As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Cado Security
  • Investigating AWS EC2 Compromise CTF by Cado Security
  • Scaling Log Forensics in the Cloud with cloudgrep
    
    
• CyberJunnkie
  Pre5 Forensics (CyberHackathon 23 Online Qualifiers)
  
  
• Digital Daniela
  Using Zeek Signatures!
  
  
• Shanna Daly at Fancy Forensics
  • Leveraging SRUM for Incident Response
  • Hunting webshells
    
    
• Forensafe
  Solving Cellebrite’s September 2023 CTF (Abe’s iPhone device) Using ArtiFast
  
  
• Gaurav Gogia
  WSL2 Forensics: Detection, Analysis & Revirtualization
  
  
• Josh Lemon
  File Timestamps for Apple APFS
  
  
• Krzysztof Miodoński
  Collaboration between KAPE and Microsoft Defender for Endpoint at the service of the SOC
  
  
• N00b_H@ck3r
  LetsDefend: Ransomware Attack
  
  
• Igor Rodrigues at Open Source DFIR
  Turbinia’s API Evolves: A Comprehensive Overview of the Latest Enhancements
  
  
• Phill Moore at ThinkDFIR
  How can I be of WebAssist(ance)?
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  Who am I? Asking for my file friend: whoami.exe…
  
  
• Adam Goss
  Python Threat Hunting Tools: Part 11 — A Jupyter Notebook for MISP
  
  
• Alex Teixeira
  Beyond IOCs: Contextualized Leads from Analytics-Driven Threat Hunts
  
  
• Anton Chuvakin
  Decoupled SIEM: Brilliant or Stupid?
  
  
• Aon
  Detecting “Effluence”, An Unauthenticated Confluence Web Shell
  
  
• Stefan Hostetler, Markus Neis, Christopher Prest, Hady Azzam, Joe Wedderspoon, and Ross Phillips at Arctic Wolf
  TellMeTheTruth: Exploitation of CVE-2023-46604 Leading to Ransomware
  
  
• Ken Ng at AT&T Cybersecurity
  Don’t check out! – Credit card skimming activity observed
  
  
• Tim Manik, Bryant Pickford, and Daria Pshonkina at AWS Security
  How to improve your security incident response processes with Jupyter notebooks
  
  
• Martin Zugec at Bitdefender
  Hive Ransomware’s Offspring: Hunters International Takes the Stage
  
  
• Blackberry
  BiBi Wiper Used in the Israel-Hamas War Now Runs on Windows
  
  
• Bridewell
  Bridewell and Group-IB Uncover Possible BlackByte Victim Data
  
  
• Censys
  • Cheat Sheet: 20 Ways to Supercharge Your Threat Hunting Efforts with Censys Search
  • The 2023 State of Threat Hunting: How Threat Hunters Are Navigating a Transforming Cybersecurity Landscape
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 04-10 Novembre 2023
  
  
• Check Point
  • 6th November – Threat Intelligence Report
  • October 2023’s Most Wanted Malware: NJRat Jumps to Second Place while AgentTesla Spreads through new File Sharing Mal-Spam Campaign
  • Abusing Microsoft Access “Linked Table” Feature to Perform NTLM Forced Authentication Attacks
  • Keeping Up with Today’s Top Mobile Spyware Threat Trends
    
    
• CISA
  • Guidance for Addressing Citrix NetScaler ADC and Gateway Vulnerability CVE-2023-4966, Citrix Bleed
  • FEMA and CISA Release Joint Guidance on Planning Considerations for Cyber Incidents
    
    
• Cisco’s Talos
  • Threat Roundup for November 3 to November 10
  • Spammers abuse Google Forms’ quiz to deliver scams
    
    
• Fabian Bader at Cloudbrothers
  Detect threats using Microsoft Graph activity logs – Part 2
  
  
• CTF导航
  Lateral Movement without Lateral Movement (Brought to you by ConfigMgr)
  
  
• Cyber Geeks
  Attackers impersonate Romanian Gas Companies – OSINT Investigation
  
  
• Cyfirma
  Weekly Intelligence Report – 10 Nov 2023
  
  
• Eclypsium
  Eclypsium Launches Guide to Supply Chain Security for Enterprise Infrastructure
  
  
• Aaron Jewitt at Elastic
  Detecting account compromise with UEBA detection packages
  
  
• F5 Labs
  Fake Account Creation Bots – Part 3
  
  
• FBI
  Ransomware Actors Continue to Gain Access through Third Parties and Legitimate System Tools
  
