As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Emi Polito at Amped
  Increase Exposure of Dark Footage
  
  
• Cyber Triage
  EDRs don’t collect all DFIR artifacts, but they can help you do it
  
  
• Derek Eiri
  In Search of Extraction Techniques for Pair-Locked iOS Devices
  
  
• Oleg Afonin at Elcomsoft
  • iOS Forensic Toolkit: Exploring the Linux Edition
  • Forensic Insights into Apple Watch Data Extraction
    
    
• Forensafe
  Investigating Android Viber
  
  
• Ian Whiffin at DoubleBlak
  BrowserState.db last_visited_time?
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (12/1/2023)
  
  
• Megan Roddie
  Dots do matter: Why dots in Gmail addresses impact Google Workspace investigations
  
  
• Salvation DATA
  How to Recover Deleted Video Files of a Specific Date?
  

THREAT INTELLIGENCE/HUNTING

• 0xdeaddood
  Impacket v0.11.0 Now Available
  
  
• Bill Stearns at Active Countermeasures
  Network Scanners
  
  
• Adam at Hexacorn
  File System artifacts for known security software
  
  
• Stefan Hostetler, Markus Neis, and Kyle Pagelow at Arctic Wolf
  Qlik Sense Exploited in Cactus Ransomware Campaign
  
  
• Francis Guibernau and Andrew Costis at AttackIQ
  Response to CISA Advisory (AA23-325A): #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability
  
  
• BI.Zone
  Rare Wolf preys on sensitive data using fake 1C:Enterprise invoices as lure
  
  
• Binary Defense
  Beyond Alerting: Finding Hidden Threats 
  
  
• Martin Zugec at Bitdefender
  Bitdefender Threat Debrief | November 2023
  
  
• Blackberry
  AeroBlade on the Hunt Targeting the U.S. Aerospace Industry
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2023-11-27 – TA577 pushes IcedID (Bokbot) variant
  • 2023-11-30 – DarkGate activity
  • 2023-11-29 – email –> JinxLoader –> Formbook/XLoader
    
    
• Cado Security
  How Good do you Want to be? 
  
  
• CERT Ukraine
  • “Повістка до суду”: чергова цільова атака UAC-0050 з використанням RemcosRAT (CERT-UA#8150)
  • Зведена інформація щодо діяльності угрупування UAC-0006 станом на 01.12.2023
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 25 Novembre – 1 Dicembre 2023
  
  
• Check Point
  • 27th November – Threat Intelligence Report
  • Unlocking the Power of MITRE ATT&CK: A Comprehensive Blog Series on Implementation Strategies for Incident Response Teams
    
    
• CISA
  • Exploitation of Unitronics PLCs used in Water and Wastewater Systems
  • IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities
    
    
• CrowdStrike
  IMPERIAL KITTEN Deploys Novel Malware Families in Middle East-Focused Operations
  
  
• CTF导航
  • The Art of Windows Persistence – HADESS
  • Malware analysis report: Stealc stealer – part 2
  • Mobile Malware Analysis Part 5 – Analyzing An Infected Device
  • APT-C-28（ScarCruft）组织针对韩国部署Chinotto组件的活动分析
    
    
• Cybereason
  THREAT ALERT: DJvu Variant Delivered by Loader Masquerading as Freeware
  
  
• Cyfirma
  Weekly Intelligence Report – 01 Dec 2023
  
  
• Embee Research
  • Identifying PrivateLoader Servers with Censys
  • Building Threat Intel Queries Utilising Regex and TLS Certificates – (BianLian)
  • Advanced Threat Intel Queries – Catching 83 Qakbot Servers with Regex, Censys and TLS Certificates
    
    
• Falco
  Blog: Using Falco to Create Custom Identity Detections
  
  
• Tim Berghoff at G Data
  Cobalt Strike: Looking for the Beacon
  
  
• GreyNoise
  CVE-2023-49103: ownCloud Critical Vulnerability Quickly Exploited in the Wild
  
  
• Ron Bowes at GreyNoise Labs
  Details and Caveats for ownCloud information disclosure (CVE-2023-49103)
  
