As always, thanks to those who give a little back for their support!
If you haven’t seen, I’ve also been writing my thoughts on some of the articles posted weekly at patreon.com/thisweekin4n6!
FORENSIC ANALYSIS
- Emi Polito at Amped
  - Measure Heights from Surveillance Video
- John Hyla at Blue Crew Forensics
  - Connecting Discord Attachments to Threads & SDWebImage Library
- Cado Security
  - A New Perspective on Resource-Level Cloud Forensics
- Cellebrite
  - Data extraction cheatsheet
- Cyber Social Hub
  - MediaTek: A Short Story
- Digital Daniela
  - Memory Forensics Thesis!
- Doug Metz at Baker Street Forensics
  - Huntress Capture the Flag – A CTF Marathon
  - Huntress CTF: Week 1 – WarmUps
  - Huntress CTF: Week 1 – Malware: Hot Off The Press, HumanTwo, PHP Stager & Zerion
  - Huntress CTF: Week 1 – Miscellaneous: I Won’t Let You Down
  - Huntress CTF: Week 1 – Forensics: Backdoored Splunk, Traffic, Dumpster Fire
  - Huntress CTF: Week 2 – WarmUps
  - Huntress CTF: Week 2 – Forensics: Wimble, Opposable Thumbs, Tragedy_Redux
  - Huntress CTF: Week 2 – Miscellaneous: Rock, Paper, Psychic
  - Huntress CTF: Week 2 – Malware: VeeBeeEee, Snake Eater, Opendir
  - Huntress CTF: Week 2 – OSINT: Where Am I?, Operation Not Found, Under the Bridge
  - Huntress CTF: Week 2 – Steganography: Land Before Time
  - Huntress CTF: Week 3 – Miscellaneous: Who Is Real?, Operation Eradication
  - Huntress CTF: Week 3 – Forensics: Rogue Inbox, Texas Chainsaw Massacre: Tokyo Drift
  - Huntress CTF: Week 3 – M Three Sixty Five
  - Huntress CTF: Week 4 – Miscellaneous: MFAtigue
  - Huntress CTF: Week 4 – Forensics: Bad Memory
- Oleg Afonin at Elcomsoft
  - Using and Troubleshooting the checkm8 Exploit
- Felix Guyard at ForensicXlab
  - 📘 Volatility3: Modern Windows Hibernation file analysis
- Forensafe
  - Investigating Android Playstore Search History
- Lionel Notari
  - iOS Unified Logs – Typing and sending a message in WhatsApp
- Mattia Epifani at Zena Forensics
  - iOS 15 Image Forensics Analysis and Tools Comparison – Native Apps
- Maxim Suhanov
  - Bringing unallocated data back: the FAT12/16/32 case
- The DFIR Report
  - NetSupport Intrusion Results in Domain Compromise
- William Oettinger
  - The Art of Digital Forensics Report Writing
THREAT INTELLIGENCE/HUNTING
- Adam Goss
  - Threat Intelligence with MISP Part 6 — Using the API
- Alex Teixeira
  - Navigating the crossroads of Threat Hunting & Detection Engineering
- Anton Chuvakin
- Any.Run
  - Understanding Threat Intelligence Benefits for a Business
- Assaf Morag at Aqua
  - Looney Tunables Vulnerability Exploited by Kinsing
- Kushalveer Singh Bachchas at AT&T Cybersecurity
  - A guide to digital forensics data acquisition with FTK Imager
- Francis Guibernau at AttackIQ
  - Attack Graph Response to CISA Advisory (AA23-284A): #StopRansomware: AvosLocker Ransomware
- Avertium
  - An In-Depth Look at Rhysida Ransomware
- Kevin Low at AWS Security
  - How to use chaos engineering in incident response
- BhaveshL
  - Cobalt Strike & .HTA files
- Martin Zugec at Bitdefender
  - Bitdefender Threat Debrief | October 2023
- Jake Ouellette at Blumira
  - Citrix NetScaler ADC and Gateway Auth Bypass Vulnerability CVE-2023-4966 (Citrix Bleed)
- Brad Duncan at Malware Traffic Analysis
- Joshua Penny at Bridewell
  - BlackBasta: Discovering New Connections
- CERT-AGID
- Check Point
- Cisco’s Talos
- Jared Elder at Cloud Chronicles
  - Why Identity Providers Aren’t Enough to Secure Identities in the cloud
- Coveware
  - Scattered Ransomware Attribution Blurs Focus on IR Fundamentals
- Reza Rafati at Cyberwarzone
  - The Art of IoC Threat Hunting
- Cyfirma
  - Weekly Intelligence Report – 03 Nov 2023
- Simon Warren at Dragos
  - The Importance of OT Threat Intelligence Within the Cyber Assessment Framework (CAF)
- Eclypsium
  - Applying ATT&CK Methodology to Hardware and Firmware
- Elastic Security Labs
  - Elastic catches DPRK passing out KANDYKORN
- Eric Capuano
- eSentire
- Chandler Matthews at Expel
  - Okta cross-tenant impersonation: a new Expel detection
- F5 Labs
- FBI
  - Tactics, Techniques, and Indicators of Compromise Associated with Hello Kitty/FiveHands Ransomware
- Flare
- Shunichi Imano and James Slaughter at Fortinet
  - Ransomware Roundup – Knight