  
• Flare
  Initial Access Brokers (IAB): What You Need to Know
  
  
• Nikolay Kichatov at Group-IB
  Ransomware manager: Investigation into farnetwork, a threat actor linked to five strains of ransomware
  
  
• Huntress
  Confluence to Cerber: Exploitation of ​​CVE-2023-22518 for Ransomware Deployment
  
  
• Huseyin Rencber
  Okta Incident Response Notes and Threat Hunting in Okta
  
  
• Michael Zuckerman at Infoblox
  Malicious DNS in the News
  
  
• Intel471
  Malaysian Police Disrupt ‘The Phisherman’
  
  
• Jamf
  BlueNoroff strikes again with new macOS malware
  
  
• Tetsuya Mizuno at JPCERT/CC
  Credential Theft and Domain Name Hijacking through Phishing Sites
  
  
• Keith McCammon
  Top initial access techniques from 2019-2022, mapped to ATT&CK
  
  
• KELA Cyber Threat Intelligence
  Surviving the QakBot Takedown: Black Basta and Knight Ransomware Operations
  
  
• Bert-Jan Pals at KQL Query
  KQL Functions For Network Operations
  
  
• Nasreddine Bencherchali at MagicSword
  Streamlining LOLDrivers Contributions Via Streamlit
  
  
• Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk at Mandiant
  Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology
  
  
• Michael Koczwara
  Threat Intel-Pivoting using Censys
  
  
• Microsoft Security
  Microsoft shares threat intelligence at CYBERWARCON 2023
  
  
• Nasreddine Bencherchali
  SigmaHQ Rules Release Highlights — r2023–11–06
  
  
• NCC Group
  • D0nut encrypt me, I have a wife and no backups 
  • Demystifying Cobalt Strike’s “make_token” Command
    
    
• Nsfocus
  APT组织DarkCasino的燎原之火，WinRAR零日漏洞CVE-2023-38831的利用现状
  
  
• Olaf Hartong at Falcon Force
  FalconHound, attack path management for blue teams
  
  
• Palo Alto Networks
  • Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors
  • Chinese APT Targeting Cambodian Government
    
    
• Penetration Testing Lab
  Persistence – Windows Telemetry
  
  
• Rapid7
  • Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518
  • GhostLocker – A “Work In Progress” RaaS
    
    
• Rapid7
  CVE-2023-47246: SysAid Zero-Day Vulnerability Exploited By Lace Tempest
  
  
• Recorded Future
  Charting China’s Climb as a Leading Global Cyber Power
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, September 2023 (KOR)
  
  
• Red Canary
  • Adversaries exploit Confluence vulnerability to deploy ransomware
  • Better know a data source: Network telemetry
    
    
• ReliaQuest
  • Automating the Compromised Credential Playbook
  • Citrix Bleed Vulnerability: Background and Recommendations
    
    
• Rezonate
  Best Practices to Detect and Respond to a Compromised Identity
  
  
• Riccardo Ancarani at ‘Red Team Adventures’
  Attacking an EDR – Part 3
  
  
• Robin Dimyan
  Making Sense of Cyber Attacks
  
  
• S2W Lab
  • [Regional Analysis_OCTOBER] Dark Web Cyber-attacks targeting Japan
  • [Regional Analysis_OCTOBER] Dark Web Cyber-attacks targeting Japan (English ver.)
    
    
• SANS Internet Storm Center
  • Exploit Activity for CVE-2023-22518, Atlassian Confluence Data Center and Server, (Mon, Nov 6th)
  • Example of Phishing Campaign Project File, (Wed, Nov 8th)
  • What’s Normal: New uses of DNS, Discovery of Designated Resolvers (DDR), (Tue, Nov 7th)
  • Visual Examples of Code Injection, (Thu, Nov 9th)
  • Routers Targeted for Gafgyt Botnet [Guest Diary], (Thu, Nov 9th)
    
    
• Sansec
  Is your store’s newsletter being used for phishing?
  
