As always, thanks to those who give a little back for their support!
If you haven’t seen, I’ve also been writing my thoughts on some of the articles posted weekly at patreon.com/thisweekin4n6!
FORENSIC ANALYSIS
- Atola
  - RAID With Parity: Reassembly and Image Acquisition
- Alexis Brignoni at ‘Initialization Vectors’
- Belkasoft
  - Belkasoft CTF 6: Write-up
- Compass Security
  - Behind The Scenes Of Ransomware Attacks
- Craig Ball at ‘Ball in your Court’
  - Cloud Attachments: Versions and Purview
- Forensafe
  - Investigating Android Digital Wellbeing
- Joshua Hickman at ‘The Binary Hick’
  - DeRR.p. Investigating Power Events on Samsung Devices
- Kevin Pagano at Stark 4N6
  - Splitwise on iOS
- Maxim Suhanov
  - Operation-based prefetching
- Mike at ØSecurity
  - Forensic Collection from Proxmox VE
- Salim Salimov
  - Studying “BazarCall to Conti Ransomware via Trickbot and Cobalt Strike”: Part 3
- Shanon Burgess
  - Beyond the Windshield: Dashcam Forensics – A Quick Overview
- Ashish Singh at System Weakness
  - TestDisk in Linux and recover deleted files
THREAT INTELLIGENCE/HUNTING
- Faan Rossouw at Active Countermeasures
  - Malware of the Day – Tunneled C2 Beaconing
- Adam Goss
  - Top 5 Challenges With Indicators and How to Overcome Them
- AttackIQ
  - Intercept the Adversary: Lazarus Group – Operation In(ter)ception
- Australian Cyber Security Centre
  - PRC State-Sponsored Cyber Activity
- Martin Zugec at Bitdefender
  - Bitdefender Threat Debrief | April 2024
- Brad Duncan at Malware Traffic Analysis
- Campaign and public sector information security
  - USPS Package notification (or how to check bad links)
- CERT-AGID
- Check Point
- Yehuda Gelb at Checkmarx Security
  - New Technique to Trick Developers Detected in an Open-Source Supply Chain Attack.
- CISA
  - CISA Issues Emergency Directive 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System
- Cisco’s Talos
  - Starry Addax targets human rights defenders in North Africa with new malware
- Permiso
  - An Adversary Adventure with Cloud Administration Command
- Cofense
  - Agent Tesla: The Punches Keep Coming
- CyberCX
  - CyberCX Reveals Insights into Australian and New Zealand Cyber Attack Landscape in 2023
- Cyberknow’s Newsletter
  - Australia & New Zealand Cyber Update #15
- Cyble
- Cyfirma
  - Weekly Intelligence Report – 12 Apr 2024
- John Burns and Caitlin Sullivan at Dragos
  - The Hunt: Detecting VOLTZITE Threat Group Activity in Critical Infrastructure
- Duo
  - Duo vs. Fraudulent Device Registration
- EclecticIQ
  - Turla APT Targets Albania With Backdoor in Ongoing Campaign to Breach European Organizations
- Elastic Security Labs
  - Linux detection engineering with Auditd
- Matthew at Embee Research
  - Infrastructure Tracking – Locating Vultur Domains With DNS Records
- Esentire
- Cara Lin at Fortinet
  - ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins
- Louis Evans at GreyNoise
  - Leveraging AI Advances to Improve Intelligence for Discovery, Identification, and Interpretation
- Jason Baker at GuidePoint Security
  - Awkward Adolescence: Increased Risks Among Immature Ransomware Operators
- Patrick Schläpfer at HP Wolf Security
  - Raspberry Robin Now Spreading Through Windows Script Files
- Immersive Labs
  - Havoc C2 Framework – A Defensive Operator’s Guide
- Osama Ellahi at InfoSec Write-ups
  - Unfolding KUIPER Ransomware
- Pedram Amini at InQuest
  - 100 Days of YARA 2024: It’s a Wrap.