  
• Hackopia
  Initial Access Brokers and Cyber Threat Intelligence
  
  
• Haircutfish
  TryHackMe Wireshark:Traffic Analysis — Task 5 Tunneling Traffic: DNS and ICMP & Task 6 Cleartext…
  
  
• Human Security
  HUMAN Satori Threat Intelligence Alert: Account Takeover Attacks Use ScrubCrypt to Deploy RedLine Stealer Malware
  
  
• Huntress
  • Can’t Touch This: Data Exfiltration via Finger
  • MFT Exploitation and Adversary Operations
    
    
• Infoblox
  DNS Early Detection – ROMCOM
  
  
• William MacArthur at InQuest
  Threat Sequencing from the Darkside
  
  
• Kostas
  Behind the Scenes: The Daily Grind of Threat Hunter
  
  
• Bert-Jan Pals at KQL Query
  From Threat Report to (KQL) Hunting Query
  
  
• Land of Jacob’s Musings
  YARA and Me: Contributing to YARA’s Upcoming Release
  
  
• Bill Cozens at Malwarebytes
  Ransomware gangs and Living Off the Land (LOTL) attacks: A deep dive
  
  
• Lauren Parker at MITRE-Engenuity
  Attack Flow for Turla
  
  
• Mostafa Yahia
  Hunting for AMSI Bypassing methods
  
  
• Obsidian Security
  Detecting AiTM Phishing Sites with Fuzzy Hashing
  
  
• Red Canary
  Intelligence Insights: November 2023
  
  
• Salim Salimov
  Hunting Malware in Sysmon Log with Splunk
  
  
• SANS Internet Storm Center
  • Scans for ownCloud Vulnerability (CVE-2023-49103), (Mon, Nov 27th)
  • Decoding the Patterns: Analyzing DShield Honeypot Activity [Guest Diary], (Mon, Nov 27th)
  • Pro Russian Attackers Scanning for Sharepoint Servers to Exploit CVE-2023-29357, (Tue, Nov 28th)
  • Prophetic Post by Intern on CVE-2023-1389 Foreshadows Mirai Botnet Expansion Today, (Thu, Nov 30th)
    
    
• Securelist
  • IT threat evolution in Q3 2023. Mobile statistics
  • IT threat evolution Q3 2023
  • IT threat evolution in Q3 2023. Non-mobile statistics
    
    
• SentinelOne
  • Leveraging the Law, Exposing Incriminating Data and Other New Tactics in Cyber Extortion
  • Iran-Backed Cyber Av3ngers Escalates Campaigns Against U.S. Critical Infrastructure
    
    
• Sophos
  • The Dark Side of AI: Large-Scale Scam Campaigns Made Possible by Generative AI
  • Cybercriminals can’t agree on GPTs
    
    
• Cody Thomas at SpecterOps
  Mythic v3.2 Highlights: Interactive Tasking, Push C2, and Dynamic File Browser
  
  
• Stephan Wolfert
  Detecting Resource-Based Constrained Delegation Abuse
  
  
• Sygnia
  Why Monitoring Monitors Is the Key to Cyber Threat Resilience
  
  
• Tamara Chacon at Splunk
  • Parsing Domains with URL Toolbox (Just Like House Slytherin)
  • Detecting Dubious Domains with Levenshtein, Shannon & URL Toolbox
    
    
• Taz Wake
  • DFIR Memory Analysis – Comparing Windows & Linux
  • Incident Response – More on the Windows PEB
  • Exploring the Power of the ls Command in Linux
  • GDB for incident responders – an overview
  • Incident Response – Use CRM principles
    
    
• John Scott-Railton, Bill Marczak, Bahr Abdul Razzak, Siena Anstis, and Ron Deibert at The Citizen Lab
  Spyware Targeting Against Serbian Civil Society
  
  
• Alexandre Mundo and Max Kersten at Trellix
  Akira Ransomware
  

UPCOMING EVENTS

• Belkasoft
  Webinar: Digital Triage with Belkasoft T
  
  
• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2023-12-04
  
  
• Huntress
  Part 2: Smooth Talking: Tackling Objections
  
  
• Magnet Forensics
  • Top Cyber Threats to Financial Services & How to Rapidly Investigate with Digital Forensic Solutions
  • Duty to Preserve, but How?
  • What’s New in Magnet REVIEW 5.3
    

