As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Abrar Hussain
  Small Things Matter in DFIR#1: Persistence without Privileges!
  
  
• Belkasoft
  How to Efficiently Triage Digital Evidence with Belkasoft T
  
  
• CCL Solutions
  What makes epoch timestamps tick?
  
  
• Cellebrite
  The Pitfalls of Relying on iTunes Backups for Investigations
  
  
• Fabio Poloni at Compass Security
  Exposing the Scammers: Unmasking the Elaborate Job Offering Scam
  
  
• Digital Daniela
  Investigating Traffic With Splunk!
  
  
• Emi Polito at Amped
  Separate a Fingerprint from the Background
  
  
• Shanna at Fancy Forensics
  Long story short, Persistence
  
  
• Forensafe
  Solving Cellebrite’s September 2023 CTF (Sharon’s Android device) Using ArtiFast
  
  
• Forensic Science International: Digital Investigation
  Forensic Science International: Digital Investigation – Volume 47, December 2023
  
  
• Naufal Arkaan at MII Cyber Security
  CAPA for Triage Malware Analysis
  
  
• Mohammed AlAqeel (AlJawarneh)
  DFIR/DTR Tip:- File history Value for Forensic Team
  
  
• The DFIR Report
  SQL Brute Force leads to Bluesky Ransomware
  
  
• Vikas Singh
  AWS CloudTrail Forensics – HTB Nubilum-1
  

THREAT INTELLIGENCE/HUNTING

• Antonio Formato
  Introducing TI Mindmap GPT
  
  
• Francis Guibernau at AttackIQ
  Response to CISA Advisory (AA23-339A): Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2023-12-05 – Loader –> Unidentified malware
  • 2023-12-07 – DarkGate activity
    
    
• BushidoToken
  Cybercriminals Leverage Hijacked Booking.com accounts for Phishing
  
  
• Cado Security
  • P2Pinfect – New Variant Targets MIPS Devices
  • New Features in Cloudgrep: Yara Rules, JSON Output and Log Parsing
  • Empowering Incident Response in GCP: Cado’s GCP Cheat Sheet
  • Cloudypots: Our Latest Method for Uncovering Novel Attack Techniques
  • Adopting a Proactive Approach to Cloud Incident Response with Cado
    
    
• CERT Ukraine
  Масова кібератака UAC-0050 з використанням RemcosRAT/MeduzaStealer у відношенні України та Польщі (CERT-UA#8218)
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 2 – 9 Dicembre 2023
  
  
• Check Point
  • 4th December – Threat Intelligence Report
  • Check Point Research Report: Iranian Hacktivist Proxies Escalate Activities Beyond Israel
    
    
• CISA
  • Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers
  • Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns
    
    
• Cisco’s Talos
  • Project PowerUp – Helping to keep the lights on in Ukraine in the face of electronic warfare
  • The malware, attacker trends and more that shaped the threat landscape in 2023
    
    
• CTF导航
  疑似Lazarus（APT-Q-1）涉及npm包供应链的攻击样本分析
  
  
• Curated Intelligence
  Curated Intel Threat Report: Multi Platforms Credit Card Information Harvesting Campaign
  
  
• Andy Thompson at CyberArk
  Why Ransomware Actors Abuse Legitimate Software
  
  
• Cyberdom
  • Spotting the Adversary with Microsoft Defender for Identity
  • Unmasking the Shadows: The Art of Threat Hunting in Defender for Identity
    
    
• Cyfirma
  Weekly Intelligence Report – 8 Dec 2023
  
  
• Deep Instinct
  • MuddyWater eN-Able spear-phishing with new TTPs
  • MuddyC2Go – Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel
    
    
• DomainTools
  Merry Phishmas: Beware US Postal Service Phishing During the Holidays
  
  
• Doug Metz at Magnet Forensics
  How To Run Remote Triage Collections on Quarantined Endpoints
  
  
• Dragos
  • Lundin Mining’s Cybersecurity Success: Key Takeaways
  • The Dragos Community Defense Program Helps Secure Industrial Infrastructure for Small Utilities
  • Cyber Av3ngers Hacktivist Group Targeting Israel-Made OT Devices
    
    
• Esentire
  • DanaBot’s Latest Move: Deploying IcedID
  • Citrix Bleed Vulnerability: A Gateway to LockBit Ransomware
    
    
• Tafara Muwandi at F5 Labs
  Fake Account Creation Bots – Part 4
  
  
• Flare
  STIX & TAXII Threat Intelligence: A Quick Guide
  
  
• Flashpoint
  COURT DOC: Two Russian Nationals Working with Russia’s Federal Security Service Charged with Global Computer Intrusion Campaign
  
  
• G0njxa
  • Approaching stealers devs : a brief interview with Amadey
  • Approaching stealers devs : a brief interview with StealC
  • Approaching stealers devs : a brief interview with Meta
    
    
• GreyNoise Labs
  • The Forgotten ownCloud vulnerability (CVE-2023-49105)
  • Don’t Leave Me on Read: The Efficacy of Dynamic Honeypots for Novel Exploitation Discovery
    
    
• Joe Slowik at Huntress
  Exploring the Value of Indicators In Small Business Defense
  
  
• Darren Spruell, Nick Chalard, and William MacArthur at InQuest
  InQuest Presents “The Twelve Days of Maliciousness”
  
  
• Intel471
  Deck the Halls with Caution: Four Festive Cyber Threats to Look Out for This Season
  
  
• Kevin Beaumont at DoublePulsar
  Tracking Russia’s NoName057[16] attempts to DDoS UK public services
  