- Jonathan Johnson
  - Understanding ETW Patching
- Bert-Jan Pals at KQL Query
  - Sentinel Automation Part 1: Enriching Sentinel Incidents with KQL Results
- Krebs on Security
- Louis Mastelinck
  - Microsoft Defender for Endpoint auditing capabilities
- Jérôme Segura at Malwarebytes
  - Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla
- Microsoft Security Experts
- Maretta Morovitz at MITRE Engage™
  - Adversary Engagement is a Process Not a Tech Stack (Part 2)
- Forrest Carver, Steve Luke & Ivy Oeltjenbruns at MITRE-Engenuity
  - Measure, Maximize, & Mature Your Threat-Informed Defense
- Palo Alto Networks
- Proofpoint
  - Security Brief: TA547 Targets German Organizations with Rhadamanthys Stealer
- Recorded Future
- Red Alert
  - Activity of Hacking Group Targeted Financial Industry in 2023 (ENG)
- R. Aidan Campbell at Red Canary
  - Translating our detection engine: A journey from JRuby to Go
- Justin Palk at Red Siege Information Security
  - Using Microsoft Dev Tunnels for C2 Redirection
- ReliaQuest
  - Phishing: Current Tactics and Trends
- Kyunghee Kim, Jiho Kim and Huiseong Yang at S2W Lab
  - Ransomware Resurgence: A Deep Dive into 2023’s Threatscape and Risk Assessment
- SANS Internet Storm Center
  - A Use Case for Adding Threat Hunting to Your Security Operations Team. Detecting Adversaries Abusing Legitimate Tools in A Customer Environment. [Guest Diary], (Sun, Apr 7th)
  - Evolution of Artificial Intelligence Systems and Ensuring Trustworthiness, (Thu, Apr 11th)
  - Building a Live SIFT USB with Persistence, (Fri, Apr 12th)
  - Critical Palo Alto GlobalProtect Vulnerability Exploited (CVE-2024-3400), (Sat, Apr 13th)
- Josu Palacios at Security Art Work
  - EDR Silencer
- Jonathan Reed at Security Intelligence
  - Ransomware payouts hit all-time high, but that’s not the whole story
- Securonix
- SOCRadar
  - Dark Web Profile: Mallox Ransomware
- Chris Thompson at SpecterOps
  - Rooting out Risky SCCM Configs with Misconfiguration Manager
- Sucuri
- Sysdig
  - RUBYCARP: A Detailed Analysis of a Sophisticated Decade-Old Botnet Group
- Ali Asgar Kanchwala at System Weakness
  - Tycoon 2FA: The rise of Phishing as a Service
- Jambul Tologonov and John Fokker at Trellix
  - The LockBit’s Attempt to Stay Relevant, Its Imposters and New Opportunistic Ransomware Groups
- Megan Nilsen and Andrew Schwartz at TrustedSec
  - A Hitch-Hacker’s Guide To DACL-Based Detections – The Addendum
- Uptycs
  - Uptycs Threat Bulletin Q1 2024: Today’s Cybersecurity Threat Landscape
- Eric Saraga at Varonis
  - Sidestepping SharePoint Security: Two New Techniques to Evade Exfiltration Detection | Varonis
- Volexity
  - Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)
UPCOMING EVENTS
- Black Hills Information Security
  - BHIS – Talkin’ Bout [infosec] News 2024-04-15
- Cado Security
  - Fireside Chat: Navigating the Cloud – Expert Insights on Emerging Cloud Threats and Complexities
- KPMG
  - Malicious Code in xz Utils: Back to the Development Build Pipeline
- Magnet Forensics
- Permiso
  - LUCR-3: Scattered Spider Threat Briefing
- RecordedFuture
  - The Power Struggle within the Ransomware Landscape: A Closer Look
- Tim Conway at SANS
  - The Quest to Summit | SANS ICS Security Summit 2024
PRESENTATIONS/PODCASTS
- Adversary Universe Podcast
  - Adversary Attribution: What It Means and How It Works
- Alexis Brignoni
  - Digital Forensics Now Episode 16
- Anuj Soni
  - 5 Ways to Find Encryption in Malware
- Black Hat
- Black Hills Information Security
  - REKAST – Talkin’ Bout [infosec] News 2024-04-08 #infosecnews #cybersecurity #podcast #podcastclips
- Breaking Badness
  - Breaking Badness Cybersecurity Podcast – 186. While My Vidar Gently Weeps
- Cellebrite
  - What is The 101 Community?