PRESENTATIONS/PODCASTS

• Adversary Universe Podcast
  Data Extortion Dethrones Ransomware as the Threat to Watch
  
  
• Alexis Brignoni
  Digital Forensics Now Podcast -Episode 7
  
  
• Black Hills Information Security
  • DevOps for Red Team Initial Access Operations w/ Joff Thyer
  • Talkin’ About Infosec News – 11/30/2023
    
    
• BlueMonkey 4n6
  TX1 firmware update 23.4 detects Android and iOS phones – backup feature
  
  
• Breaking Badness
  Breaking Badness Book Club #1
  
  
• Cisco’s Talos
  What is threat hunting?
  
  
• CYBERWOX
  AWS DFIR – Investigating a Compromised AWS Environment
  
  
• Digital Forensic Survival Podcast
  DFSP # 406 – All the BIN Directories
  
  
• Hardly Adequate
  Hardly a Week 48 November 27, 2023
  
  
• Huntress
  • Investigating macOS Malware Using Open Source Tools
  • The Importance of Crash Reports
    
    
• HuskyHacks
  I, Too, Stole a Microsoft 365 Account. Here’s How. (Stealing Access Tokens from Office Desktop Apps)
  
  
• Intel471
  Mandiant’s CTO: A Bad Year for Ransomware and Extortion
  
  
• John Hammond
  Incident Response: Azure Log Analysis
  
  
• Justin Tolman at AccessData
  Changing the Evidence location in FTK
  
  
• Magnet Forensics
  • Magnet REVIEW 5 3 Walkthrough
  • Magnet AUTOMATE for Internal Investigations, IR, and eDiscovery
    
    
• Microsoft Threat Intelligence Podcast
  Threat Landscape with Wes Drone
  
  
• MSAB
  Date and Time Stamps in XAMN Pro
  
  
• OALabs
  How To Recognize Macro Encrypted Strings in Malware
  
  
• Paraben Corporation
  Google Takeout Parsing Series 1
  
  
• SANS Cloud Security
  Hands On Workshop Building Better Detections AWS Edition
  
  
• Paolo Dal Checco at Studio d’Informatica Forense
  Prevenzione e analisi forense degli attacchi Man in The Mail tramite DKIM, DMARC ed SPF
  

MALWARE

• Any.Run
  • RisePro Malware Analysis: Exploring C2 Communication of a New Version
  • 5 malware threats we discovered in the wild in November 2023
    
    
• ASEC
  • Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604)
  • Kimsuky Targets South Korean Research Institutes with Fake Import Declaration
  • Personal Information Sales Used as Bait to Distribute Malware
    
    
• Ashley Shen and Chetan Raghuprasad at Cisco’s Talos
  New SugarGh0st RAT targets Uzbekistan government and South Korea
  
  
• Matthew at Embee Research
  • Ghidra Basics – Cross References From Imported Functions
  • Ghidra Basics – Manual Shellcode Analysis and Locating Function Calls
    
    
• Cara Lin at Fortinet
  GoTitan Botnet – Ongoing Exploitation on Apache ActiveMQ
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #167: Adding and splitting segments
  
  
• InfoSec Write-ups
  • Unmasking NJRAT: A Deep Dive into a Notorious Remote Access Trojan Part2
  • Unfolding Remcos RAT- 4.9.2 Pro
    
    
• Nicole Fishbein at Intezer
  WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel
  
  
• Arunkumar at K7 Labs
  Uncovering the “Serpent”
  
  
• Mike Hunhoff, Moritz Raabe, Willi Ballenthin, and Tina Johnson at Mandiant
  Improving FLARE’s Malware Analysis Tools at Google Summer of Code 2023
  
  
• Microsoft Security
  Diamond Sleet supply chain compromise distributes a modified CyberLink installer
  
  
• Mohammed Salah
  LockBit Unpacked P.1: Fundamentals of Basic Static Analysis
  
  
• Mostafa Farghaly
  Deep Analysis of Vidar Stealer
  
  
• Chema Garcia at Palo Alto Networks
  New Tool Set Found Used Against Organizations in the Middle East, Africa and the US
  
