As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexander Tasse
  Blue Team Labs — “Suspicious USB Stick”
- Emi Polito at Amped
  Super Resolution from Different Perspectives
- Angry-Bender’s blog house
  A SIEM On the Cheap – Using Sqlite for Data Analysis
- Belkasoft
  iCloud Advanced Data Protection: Implications for Forensic Extraction
- Brian Maloney
  OneDriveExplorer ODL Parsing Issues
- Matt Muir at Cado Security
  Cado Security Labs Researchers Witness a 600X Increase in P2Pinfect Traffic
- Doug Metz at Baker Street Forensics
  Magnet RESPONSE PowerShell
- DS4N6
  [BLOG] Graph Machine for DFIR with CHRYSALIS, by Mario Pérez
- Forensafe
  Investigating Android Last SIM
- Forensic Science International: Digital Investigation
  Volume 46
- Magnet Forensics
- Nived Sawant
  Packet analysis using network miner
- Salvation DATA
  A Complete Guide for SQL Database Recovery
- Bill Marczak, John Scott-Railton, Daniel Roethlisberger, Bahr Abdul Razzak, Siena Anstis, and Ron Deibert at The Citizen Lab
  PREDATOR IN THE WIRES: Ahmed Eltantawy Targeted with Predator Spyware After Announcing Presidential Ambitions
THREAT INTELLIGENCE/HUNTING
- Adam Goss
  Threat Intelligence with MISP: Part 2 — Setting up MISP
- Shiran Guez at Akamai
  Unmasking a Sophisticated Phishing Campaign That Targets Hotel Guests
- Allan Liska at ‘Ransomware Sommelier’
  PowerShell: Great Ransomware Tool or Greatest Ransomware Tool?
- Anton Chuvakin
  Detection Engineering and SOC Scalability Challenges (Part 2)
- Francis Guibernau at AttackIQ
  Emulating the Controversial and Intriguing Rhysida Ransomware
- Jeremy Fuchs at Avanan
  Breaking Down the Remcos Malware Attempts on Colombian Banks
- Avertium
  Ransomware Groups Pivoting Away from Encryption
- Hayden Covington at Black Hills Information Security
  Stop Phishing Yourself: How Auto-Forwarding and Exchange Contacts Can Stab You in the Back
- Blackberry
  Silent Skimmer: Online Payment Scraping Campaign Shifts Targets From APAC to NALA
- CERT-AGID
  Summary of malicious campaigns in the week of 16 – 22 September 2023
- Check Point
  - Will the Real Slim Shady Please Stand Up? Check Point Research Exposes Cybercriminal Behind Malicious Software Impacting EMEA and APAC
  - 18th September – Threat Intelligence Report
  - Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos
  - Behind the Scenes of BBTok: Analyzing a Banker’s Server Side Components
- CISA
  #StopRansomware: Snatch Ransomware
- Jonathan Munshaw at Cisco’s Talos
  What’s the point of press releases from threat actors?
- Ian Ahl at Cloud Chronicles
  LUCR-3: Scattered Spider Getting SaaS-y in the Cloud
- Andy Thompson at CyberArk
  The MGM Resorts Attack: Initial Analysis
- Cyfirma
  Weekly Intelligence Report – 21 Sep 2023
- David Hazar
  Containment in the Cloud – Their Native Firewalls Don’t Always Work
- Malachi Walker at DomainTools
  Music and Malicious Behavior – Six Warning Signs to Look out For
- Arda Büyükkaya at EclecticIQ
  Qakbot Infrastructure Takedown, UNC4841 Exploits Barracuda Zero-Day
- Esentire
- Shunichi Imano and James Slaughter at Fortinet
  Ransomware Roundup – Retch and S.H.O.
- InfoSec Write-ups
- Jan Geisbauer at Empty Datacenter
  Investigating HVNC Attacks
- Jouni Mikkola at “Threat hunting with hints of incident response”
  OpenCTI RSS feed support
- Justin De Luna at ‘The DFIR Spot’
  Cloud Incident Response – Investigating AWS Incidents
- Swachchhanda Shrawan Poudel at Logpoint
  Emerging Threat: Akira, Not a CyberPunk Movie – A Very Real Ransomware Threat
- Luke Jenkins, Josh Atkins, and Dan Black at Mandiant
  Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations
- Marco Ramilli
  Malware Persistence Locations: Windows and Linux
- Gavriel Fried and Doron Karmi at Mitiga
  Ransomware Strikes Azure Storage: Are You Ready?