- Cyber Social Hub
- Hardly Adequate
  - Hardly a Week 14 April 8, 2024
- Huntress
  - 500,000 Phishing Emails in One Hour
- InfoSec_Bret
  - Challenge – Serpent Stealer
- Jai Minton
  - STEALTHY MSIX MALWARE and Fake Browser Updates – FakeBat Reverse Engineering
- John Hammond
- JPCERT/CC
- LaurieWired
  - Chaos to Clarity: Deciphering Obfuscated JavaScript Malware
- Magnet Forensics
- Mostafa Yahia
  - Incident Handling\Response Phases
- MSAB
- MyDFIR
  - SOC Analyst Roles and Responsibilities | JOB WALKTHROUGH
- Off By One Security
- Palo Alto Networks Unit 42
  - Unit 42 Exclusive: March’s Threat Landscape | Beyond the Hunt | Episode 4
- Prodaft
- Sandfly Security
  - Stop Using Cryptographic Hashes to Find Linux Malware
- SANS
  - FOR585: Smartphone Forensic Analysis In-Depth course overview
- SANS Cyber Defense
  - 2024 OSINT Summit
- The Cyber Mentor
  - LIVE Blue Team with MalwareCube | SOC | Malware | AMA
- The Defender’s Advantage Podcast
  - Assessing the State of Multifaceted Extortion Operations
- The DFIR Report podcast
  - DFIR Discussions: From OneNote to RansomNote: An Ice Cold Intrusion – Part 1
MALWARE
- 0day in {REA_TEAM}
  - [QuickNote] Phishing email distributes WarZone RAT via DBatLoader
- 0ffset Training Solutions
  - Resolving Stack Strings with Capstone Disassembler & Unicorn in Python
- 4p0cryph0n
  - Windows Malware Development Part 5: Payload Encryption – RC4
- Any.Run
- ASEC
- Binary Defense
  - Analyzing CryptoJS Encrypted Phishing Attempt
- CISA
  - CISA Announces Malware Next-Gen Analysis
- CTF导航
- Cyber 5W
  - Gafgyt Backdoor Analysis
- Simon Kenin at Deep Instinct
  - DarkBeatC2: The Latest MuddyWater Attack Framework
- Alex Petrov at Hex Rays
  - An overview of the makesig plugin
- OALABS Research
  - Lumma Stealer Obfuscation
- Tom Elkins at Rapid7
  - Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader
- Securelist
  - XZ backdoor story – Initial analysis
- Sarthak Misraa & Antonio Pirozzi at SentinelOne
  - XZ Utils Backdoor | Threat Actor Planned to Inject Further Vulnerabilities
- Andreas Klopsch at Sophos
  - Smoke and (screen) mirrors: A strange signed backdoor
- Smukx at System Weakness
  - Malware Development Essentials Part 1
- Cyris Tseng and Pierre Lee at Trend Micro
  - Cyberespionage Group Earth Hundun’s Continuous Refinement of Waterbear and Deuterbear
- Nikolaos Pantazopoulos at ZScaler
  - Automating Pikabot’s String Deobfuscation
MISCELLANEOUS
- Fabian Mendoza at AboutDFIR
  - AboutDFIR Site Content Update – 04/12/2024
- Harun Abdi at AWS Security
  - Detecting and remediating inactive user accounts with Amazon Cognito
- Cellebrite
  - Mythbusters: Busting the Top 5 Myths About Incident Response
- Cerbero
  - YARA Rules Package
- Security Onion
  - Security Onion 2.3 has reached End Of Life
- Mike Nichols and Mike Paquette at Elastic
  - Tracing history: The generative AI revolution in SIEM
- Forensic Focus
- Rachel Bishop at Huntress
  - ProxyShell vs. ProxyLogon: What’s the Difference?
- Kaido Järvemets
  - Defender for Cloud PowerShell Module – Simplify Your Azure Security Management
- Magnet Forensics
  - Streamline collections for eDiscovery with RSMF exports
  - Harnessing MFT parsing for incident response investigations
  - Bring your mobile evidence to life with the new Mobile View in Magnet Axiom
  - Identify deepfakes and quickly surface evidence with new AI tools in Magnet Axiom
  - Introducing Magnet Nexus: Large-scale investigations, made easy
  - Griffeye products now a part of the Magnet Forensics product suite
- Morphisec
  - History of Ransomware: The Evolution of Attacks and Defense Mechanisms
- Nextron Systems
  - End-of-Life ASGARD Management Center v2 and Master ASGARD v2
- Pulsedive
  - Tool Guide: CyberChef 101
- Raymond Roethof
  - Microsoft Defender for Identity Recommended Actions: Remove unsecure SID history attributes from entities
- Salvation DATA
  - How Does Forensic Video Analysis Contribute to Court Proceedings?
- Tcdi
  - What is Digital Forensics?
SOFTWARE UPDATES
- Datadog Security Labs
  - GuardDog v1.5.8
- EclecticIQ
  - EclecticIQ Intelligence Center 3.3 is here
- Foxton Forensics
  - Browser History Examiner — Version History – Version 1.20.6
- GCHQ
  - Cyberchef v10.17.0
- Magnet Forensics
- MasterParser
  - MasterParser-v2.5
- MISP
  - MISP 2.4.189 released with bug fixes, performance improvements and a new blocklist feature.
- MSAB
- X1
  - New X1 Search 9 Provides the Best Means to Search Your Microsoft 365 Data Sources
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!