As always, thanks to those who give a little back for their support!
If you haven’t seen, I’ve also been writing my thoughts on some of the articles posted weekly at patreon.com/thisweekin4n6!
FORENSIC ANALYSIS
- Cyber 5W
  - Windows Memory Forensics
- Forensafe
  - Investigating Apple Data Usage
- R Tec Cybersecurity
  - Final Report: Security Incident
- Salvation DATA
  - A Step-to-Step Guide for Data Extraction from Wechat
- Scott Koenig at ‘The Forensic Scooter’
  - PhotoData – Photos.sqlite and Syndication Photo Library – Photos.sqlite Query Updates
- Nathanael Ndong at Last Blog Article
  - VMware ESXi Forensic with Velociraptor
THREAT INTELLIGENCE/HUNTING
- Aaron Goldstein at Todyl
- Adam Goss
  - Threat Modeling: A Staple of Great Cyber Threat Intelligence
- Allan Liska at ‘Ransomware Sommelier’
  - Ransomware Attacks Against Local Governments Accelerating
- Anton Chuvakin
  - One More Time on SIEM Telemetry / Log Sources …
- Avertium
  - Phobos Ransomware
- BI.Zone
  - Cloud Werewolf spearphishes for government employees in Russia and Belarus with fake spa vouchers…
- Terry Reese at Black Hills Information Security
  - In Through the Front Door – Protecting Your Perimeter
- Brad Duncan at Malware Traffic Analysis
  - 2024-03-26: Google ad leads to Matanbuchus infection with Danabot
- CERT-AGID
  - Outlook phishing campaign aimed at public administrations (PA)
  - Agenzia delle Entrate – Punto Fisco: phishing campaign aimed at stealing credentials and security matrices
  - AgentTesla intensifies its presence in Italy: the crucial role of PDF attachments
  - Summary of malicious campaigns in the week of 23 – 29 March 2024
- Check Point
- Checkmarx Security
- João Tomé at Cloudflare
  - From .com to .beauty: The evolving threat landscape of unwanted email
- CTF导航
- Cyble
- Cyfirma
  - Weekly Intelligence Report – 29 Mar 2024
- Arda Büyükkaya at EclecticIQ
  - Operation FlightNight: Indian Government Entities and Energy Sector Targeted by Cyber Espionage Campaign
- Elastic Security Labs
  - In-the-Wild Windows LPE 0-days: Insights & Detection Strategies
- Elliptic
  - Israeli authorities link 42 crypto addresses to terrorism
- Matthew at Embee Research
- Flare
  - Ransomware in Context: 2024, A Year of Tumultuous Change
- Flashpoint
- Google Cloud Threat Intelligence
- Roman Rez at Group-IB
  - Hunting Rituals #4: Threat hunting for execution via Windows Management Instrumentation
- Marshall Price at GuidePoint Security
  - SCCM Exploitation: Account Compromise Through Automatic Client Push & AD System Discovery
- Human Security
- Jai Minton and Harlan Carvey at Huntress
  - MSSQL to ScreenConnect | Huntress Blog
- Invictus Incident Response
  - The Microsoft Graph for Unified Audit Log acquisitions is here!
- Jaron Bradley, Ferdous Saljooki, and Maggie Zirnhelt at Jamf
  - Infostealers continue to pose threat to macOS users
- Andrey Polkovnichenko at JFrog
  - NPM Manifest Confusion: Six Months Later
- JPCERT/CC
- Vigneshwaran P at K7 Labs
  - Unknown TTPs of Remcos RAT
- Brian Krebs at Krebs on Security
- Raúl Redondo at Lares Labs
  - Kerberos II – Credential Access
- Swachchhanda Shrawan Poudel at Logpoint
  - Raspberry Robin, Not a Juicy Raspberry You Love
- Lumen
  - The Darkside of TheMoon
- Michalis Michalos
  - Operationalizing MITRE ATT&CK with Microsoft Security (Part 2)
- Tiffany Bergeron and Mark E. Haase at MITRE-Engenuity
  - Unite ATT&CK and Security Controls with Mappings Explorer
- Nasreddine Bencherchali
  - SigmaHQ Rules Release Highlights — r2024–03–26
- Leandro Fróes at Netskope
  - Netskope Threat Labs Stats for February 2024
- Obsidian Security
  - Detecting & Blocking Tycoon’s latest AiTM Phishing Kit
- Palo Alto Networks
  - ASEAN Entities in the Spotlight: Chinese APT Group Targeting
  - Threat Brief: Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)
- Positive Technologies
  - How APT groups operate in the Middle East
- Grace Chi at Pulsedive
  - Sharing, Compared Part 1: How and Why Do We Connect?
