As always, thanks to those who give a little back for their support!
If you haven’t seen, I’ve also been writing my thoughts on some of the articles posted weekly at patreon.com/thisweekin4n6!
FORENSIC ANALYSIS
- Andrew Skatoff at ‘DFIR TNT’
  RMM – ScreenConnect: Client-Side Evidence
- Cado Security
- Cyber Triage
  Logon Session vs Local Session vs Cyber Triage Sessions. Oh My!
- Decrypting a Defense
  Mobile Surveillance, Body-worn Camera Audit Logs, Facial Rec. Source Code, & Threads Data
- Oleg Afonin at Elcomsoft
- Forensafe
  Investigating Android Telegram
- Raj Upadhyay
  Artifacts || PsExec Execution
THREAT INTELLIGENCE/HUNTING
- Chris Brenton at Active Countermeasures
  Sorting tshark’s Conversation (conv) Output
- Adam at Hexacorn
- Adam Goss
  Day in the Life of a Senior Threat Intelligence Analyst
- Alex Teixeira
  Windows AMSI Bypass — The turning point for an Endpoint Analytics eval
- Alexandre Borges at ‘Exploit Reversing’
  Threat Hunting with Malwoverview and Tines
- Ofek Itach and Assaf Morag at Aqua
  TeamTNT Reemerged with New Aggressive Cloud Campaign
- Jesse Maldonado and Kristen Perreault at AT&T Cybersecurity
  Stories from the SOC: OneNote MalSpam – Detection & response
- Francis Guibernau and Giovanni López at AttackIQ
  Attack Graph Response to CISA Advisory AA23-187A: Increased Truebot Activity Infects U.S. and Canada Based Networks
- Avanan
- Avertium
  Threat Actor Profile – Cadet Blizzard
- Bill Toulas at BleepingComputer
  Ransomware payments on record-breaking trajectory for 2023
- BlueteamOps
  Spraying in the Microsoft Cloud
- Brad Duncan at Malware Traffic Analysis
- CERT Ukraine
- CERT-AGID
  Summary of malicious campaigns in the week of 08 – 14 July 2023
- Check Point Research
  10th July – Threat Intelligence Report
- CISA
  Enhanced Monitoring to Detect APT Activity Targeting Outlook Online
- Cisco’s Talos
  Undocumented driver-based browser hijacker RedDriver targets Chinese speakers and internet cafes
  Old certificate, new signature: Open-source tools forge signature timestamps on Windows drivers
  Malicious campaigns target government, military and civilian entities in Ukraine, Poland
  QR codes are relevant again for everyone from diners to threat actors
- Roger Cheeks at Corelight
  How SOCs can level up their PCAP game with Smart PCAP (Part 2)
- Curated Intelligence
  The Threat Actor Profile Guide for CTI Analysts
- Cyble
- Cyborg Security
  The Chirping Intruder: Unraveling the Mockingjay Cyber Attack and How to Stay Ahead of It
- Cyfirma
  Weekly Intelligence Report – 14 July 2023
- Esentire
  Google Firebase Hosting Abused to Deliver Sorillus RAT, Phishing Page
- Flashpoint
- Fortinet
- Max Rogers and Sharon Martin at Huntress
  Thwarting Financial Fraud: Shutting Down Hackers in Microsoft 365
- Lumen
  Routers from the Underground: Exposing AVrecon
- Matt Suiche at Magnet Forensics
  TrueBot Malware: What It Is and How to Hunt It
- Mandiant
- Microsoft Security
- Jan Michael at Netskope
  AWS Amplify Hosted Phishing Campaigns Abusing Telegram, Static Forms
- Sandra Quincoses at Nisos
  Chinese State-Linked Information Operation Revealed Social Media Account Takeover Potential
- Palo Alto Networks
- Tom Caiazza at Rapid7
  The Japanese Financial Services Attack Landscape
- Recorded Future
  China’s Targeting of International Companies in Geopolitical Competition
- Red Alert
  Monthly Threat Actor Group Intelligence Report, May 2023 (ENG)
- Red Canary
- redhead0ntherun
  Loader Activity for Formbook “QM18”: A Deep Dive and Detection Opportunities
- Chris Morgan at ReliaQuest
  Top Adversary Techniques: What We’re Seeing Right Now
- Resecurity
  Cybercriminals Evolve Antidetect Tooling For Mobile OS-Based Fraud
- S-RM Insights
- SANS Internet Storm Center
- Christopher Peacock at Scythe
  The Value of IOCs vs. IOAs
- Melissa Frydrych and Golo Mühr at Security Intelligence
  BlotchyQuasar: X-Force Hive0129 targeting financial institutions in LATAM with a custom banking trojan
- Security Scorecard
- Jared Stroud at SentinelOne
  Analyzing Attack Opportunities Against Information Security Practitioners
- SOCRadar
- Sophos
- Alessandro Brucato at Sysdig
  SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto
- Pierre Noujeim at System Weakness
  How to Automate Incident Response to MITRE ATT&CK Technique T1566: Phishing
- The Sleuth Sheet
  DarkNet Field Kit: Information Gathering
- Threatmon
  From Slides to Threats: Transparent Tribe’s New Attack on Indian Government Entities Using Malicious PPT
- Trend Micro
- Zach Bevilacqua at TrustedSec