- HP Wolf Security
  - HP Wolf Security Threat Insights Report Q3 2023
- Alicja Dobrzeniecka & Marvin Straathof at Hunt & Hackett
  - K-means Clustering for Lateral Movement Detection
- Infoblox
  - Prolific Puma: Shadowy Link Shortening Service Enables Cybercrime
- Intel471
- Koen Van Impe
- Korstiaan Stam at ‘Invictus Incident Response’
  - A Defenders Guide to GraphRunner — Part I
- Marc Brawner, Devon Ackerman, Keith Wojcieszek, George Glass, and Ryan Hicks at Kroll
- Michael Haag at MagicSword
  - A Behind-the-Scenes Look at Creating LOLDrivers
- Sebastian Demmer, Nicole Jenaye, Doug Bienstock, Tufail Ahmed, John Wolfram, and Ashley Frazer at Mandiant
  - Investigation of Session Hijacking via Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966)
- Ravisankar Ramprasad at Menlo Security
  - EvilProxy Phishing Attack Strikes Indeed
- Michalis Michalos
  - Microsoft Defender for Endpoint curated list of resources for DFIR
- Amy L. Robertson at MITRE ATT&CK
  - ATT&CK v14 Unleashes Detection Enhancements, ICS Assets, and Mobile Structured Detections
- Maggie MacAlpine at MITRE-Engenuity
  - Dive into Attack Flow with the OceanLotus Adversary Emulation Plan
- Monty Security
  - From LNK Payload to Infostealer Source Code
- Nasreddine Bencherchali
  - Introducing SigmaHQ Rule Creation GUI
- NCC Group
- Paul Hager at Nextron Systems
  - Integration of THOR in Velociraptor: Supercharging Digital Forensics and Incident Response
- Nick Pockl-deen
  - MFA Bypass – how frameworks like Evilginx are giving threat actors the tools to succeed.
- Chris Fuller at Obsidian Security
  - Fortify Okta Against Session Token Compromise
- Palo Alto Networks
- Phylum
- Axel F and Selena Larson at Proofpoint
  - Security Brief: TA571 Delivers IcedID Forked Loader
- Red Alert
- Ivan Righi at ReliaQuest
  - Ransomware and Cyber-extortion Trends in Q3 2023
- Yogi Kapur at Salesforce
  - New Automation Tools: Stopping Hundreds of Future Threats Instantly
- Katie Nickels at SANS
  - Recent Cyber Threats Defenders Should Pay Attention To.
- SANS Internet Storm Center
  - Spam or Phishing? Looking for Credentials & Passwords, (Sun, Oct 29th)
  - Flying under the Radar: The Privacy Impact of multicast DNS, (Mon, Oct 30th)
  - Malware Dropped Through a ZPAQ Archive, (Wed, Nov 1st)
  - Multiple Layers of Anti-Sandboxing Techniques, (Tue, Oct 31st)
  - Quick Tip For Artificially Inflated PE Files, (Thu, Nov 2nd)
- Security Intelligence
- Thomas Roccia at SecurityBreak
  - Applying LLMs to Threat Intelligence
- Tom Hegel at SentinelOne
  - So, State-Sponsored Attackers Are Targeting Your Mobile Device. Now What?
- Simone Kraus
  - Ransomware & Data Extortion Landscape
- SOCRadar
- Sai Lakshmi Ghanasyam at Sophos
  - Step-by-step through the Money Message ransomware
- SpecterOps
- Stephan Wolfert
  - Webshell Compilation Artifacts
- System Weakness
- Taz Wake
- Lewis Henderson at Team Cymru
  - Threat Modeling and Real-Time Intelligence – Part 1
- Trellix
  - Trellix 2024 Threat Predictions
- Uptycs
- VMware
  - Hunting Vulnerable Kernel Drivers
UPCOMING EVENTS
- Brittany Roberts at ADF Solutions
  - Best 2024 Law Enforcement Conferences
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2023-11-06
- Huntress
  - Using Memory Forensics to Bring Your Investigations Back from the Dead
- Magnet Forensics
  - Leveraging AXIOM Cyber to Accelerate Corporate Investigations
- MSAB
  - Updates from the Frontline
PRESENTATIONS/PODCASTS
- Adversary Universe Podcast
  - Inside China’s Evolution as a Global Security Threat
- Alexis Brignoni
  - Digital Forensics Now – Episode 5
- Black Hills Information Security
- Breaking Badness
  - 171. The Fancy Bear Necessities
- Cellebrite
- Digital Forensic Survival Podcast
  - DFSP # 402 – Linux Root Directory Files for DFIR
- Desi at Hardly Adequate
  - Hardly a Week 44 October 30, 2023
- Huntress
- InfoSec_Bret
  - IR -SOC215-168 – Possible Zero Day Exploit Detected (CVE-2023-36884)
- John Hammond
  - Hacking Websites: NodeJS Server-Side Template Injection
- Justin Tolman at AccessData
- Magnet Forensics
  - Simplifying Microsoft 365 Collections in AXIOM Cyber
- Microsoft Threat Intelligence Podcast
  - Octo Tempest Threat Actor Profile
- MSAB
  - How to harness Apple OCR in XAMN Pro?
