As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Emi Polito at Amped
  - Deblur a License Plate in an Image
- Belkasoft
  - Telegram Forensics: Getting Started
- Digital Daniela
  - Investigating Suspicious Emails!
- Jerry Chang
- Joshua Hickman at ‘The Binary Hick’
  - Finding Phones With Google Maps Part 1 (Android)
- Justin De Luna at ‘The DFIR Spot’
  - Investigating a Compromised Web Server
- Korstiaan Stam at ‘Invictus Incident Response’
  - Everything you need to know about the MicrosoftGraphActivityLogs
- Magnet Forensics
- Mari Degrazia at ZeroFox
  - The Registry Hives You May be MSIX-ING: Registry Redirection with MS MSIX
- Monty Security
  - Analyzing a Multi-Stage LNK Dropper
- Nick Pockl-Deen
  - Phishing emails – a breakdown from an Incident Responder getting phished: Part 1.
- Salvation DATA
  - 4 Steps for Data Extraction from iTunes Backup
- Vikas Singh
  - AWS CloudTrail Forensics – A SIEM Case Study
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
  - Mapping Chrome extension IDs to their names, Part 2
- Adam Goss
  - Threat Intelligence with MISP: Part 5 — Searching and Filtering
- Stijn Tilborghs & Connor Faulkner at Akamai
  - Deep Analysis of Hospitality Phishing Campaign Shows Global Threat
- Alex Teixeira
  - Why you need Data Engineering Pipelines before an enterprise SIEM
- Allan Liska at ‘Ransomware Sommelier’
  - Tracking Healthcare Breaches in the United States
- Anton Chuvakin
  - Focus Threat Intel Capabilities at Detection Engineering (Part 4)
- Antonio Formato
  - Chat with your Cyber Threat Intelligence data with Azure OpenAI
- Aon Cyber Labs
  - A SIMple Attack: A Look Into Recent SIM Swap Attack Trends
- Jeremy Fuchs at Avanan
  - Account Takeover: The Bank Signature Change
- Tushar Richabadas at Barracuda
  - Threat Spotlight: How bad bot traffic is changing
- Alina Bizga at Bitdefender
  - When Emails Attack: BEC Attack Examples You Can’t Ignore
- Lawrence Abrams at BleepingComputer
  - Ragnar Locker ransomware’s dark web extortion sites seized by police
- Brad Duncan at Malware Traffic Analysis
- Cado Security
- CERT EU
  - Threat Landscape Report For Q3 2023 – Executive Summary
- CERT Ukraine
  - Specifics of destructive cyberattacks against Ukrainian providers (CERT-UA#7627)
- CERT-AGID
- Check Point
  - 16th October – Threat Intelligence Report
- Christopher Elce
  - Setting Up a Home Lab for Elastic SIEM: A Step-by-Step Guide
- CISA
  - Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks
  - CISA, NSA, FBI, and MS-ISAC Release Phishing Prevention Guidance
  - CISA, NSA, FBI, and MS-ISAC Release Update to #StopRansomware Guide
  - CISA Releases Fact Sheet on Effort to Revise the National Cyber Incident Response Plan (NCIRP)
- Cisco’s Talos
- Ben Reardon at Corelight
  - Turning the Tables on the Infiltrator | Corelight
- CTF导航
- Curated Intelligence
  - Tracking Cyber Activity Surrounding War In Israel
- Cyfirma
  - Weekly Intelligence Report – 20 Oct 2023
- Humoud Al Saleh and Majid Alqabandi at Cyphur
  - Hunting for Leaked Cobalt Strike v4.9 servers
- Frederic Baguelin, Eslam Salem, Emile Spir, and Christophe Tafani-Dereeper at Datadog Security Labs
  - The Confluence CVE-2023-22515 vulnerability: Overview, detection, and remediation
- Sean McNee, PhD at DomainTools
  - Less Phishing, More Cat Pictures
- Eclypsium
  - Firmware and Frameworks: MITRE ATT&CK
- Santosh Krishnan at Elastic
  - Elastic Global Threat Report 2023: Top cybersecurity forecasts and recommendations
- Aaron Walton at Expel
  - Expel Q3 Quarterly Threat Report: the top five findings
- Flare
  - Threat Spotlight: Initial Access Brokers on Russian Hacking Forums
- Flashpoint
