As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Amped
- Digital Daniela
Examining Traffic with NetworkMiner! - Justin De Luna at ‘The DFIR Spot’
Artifacts of Execution: Prefetch – Part One - Kevin Pagano at Stark 4N6
- Magnet Forensics
- Oxygen Forensics
Extracting Data from UNISOC-based Devices - Bill Marczak, John Scott-Railton, and Ron Deibert at The Citizen Lab
Independently Confirming Amnesty Security Lab’s finding of Predator targeting of U.S. & other elected officials on Twitter/X - The Security Noob
[DFIR TOOLS] JLECmd, what is it & how to use!
THREAT INTELLIGENCE/HUNTING
- Adam Goss
Threat Intelligence with MISP: Part 4 — Using Feeds - Aditya Pratap
Leveraging ChatGPT for Blue Team in Cyber Security - Allan Liska at ‘Ransomware Sommelier’
Avenging PowerShell to Stop Ransomware - Any.Run
- Assume-breach
Home Grown Red Team: LNK Phishing In 2023 Revisited…Again - AT&T Cybersecurity
Stories from the SOC: Quishing – Combatting embedded malicious QR codes - Francis Guibernau at AttackIQ
Emulating the Commodity Downloader GootLoader - Benjamin Hosack at Foregenix
Stealthy Malware – eCommerce Malware Trends - BI Zone
Sticky Werewolf attacks public organizations in Russia and Belarus - Pete Herzog at Blackberry
Inside the FBI and DOJ Takedown of Qakbot, the “Swiss Army Knife” of Malware - Brad Duncan at Malware Traffic Analysis
- Bridewell
Analysing a Widespread Microsoft 365 Credential Harvesting Campaign - Censys
Unmasking Deception: Navigating Red Herrings and Honeypots - CERT-AGID
Summary of malicious campaigns in the week of 07 – 13 October 2023 - Check Point
- Yehuda Gelb at Checkmarx Security
Users of Telegram, AWS, and Alibaba Cloud Targeted in Latest Supply Chain Attack - CISA
- Fabien Bader at Cloudbrothers
Detect threats using Microsoft Graph Logs – Part 1 - Cluster25
CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations - Hendrik Eckardt at cyber.wtf
Config Extraction from in-memory CobaltStrike Beacons - Reza Rafati at Cyberwarzone
The Dark Roulette: A Timeline of Cyberattacks on Casinos (2023) - Cyfirma
Weekly Intelligence Report – 13 Oct 2023 - Datadog Security Labs
Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild - Dean Parsons at SANS
Living Off the Land Attacks and Countermeasures in Industrial Control Systems - EclecticIQ
Johnson Controls Ransomware Attack; McLaren Health Care Data Breach; Unpatched Exim Vulnerability; Lazarus LinkedIn Attack; NATO Cyber Breach - Matthew at Embee Research
How To Develop Yara Rules for .NET Malware Using IL ByteCodes - Erik Hjelmvik at Netresec
Forensic Timeline of an IcedID Infection - Fortra’s PhishLabs
Threat Actor Profile: Strox Phishing-as-a-Service - Gianni Castaldi at Kusto King
Hunting for the Curl vulnerability - Jonathan Johnson
- Bert-Jan Pals at KQL Query
Incident Response Part 2: What about the other logs? - Doug Metz at Magnet Forensics
Responding at Scale with Magnet RESPONSE - Malwarebytes Labs
Ransomware review: October 2023 - Michael Barnhart, Austin Larsen, Jeff Johnson, Taylor Long, Michelle Cantos, and Adrian Hernandez at Mandiant
Assessed Cyber Structure and Alignments of North Korea in 2023 - MITRE-Engenuity
- Nasreddine Bencherchali
- Nik Alleyne at ‘Security Nik’
Beginning Fourier Transform – Detecting Beaconing in our networks - NSA Cyber
Elitewolf - Nsfocus
APT group DarkPink exploits WinRAR 0-day vulnerability CVE-2023-38831 to attack multiple targets in Vietnam and Malaysia - Olaf Hartong at Falcon Force
Microsoft Defender for Endpoint Internals 0x05 — Telemetry for sensitive actions - Red Alert
Monthly Threat Actor Group Intelligence Report, August 2023 (KOR) - ReliaQuest
- SANS Internet Storm Center
- Alex Delamotte & Christian Vrescak at SentinelOne
Threat Actors Actively Exploiting Progress WS_FTP via Multiple Attack Chains - SOCRadar
- Symantec Enterprise
Grayling: Previously Unseen Threat Actor Targets Multiple Organizations in Taiwan - Alvaro Martinez Muñoz at System Weakness
- Trellix
- Jon Clay at Trend Micro
How to Prevent Ransomware as a Service (RaaS) Attacks
UPCOMING EVENTS
- Black Hills Information Security
- Cellebrite
Leveraging SaaS to Power Mobile Data Collections and Advanced Collections - Censys
Spilling the MFTea: The history and current state of MFT Attacks - Cyborg Security
Mastering the Hunt: Translating Intelligence to Action - DFRWS
Wearables and Health Data: An Update - Magnet Forensics
- SANS
SANS Cyber Defense Initiative® 2023 in Washington, DC
PRESENTATIONS/PODCASTS
- AhmedS Kasmani
NjRat Malware Analysis - Anuj Soni
6 Tips to Kickstart & Sustain Your Malware Analysis Journey - ArcPoint Forensics
- Black Hills Information Security
- Breaking Badness
[Special Report] Two Seans, a Tim, and a Pig Butchering Ring - Cellebrite
