurança Informática
  - How AsyncRAT is escaping security defenses
- Sekoia
  - Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 1
- Tony Lambert
  - NetSupport Manager RAT from a Malicious Installer
- Jason Hill at Varonis
  - HardBit 2.0 Ransomware
- WeLiveSecurity
- Zhassulan Zhussupov
  - Malware AV/VM evasion – part 12: encrypt/decrypt payload via TEA. Simple C++ example.
- Nikolaos Pantazopoulos and Sarthak Misraa at ZScaler
  - Technical Analysis of Rhadamanthys Obfuscation Techniques
MISCELLANEOUS
- Andrew Rathbun
  - Eric Zimmerman’s Binary Foray
- Brett Shavers
  - In this thing of ours, the world of digital forensics, there is one thread that ties us all together
- Cassie Doemel at AboutDFIR
  - AboutDFIR Site Content Update 02/25/23
- CERT Polska
  - Artemis vulnerability scanner is now open source
- Bret at Cyber Gladius
  - PowerShell Best Practices for Preventing Abuse
- Eric Capuano
- Forensic Focus
  - Eliminating Backlogs And Fast-Tracking Investigations With Detego Global’s Cutting-Edge Technology
  - 2023 Industry Trends Report: 70% State Accessing Data Offsite Is A Major Endpoint Collection Problem
  - ChatGPT: A Digital Sleuth For Detectives?
  - The Image Generation Model
  - Digital Forensics Round-Up, February 23 2023
- Greg Ake at Huntress
  - What Endpoint Detection and Response (EDR) Looks Like Under the Hood
- Anubhab Sahu at Keysight
  - A Quick Look into ChatGPT’s Network Traffic
- Sascha Rommelfangen at MISP
  - MISP and fail2ban
- Ryu Hiyoshi at NTT Security Japan
  - Three Typical Challenges with EDR Analysis and Our SOC Team’s Approach
- Salvation DATA
- Mark Stone at Security Intelligence
  - What is an Incident Response Professional?
- Harry Taheem at StealthBay
- Chris Grettenberger at Sumuri
  - How to decide which PALADIN is right for you?
- The Leahy Center for Digital Forensics & Cybersecurity
SOFTWARE UPDATES
- ANSSI
  - DFIR-ORC v10.1.6
- Brian Carrier at Cyber Triage
  - 3.6 Release – Processes, OS Accounts, and Indicator Exports
- Cellebrite
- Costas K
  - JumplistBrowser
- ExifTool
  - ExifTool 12.57
- Federico Lagrasta
  - PersistenceSniper v1.9.2
- Hasherezade
  - PE-Bear v0.6.5
- Magnet Forensics
- Manabu Niseki
  - Mihari v5.1.0
- MISP
  - Critical SQL injection vulnerabilities in MISP (fixed in v2.4.166 and v2.4.167)
- MSAB
  - XRY 10.4.1 Released today – More devices, more apps, more extractions, more data
- Passmark Software
  - V10.0 Build 1009 23rd February 2023
- Passware
  - Passware Kit Mobile 2023 v2 Now Available
- Martin Korman
  - Regipy 3.1.5
- Rizin Organization cutter
  - v2.2.0-rc2
- Thiago Canozzo Lahr – Unix-like Artifacts Collector
  - uac-2.5.0
- Xways
- Yamato Security
  - Hayabusa v2.2.2 🦅
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!