- Red Alert
- Resecurity
  - Cybercriminals Transform Raspberry Pi into a Tool for Fraud and Anonymization: GEOBOX Discovery
- S2W Lab
  - Story of H2 2023: A Deep Dive into Data Leakage and Commerce in Chinese Telegram
- SANS Internet Storm Center
- Sekoia
  - Tycoon 2FA: an in-depth analysis of the latest version of the AiTM phishing kit
- Frank Graziano at Square
  - Leveraging Linux Internals to Supercharge Osquery Malware Detection
- Stephan Berger
  - MicroSocks: Convenient access through a compromised SonicWall SMA
- Arianne Dela Cruz, Raymart Yambot, Raighen Sanchez, and Darrel Tristan Virtusio at Trend Micro
  - Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script
- Bernard Bautista at Trustwave SpiderLabs
  - Agent Tesla’s New Ride: The Rise of a Novel Loader
- Vectra AI
  - Vectra AI Threat Briefing: Scattered Spider by Vectra AI Product Team
- Jakub Kaloč at WeLiveSecurity
  - Rescoms rides waves of AceCryptor spam
- Merav Bar, Amitai Cohen, and Danielle Aminov at Wiz
  - Backdoor in XZ Utils allows RCE: everything you need to know
UPCOMING EVENTS
- Belkasoft
  - BelkaCTF #6: Bogus Bill
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2024-04-01
- Magnet Forensics
  - Mobile Unpacked Ep. 15 // Considering the Keys – Exploring the Keychain and Keystore for What Value They Hold
- MobilEdit
  - New schedule and format of MOBILedit webinars is now available!
- Ed Skoudis at SANS
  - The Art of Possible: Your Guide to RSAC 2024
- SANS Cyber Defense
  - 🔐 Top Defense Strategies 2024: Inside SANS Secure Your Fortress Event! 🛡️
PRESENTATIONS/PODCASTS
- Adversary Universe Podcast
  - LIVE from Gov Threat Summit: A Chat with Morgan Adamski, Chief of the NSA’s Cybersecurity Collaboration Center
- Alexis Brignoni
  - Apple is at it again changing our logicals
- Black Hat
  - Hiding in the Clouds: Abusing Azure DevOps Services to Bypass Microsoft Sentinel Analytic Rules
- Black Hills Information Security
  - REKAST – Talkin’ Bout [infosec] News 2024-03-25 #infosecnews #cybersecurity #podcast #podcastclips
- Breaking Badness
  - Breaking Badness Cybersecurity Podcast – 184. Saflok It Down
- Cellebrite
  - How to Rapidly Identify Media Origins from the Device?