  
• Patrick Wardle at Objective-See
  It’s Turtles All The Way Down
  
  
• Ben Martin at Sucuri
  Skimming Credit Cards with WebSockets
  
  
• Tommy Dong and Yuanjing Guo at Symantec Enterprise
  Spyware Employs Various Obfuscation Techniques to Bypass Static Analysis
  
  
• Raymond Chen at The Old New Thing
  • Why does the Windows Portable Executable (PE) format have separate tables for import names and import addresses?, part 1
  • Why does the Windows Portable Executable (PE) format have separate tables for import names and import addresses?, part 2
    
    
• Zhassulan Zhussupov
  Malware and cryptography 22: encrypt/decrypt payload via XTEA. Simple C++ example.
  
  
• Aazim Bill SE Yaswant and Vishnu Pratapagiri at Zimperium
  Unveiling the Persisting Threat: Iranian Mobile Banking Malware Campaign Extends Its Reach
  

MISCELLANEOUS

• Fabian Mendoza at AboutDFIR
  AboutDFIR Site Content Update – 12/01/2023
  
  
• Jonathan Tanner at Barracuda
  Malware 101: File system evasion — memory-only and registry-resident
  
  
• Belkasoft
  Whitepaper: Cyber Incident Response with Belkasoft X
  
  
• Cado Security
  Navigating the Cloud: The Art of Digital Forensics and Incident Response in Google Cloud Platform (GCP)
  
  
• Cellebrite
  • Targeted Collections: Balancing Legal Precision and Data Privacy
  • Supercharge Your Investigations with Mobile Ultra
    
    
• Dominique Calder and A’zariya Daniels at Hexordia
  BGIC REFRESH SUMMIT 23
  
  
• Doug Burks at Security Onion
  • Security Onion 2.4 Feature o’ the Day – Configure Nginx
  • Security Onion 2.4 Feature o’ the Day – Configure NTP
  • Security Onion 2.4 Feature o’ the Day – Configure OS Updates
  • Security Onion 2.4 Feature o’ the Day – Configure Packet Capture
  • Security Onion 2.4 Feature o’ the Day – Configure Playbook
    
    
• Elan at DFIR Diva
  • My Experience with Kase Scenarios: Immersive OSINT Training
  • Free & Affordable Training News Monthly: Nov-Dec, 2023
  • Walkthrough: Kase Scenarios – The Vanishing of Rosie Parker
    
    
• Forensic Focus
  • Mike Bates, Technical Sales Engineer, Detego Global
  • UPCOMING WEBINAR – Unlocking Digital Clues: Enhancing Investigations Through Social Media Intelligence
  • Hacking Your Future: Education Choices For A Cybersecurity Career
  • Digital Forensics Round-Up, November 30 2023
    
    
• Jay Jay Davey
  An Effective Junior SOC Analyst
  
  
• Magnet Forensics
  • Magnet REVIEW 5.3: Review All Your Evidence Together
  • Magnet REVIEW 5.3: Cross Evidence Views, All-New Case Dashboard, and Much More
    
    
• Michael Haag
  ASRGEN: Simplifying Attack Surface Reduction
  
  
• Ian Briley at Red Siege Information Security
  Reject Passwords, Return to (Security) Keys
  

SOFTWARE UPDATES

• Airbus Cybersecurity
  IRIS-Web v2.3.5
  
  
• Alexis Brignoni
  ALEAPP v3.1.9
  
  
• Canadian Centre for Cyber Security
  Assemblyline Release 4.4.0.81
  
  
• Joe St Sauver at DomainTools
  New Improvements to dnsdbq
  
  
• Doug Burks at Security Onion
  Security Onion 2.3.280 now available including several updated components!
  
  
• Elcomsoft
  Elcomsoft iOS Forensic Toolkit 8.50 expands capabilities for Linux users and legacy devices
  
  
• IsoBuster
  IsoBuster 5.3 beta released
  
  
• MISP
  MISP 2.4.179 released with a host of improvements a security fix and some new tooling.
  
  
• Xways
  X-Ways Forensics 21.0 Beta 5
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!