  - COURT DOC: Moldovan Charged, Arrested, And Extradited For Administration Of Site Involved In The Illicit Sale Of Compromised Computer Credentials
- Gi7w0rm
  - The curious case of the 7777-Botnet
- Kate Morgan at Google Threat Analysis Group
  - Government-backed actors exploiting WinRAR vulnerability
- InfoSec Write-ups
  - Behind the Screens: Exploring a Fresh Phishing Campaign in Indonesia Stealing Facebook Credentials
- Intel471
  - Detecting and Stopping Malicious Traffic
- LockBoxx
  - The Hunt for Red Apples Workshop
- Molly Moser at Lumen
  - What is a threat feed? (and what it’s not)
- Jérôme Segura at Malwarebytes Labs
  - The forgotten malvertising campaign
- Mandiant
  - Remediations for Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966)
- Microsoft Security
  - Automatic disruption of human-operated attacks through containment of compromised user accounts
- Shuyang Wang & Ryan Wisniewski at Obsidian Security
  - Behind the Breach: Cross-tenant Impersonation in Okta
- Cedric Van Bockhaven at Outflank
  - Listing remote named pipes
- Palo Alto Networks
- Phylum
  - Q3 2023 Evolution of Software Supply Chain Security Report
- Plainbit
  - Sweeper Bot
- Dusty Miller at Proofpoint
  - Are You Sure Your Browser is Up to Date? The Current Landscape of Fake Browser Updates
- Grace Chi at Pulsedive
  - Announcing: Pulsedive 6.2
- Caitlin Condon at Rapid7
  - CVE-2023-20198: Active Exploitation of Cisco IOS XE Zero-Day Vulnerability
- Recorded Future
- Red Canary
  - Intelligence Insights: October 2023
- Robin Dimyan
  - Importance of Collection Planning in CTI
- SANS Internet Storm Center
  - Are typos still relevant as an indicator of phishing?, (Mon, Oct 16th)
  - Domain Name Used as Password Captured by DShield Sensor, (Sun, Oct 15th)
  - Hiding in Hex, (Wed, Oct 18th)
  - Changes to SMS Delivery and How it Effects MFA and Phishing, (Tue, Oct 17th)
  - base64dump.py Handles More Encodings Than Just BASE64, (Sun, Oct 22nd)
- Securelist
- SentinelOne
- SOCRadar
- Solidarity Labs
  - CloudOps Tactics – Github Logs
- Jared Atkinson at SpecterOps
  - On Detection: Tactical to Functional – Part 9: Perception vs. Conception
- Sucuri
- Symantec Enterprise
  - Crambus: New Campaign Targets Middle Eastern Government
- Third Eye intelligence
  - My take on Role of Threat Intelligence in Security Operations
- Threatmon
  - Navigating the Digital Frontier: Cyber Threats in the Israeli-Palestinian War
- Ernesto Fernández Provecho and David Pastor Sanz at Trellix
  - Discord, I Want to Play a Game
- Carl Malipot at Trend Micro
  - Beware: Lumma Stealer Distributed via Discord CDN
- Joseliyo Sánchez at VirusTotal
  - The path from VT Intelligence queries to VT Livehunt rules: A CTI analyst approach
- Camilo Gutiérrez Amaya and Fernando Tavella at WeLiveSecurity
  - Operation King TUT: The universe of threats in LATAM
UPCOMING EVENTS
- Cyborg Security
  - Mastering the hunt: Translating intelligence to action
- Logpoint
  - On Demand: Defending Against 8base
- Magnet Forensics
PRESENTATIONS/PODCASTS
- Alexis Brignoni
  - Digital Forensics Now – Episode 4
- Arkime
  - Arkime 5.0 Upcoming Backend Features
- Black Hills Information Security
  - AC-HUNTER: GUI Network Analysis (FREE!) John Strand | BHIS Nuggets
- Catfish Cops
  - Episode 104: Jared Barnhart with Cellebrite – Part 1
- Cellebrite
  - The DIgFor – CTF Winners
- Charlie Clark and Andrew Schwartz
  - You (dis)liked DCSync? Wait for Netsync
- Check Point
  - H1 2023 in Cybersecurity
- CyberDefenders
- Digital Forensic Survival Podcast
  - DFSP # 400 – CMSTP
- Hack.lu 2023
  - Hack.lu 2023
- InfoSec_Bret
  - CyberDefenders – Qradar101 (Part 2)
- Insane Forensics
  - How to Tailor NSA/CISA’s ELITEWOLF Snort Signatures To Your Industrial Environment
