As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Emi Polito at Amped
  Video Deinterlacing
  
  
• Belkasoft
  Decoding Windows Registry Artifacts with Belkasoft X: UserAssist
  
  
• Chris Brown at Corelight
  Using Corelight to Identify Ransomware Blast Radius | Corelight
  
  
• Forensafe
  Investigating Android Facebook Messenger
  
  
• HackTheBox
  Detecting PsExec lateral movements: 4 artifacts to sniff out intruders
  
  
• Kathryn Hedley at Khyrenz
  Automated USB artefact parsing from the Registry
  
  
• Mattia Epifani at Zena Forensics
  iOS 15 Image Forensics Analysis and Tools Comparison – Processing details and general device information
  
  
• Oxygen Forensics
  APK Downgrade
  
  
• Synacktiv
  • Introducing ntdissector, a swiss army knife for your NTDS.dit files
  • Legitimate exfiltration tools : summary and detection for incident response and threat hunting
    
    
• The DFIR Report
  From ScreenConnect to Hive Ransomware in 61 hours
  
  
• Salim Salimov
  Analysing Pcap Files With Wireshark
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  Beyond the good ol’ .bashrc entry… Part 1
  
  
• Adam Goss
  Visual Threat Intelligence: A Masterpiece of Infographics and Storytelling
  
  
• Allan Liska at ‘Ransomware Sommelier’
  Is Securing PowerShell a Lost Cause?
  
  
• Anton Chuvakin
  Build for Detection Engineering, and Alerting Will Improve (Part 3)
  
  
• ASERT
  Bulletproof Hosting (BPH) Taxonomy
  
  
• Assetnote
  RCE in Progress WS_FTP Ad Hoc via IIS HTTP Modules (CVE-2023-40044)
  
  
• AttackIQ
  • Attack Graph Response to CISA Advisory AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
  • How Does Your Security Stack Up Against North Korean Hackers? Put Your Defenses to the Test!
    
    
• Avanan
  • Preventing QR Code Phishing From Reaching the Inbox
  • Stealing Credentials Through Legitimate Dropbox Pages
    
    
• Emma McGowan at Avast
  RATs, rootkits, and ransomware (oh my!)
  
  
• Avertium
  MGM/Caesars Post-Mortem and Attribution
  
  
• Mark Ryland at AWS Security
  How AWS threat intelligence deters threat actors
  
  
• Martin Zugec at Bitdefender
  Bitdefender Threat Debrief | Septembers 2023
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2023-09-21 thru 09-25 – malspam examples pushing AgentTesla
  • 2023-08-31 – IcedID (Bokbot) activity
  • 2023-08-29 – IcedID (Bokbot) activity
  • 2023-09-28 – IcedID (Bokbot) infection with Keyhole VNC and Cobalt Strike
    
    
• Censys
  CVE-2023-40044: A Look at the Critical Ad Hoc Transfer Module Vulnerability in WS_FTP
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 23 – 29 Settembre 2023
  
  
• Check Point
  • 25th September – Threat Intelligence Report
  • Phishing via Dropbox
    
    
• Jossef Harush Kadouri at Checkmarx Security
  Surprise: When Dependabot Contributes Malicious Code
  
  
• CISA
  People’s Republic of China-Linked Cyber Actors Hide in Router Firmware
  
  
• Cisco’s Talos
  • ICS protocol coverage using Snort 3 service inspectors
  • Threat Roundup for September 22 to September 29
    
    
• Michael Tremante at Cloudflare
  Detecting zero-days before zero-day
  
  
• Confiant
  ScamClub Threat Intelligence Report Overview
  
  
• Covertshell
  Strengthening Your Defense Against IdP (Identity Provider)Attacks: Leveraging Google Workspace…
  
  
• Csaba Fitzl at ‘Theevilbit’
  Beyond the good ol’ LaunchAgents – 32 – Dock Tile Plugins
  
  
• Cyfirma
  Weekly Intelligence Report – 29 Sep 2023
  
  
• DomainTools
  Return to Sender – A Brief Analysis of a US Postal Service Smishing Campaign
  
