As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Emi Polito at Amped
  Unroll a 360 Camera
  
  
• Forensafe
  • Solving Cellebrite’s September 2023 CTF (Felix’s iPhone device) Using ArtiFast
  • Investigating Android Installed Applications
    
    
• Salvation DATA
  How to Recover Deleted Partition on Hard Disk?
  
  
• Taz Wake
  • Linux Incident Response – using lsof to check network connections
  • Linux Live Incident Response – the ps command
  • Linux incident response – understanding endianess
  • Linux Incident Response – getting the EXT4 file creation time
    

THREAT INTELLIGENCE/HUNTING

• 1Password
  Security incident report
  
  
• Adam at Hexacorn
  • Hunting for Windows API prototypes and descriptions…
  • Beyond the good ol’ .bashrc entry… Part 2
  • Beyond the good ol’ .bashrc entry… Part 3
    
    
• Adam Goss
  Creating Your Own CTI Aggregator for Free: A Complete Guide
  
  
• Any.Run
  What is Cyber Threat Intelligence
  
  
• Arch Cloud Labs
  Abusing gdb Features for Data Ingress & Egress
  
  
• Ash Shatrieh at F-Secure
  The Changing Threat Landscape: Infostealers and the MacOS goldmine
  
  
• Nick Desler at AttackIQ
  Emulating Sogu/PlugX: The Sophistication of Malware Behaviors
  
  
• Ax Sharma at BleepingComputer
  Palestine crypto donation scams emerge amid Israel-Hamas war
  
  
• BlueteamOps
  Detecting ‘Dev Tunnels’
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2023-10-23 – 404 TDS URL chain leads to Async RAT variant
  • 2023-10-18 – IcedID Forked Variant with Anubis VNC, Cobalt Strike, etc.
  • 2023-10-25 – DarkGate infection from malspam
    
    
• CERT-AGID
  • Analisi di una campagna StrRat veicolata in Italia
  • Sintesi riepilogativa delle campagne malevole nella settimana del 21 – 27 Ottobre 2023
    
    
• Check Point
  • 23rd October – Threat Intelligence Report
  • A Continuing Cyber-Storm with Increasing Ransomware Threats and a Surge in Healthcare and APAC region
    
    
• CISA
  CISA Announces Launch of Logging Made Easy
  
  
• Cisco’s Talos
  • Attacks on web applications spike in third quarter, new Talos IR data shows
  • Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan
  • How helpful are estimates about how much cyber attacks cost?
    
    
• Cloudflare
  • Cyber attacks in the Israel-Hamas war
  • Introducing HAR Sanitizer: secure HAR sharing
  • DDoS threat report for 2023 Q3
    
    
• Felix Aeppli at Compass Security
  Device Code Phishing – Compass Tooling
  
  
• Michael Steele at Confiant
  ScamClub’s Deceptive Landing Pages
  
  
• Simon Miteff at Corelight
  Writing a Zeek package in TypeScript with ZeekJS | Corelight
  
  
• Arfan Sharif at CrowdStrike
  Getting Value from Your Proxy Logs with Falcon LogScale
  
  
• CTF导航
  • APT36基本情况整理及样本分析记录
  • PLAY勒索软件分析
    
    
• Cyfirma
  Weekly Intelligence Report – 27 Oct 2023
  
  
• Darrel Lang at Bridewell
  An Encounter with DarkGate: Phishing’s Next Vector
  
  
• Sam Hanson at Dragos
  Measuring the Potential Impact of PIPEDREAM Malware OPC UA Module, MOUSEHOLE
  
  
• EclecticIQ
  Cisco IOS XE Web UI Privilege Escalation Vulnerability; Sandworm Targets Ukrainian Telecom
  
  
• Eric Capuano
  Threat Hunting with Velociraptor – Long Tail Analysis Lab
  
  
• Esentire
  • Exploiting QR Codes: AiTM Phishing with DadSec PhaaS
  • StealthBait: Evasive Phishing Tactics
    
    
• Flashpoint
  Cyber Threat Intelligence Index: Q3 2023 Edition
  
  
• Fortra’s PhishLabs
  Q3 Payload Report
  
  
• Parth Gol at FourCore
  Threat Hunting: Detecting Browser Credential Stealing [T1555.003]
  
  
• GreyNoise
  CVE-2023-4966 Helps Usher In A Baker’s Dozen Of Citrix Tags To Further Help Organizations Mitigate Harm
  