  
• Securelist
  Modern Asian APT groups’ tactics, techniques and procedures (TTPs)
  
  
• Anusthika Jeyashankar at Security Investigation
  How Does DGA Malware Operate And How To Detect In A Security Operation Center
  
  
• Security Joes
  Mission “Data Destruction”: A Large-scale Data-Wiping Campaign Targeting Israel
  
  
• Securonix
  Securonix Threat Labs Monthly Intelligence Insights – October 2023
  
  
• SentinelOne
  • Arid Viper | APT’s Nest of SpyC23 Malware Continues to Target Android Devices
  • Predator AI | ChatGPT-Powered Infostealer Takes Aim at Cloud Platforms
    
    
• SOCRadar
  New Gootloader Variant “GootBot” Changes the Game in Malware Tactics
  
  
• Sophos
  • Identifying Group Policy attacks
  • Memory scanning leaves attackers nowhere to hide
  • Same threats, different ransomware
    
    
• SpecterOps
  • Domain of Thrones: Part II
  • Lateral Movement without Lateral Movement (Brought to you by ConfigMgr)
  • Phishing With Dynamite
    
    
• Rianna MacLeod at Sucuri
  Black Friday & Cyber Monday Ecommerce Security Threats
  
  
• Taz Wake
  • Linux Incident Response – Buffer Overflow and ret2libc basics
  • Linux incident response – the readelf command
  • Linux Incident Response – Understanding Auditd
  • Linux Incident Response – The journal
  • Linux Incident Response – using the find command
    
    
• Christopher Conrad and Marcin Nawrocki at Netscout
  Anonymous Sudan
  
  
• Trend Micro
  • Threat Actors Leverage File-Sharing Service and Reverse Proxies for Credential Harvesting
  • Cerber Ransomware Exploits Atlassian Confluence Vulnerability CVE-2023-22518
    
    
• Melvin Langvik at TrustedSec
  The Triforce of Initial Access
  
  
• Quentin Olagne at Vectra
  Technical analysis: Barracuda Email Security Gateway by Quentin Olagne
  
  
• Lukas Stefanko at WeLiveSecurity
  Unlucky Kamran: Android malware spying on Urdu-speaking residents of Gilgit-Baltistan
  
  
• WeLiveSecurity
  Cyber threat intelligence: Getting on the front foot against adversaries
  

UPCOMING EVENTS

• Cellebrite
  Harnessing the Power of Advanced Extractions with Mobile Ultra
  
  
• Huntress
  Cybersecurity Horror Stories: Introducing Huntress MDR for Microsoft 365
  

PRESENTATIONS/PODCASTS

• Elan Wright at ‘DFIR Diva’
  Breaking Into DFIR: Is It Entry-Level? With Special Guest Jessica Hyde
  
  
• Adversary Universe Podcast
  Iran’s Rise from Nascent Threat Actor to Global Adversary
  
  
• Black Hills Information Security
  • Measuring Success in Your SOC w/Hayden Covington | 1-Hour
  • Talkin’ About Infosec News – 11/09/2023
  • Abusing Active Directory Certificate Services (Part 3)
  • Talkin’ About Infosec News – 11/10/2023
    
    
• Breaking Badness
  172. SolarWinds of Change
  
  
• c3rb3ru5d3d53c
  [70] Linux AI TTS Helper Script
  
  
• Cellebrite
  How to start using the PA Ultra Dashboard
  
  
• Digital Forensic Survival Podcast
  DFSP # 403 – Lateral Movement Kerberos Auth Events
  
  
• Hardly Adequate
  • Hardly a Week 45 November 6, 2023
  • Catching up with Si
    
    
• Huntress
  • Oct 2023 | Auto-Remediations
  • Oct 2023 | Microsoft 365 Bug Fixes
    
    
• InfoSec_Bret
  SA – SOC227 EventID: 189 (Microsoft SharePoint Server Elevation of Privilege – CVE-2023-29357)
  
  
• Intel471
  Cybercrime Exposed Podcast: The Extortionists
  
  
• John Hammond
  • they’re selling WHAT on Telegram?!?
  • How Hackers Hide From Memory Scanners
  • Hacking with Bloodhound: Map Your Environment
    
    
• Justin Tolman at AccessData
  • Create a Case in Forensic Toolkit (FTK)
  • Using FTK Connect to Search Case Automatically
    
    
• Karsten Hahn at Malware Analysis For Hedgehogs
  • Malware Analysis – ZPAQ to .NET downloader to Injector DLL unpacking
  • Malware Analysis – .NETReactor deobfuscation and configuration extraction of AgentTesla
    
    
• MSAB
  How to disable the Wasted App with XRY Pro?
  