  
• Doug Metz at Baker Street Forensics
  Creating YARA files with Python
  
  
• Aleksander W. Jarosz at EclecticIQ
  Ransomware and DDoS Feature in The Apex of Crime-as-a-Service Report
  
  
• Bryan Geraldo at Expel
  Proactive threat hunting: the what, why, and how
  
  
• Florian Roth
  Quick Insights on This Week’s Critical Software Flaws (Week 39)
  
  
• Fred Gutierrez at Fortinet
  Threat Actors Exploit the Tensions Between Azerbaijan and Armenia
  
  
• John Althouse at FoxIO
  JA4+ Network Fingerprinting
  
  
• Matthew Brennan, Harlan Carvey, Anthony Smith, Craig Sweeney, and Joe Slowik at Huntress
  Netscaler Exploitation to Social Engineering: Mapping Convergence of Adversary Tradecraft Across Victims
  
  
• Infoblox
  Introducing DNS Threat Actors
  
  
• Intezer
  Elevating Phishing Investigations With Generative AI
  
  
• Hannah Hamilton at Jamf
  Analyzing state-sponsored malware on macOS
  
  
• Bert-Jan Pals at KQL Query
  Incident Response Part 1: IR on Microsoft Security Incidents (KQL edition)
  
  
• Casey Charrier and Jared Semrau at Mandiant
  Analysis of Time-to-Exploit Trends: 2021-2022
  
  
• MDSec
  Nighthawk 0.2.6 – Three Wise Monkeys
  
  
• Oren Dvoskin at Morphisec
  Threat Analysis: MGM Resorts International ALPHV/Blackcat/Scattered Spider Ransomware Attack
  
  
• Jeff White at Palo Alto Networks
  CL0P Seeds ^_- Gotta Catch Em All!
  
  
• Phylum
  • Large Typosquat Campaign Targeting React and Angular
  • Sensitive Data Exfiltration Campaign Targets npm and PyPI
    
    
• Red Alert
  Monthly Threat Actor Group Intelligence Report, July 2023 (ENG)
  
  
• Matt Graeber at Red Canary
  Safely validate executable file attributes with Atomic Test Harnesses
  
  
• Resecurity
  Ransomed.Vc’ in the Spotlight – What We Know About The Ransomware Group Targeting Major Japanese Businesses
  
  
• Ashlee Benge at ReversingLabs
  What we know about BlackCat and the MGM hack
  
  
• Ryan Fetterman at Splunk
  Revisiting the Big Picture: Macro-level ATT&CK Updates for 2023
  
  
• SANS Internet Storm Center
  • YARA Support for .LNK Files, (Sun, Sep 24th)
  • A new spin on the ZeroFont phishing technique, (Tue, Sep 26th)
  • IPv4 Addresses in Little Endian Decimal Format, (Thu, Sep 28th)
  • Are You Still Storing Passwords In Plain Text Files?, (Fri, Sep 29th)
  • Simple Netcat Backdoor in Python Script, (Sat, Sep 30th)
    
    
• Securelist
  • QR codes in email phishing
  • A cryptor, a stealer and a banking trojan
    
    
• Thomas Roccia at SecurityBreak
  The Intel Brief by SecurityBreak
  
  
• Simone Kraus
  Ransomware & Data Extortion Landscape
  
  
• SOC Fortress
  Executable files analysis and capabilities detection using capa (Mandiant)
  
  
• Symantec Enterprise
  Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Org
  
  
• Pierre Noujeim at System Weakness
  Automated Incident Response with SOAR and AWS
  
  
• Casey Smith at Thinkst Thoughts
  Cloned Website Token and Reverse Proxies
  
  
• Alvin Wen at Uptycs
  Machine Learning in Cybersecurity: Clustering for Threat Detection
  
  
• Kuldeep Pal at Walmart
  Battling Scams in Real Time with Max Mind Database
  
  
• Peter Kálnai at WeLiveSecurity
  Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company
  
  
• Niraj Shivtarkar and Satyam Singh at ZScaler
  BunnyLoader, the newest Malware-as-a-Service
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2023-10-02
  