  
• Haircutfish
  TryHackMe Wireshark:Traffic Analysis — Task 3 ARP Poisoning & Man In The Middle and Task 4…
  
  
• Alison Rusk at INKY
  Fresh Phish: Streaming Platforms Are Targeted by Bad Actors Amid the Real Actors’ Strike
  
  
• Miguel B at Intel Optics
  • CAPABILITY MATURITY FOR CYBER THREAT INTELLIGENCE (CM-CTI) MODEL
  • CM-CTI LEVEL 1.0: INITIAL
  • CM-CTI LEVEL 2.0: MANAGED
  • CM-CTI LEVEL 4.0: QUANTIFIED
  • CM-CTI LEVEL 5.0: OPTIMIZING
  • CM-CTI-LEVEL 6.0: INNOVATING
    
    
• J Schell
  Remote Management Monitoring tools
  
  
• John F
  Advice For Catching a RedLine Stealer
  
  
• Kevin Beaumont at DoublePulsar
  Mass exploitation of CitrixBleed vulnerability, including a ransomware group
  
  
• Kim Zetter at ‘Zero Day’
  Sophisticated StripedFly Spy Platform Masqueraded for Years as Crypto Miner
  
  
• Bert-Jan Pals at KQL Query
  Incident Response Part 3: Leveraging Live Response
  
  
• Swachchhanda Shrawan Poudel at Logpoint
  Emerging Threats Report: APT-29 – The Not So Cozy Bear
  
  
• Bill Cozens at Malwarebytes Labs
  Battling a new DarkGate malware campaign with Malwarebytes MDR
  
  
• Microsoft Security
  • Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction
  • Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability
  • Expanding audit logging and retention within Microsoft Purview for increased security visibility
    
    
• Monty Security
  Evasion by Annoyance: When LNK Payloads Are Too Long
  
  
• Nasreddine Bencherchali
  SigmaHQ Rule Release Highlights — r2023-10-23
  
  
• Jared Peck at Proofpoint
  From Copacabana to Barcelona: The Cross-Continental Threat of Brazilian Banking Malware 
  
  
• PwC
  Yellow Liderc ships its scripts and delivers IMAPLoader malware
  
  
• Brian Donohue and Tess Mishoe at Red Canary
  Emu-lation: Validating detection for Gootloader with Atomic Red Team
  
  
• Ivan Righi at ReliaQuest
  Ransomware and Cyber-extortion Trends in Q3 2023
  
  
• Roy Akerman at Rezonate
  • Okta Threat Hunting: Auditing Okta Logs Part 2
  • What is ITDR (Identity Threat Detection & Response) and Things to Look Out For
    
    
• SANS Internet Storm Center
  • How an AppleTV may take down your (#IPv6) network, (Mon, Oct 23rd)
  • Sporadic scans for “server-info.action”, possibly looking for Confluence Server and Data Center Vulnerability CVE-2023-22515, (Wed, Oct 25th)
  • Adventures in Validating IPv4 Addresses, (Thu, Oct 26th)
  • Size Matters for Many Security Controls, (Sat, Oct 28th)
    
    
• Securelist
  • The outstanding stealth of Operation Triangulation
  • StripedFly: Perennially flying under the radar
  • How to catch a wild triangle
  • A cascade of compromise: unveiling Lazarus’ new campaign
    
    
• Sekoia
  AridViper, an intrusion set allegedly associated with Hamas
  
  
• SentinelOne
  • The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest
  • Decrypting SentinelOne’s Detection | An In-depth Look at Our Real-Time CWPP Static AI Engine
  • Hacktivism in the Israel-Hamas Conflict | Citizen Data Leaked Using Old Malware
    
    
• Simone Kraus
  • Ramping up UAC-0006, millions in losses (CERT-UA#7648, CERT-UA#7688, CERT-UA#7699, CERT-UA#7705)
  • Why LockBit is more successful than other ransomware groups.
    
