As always, thanks to those who give a little back for their support!
If you haven’t seen, I’ve also been writing my thoughts on some of the articles posted weekly at patreon.com/thisweekin4n6!
FORENSIC ANALYSIS
- DFIR101
- Forensafe
- John Reeman at Cyooda Security
  - How To: Email Phishing, malicious payload analysis walkthrough
- Kairos (Hestia) Tay
- Kevin Pagano at Stark 4N6
- Juyeon Hyun at Plainbit
  - How to use AXIOM Process effectively
- Salvation DATA
- Taz Wake
  - Linux Copy on Write for Incident Responders
- Madi Brumbelow at The Hive
  - 2024 Magnet Virtual Summit CTF Walkthrough
THREAT INTELLIGENCE/HUNTING
- Adam Goss
  - How to Optimize Data Sources: Collection Management Framework
- Any.Run
- Avertium
  - LockBit 4.0? – An Update on the LockBit Ransomware Group
- Barracuda
  - Who is behind Cactus ransomware?
- BI.Zone
  - Fluffy Wolf sends out reconciliation reports to sneak into corporate infrastructures
- Bishop Fox
- Blumira
- Brad Duncan at Malware Traffic Analysis
  - 2024-03-19: DarkGate infection
- Cado Security
- CERT-AGID
  - Summary of malicious campaigns in the week of 16 – 22 March 2024
- Check Point
  - 18th March – Threat Intelligence Report
- CISA
- Asheer Malhotra, Holger Unterbrink, Vitor Ventura, and Arnaud Zobec at Cisco’s Talos
  - New details on TinyTurla’s post-compromise activity reveal full kill chain
- Corelight
  - Hunt of the Month: Detecting AsyncRAT Malware Over HTTPS | Corelight
- CTF导航
  - New technique! APT28’s latest backdoor has a large number of compromised mailboxes built in (which can be logged into successfully) for data theft
- Cyfirma
  - Weekly Intelligence Report – 22 Mar 2024
- Eclypsium
  - Linux Supply Chain Validation Cheat Sheet
- Elastic Security Labs
  - Unveiling malware behavior trends
- Ervin Zubic
  - CTI: Undervalued and Underutilized in Cybersecurity Decision-Making
- Andrew Bentle at Expel
  - Logs your SOC can use every day: a quick reference guide
- g0njxa
  - Profiling Traffers: Raven Logs
- Justin Timothy, Jason Baker, and Drew Schmitt at GuidePoint Security
  - T-O-X-I-N-B-I-O – Ransomware Recruitment Efforts Following Law Enforcement Disruption
- Ian Shefferman at Trellix
  - Midnight Blizzard Attack Detection in Trellix Helix
- Infoblox
  - DNS Early Detection – Cobalt Strike DNS C2
- Julien Houry at Airbus
  - Uncovering Cyber Intruders: A Forensic Deep Dive into NetScan, Angry IP Scanner, and Advanced Port Scanner
- Kaido Järvemets at Kaido Järvemets
  - Streamlining Windows Server Security: A Deep Dive into Sentinel’s Common Event IDs
- KELA Cyber Threat Intelligence
  - New Phone, Who Dis? The Importance of Verifying Threats in the Age of Fake RaaS
- Raúl Redondo at Lares Labs
  - Kerberos I – Overview
- Michael Raggi, Adam Aprahamian, Dan Kelly, Mathew Potaczek, Marcin Siedlarz, and Austin Larsen at Mandiant
  - Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
- Mehmet Ergene
  - A Common KQL Mistake in Threat Hunting and Detection Engineering
- Michael Haag
  - The Crucial Role of Proof of Concept (POC) in Detection Engineering
- Microsoft Security
- Palo Alto Networks
- Proofpoint
  - Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign
- Digvijay Mane at Quick Heal
  - Beware: Malicious Android Malware Disguised as Government Alerts.