  
• Magnet Forensics
  Leveraging AXIOM Cyber in Microsoft Azure
  
  
• Florian Roth at Nextron Systems
  Mjolnir Security: Incident Response Training – Dive Deep into Cybersecurity
  
  
• SANS
  To Click or Not to Click? | Host: Lodrina Cherne | October 3, 2023
  
  
• X1
  X1 Social Discovery v7.2 Product Tour
  

PRESENTATIONS/PODCASTS

• Avanan
  VIDEO: Phishing via Google Ads
  
  
• Black Hat
  • Nakatomi Space: Lateral Movement as L1 Post-exploitation in OT
  • Operation Clairvoyance: How APT Groups Spy on the Media Industry
    
    
• Black Hills Information Security
  • Unveiling the Breach: A Security Analyst’s Journey w/ Dale Hobbs | 1-Hour
  • Talkin’ About Infosec News – 9/25/2023
  • Frameworks: Fundamental for Infosec | Kelli Tarala | BHIS Nuggets
    
    
• Breaking Badness
  167. IR You Feeling Lucky?
  
  
• Cellebrite
  How to disable password prompts on PA Ultra?
  
  
• Cyber Security Interviews
  #127 – Douglas Brush (Part 5): Analysis Paralysis
  
  
• Digital Forensic Survival Podcast
  DFSP # 397 – Linux Home Directory Files for DFIR
  
  
• Faan Ross
  • Show Notes: Active Countermeasures Webcast 26.09.23
  • Full Video: Active Countermeasures Webcast 26.09.23
    
    
• Huntress
  • What Is a Cybercrime Group?
  • Structured Vs Unstructured Threat Hunts
    
    
• InfoSec_Bret
  Challenge – Powershell Script
  
  
• Intel471
  Why Ransomware is Stubbornly Sticking Around
  
  
• John Hammond
  • Exploring the Latest Malware Samples
  • New “Dark Web” Generative AI Chatbots?!
    
    
• Magnet Forensics
  • Customer Story | How the WR Sexual Assault and Domestic Violence Treatment Centre Uses Magnet SHIELD
  • Customer Story | Cayla Larkins, Grand Island Police Dept., Using Magnet Training to Find Evidence
  • Responding at Scale with Magnet RESPONSE
  • Ep. 9 // Exploring Samsung’s Secure Folder Feature to Recover Digital Evidence
    
    
• MSAB
  How to use the Relativity Export in XAMN?
  
  
• Sofia Marin
  • Red Team and Incident Response Series Part 3: Investigation of Business Email Compromise using UAL
  • Intro to Cybersecurity by Microsoft Security Analyst
    

MALWARE

• Adam at Hexacorn
  ZydisInfo – the disassembler that breaks the code, twice
  
  
• Any.Run
  Analyzing Lu0Bot: A Node.js Malware with Near-Unlimited Capabilities. Part 1
  
  
• ASEC
  CoinMiner Distribution Process within Infiltrated Systems (Detected by EDR)
  
  
• Jonathan Tanner at Barracuda
  Malware 101: Stealing information as an objective
  
  
• Confiant
  Exploring ScamClub Payloads via Deobfuscation Using Abstract Syntax Trees
  
  
• Cyber Geeks
  A Deep Dive into Brute Ratel C4 payloads – Part 2
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #158: Refreshing pseudocode
  
  
• Immersive Labs
  Unlock the Complexities of Reverse Engineering with Immersive Labs
  
  
• Jérôme Segura at Malwarebytes Labs
  Malicious ad served inside Bing’s AI chatbot
  
  
• Ovi Liber
  REArchive: Reverse engineering APT37’s GOLDBACKDOOR dropper
  
  
• Proofpoint
  ZenRAT: Malware Brings More Chaos Than Calm
  
  
• Splunk
  Defending the Gates: Understanding and Detecting Ave Maria (Warzone) RAT
  
  
• Thomas Gates
  Malware Analysis – Redline Stealer
  
  
• Mohamed Fahmy and Mahmoud Zohdy at Trend Micro
  APT34 Deploys Phishing Attack With New Malware
  
  
• Zhassulan Zhussupov
  Malware development trick – part 36: Enumerate process modules. Simple C++ example.
  