    
• SOCRadar
  • Security Breach in Okta Support System Continues Sparking Concerns: Cloudflare and 1Password Share Disclosures
  • Cyber Awakeness Month: Takedown of Trigona, Hive Ransomware Resurges, RansomedForum and New RaaS ‘qBit’
    
    
• Nico Shyne at SpecterOps
  Domain of Thrones: Part I
  
  
• Splunk
  Detect WS_FTP Server Exploitation with Splunk Attack Range
  
  
• Ben Martin at Sucuri
  FakeUpdateRU Chrome Update Infection Spreads Trojan Malware
  
  
• Cedric Pernet at Trend Micro
  How Kopeechka, an Automated Social Media Accounts Creation Service, Can Facilitate Cybercrime
  
  
• Megan Nilsen at TrustedSec
  • A Hitch-hacker’s Guide to DACL-Based Detections (Part 3)
  • A Hitch-hacker’s Guide to DACL-Based Detections (Part 2)
  • A Hitch-hacker’s Guide to DACL-Based Detections (Part 1B)
  • A Hitch-hacker’s Guide to DACL-Based Detections (Part 1A)
    
    
• Josh Lemon at Uptycs
  Combat Cybersecurity Alert Fatigue with a Priority Matrix
  
  
• Daniel Pascual at VirusTotal
  Unifying threat context with VirusTotal connectors
  
  
• WeLiveSecurity
  • Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers
  • ESET APT Activity Report Q2–Q3 2023
    
    
• Avigayil Mechtinger and Itamar Gilad at Wiz
  Linux rootkits explained – Part 2: Loadable kernel modules
  

UPCOMING EVENTS

• Gerald Auger at Simply Cyber
  Breaking Into DFIR: Is It Entry-Level? With Special Guest Jessica Hyde
  
  
• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2023-10-30
  
  
• Cyborg Security
  Mastering the Hunt: Translating intelligence to action
  
  
• Dragos
  Capture the flag 2023
  
  
• Magnet Forensics
  • Simplifying Microsoft 365 Collections in AXIOM Cyber
  • Unleash the Power of Your GRAYKEY at Scale – Introducing Magnet GRAYKEY Fastrak
  • Magnet User Summit 2024: Look Out Nashville, We’re Coming Back!
    
    
• SANS
  2023 SANS Difference Makers Awards Ceremony
  

PRESENTATIONS/PODCASTS

• AhmedS Kasmani
  Setting up Malware Development Lab
  
  
• Black Hills Information Security
  BHIS / Antisyphon
  
  
• Breaking Badness
  170. MOVEit on Up
  
  
• Cellebrite
  How to maximize the performance of Cellebrite Physical Analyzer Ultra?
  
  
• Dark Mode
  AISA CyberCon 2023 Recap
  
  
• Digital Forensic Survival Podcast
  DFSP # 401 – INF Fetch Execute
  
  
• Dr Josh Stroschein
  Debugging Assembly Programs Using WinDbg and Time-Travel Debugging – Getting Started with Assembly
  
  
• Dr. Meisam Eslahi at ‘Nothing Cyber’
  Cyber Threat Hunt 101: Part 6 – 70+ Tools, Techniques, and Resources!
  
  
• FIRST
  Dissect: the Solution to Large-Scale Incident Response (and Why APTs Hate Us) | *Edited Version
  
  
• Hardly Adequate
  Hardly a Week 43 October 23, 2023
  
  
• Intel471
  Should Ransom Payments Be Made Illegal
  
  
• John Hammond
  • RagnarLocker Ransomware Seized by Law Enforcement
  • The 3CX Hack In Retrospect
    
    
• Justin Tolman at AccessData
  FTK Feature Focus – Mini Timeline – FTK 8.0
  
  
• Magnet Forenics
  Collecting and Analyzing Mobile Evidence in the Workplace
  
  
• Microsoft Threat Intelligence Podcast
  China Threat Landscape: Meet the Typhoon
  
  
• MSAB
  How to import Berla iVe files in XAMN Pro?
  
  
• Nextron Systems
  THOR Cloud Lite Release Session
  
  
• OALabs
  Are Red Team Tools Helping or Hurting Our Industry?
  
  
• Sandfly Security
  Detecting Evasive Linux Malware Presentation
  
  
• SANS Cloud Security
  From Analyst to CISO and Board Member | S2-E1
  
  
• The CyberWire
  No rest for the wicked HiatusRAT.
  