- Rapid7
- Recorded Future
- Red Alert
  - Activity of Hacking Group Targeted Financial Industry in 2023 (KOR)
- Red Canary
- Salim Salimov
  - Studying “BazarCall to Conti Ransomware via Trickbot and Cobalt Strike”: Part 1
- SANS Internet Storm Center
  - Gamified Learning: Using Capture the Flag Challenges to Supplement Cybersecurity Training [Guest Diary], (Sun, Mar 17th)
  - Attacker Hunting Firewalls, (Tue, Mar 19th)
  - Scans for Fortinet FortiOS and the CVE-2024-21762 vulnerability, (Wed, Mar 20th)
  - Whois “geofeed” Data, (Thu, Mar 21st)
  - 1768.py’s Experimental Mode, (Sat, Mar 23rd)
- Securelist
- Security Intelligence
- Securonix
  - Securonix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware
- Simone Kraus
  - Sysmon File Block Execution — How we can use Sysmon to block Hermetic Wiper, RMM Tools and…
- SOCRadar
- Jonas Bülow Knudsen at SpecterOps
  - Pwned by the Mail Carrier
- Sophos
  - Remote Desktop Protocol: The Series
  - Remote Desktop Protocol: Exposed RDP (is dangerous)
  - Remote Desktop Protocol: How to Use Time Zone Bias
  - Remote Desktop Protocol: Queries for Investigation
  - Remote Desktop Protocol: Executing the 4624_4625 Login Query
  - Remote Desktop Protocol: Executing the External RDP Query
- Trend Micro
- Trustwave SpiderLabs
  - Trustwave SpiderLabs: Artificial Intelligence Playing a Prime Role in BEC and Phishing Attacks
- Wiz
UPCOMING EVENTS
- Black Hills Information Security
  - Phishtory and the Phuture of Phishing with Joseph
- Huntress
  - An Insider’s Guide to Choosing an EDR
- Magnet Forensics
PRESENTATIONS/PODCASTS
- Anuj Soni
  - An Intro to Binary Ninja (Free) for Malware Analysis
- Arkime
  - JA4+ Intro
- Black Hat
  - Unmasking APTs: An Automated Approach for Real-World Threat Attribution
- Breaking Badness
  - Breaking Badness Cybersecurity Podcast – 183. BlackCat’s Out of the Bag
- Cellebrite
  - Intro to Cellebrite Inseyets – UFED
- Cyber Social Hub
- Cyberwox
  - Investigating a Windows Intrusion Attack with Splunk | TryHackMe Investigating with Splunk
- Digital Forensic Survival Podcast
  - DFSP # 422 – EVTX Express: Cracking into Windows Logs Like a Pro
- Hardly Adequate
  - Hardly a Week 11 March 18, 2024
- InfoSec_Bret
  - Challenge – PDFURI
- Insane Forensics
  - Volt Typhoon: Finding Malicious, Masquerading RDP
- Jai Minton
  - Creating Yara rules with Ghidra to hunt for Havoc Demon implants – Malware Analysis
- John Hammond
  - How Hackers Compromise BIG Networks (with NetExec)
- Justin Tolman at AccessData
  - Basics of accessing Encrypted Office Documents using Password Recovery Toolkit (PRTK)
- Magnet Forensics
- Mostafa Yahia
  - DFIR (Windows Forensics) Course: Collecting Network info from Registry hives
- MSAB
  - General Options Menu in XRY
- MyDFIR
- SalvationData
  - Professional Surveillance Video Recovery System—SVR | SalvationDATA
- Sandfly Security
  - Linux Threat Hunting Tactics and Techniques vs. Signatures
- Teds X-Ways Clips Channel
  - Video 69 – Understanding, and Using the Data Interpreter in X-Ways Forensics
- The Cyber Mentor
  - Remediate XXE (XML External Entity Injection)
MALWARE
- Arda Büyükkaya
  - How Ransomware Encryption Works (ChaCha20 + RSA)
- ASEC
- Cryptax
  - Phishing attempt on French e-tolls
- Cyber 5W
  - CryptNet Ransomware Detailed Analysis
- Dr Josh Stroschein – The Cyber Yeti
  - Why Do You Need to Know Assembly to Use IDAPro or Ghidra? Exploring disassembly and decompilation!