- Nextron Systems
  - THOR Cloud Lite – Microsoft Defender ATP Integration
- RickCenOT
  - Breakdown “PWN’ing a Moxa NPort W2150A ICS/OT server over UART and finding hardcoded credentials”
- Securizame
  - Una caña con Lawwait – Episodio 28 – Mario Guerra Soto (Spanish-language podcast, episode 28)
- Sophos
  - Investigating data exfiltration…
MALWARE
- Stefan Hostetler, Markus Neis, Christopher Prest, Hady Azzam, Joe Wedderspoon, and Ross Phillips at Arctic Wolf
  - TellMeTheTruth: Exploitation of CVE-2023-46604 Leading to Ransomware
- ASEC
- Charles Lomboni
  - Zero2Auto Custom Sample – Part 1
- CTF导航
- Doug Burks at Security Onion
  - Quick Malware Analysis: ICEDID variant with BACKCONNECT, ANUBIS VNC, COBALT STRIKE & SCREENCONNECT pcap from 2023-10-18
- Embee Research
- Fatih Yilmaz
  - Malicious Document Analysis Part-1 (Microsoft Word Documents)
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #163: Names list
- InfoSec Write-ups
  - DarkGate (DarkLoader) Malware Analysis
- Karlo Zanki at ReversingLabs
  - IAmReboot: Malicious NuGet packages exploit loophole in MSBuild integrations
- Lakshya Mathur & Vignesh Dhatchanamoorthy at McAfee Labs
  - Unmasking AsyncRAT New Infection Chain
- Netskope
- OALABS Research
  - SparkRAT
- Ovi Liber
  - [0x0v1] Newsletter | Hacktivist Field Guide: Reverse engineering [Part 2]
- S2W Lab
- Security Joes
  - BiBi-Linux: A New Wiper Dropped By Pro-Hamas Hacktivist Group
- Phil Stokes at SentinelOne
  - 11 Ways to Tweak radare2 for Faster and Easier macOS Malware Analysis
- Splunk
  - More Than Just a RAT: Unveiling NjRAT’s MBR Wiping Capabilities
- Suraj Yadav
  - Dridex Trojan (Stealer)
- Ivan Bešina, Michal Škuta, and Miloš Čermák at WeLiveSecurity
  - Who killed Mozi? Finally putting the IoT zombie botnet in its grave
MISCELLANEOUS
- Fabian Mendoza at AboutDFIR
  - AboutDFIR Site Content Update – 11/03/2023
- Jonathan Tanner at Barracuda
  - Malware 101: Additional payloads
- Berla
  - iVe Software Support for Long Paths
- Doug Burks at Security Onion
- Elan at DFIR Diva
  - Free & Affordable Training News Monthly: October 2023
- Forensic Focus
- Matt Kiely at Huntress
  - The Hackers in the Arena: The Huntress CTF Retrospective
- Andrew Rathbun and Eric Zimmerman at Kroll
  - KAPE Quarterly Update – Q3 2023
- Passware
  - Passware Certified Examiner Training v2 Now Available
- Salvation DATA
  - 5 Questions about the Digital Forensics Expert
SOFTWARE UPDATES
- Nicholas Dubois at Hexordia
  - Introducing Evanole Community Edition
- Berla
  - iVe Software v4.5 Release
- Cado Security
  - What’s new in the Cado Platform Q3 2023
- Canadian Centre for Cyber Security
  - Assemblyline Release 4.4.0.73
- Cellebrite
- Dark Data Discovery
  - Dark Data Detective has arrived!
- Datadog Security Labs
  - GuardDog v1.5.0
- Digital Sleuth
  - winfor-salt v2023.30.4
- Federico Lagrasta
  - PersistenceSniper v1.14.0
- IntelOwl
  - v5.2.0
- Alexandre Borges
  - Malwoverview 5.4.2
- Manabu Niseki
  - Mihari v5.7.1
- Mazars Tech
  - AD_Miner v0.5.0
- MISP
  - MISP 2.4.178 released with many workflow improvements, enhancements and bugs fixed.
- Nextron Systems
  - Introducing THOR-Cloud Lite: Seamless On-Demand Security Scanning Made Easy
- PuffyCid
  - Artemis 0.5.0 – Released!
- X-Ways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!