  
• The Defender’s Advantage Podcast
  Threat Trends: DHS Secretary Alejandro Mayorkas in Conversation with Kevin Mandia
  
  
• Thomas Roccia
  State-Sponsored Financially Motivated Attacks
  

MALWARE

• Any.Run
  Unpacking the Use of Steganography in Recent Malware Attacks
  
  
• ASEC
  • 2023 Aug – Threat Trend Report on Ransomware Statistics and Major Issues
  • 2023 Jul – Deep Web and Dark Web Threat Trend Report
  • 2023 Aug – Threat Trend Report on APT Groups
  • 2023 Aug – Threat Trend Report on Kimsuky Group
    
    
• Avast Threat Labs
  Rhysida Ransomware Technical Analysis
  
  
• Jarosław Jedynak at CERT Polska
  Malware stories: Deworming the XWorm
  
  
• Cluster25
  The Duck is Hiring in Italy: DUCKTAIL Spread via Compromised LinkedIn Profiles
  
  
• Matthew at Embee Research
  • Cobalt Strike .VBS Loader – Decoding with Advanced CyberChef and Emulation
  • Understanding and Improving The Ghidra UI for Malware Analysis
  • Remcos Downloader Analysis – Manual Deobfuscation of Visual Basic and Powershell
    
    
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #162: Where’s my code? The case of no-return call
  
  
• MWLab
  Decryption of AsyncRAT config strings with CyberChef
  
  
• NVISO Labs
  • Most common Active Directory misconfigurations and default settings that put your organization at risk
  • Introducing CS2BR pt. III – Knees deep in Binary
    
    
• OALABS Research
  Origin Logger
  
  
• Siddharth Sharma at Palo Alto Networks
  When PAM Goes Rogue: Malware Uses Authentication Modules for Mischief
  
  
• Zhassulan Zhussupov
  Malware and cryptography 21: encrypt/decrypt payload via WAKE. Simple C++ example.
  
  
• ZScaler
  • Mystic Stealer Revisited
  • A Retrospective on AvosLocker
    

MISCELLANEOUS

• Fabian Mendoza at AboutDFIR
  AboutDFIR Site Content Update – 10/27/2023
  
  
• ADF Solutions
  Exterro and ADF Solutions Announce Global Strategic Partnership
  
  
• Cado Security
  Cado Incident Readiness Dashboard: Comprehensive Cloud Incident Response Preparedness
  
  
• CrowdStrike
  CrowdStrike Services Offers Incident Response Executive Preparation Checklist
  
  
• Doug Burks at Security Onion
  • Security Onion 2.4 Feature o’ the Day – Dynamic Observable Extraction in SOC Cases
  • Security Onion 2.4 Feature o’ the Day – SOC can now import PCAP and EVTX files
  • 10% Early Bird discount for Security Onion for Analysts & Threat Hunters Class in December 2023!
  • Security Onion 2.4 Feature o’ the Day – Manage User Accounts via SOC
  • Security Onion 2.4 Feature o’ the Day – Manage Nodes via SOC
  • Security Onion 2.4 Feature o’ the Day – SOC Grid Improvements
    
    
• Forensic Focus
  • GMDSOFT New Product Release Announcement ‘MD-PLUG’
  • Four Must-Haves For Efficient Incident Response Analysis And Investigation
  • Introducing The AFCE Certification (Amped FIVE Certified Examiner)
  • Digital Forensics Round-Up, October 26 2023
  • Forensic Focus Digest, October 27 2023
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  Where is my file’s metadata?
  
  
• MSAB
  Interim Report Q3, July – September 2023
  
  
• Nick Pockl-deen
  AISA CyberCon 2023
  
  
• Plainbit
  • Techno Security & Digital Forensics Conference 2023
  • 선별 수집 데이터 분석 in AXIOM
    
    
• Robin Dimyan
  A Threat is not a Threat Actor!
  
  
• Sue Poremba at Security Intelligence
  Cost of a data breach: The evolving role of law enforcement
  

SOFTWARE UPDATES

• Amped
  Amped FIVE Update 31095: Frame Hash Analysis, Improvements to Copy & Verify, Automatic File Listing in Report and Much More
  
  
• Digital Sleuth
  v2023.30.3
  
  
• Eric Kutcher
  Thumbcache Viewer
  
  
• ExifTool
  ExifTool 12.69
  
  
• Google
  • GRR release 3.4.7.1
  • timesketch 20231025
    
    
• Manabu Niseki
  Mihari v5.6.2
  
  
• Metaspike
  Forensic Email Intelligence – 2.1.12.2
  
  
• Wajih Yassine at Open Source DFIR
  Introducing OSDFIR Infrastructure: Automating Deployment and Integration of Open Source DFIR Tools to Kubernetes
  
  
• OpenCTI
  5.11.12
  
  
• Sigma
  Release r2023-10-23
  
  
• SigmaHQ
  pySigma v0.10.6
  
  
• USB Detective
  Version 1.6.4 (10/25/2023)
  
  
• Xways
  X-Ways Forensics 21.0 Beta 1
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!