  
• Sandfly Security
  BPFDoor Evasive Linux Backdoor and Malware Forensic Investigation Presentation
  
  
• Security Conversations
  Cisco Talos researcher Nick Biasini on chasing APTs, mercenary hackers
  
  
• The Cyber Mentor
  Master JSON in 8 Minutes
  

MALWARE

• Any.Run
  • Analyze Script Execution in ANY.RUN Using Script Tracer
  • Understanding interactive vs automated malware analysis sandboxes
    
    
• ASEC
  • Distribution of LockBit Ransomware and Vidar Infostealer Disguised as Resumes
  • Warning Against Phobos Ransomware Distributed via Vulnerable RDP
  • Phishing PDF Files Downloading Malicious Packages
  • [Kimsuky] Operation Covert Stalker
    
    
• Yehuda Gelb at Checkmarx Security
  Python Obfuscation Traps
  
  
• Elastic Security Labs
  Introducing the REF5961 intrusion set
  
  
• Matthew at Embee Research
  Unpacking Malware With Hardware Breakpoints – Cobalt Strike
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #164: Where’s my code? The case of missing function arguments
  
  
• Kelvin W
  GuLoader Malware Analysis: Technically Still a Noob Edition
  
  
• Jérôme Segura at Malwarebytes
  Malvertiser copies PC news site to deliver infostealer
  
  
• Maxime Thiebaut at NVISO Labs
  Generating IDA Type Information Libraries from Windows Type Libraries
  
  
• Squiblydoo.blog
  October 2023 SolarMarker
  
  
• Zhassulan Zhussupov
  Malware development trick – part 37: Enumerate process modules via VirtualQueryEx. Simple C++ example.
  

MISCELLANEOUS

• Abhiram Kumar
  Compiling Volatility for Windows
  
  
• Fabian Mendoza at AboutDFIR
  AboutDFIR Site Content Update – 11/10/2023
  
  
• Jonathan Tanner at Barracuda
  Malware 101: Signature evasion techniques
  
  
• Manny Kressel at Bitmindz
  PCIe 5.0 NVMe’s Launching Now – RCKTBX
  
  
• Doug Burks at Security Onion
  • Security Onion 2.4 Feature o’ the Day – Configure Elastic Fleet
  • 5-month End Of Life (EOL) reminder for Security Onion 2.3
  • Top 5 Reasons to Sign Up for our 4-day Security Onion Fundamentals for Analysts & Threat Hunters Class in December 2023
  • Security Onion 2.4 Feature o’ the Day – Configure Elasticsearch
  • Security Onion 2.4 Feature o’ the Day – Configure Firewall
  • Security Onion 2.4 Feature o’ the Day – Configure Global Settings
  • Security Onion 2.4 Feature o’ the Day – Configure Host Settings
    
    
• Doug Metz at Baker Street Forensics
  Installing REMnux on a MacBook Pro
  
  
• Forensic Focus
  • Solving Digital Evidence Challenges With Oxygen Forensics
  • ADF Solutions Elevates Digital Forensics With Private Server Cloud Platform
  • How To Use The Macroblocks Filter In Amped FIVE
  • Forensic Focus Digest, November 10 2023
  • Digital Forensics Round-Up, November 09 2023
  • Podcast #70 Recap: 2023 E-Crime Symposium: Cutting Edge Topics In Digital Forensics
    
    
• Digit Oktavianto at MII Cyber Security
  Lesson Learned From Dragos CTF 2023
  
  
• MITRE Engage™
  MITRE Engage™ Benefactor Program
  
  
• MobilEdit
  Introducing MOBILedit Academy!
  
  
• Oxygen Forensics
  • Top Questions to Ask When Purchasing Digital Forensic Software
  • VeraCrypt support in Oxygen Forensic® Detective
    
    
• Ryan McGeehan
  Lessons from the SEC’s Lawsuit against SolarWinds and Tim Brown
  
  
• Salvation DATA
  Expert Insights on Mobile Forensics Trends and Tools
  
  
• SANS
  Next Generation FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
  

SOFTWARE UPDATES

• Atola
  TaskForce 2023.10: now with RAID 6 support
  
  
• Brim
  v1.4.1
  
  
• Cellebrite
  Mobile Ultra: Advancing Digital Investigations in the Age of Evolving Technology
  
  
• Crowdstrike
  Falconpy Version 1.3.3
  
  
• Datadog Security Labs
  GuardDog v1.5.1
  
  
• Digital Sleuth
  winfor-salt v2023.30.9
  
  
• Joseph Avanzato
  Logboost
  
  
• Magnet Forensics
  Magnet OUTRIDER 4.1: New Officer Wellness Tools, MAG24 Hashing and Matching, and More
  
  
• MALCAT
  0.9.4 is out: Ubuntu 23 support, python 3.11 and magic masking
  
  
• Manabu Niseki
  Mihari v5.7.2
  
  
• OpenCTI
  5.11.13
  
  
• Sigma
  r2023-11-06
  
  
• Xways
  • X-Ways Forensics 20.9 SR-7
  • X-Ways Forensics 21.0 Beta 3
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!