- MITRE-Engenuity
- Palo Alto Networks
  - Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT
  - Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government
  - Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda
  - Persistent Attempts at Cyberespionage Against Southeast Asian Government Target Have Links to Alloy Taurus
  - Unit 42 Researchers Discover Multiple Espionage Operations Targeting Southeast Asian Government
- Pete Bryan at Microsoft
  Fortifying Your Defenses: How Microsoft Sentinel Safeguards Your Organization from BEC Attacks
- Recorded Future
  Multi-year Chinese APT Campaign Targets South Korean Academic, Government, and Political Entities
- Red Alert
  Monthly Threat Actor Group Intelligence Report, July 2023 (KOR)
- Red Canary
  Intelligence Insights: September 2023
- Jason Downey at Red Siege Information Security
  Vishing: How to Protect Your Business from Phone-Based Social Engineering Attacks
- Miles Arkwright and James Tytler at S-RM Insights
  Cyber Intelligence Briefing: 15 September 2023
- SANS Internet Storm Center
- Tom Hegel at SentinelOne
  Cyber Soft Power | China’s Continental Takeover
- Sean Gallagher at Sophos
  Latest evolution of ‘pig butchering’ scam lures victim into fake mining scheme
- Splunk
- Puja Srivastava at Sucuri
  How to Find & Fix Japanese SEO Spam
- Alessandro Brucato at Sysdig
  AWS’s Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation
- System Weakness
  - AWS Automated EC² Security Incident Response in Practice
  - SOC131 EventID:67 — Reverse TCP Backdoor Detected — letsdefend.io
  - Crossing Boundaries: A Deep Dive into Cross-Origin Attacks and Their Prevention
  - Defend, Detect, Decode: TryHackMe’s Security Engineer Journey!
  - Threat Hunting — (Threat Intelligence)
- Srivathsa Sharma at Trend Micro
  Examining the Activities of the Turla APT Group
- Adam Chester at TrustedSec
  Okta for Red Teamers
- Joseliyo Sánchez at VirusTotal
  It’s all about the structure! Creating YARA rules by clicking
- Callum Roxan, Paul Rascagneres, and Thomas Lancaster at Volexity
  EvilBamboo Targets Mobile Devices in Multi-year Campaign
- WeLiveSecurity
  OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
- Yuca
  Automating Identification of Actor Procedural Level Details in OSINT Blogs: How AI-Powered Tools Streamline MITRE ATT&CK Procedural Technique Analysis and Threat Profiling
- ZScaler
UPCOMING EVENTS
- Andreas Sfakianakis at ‘Tilting at windmills’
  FIRST CTI Symposium 2023 Agenda is out!!
- Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2023-09-25
- Cado Security
  Demystifying Cloud Forensics
- Cqure Academy
  All Eyes on Threats: Techniques for Proactive Detection in a Modern Infrastructure of 2024
- Cyber Social Hub
  Let’s Talk Advanced Drone Forensics with V2 Forensics
- Dragos
  Bridging the IT and OT Gap for Effective Incident Response
- Magnet Forensics
- OpenText
  Streamlining Data Collection for Investigations and eDiscovery
- SANS
  Cybersecurity Catalysts: The Difference Makers | Host: Rob T. Lee
PRESENTATIONS/PODCASTS
- Alexis Brignoni
  Digital Forensics Now Episode – 2
- Arkime
  Arkime AWS All In One
- Jeremy Fuchs at Avanan
- Black Hat
  Insider Threats Packing Their Bags With Corporate Data
- Black Hills Information Security
- BlueMonkey 4n6
  iSCSI Target setup on NAS tutorial – the whats and hows of using iSCSI
- Breaking Badness
  Voices From Infosec – Tony Robinson
- Cellebrite
- Cloud Security Podcast by Google
  EP139 What is Chronicle? Beyond XDR and into the Next Generation of Security Operations
- Cyber Social Hub
  How AI Can Help In Your Digital Forensic Investigation
- CyberDefenders
  Elastic Case – Official Walkthrough
- Digital Forensic Survival Podcast
  DFSP # 396 – URL Leak
- Dr Josh Stroschein
  Crafting Yara Signatures from Code using Hex – Detecting PECompact2
- Dr. Meisam Eslahi at ‘Nothing Cyber’
  Cyber Threat Hunt 101: Part 4 – Success Factors and Key Enablers!
- Huntress
- InfoSec_Bret
  Challenge – QakBot Malware
- John Hammond
- Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Analysis Course for Hedgehogs is out
- LetsDefend
  LetsTalk Blue Team #2: Threat Hunting
- Magnet Forensics
- MSAB
- Red Canary
  Be prepared: The key to cloud and enterprise incident response
- RickCenOT
  I will pwn an infrastructure substation (conpot) in less than 60 seconds
- SANS
  - You came with *that* plan? You’re braver than I thought!
  - FEATURE SEGMENT: Detection Engineering: The Blue Team Cheat Code
  - SANS Threat Analysis Rundown (STAR) | Live Stream
  - Leveraging Digital Footprints for Darkweb Investigations and Attack Surface Management
  - DFIR Summit 2023
  - A Visual Summary of SANS OSINT Summit 2023
  - What’s new with SANS SEC301 Introduction to Cyber Security?