- Francisco Dominguez at DiabloHorn
  - Analyzing Pipedream / Incontroller with MITRE/STIX
- Gi7w0rm
  - VexTrio’s Browser Fingerprinting
- Hex Rays
  - Plugin focus: ida kmdf
- Kashinath T Pattan at Juniper Networks
  - Shielding Networks From Androxgh0st
- Shanmugasundharam E at K7 Labs
  - Python Ciphering: Delving into Evil Ant’s Ransomware’s Tactics
- Malvuln
  - Stop Ransomware / Remote Code Execution MITM
- Jérôme Segura at Malwarebytes
  - New Go loader pushes Rhadamanthys stealer
- MWLab
  - XWorm RAT and Steganography
- Nextron Systems
  - Unveiling KamiKakaBot – Malware Analysis
- OALABS Research
  - New Gcleaner
- PetiKVX
- Saurabh Arya
  - MSIXploit: From MSIX to LummaC2: A Technical Breakdown of a Stealthy Malware
- Juan Andrés Guerrero-Saade & Tom Hegel at SentinelOne
  - AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine
- Snyk
  - Getting started with PHP static analysis in 2024
- SonicWall
- Ben Martin at Sucuri
  - Sign1 Malware: Analysis, Campaign History & Indicators of Compromise
- Ken Kaneki
  - Flare-on challenge with Pin framework
MISCELLANEOUS
- Fabian Mendoza at AboutDFIR
  - AboutDFIR Site Content Update – 03/22/2024
- Brett Shavers
  - The most innovative DFIR book in a decade is coming
- Cellebrite
  - Incident Response in Safeguarding Organizations Against Cyber Threats
- Craig Ball at ‘Ball in your Court’
  - ESI Protocols: How Do I Get Out of a Bad Deal?
- Dragos
  - The Hunt: Threat Hunting in OT Environments
- Elan at DFIR Diva
  - Partnering with Wicked6: Women’s Cyber Games & Conference (March 29-30, 2024)
- Forensic Focus
  - Cellebrite Revolutionizes Data Collection With Ground-Breaking SaaS Solution
  - UPCOMING WEBINAR – Maximizing Data Collection With SaaS Innovations
  - Oxygen Forensic® Detective v.16.2 Is Available
  - Amped Replay – A Case Study Of The Organisational Rollout Within Avon & Somerset Police
  - Robert Fried, Senior Vice President And Global Head Of Forensics And Investigations, Sandline Global
  - Digital Forensics Round-Up, March 21 2024
- HackTheBox
  - A (realistic) template for writing incident response reports
- Magnet Forensics
  - 2024 Magnet Virtual Summit CTF winners and another chance to play!
- Oxygen Forensics
  - Warrant Returns
- SentinelOne
  - Experiencing a Data Breach? 8 Steps for Effective Incident Response
SOFTWARE UPDATES
- AbdulRhman Alfaifi
  - Fennec v0.4.1
- Airbus Cybersecurity
  - IRIS-Web v2.4.7
- Brian Maloney
  - OneDriveExplorer v2024.03.22 released
- Digital Sleuth
  - winfor-salt v2024.5.4
- Security Onion
  - Security Onion 2.4.60 now available including some new features and lots of bug fixes!
- Elcomsoft
  - Elcomsoft Phone Viewer 5.50 packs multiple compatibility improvements
- ExifTool
  - ExifTool 12.80
- F-Response
  - F-Response 8.7.1.27 Now Available
- Hex Rays
  - IDA 8.4 Service Pack 1 released
- Magnet Forensics
  - Magnet GRAYKEY Adds Full Support for Apple iOS 17, Samsung Galaxy S24 Devices, and Pixel 6,7 Devices
- Manabu Niseki
  - Mihari v7.5.0
- MasterParser
  - MasterParser-v2.4.1
- Minoru Kobayashi
  - macOS Artifact Collector (macosac) – 20240321
- Passmark Software
  - OSForensics V11.0 build 1007 20th March 2024
- PuffyCid
  - Artemis v0.8.0 – Released!
- Three Planet Software
  - Apple Cloud Notes Parser v0.16.2
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!