- John Hammond
  - 3 FREE Resources for Cyber Defenders
- Justin Tolman at AccessData
- Magnet Forensics
- Micah Babinski
  - Using Sigma as a gateway to detection engineering
- MSAB
- RickCenOT
  - PWN’ing a Moxa NPort W2150A ICS/OT industrial server over UART and finding hardcoded credentials
- SANS Cloud Security
- The Cybersecurity Defenders podcast
  - #72 – LOLDrivers & Sigma community-based detections with Nas Bencherchali, Detection engineer & Threat researcher at Nextron Systems
- The Defender’s Advantage Podcast
  - Threat Trends: Addressing Risk in the Cloud with Wiz
- Velocidex Enterprises
  - WSC Intro to Velociraptor
- Yaniv Hoffman
  - Hunting Malware: File Manipulation Hands-On Demo with a Security Pro
MALWARE
- Any.Run
  - Malware Analysis in ANY.RUN: The Ultimate Guide
- ASEC
- Doug Burks at Security Onion
  - Quick Malware Analysis: TA577 PIKABOT INFECTION WITH COBALT STRIKE pcap from 2023-10-17
- Embee Research
- James Slaughter at Fortinet
  - Another InfoStealer Enters the Field, ExelaStealer
- Hex Rays
- Lathashree K at K7 Labs
  - Rusty Droid: Under the Hood of a Dangerous Android RAT
- Kelvin W
  - What a Load of %<<Title>>#!: DarkGate Malware Analysis
- Born at nullteilerfrei
  - Ghidra: YARA scanning
- OALABS Research
  - Extended ADVObfuscator
- OSArmor
  - Fake “Copyright Infringement” Messages Lead to Facebook 2FA Bypass
- Ayush Anand at Securityinbits
  - Deobfuscate Script using CyberChef – Recipe 0x3
- Quentin Bourgue at Sekoia
  - ClearFake: a newcomer to the “fake updates” threats landscape
- Rajesh Nataraj at Sophos
  - Ransomware actor exploits unsupported ColdFusion servers—but comes away empty-handed
- Nijith Wilson at System Weakness
  - Creating a Simple Discord RAT (Remote Administration Tool) with Python
- The Citizen Lab
  - PREDATOR in the Wires: Ahmed Eltantawy targeted with Predator spyware after announcing his intention to run for president
- Tejaswini Sandapolla and Karthickkumar Kathiresan at Uptycs
  - Quasar RAT Leverages DLL Side-Loading Techniques
- Joshua Platt and Jason Reaves at Walmart
  - IcedID gets Loaded
MISCELLANEOUS
- Fabian Mendoza at AboutDFIR
  - AboutDFIR Site Content Update – 10/20/2023
- Cellebrite
- Doug Burks at Security Onion
- Forensic Focus
  - The State Of Digital Forensics And Incident Response 2023
  - UPCOMING WEBINAR – Unlock The Power Of IR
  - UPCOMING WEBINAR – Enhancing Mobile Investigations: A Focus On Screenshots And Screen Recording
  - Share What You’re Seeing in DFIR in Magnet Forensics’ State of Enterprise DFIR Survey
  - Beyond Trends: The Strategic Shift Towards SaaS Architecture in Legal Operations
  - Digital Forensics Round-Up, October 19 2023
  - Decrypt WD My Passport Disks and Macs with T2 Chip With the New Passware Device Decryption Add-on
- Magnet Forensics
  - The State of Enterprise DFIR: Share What You’re Seeing in Our Survey!
- Salvation DATA
  - The Ultimate Guide to Network Forensics Tools for 2023
SOFTWARE UPDATES
- Apache
  - 20 October 2023: Apache Tika Release
- Breakpoint Forensics
  - 10/17/2023 BFIP-V4.4 Release
- Brim
  - v1.3.1
- Canadian Centre for Cyber Security
  - Assemblyline 4.4.0.70
- Digital Sleuth
  - winfor-salt v2023.30.0
- Eric Zimmerman
  - ChangeLog
- ExifTool
  - ExifTool 12.68
- FalconForce
  - FalconHound v1.0.0
- Manabu Niseki
  - Mihari v5.5.0
- Matt Shannon at F-Response
  - F-Response 8.7.1.9 – Collect, Compute, and More
- Mazars Tech
  - AD_Miner v0.4.1
- Metaspike
  - Forensic Email Intelligence 2.1.12 Release Notes
- MobilEdit
  - MOBILedit Forensic 9.2.1 just released
- OpenCTI
  - 5.11.8
- Passware
  - Passware Kit 2023 v4 Now Available
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!