  Modeling Malicious Code: Hacking in 3D
- Karla Agregado at Trustwave SpiderLabs
  It’s Raining Phish and Scams – How Cloudflare Pages.dev and Workers.dev Domains Get Abused
- Alexandra Martin at VirusTotal
  Actionable Threat Intel (III) – Introducing the definitive YARA editor
- Roman Kováč at WeLiveSecurity
  ESET Threat Report H1 2023
- Avigayil Mechtinger, Oren Ofer, and Itamar Gilad at Wiz
  PyLoose: Python-based fileless malware targets cloud workloads to deliver cryptominer
UPCOMING EVENTS
- Cellebrite
  Uncovering Hidden Data: How to Collect the Mobile Data your Investigation is Missing
- DFRWS
  DFRWS APAC 2023 CFP
- Magnet Forensics
- SANS
- Trellix
  Ransomware Detection & Response Virtual Summit
- Yihao Lim at Mandiant
  M-Trends 2023 by the Numbers: Today’s Top Cyber Developments and Attacks LIVE
PRESENTATIONS/PODCASTS
- Black Hills Information Security
- Breaking Badness
  160. Legends of the Hidden Data
- Cellebrite
- cloudyforensics
  Cloud Forensic Tools
- Digital Forensic Survival Podcast
  DFSP # 386- The Three Task Hosts
- InfoSec_Bret
  InfoSec Tools – AppGuard Solo
- Intel471
  Stopping the Reuse of Credentials and Session Tokens
- John Hammond
  Dark Web Dumpster Diving (Hunting Infostealer Malware)
- John Hubbard at ‘The Blueprint podcast’
  Strategy 10: Measure Performance to Improve Performance
- Lee Whitfield
  Forensic 4:cast Awards 2023 Update
- Magnet Forensics
  Investigate Security Incidents Faster with Magnet Forensics DFIR Solutions
- Malwarebytes Labs
  From Malvertising to Ransomware: A ThreatDown webinar recap
- MSAB
  How to perform a smarter phone number searching in XAMN Pro?
- Richard Davis at 13Cubed
  Detecting PsExec Usage
- SANS Cloud Security
MALWARE
- Abdallah Elshinbary
  Deep Analysis of GCleaner
- Any.Run
  Malware Trends Report: Q2, 2023
- ASEC
- c3rb3ru5d3d53c
  [68] Malware News from Around the World
- Fatih Yilmaz
- Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #148: Fixing “call analysis failed”
- Roei Kriger at InfoSec Write-ups
  Deobfuscation for Beginners
- Lab52
- Malware Hell
  Destroying GuLoader
- Jérôme Segura at Malwarebytes Labs
  Criminals target businesses with malicious extension for Meta’s Ads Manager and accidentally leak stolen accounts
- OALABS Research
  Truebot
- Robert Giczewski
  TrueBot Analysis Part IV – Config Extraction
- Sekoia
  CustomerLoader: a new malware distributing a wide variety of payloads
- Puja Srivastava at Sucuri
  Malicious Injection Redirects Traffic via Parked Domain
- Tony Lambert
  Faster Malware Triage with YARA
- Nischay Hegde and Siddartha Malladi at Uptycs
  New PoC Exploit Found: Fake Proof of Concept with Backdoor Malware
- WeLiveSecurity
  ESET Research Podcast: Finding the mythical BlackLotus bootkit
MISCELLANEOUS
- Brittany Roberts at ADF Solutions
  7 Effective Ways to Conduct Targeted Searches Using ADF Software
- Black Cell
  Responding to a Cyber Incident Infographic
- Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update – 07/15/2023
- Jonathan Munshaw at Cisco’s Talos
  Gergana Karadzhova-Dangela wants to send the ladder back down to the next generation of incident responders
- Derek Eiri
  DFIR (Mostly) Updates
- Forensic Focus
- Inginformatico
  Compilation of web page links that show lists of incident response playbooks [ENG]
- Magnet Forensics
- Revo4n6
  Cloud Storage and CJIS Compliance in the U.S.
- Salvation DATA
  Top 5 Digital Forensic Corps: Leaders in Cybersecurity in 2023
- Securityinbits
  Converting Integers to Hex with CyberChef – Recipe 1
- Steven F at SpecterOps
  Performance, Diagnostics, and WMI
- Sumuri
  CaseScan: Revolutionizing CSAM Detection with Speed, Accuracy, and Officer Well-Being
SOFTWARE UPDATES
- Atola
  Yes, it’s Atola TaskForce 2. And it’s impressive! Come take a look
- Amped
  Amped FIVE Update 29850: Updated GUI, Improved Macroblocks Filter, New Smart Adjust Filter and Much More!
- Canadian Centre for Cyber Security
  Assemblyline v4.4.1.dev152
- GCHQ
  CyberChef v10.5.2
- Doug Burks at Security Onion
  Security Onion 2.4 Beta 4 Release Now Available!
- Doug Metz at Baker Street Forensics
  Mal-Hash Updates
- Elcomsoft
  Accelerating digital forensics: Elcomsoft System Recovery boosts efficiency in forensic analysis
- Eric Kutcher
- Magnet Forensics
- MALCAT
  New release: 0.9.2
- Manabu Niseki
  Mihari v5.3.0
- MISP
  MISP 2.4.173 released with various bugfixes and improvements
- OpenCTI
  5.9.2
- Passware
  Passware Kit 2023 v3 Now Available
- WithSecure Labs
  Chainsaw v2.7.2
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!