Pathfinder Tutorials I Investigative Workflows I Collaboration & Scalability – part I - CYBERWOX
Introduction to AWS Threat Detection w/ @linkedinlearning - Digital Forensic Survival Podcast
DFSP # 399 – Lateral Movement Failed Logon Events - Doug Burks at Security Onion
Security Onion Conference 2023 Videos are now available! - FIRST
FIRSTCON23 - Gerald Auger at Simply Cyber
Fireside Cyber Chat with Ian Anderson - InfoSec_Bret
CyberDefenders – Qradar101 (Part 1) - Intel471
Cybercrime Exposed Podcast: The Phisherman - John Hammond
- Justin Tolman at AccessData
FTK 8.0 Feature Focus – Reviewing Mobile Chats - Karsten Hahn at Malware Analysis For Hedgehogs
Hiding .NET IL code from DnSpy with R2R Stomping - LaurieWired
Ghidra Scripting to Speed Up Reverse Engineering - Magnet Forensics
Where Did This Come From? Revealing The Sending Phone Number Of An Unidentified AirDrop File - Microsoft Threat Intelligence Podcast
- MSAB
- Nuix
Data Challenges 1920×1080 V4 0 - Richard Davis at 13Cubed
VMware Memory Forensics – Don’t Miss This Important Detail! - RickCenOT
25min Pomodoro Vaporwave Beats for Laser-Focused Studying and ICS/OT Hacking | Productivity Boost - SANS
Healthcare Ransomware Discussion | Ryan Chapman - Security Onion
Security Onion Conference 2023 - Sofia Marin
Series Red team and Incident Response: Identified and secure Azure Storage Account. - The Cyber Mentor
Phishing, Smishing, and Vishing Explained – 2023
MALWARE
- Adams Kone
Brute Ratel BRC4 - Alessandra Perotti
Malware Analysis & Investigation Framework - Amit Tambe at F-Secure
Take a note of SpyNote! - ASEC
- Infostealer with Abnormal Certificate Being Distributed
- Infostealer Being Distributed via Spam Email (AgentTesla)
- Distribution of Magniber Ransomware Stops (Since August 25th)
- ShellBot DDoS Malware Installed Through Hexadecimal Notation Addresses
- Analysis Report on Lazarus Threat Group’s Volgmer and Scout Malwares
- Blake Darché, Armen Boursalian, and Javier Castro at Cloudflare
Malicious “RedAlert – Rocket Alerts” Application Targets Israeli Phone Calls, SMS, and User Information - CTF导航
LightSpy APT attacks WeChat users, stealing payment data - Dr Josh Stroschein
Getting Started with REMnux – Installing Tools in a Custom VM - Fortinet
- Hex Rays
Igor’s Tip of the Week #160: Hiding casts in the decompiler - Kelvin W
- Didier Stevens at NVISO Labs
XOR Known-Plaintext Attacks - OALABS Research
ADVObfuscator - Ruian Duan and Daiping Liu at Palo Alto Networks
Understanding DNS Tunneling Traffic in the Wild - Phylum
- Soumen burma at Quick Heal
MedusaLocker Ransomware: An In-Depth Technical Analysis and Prevention Strategies - Giampaolo Dedola, Domenico Caldarella, Alexander Fedotov, and Andrey Gunkin at Securelist
ToddyCat: Keep calm and check logs - Alex Delamotte and Jim Walter at SentinelOne
Dark Angels | ESXi Ransomware Borrows Code & Victimology From RagnarLocker - Satyajit Daulaguphu at Tech Zealots
Code Obfuscation: Understanding the Techniques and Methods - Trend Micro
- Virus Bulletin
New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects
MISCELLANEOUS
- Anton Chuvakin
How to Banish Heroes from Your SOC? - Atola Technologies
Damaged Drive Imaging: Examples And Popular Questions - Jonathan Tanner at Barracuda
Malware 101: Wiperware and other destructive malware - Belkasoft
DFIR Labs in the Cloud: The Future of Digital Forensics - Binary Defense
Mastering Windows Access Control: Understanding SeDebugPrivilege - James Schweitzer at Corelight
How to Configure the Corelight App for Splunk | Corelight - Dirk-jan Mollema
Phishing for Primary Refresh Tokens and Windows Hello keys - Tim Helming at DomainTools
Investigate All the Things – in Slack - Doug Burks at Security Onion
Security Onion Documentation printed book now updated for the new Security Onion 2.4! - Doug Metz at Baker Street Forensics
Baker Street Forensics joins the Fediverse - Fabian Mendoza at AboutDFIR
AboutDFIR Site Content Update – 10/13/2023 - Forensic Focus
- Plainbit
- Grace Chi at Pulsedive
Behind the Scenes: Hiring a Threat Researcher - Gerry Johansen at Red Canary
Is your IR plan DOA? - Robin Dimyan
Predictive Defense: How to do cyber crime forecasting with examples - Salvation DATA
Everything about SalvationDATA: the Leading Provider of Digital Forensic Solutions - SANS DFIR
Case Leads
SOFTWARE UPDATES
- Adam at Hexacorn
Dexray v2.33 - Doug Burks at Security Onion
Security Onion 2.4.20 Hotfix 20231012 Now Available! - James Habben
4n6 App Finder - MALCAT
0.9.3 is out: python, python, python (and firmwares) - Manabu Niseki
Mihari v5.4.9 - Mazars Tech
AD_Miner v0.3.0 - Pasquale Stirparo
machofile - Passmark Software
OSForensics – V10.0 Build 1016 10th October 2023 - Sigma
Release r2023-10-09 - Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!