As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Me with contributions from Andrew Skatoff and Zach Stanford and hopefully others.
  The RULER Project
- Adam at Hexacorn
  The world of partially downloaded files…
- Belkasoft
  Forensic Duel: Exploring Deleted WhatsApp Messages—iOS vs Android
- Cado Security
  Abstracting Cloud Complexity With Cado’s New Import UI
- Emi Polito at Amped
  Enhance and Optimize Facial Detail
- Felix Guyard at ForensicXlab
  📦 Volatility3 : Alternate Data Stream Scan
- Forensafe
  Investigating Android Gmail
- Inginformatico
- Josh Lemon
  File Timestamps for NTFS on macOS using Mountly
- Invictus Incident Response
  A Defender’s Guide to GraphRunner — Part II
- Mattia Epifani at Zena Forensics
  iOS 15 Image Forensics Analysis and Tools Comparison – Browsers, Mail Clients, and Productivity apps
- Ramo J at Open Source DFIR
  GRR On The Command Line With GRRShell
- Yarden Shafir at Trail of Bits
  ETW internals for security research and forensics
THREAT INTELLIGENCE/HUNTING
- 4n6lady
  FREE Security Incident Response Series on AWS Skillbuilder
- Adam Goss
  Python Threat Hunting Tools: Part 12 — MISP and CrowdStrike Falcon Integration
- Akamai
- Allan Liska at ‘Ransomware Sommelier’
  Okay, Fine Let’s Talk About Scattered Spider
- John Althouse at APNIC
  JA4+ network fingerprinting
- AttackIQ
- BI Zone
  Introducing our newest research “The seven faces of darkness”
- Brad Duncan at Malware Traffic Analysis
- CERT-AGID
  Summary of malicious campaigns in the week of 18 – 24 November 2023 (original title: Sintesi riepilogativa delle campagne malevole nella settimana del 18 – 24 Novembre 2023)
- Check Point
- CISA
  #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE-2023-4966 Citrix Bleed Vulnerability
- Dylan Duncan at Cofense
  Are DarkGate and PikaBot the new QakBot?
- Cybereason
  THREAT ALERT: INC Ransomware
- Cyfirma
  Weekly Intelligence Report – 24 Nov 2023
- EclecticIQ
  Sandworm Targets Ukraine’s Critical Infrastructure; Overlooked AI Privacy Challenges
- Esentire
- Flare
  Threat Spotlight: Data Extortion Ransomware: Key Trends in 2023
- Huntress
  Navigating the SMB Threat Landscape: Key Insights from Huntress’ SMB Threat Report
- InfoSec Write-ups
  Exploring Antivirus and EDR evasion techniques step-by-step. Part 3
- Intel471
  Actor yalishanda: A snapshot of a prolific bulletproof hoster
- Joshua Penny
  Infrastructure Analysis: LockBit 3.0
- KELA Cyber Threat Intelligence
  Uncovering Your Adversaries with KELA’s Threat Actors Hub
- Kroll
  Free Template: MITRE ATT&CK Detection Maturity Assessment & Guide
- Simon Marechal at Synacktiv
  Pcapan: a PCAP analysis helper
- Marcus Edmondson at ‘The Threat Hunter’s Dilemma’
  Threat Hunting Lab 1 – Answers
- Microsoft Security
  Social engineering attacks lure Indian users to install Android banking trojans
- Andrea Fisher at Microsoft Security Insights Show
  Using KQL in a Playbook for Sentinel
- Nasreddine Bencherchali
  SigmaHQ Rules Release Highlights — r2023–11–20
- Alex Jessop at NCC Group
  Is this the real life? Is this just fantasy? Caught in a landslide, NoEscape from NCC Group
- Paul Hager at Nextron Systems
  Supercharging Postfix With THOR Thunderstorm
- NIS and NCSC
  DPRK state-linked cyber actors conduct software supply chain attacks
- Palo Alto Networks
  Hacking Employers and Seeking Employment: Two Job-Related Campaigns Bear Hallmarks of North Korean Threat Actors
- Penetration Testing Lab
  Persistence – Scheduled Task Tampering
- Rapid7
  Sigma In Velociraptor
- Red Alert
  2023 The First Half Activities Summary of Ransomware Threat Actors (ENG)
- James Xiang at ReliaQuest
  Scattered Spider Attack Analysis
- SANS
- SANS Internet Storm Center
- Sekoia
  Unmasking the latest trends of the Financial Cyber Threat Landscape
- SOCRadar
  APT Profile: Volt Typhoon
- Tamara Chacon at Splunk
  Using RegEx for Threat Hunting (It’s Not Gibberish, We Promise!)
- Taz Wake
- Satnam Narang at Tenable
  Frequently Asked Questions for CitrixBleed (CVE-2023-4966)
- Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll and Vinoo Thomas at Trellix
  The Continued Evolution of the DarkGate Malware-as-a-Service
- Trend Micro
- Joseliyo Sánchez at VirusTotal
  Actionable Threat Intel (VI) – A day in a Threat Hunter’s life
- Radek Jizba at WeLiveSecurity
  Telekopye: Chamber of Neanderthals’ secrets
- Wiz
- Zolder B.V.