  - SANS Cloud Security
- Sofia Marin
  Mitigations for 5 Risks When Administering Azure Entra ID
- The Defender’s Advantage Podcast
  Threat Trends: Unraveling WyrmSpy and DragonEgg Mobile Malware with Lookout
- Velocidex Enterprises
  VeloCON 2023 Presentation of the Conference Winner
MALWARE
- Any.Run
  Malware Analysis for Keeping Up with the Latest Threats: Lessons from ANY.RUN
- ASEC
- Jarosław Jedynak at CERT Polska
  Unpacking what’s packed: DotRunPeX analysis
- Yehuda Gelb at Checkmarx Security
  Attacker Unleashes Stealthy Crypto Mining via Malicious Python Package
- Asheer Malhotra, Caitlin Huey, Sean Taylor, Vitor Ventura, and Arnaud Zobec at Cisco’s Talos
  New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants
- CTF导航
  Advanced Root Detection & Bypass Techniques
- Doug Burks at Security Onion
  Quick Malware Analysis: PIKABOT INFECTION WITH COBALT STRIKE pcap from 2023-05-23
- Alex Petrov at Hex Rays
  Igor’s tip of the week: Season 03
- David Carter at Huntress
  Understanding Evil: How to Reverse Engineer Malware
- Intezer
  What’s New in Intezer’s FREE Community Edition
- Proofpoint
  Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape
- Mohammad Amr Khan at Pulsedive
  Analyzing Agniane Stealer
- R136a1
  More on DreamLand
- Anuj Soni at SANS
  Latest Must-Read Malware Analysis Blogs
- SentinelOne
- Ax Sharma at Sonatype
  npm packages caught exfiltrating Kubernetes config, SSH keys
- Joseph C Chen and Jaromir Horejsi at Trend Micro
  Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
- WeLiveSecurity
  Stealth Falcon preying over Middle Eastern skies with Deadglyph
MISCELLANEOUS
- Adam at Hexacorn
- JP Redding at ADF Solutions
  The Future of Digital Forensic Software: Advancements and Innovations to Look Out For
- Andreas Sfakianakis at ‘Tilting at windmills’
  When Cyber Meets Physical
- Belkasoft
  Download your free e-book: Essays on Digital Forensics
- Amy Cohanim at Cyberbit
  Beyond the Code: Mastering Non-Technical Skills in Cyber Crisis Management
- Fabian Mendoza at AboutDFIR
- Forensic Focus
  - New IDC Report: The State Of Digital Forensics And Incident Response 2023
  - Andrew Carr, Director of Cybersecurity Graduate Programs, Utica University
  - Using The Maps Activity Matrix In Oxygen Forensic® Detective
  - How To Review Mobile Forensics Evidence With Mobile Device Investigator
  - UPCOMING WEBINAR – The State Of Digital Forensics And Incident Response 2023
  - Digital Forensics Round-Up, September 21 2023
- Bob Rudis at GreyNoise
  Welcome to GreyNoise Labs!
- Patrick Sofo at Huntress
  Introducing Incident Notification: A Game Changer for Critical Incident Response
- Intel471
  Jason Passwaters, Intel 471: “the goal in using threat intelligence is to obtain actionable information and insight”
- J & L Forensics
  New to Cyber: Matteson Williams
- Kaido Järvemets
  Auditing Microsoft Sentinel Analytics Rules with PowerShell
- Brad Duncan at Palo Alto Networks
  Wireshark Tutorial: Changing Your Column Display
- Findlay Whitelaw at Securonix
  Understanding the Technical and Behavioral Indicators of Insider Threats
- John Patzakis at X1
SOFTWARE UPDATES
- AbdulRhman Alfaifi
  Fennec v0.4.0
- ANSSI
  DFIR-ORC v10.2.2
- Brian Maloney
  OneDriveExplorer v2023.09.22
- Drew Alleman
  DataSurgeon 1.2.5
- ExifTool
  ExifTool 12.67
- Foxton Forensics
  Browser History Viewer — Version History – Version 1.4.2 September 19, 2023
- Kevin Pagano
  SQLiteWalker – v0.0.5 – Revenge of the Fifth
- Magnet Forensics
  Updated Memory Analysis Capabilities in Magnet IGNITE
- Manabu Niseki
  Mihari v5.4.4
- DFIR-HBG
  Snapchat_Auto v1.2.2 Beta 2 – Bug fixes
- SpecterOps
  Ghostwriter v4: 2FA, RBAC, and Logging, Oh My!
- Thiago Canozzo Lahr
  uac-2.7.0
- Xways
  X-Ways Forensics 21.0 Preview 3
- Yamato Security
  Hayabusa v2.9.0 🦅
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!