- Cyber from the Frontlines
  - E7 Building a Successful Cyber Threat Intelligence Program
- Cyberwox
  - The Cybersecurity Incident Response Life Cycle Explained
- Hacker Valley Blue
  - How Threat Actors Are Accessing Your SaaS Environments with Jaime Blasco
- Hardly Adequate
  - Hardly a Week 12 March 25, 2024
- InfoSec_Bret
  - Challenge – macOS Malware
- Jai Minton
  - This PICTURE contains MALWARE! Analysis of Steganography, winrm.vbs downloader, and launcher script
- John Hammond
- Magnet Forensics
- Microsoft Threat Intelligence Podcast
  - Live from New York it’s Microsoft Secure
- MSAB
- MyDFIR
  - NEW 2024 SOC Analyst Course (TEASER)
- Off By One Security
  - Low-Level x86-64 Architecture, Linking & Loading, Memory Management, etc…
- Palo Alto Networks Unit 42
  - Active Directory and Office Vulnerabilities | Beyond the Hunt | Episode 3
- Ted Smith at ‘X-Ways Forensics Video Clips’
  - Video 69 – Understanding and Using the Data Interpreter in X-Ways Forensics
- The Defender’s Advantage Podcast
  - Hunting for “Living off the Land” Activity
MALWARE
- Adam at Hexacorn
  - Subfrida v0.1
- Any.Run
- ASEC
  - Malware Disguised as Installer from Korean Public Institution (Kimsuky Group)
- Bart at Blaze’s Security Blog
  - Analyse, hunt and classify malware using .NET metadata
- Tatjana Ljucovic at cyber.wtf
  - Destructive IoT Malware Emulation – Part 1 of 3 – Environment Setup
- Dr Josh Stroschein
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #179: Bitmask enums
- Arnold Osipov at Morphisec
  - Breaking Boundaries: Mispadu’s Infiltration Beyond LATAM
- Joshua Kamp at NCC Group
  - Android Malware Vultur Expands Its Wingspan
- PetiKVX
- Phylum
- Tom Elkins at Rapid7
  - Stories from the SoC Part 1: IDAT Loader to BruteRatel
- Petar Kirhmajer at ReversingLabs
  - Suspicious NuGet package grabs data from industrial systems
- Ryan at Intel Corgi
  - Bellingcat Malware Investigation
- Securelist
  - DinodasRAT Linux implant targeting entities worldwide
- SonicWall
  - New Golang Trojan Installs Certificate for Comms Evasion
- Vlad at ‘Слава Україні — Героям Слава!’
  - Your own sandbox, or how to check files
MISCELLANEOUS
- Fabian Mendoza at AboutDFIR
  - AboutDFIR Site Content Update – 03/29/2024
- Brett Shavers
  - “DFIR Investigative Mindset” Release Hits a Snag – Here’s What’s Up
- Craig Ball at ‘Ball in your Court’
  - What’s All the Fuss About Linked Attachments?
- Security Onion
  - Security Onion Documentation printed book now updated for Security Onion 2.4.60!
- F-Response
  - Sometimes you can’t deploy…
- Forensic Focus
- Google Workspace
  - Workspace audit log exports in BigQuery now enriched with Drive label metadata
- Justin De Luna at ‘The DFIR Spot’
  - Minimizing Malicious Script Execution
- Magnet Forensics
- MISP
- Morten Knudsen
  - Re-onboard LogAnalytics to Sentinel, if SecurityInsights solution is deleted by mistake
- Sandfly Security
  - Sandfly Security Receives Seed Funding from Gula Tech Adventures & Sorenson Capital
- Mike Elgan at Security Intelligence
  - How will the Merck settlement affect the insurance industry?
- Sally Adam at Sophos
  - The impact of compromised backups on ransomware outcomes
SOFTWARE UPDATES
- Alexis Brignoni
- Berla
  - iVe Software v4.7 Release
- Crowdstrike
  - Falconpy Version 1.4.2
- Didier Stevens
  - Update: metatool.py Version 0.0.4
- Digital Sleuth
  - winfor-salt v2024.5.5
- Phil Harvey
  - ExifTool 12.81
- GCHQ
  - CyberChef 10.14.0
- Google
  - timesketch 20240328
- IntelOwl
  - v6.0.1
- k1nd0ne
  - VolWeb 2.0
- Magnet Forensics
  - Magnet Graykey adds full support for Apple iOS 17, Samsung Galaxy S24 Devices, and Pixel 6,7 Devices
- Microsoft
  - msticpy – Sentinel Split Query fix
- MISP
  - MISP 2.4.188 released major performance improvements and many bugs fixed.
- OpenCTI
  - 6.0.8
- prosch88
  - Universal Forensic Apple Device Extractor
- Sigma
- Xways
  - X-Ways Forensics 21.1 Beta 4
- Yamato Security
  - Hayabusa v2.14.0 🦅
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!