  Storm-1575 platform used to target cybersecurity experts
UPCOMING EVENTS
- Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2023-11-27
- Cellebrite
  Harnessing the Power of Advanced Extractions with Mobile Ultra
- Magnet Forensics
  Magnet AUTOMATE for Internal Investigations, IR, and eDiscovery
- SANS
  Cyber Warfare Frontlines: Unveiling the Digital Battlefield with Jake Williams
PRESENTATIONS/PODCASTS
- AhmedS Kasmani
- Ali Hadi
  Cyber Security Lab Basics – Installing EDR in Malware Development Lab
- AT&T
  United We Defend | AT&T Secure Connections 2023
- Black Hills Information Security
  Talkin’ About Infosec News – 11/22/2023
- Cellebrite
- CYBERWOX
- Digital Forensic Survival Podcast
  DFSP # 405 – Werfault Attacks
- Dr Josh Stroschein
  Investigating a Password-Protected Zip Archive – Exploring Brute-forcing Tools & 7-Zip
- Hardly Adequate
  Hardly a Week 47 November 23, 2023
- InfoSec_Bret
  IR - SOC108-179 – Malicious Remote Access Software Detected
- Insane Forensics
  Cybersecurity Training and Certifications: From Free to $$
- John Hammond
  How Hackers Compromise Other Users
- Justin Tolman at AccessData
- Magnet Forensics
  Keeping Up With the Changing Cybersecurity Landscape using Magnet IGNITE and YARA Rules
- Matt Green
  Velociraptor DEATHcon 2023
- Microsoft
  New Era Threat Actor: A Year Battling Octo Tempest | BRK266
- MSAB
  How to use Full File System Consent extractions in XRY?
- RickCenOT
  PWN’ing a Moxa NPort W2150A ICS/OT server with OS Command Injection and establishing a backdoor
- SANS Cyber Defense
  Threat Detection Trends 2023
- The Cyber Mentor
  The Future of EDR, SIEM & Threat Hunting is FREE
MALWARE
- Alberto Marín at Outpost24
  Unveiling LummaC2 stealer’s novel Anti-Sandbox technique: Leveraging trigonometry for human behavior detection
- Any.Run
  XWorm Malware: Exploring C&C Communication
- ASEC
- CTF导航
  Analysis of the APT-C-35 (Donot Team) remote-control attack campaign using RemcosRAT (original title: APT-C-35(肚脑虫)利用RemcosRAT远控攻击活动分析)
- Matthew at Embee Research
- Cara Lin at Fortinet
  Konni Campaign Distributed Via Malicious Document
- Hex Rays
- InfoSec Write-ups
- OALABS Research
  PikaBot Is Back With a Vengeance – Part 2
- Mohammad Amr Khan at Pulsedive
  Analyzing DarkGate Loaders
- Suraj Mundalik at Qualys
  Unveiling the Deceptive Dance: Phobos Ransomware Masquerading As VX-Underground
- RussianPanda
  MetaStealer – Redline’s Doppelgänger
- Securelist
  HrServ – Previously unknown web shell used in APT attack
- Anna Lvova at G Data
  New “Agent Tesla” Variant: Unusual “ZPAQ” Archive Format Delivers Malware
- Sekoia
  DarkGate Internals
MISCELLANEOUS
- Fabian Mendoza at AboutDFIR
  AboutDFIR Site Content Update – 11/24/2023
- Kushalveer Singh Bachchas at AT&T Cybersecurity
  How to perform basic digital forensics on a Windows computer
- Belkasoft
  Black Friday Deal: Save 67% On Training Course Bundles
- Doug Burks at Security Onion
- Elan at DFIR Diva
  Free & Affordable Training News: Black Friday 2023 Edition
- Elastic Security Labs
  Streamlining ES|QL Query and Rule Validation: Integrating with GitHub CI
- Forensic Focus
- InfoSec Write-ups
  Automating Splunk Infrastructure Buildout with Ansible
- Oxygen Forensics
  Collaborate Your Way Forward
- Salvation DATA
  Sleuth Kit: Premier Digital Forensics Suite
- Alexandra Martin at VirusTotal
  The definitive VirusTotal’s admin guide
SOFTWARE UPDATES
- Crowdstrike
  Falconpy Version 1.3.4
- Didier Stevens
  Update: 1768.py Version 0.0.20
- Digital Sleuth
  winfor-salt v2023.32.3
- Doug Burks at Security Onion
  Security Onion 2.4.30 Hotfix 20231121 Now Available!
- Doug Metz at Baker Street Forensics
  Ginsu: A tool for repackaging large collections to traverse Windows Defender Live Response
- Eilay Yosfan
  ForensicMiner
- ExifTool
  ExifTool 12.70 (production release)
- Jeffrey Lyon
  AWS Kill Switch
- Manabu Niseki
  Mihari v6.1.0
- Mazars Tech
  AD_Miner v0.6.0
- Martin Willing
  MemProcFS-Analyzer v1.0
- Metaspike
  Forensic Email Intelligence – v2.1.13.3
- SigmaHQ
  pySigma v0.10.9
- Mark Baggett
  Srum-Dump – Version 2.6 Bloodier Sport
- Rapid7
  Velociraptor 0.7.1 Release
- WithSecure Labs
  Chainsaw v2.8.1
- X-Ways
  X-Ways Forensics 21.0 Beta 4
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!