MISCELLANEOUS

• ADF Solutions
  4 Mistakes Investigators Make When Screenshotting Phone Evidence
  
  
• Monica Harris at Cellebrite
  Beyond Trends: The Strategic Shift Towards SaaS Architecture in Legal Operations
  
  
• Chris at AskClees
  Converting NSRL RDS Deltas
  
  
• Kithu Shajil at CyberProof
  The essential checklist for reducing the impact of ransomware attacks
  
  
• Daniel Chronlund Cloud Security Blog
  How To Deploy a Complete Entra ID Conditional Access PoC in Under 5 Minutes
  
  
• Fabian Mendoza at AboutDFIR
  AboutDFIR Site Content Update – 09/29/2023
  
  
• Forensic Focus
  • Extracting Google Chrome Using Android Agent
  • Cell Phone Tracking And SS7 – Hacking Security Vulnerabilities To Save Lives
  • How To Screenshot Mobile Evidence With Mobile Device Investigator
  • Digital Forensics Round-Up, September 28 2023
  • Intro To DEI PRO: AssessingAll Devices In A Timely Manner
  • Advance Your Investigations With ADF Solutions’ Enhanced Screen Recording And Streamlined Features
  • Forensic Focus Digest, September 29 2023
    
    
• Christa Miller at Forensic Horizons
  Expressing Uncertainty Without Confusing the Fact Finders
  
  
• InfoSec Write-ups
  The Introduction to AXIOM
  
  
• Ilias Mavropoulos at InfoSec Write-ups
  Mastering BTL1: Journey, Tips, and Insights for Cyber Defenders
  
  
• J & L Forensics
  New to Cyber: Jelani Coleman
  
  
• Kevin Pagano at Stark 4N6
  Cyber5W’s CCDFA Certification – A Review
  
  
• Korstiaan Stam at ‘Invictus Incident Response’
  Cloud Incident Response trainings
  
  
• LockBoxx
  My First Fal.Con – A Crowdstrike Conference
  
  
• Marco Ramilli
  Understanding and Defending Against Microsoft 365 Attacks
  
  
• Salvation DATA
  An Honest Review about FTK Forensic Toolkit in 2023
  
  
• Security Intelligence
  • Cost of a data breach 2023: Geographical breakdowns
  • How I got started: SIEM engineer
    
    
• Abraham Cueto Molina at Security Intelligence
  Tequila OS 2.0: The first forensic Linux distribution in Latin America
  

SOFTWARE UPDATES

• Amped
  Amped DVRConv and Amped Engine Update 30628: New Supported Formats and More
  
  
• Brim
  v1.3.0
  
  
• Didier Stevens
  • Update: hash.py Version 0.0.10
  • Update: zipdump.py Version 0.0.28
  • Update: emldump.py Version 0.0.13
  • Update: file-magic.py Version 0.0.7
    
    
• Eric Zimmerman
  ChangeLog
  
  
• Exterro
  Introducing FTK® 8.0
  
  
• Google
  BinDiff 8 Open Source
  
  
• Hashlookup Forensic Analyser
  hashlookup-forensic-analyser version 1.3 – including Bloom filter improvements and bugs fixed
  
  
• Manabu Niseki
  Mihari v5.4.5.1
  
  
• Mazars Tech
  AD_Miner v0.1.0
  
  
• MISP
  MISP 2.4.177 released with various improvements and bugs fixed.
  
  
• OpenCTI
  5.10.3
  
  
• Volatility Foundation
  Volatility 3 2.5.0
  
  
• Ryan Benson at dfir.blog
  Unfurl v2023.09 Released!
  
  
• Three Planet Software
  Apple Cloud Notes Parser v0.14.0-beta
  
  
• Xways
  • X-Ways Forensics 20.9 SR-4
  • X-Ways Forensics 21.0 Preview 4b
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!