  
• Konrad Kaluzny
  • Detection Tips 1, and 2 Valid Account Abuse in Azure Logs
  • Detection Tips 3, and 4 How to spot potential RDP account abuse?
  • Detection Tips 5, and 6 Azure embedded functions and merging data from multiple tables
  • Detection Tips 7, and 8 Lateral movement: Remote Scheduled tasks precise threat actors weapon
    
    
• Anish Bogati at Logpoint
  Decoding the Threat: HTML Smuggling Detection Essentials
  
  
• Mehmet Ergene
  A Deep Dive into the KQL Union Operator
  
  
• Merill
  Check out @merill’s tweet
  
  
• Michael Koczwara
  Hunting Malicious Infrastructure-Headers and Hardcoded/Static Strings
  
  
• Microsoft Security
  • Star Blizzard increases sophistication and evasion in ongoing attacks
  • Microsoft Incident Response lessons on preventing cloud identity compromise
  • The Microsoft Security Experts Discussion Space: Your Gateway to Knowledge Sharing
    
    
• Monty Security
  Hunting Volt Typhoon TTPs
  
  
• Nasreddine Bencherchali
  SigmaHQ Rules Release Highlights — r2023–12–04
  
  
• Obsidian Security
  Navigating SaaS Security in the Financial Sector
  
  
• Palo Alto Networks
  Fighting Ursa Aka APT28: Illuminating a Covert Campaign
  
  
• Proofpoint
  TA422’s Dedicated Exploitation Loop—the Same Week After Week 
  
  
• PwC
  The Tortoise and The Malwahare
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, September 2023 (ENG)
  
  
• Thomas Gardner and Cody Betsworth at Red Canary
  By the same token: How adversaries infiltrate AWS cloud accounts
  
  
• ReliaQuest
  ALPHV Ransomware Site Outage: What We Know So Far
  
  
• Megan Roddie-Fonseca at SANS
  MITRE’s Updated ATT&CK Framework: What Cloud Defenders Need to Know
  
  
• SANS Internet Storm Center
  • Cobalt Strike’s “Runtime Configuration”, (Tue, Dec 5th)
  • Zarya Hacktivists: More than just Sharepoint., (Mon, Dec 4th)
  • Whose packet is it anyway: a new RFC for attribution of internet probes, (Wed, Dec 6th)
  • Revealing the Hidden Risks of QR Codes [Guest Diary], (Wed, Dec 6th)
    
    
• Dheeraj Kumar and Ella Dragun at Securonix
  Securonix Threat Labs Monthly Intelligence Insights – November 2023
  
  
• Sekoia
  When a Botnet Cries: Detecting Botnet Infection Chains
  
  
• Shyava Tripathi, Raghav Kapoor and Rohan Shah at Trellix
  Scanning Danger: Unmasking the Threats of Quishing
  
  
• Splunk
  • Unmasking the Enigma: A Historical Dive into the World of PlugX Malware
  • Reduce Operational Complexity with Splunk SOAR Logic Loops
    
    
• Sucuri
  • Common Website Hacking Techniques
  • 40 New Domains of Magecart Veteran ATMZOW Found in Google Tag Manager
    
    
• Jean-Francois Gobin at Truesec
  A case of the FAUST Ransomware
  
  
• Shatak Jain, Shivam Sharma,and Pradeep Mahato at ZScaler
  Recent DarkGate Activity & Trends
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2023-12-11
  
  
• Eclypsium
  Network Infrastructure in Ransomware’s Crosshairs: Addressing Supply Chain Threats
  
  
• Gerald Auger at Simply Cyber
  GraphRunner LIVE with Beau Bullock
  
  
• Magnet Forensics
  Magnet Virtual Summit 2024: The Virtual DFIR Event of the Year is Back in February!
  
  
• Recorded Future
  Ransomware Never Rests
  
  
• SANS
  Ed’s Whacky Winter Wonder Holiday Bonanza | Host: Ed Skoudis | December 12, 2023
  

PRESENTATIONS/PODCASTS

• ArcPoint Forensics
  • Day 1 of the 12 Days of DFIRmas w. Rob Fried
  • Day 2 of the 12 Days of DFIRmas w. Heather Mahalik Barnhart
    
    
• Black Hills Information Security
  • Talkin’ About Infosec News – 12/06/2023
  • Rapid Windows Endpoint Investigations with Velociraptor & KAPE w/ Patterson
  • OSINT for Incident Response (Part 1)
    
    
• Breaking Badness
  174. Pick Your DNS Cache Poison
  
  
• Cellebrite
  Cellebrite Pathfinder Assists in Consolidating & Analyzing Vast Data Sets for Law Enforcement
  
  
• Check Point
  Iran’s Most Advanced Cyber Attack Yet
  
  
• Cisco’s Talos
  Beers with Talos episode 141: The TurkeyLurkey Man wants YOU to read Talos’ Year in Review report
  
  
• Cyber Social Hub
  Barry Bonds and Digital Forensics: Privileged Documents and Efficient Review
  
  
• CYBERWOX
  Investigating Data Exfiltration in AWS Cloud
  
  
• Detection: Challenging Paradigms
  Episode 36: Chris Thompson
  
  
• Digital Forensic Survival Podcast
  DFSP # 407 – More About Lateral Movement and Kerberos
  
  
• Eclypsium
  BTS #18 – Defending Against Supply Chain Attacks – Bri Rolston
  
  
• Hacker Valley Blue
  Ransomware: How to Use AI to Create a Readiness Kit with Scott Sutherland
  
  
• Hardly Adequate
  Hardly a Week 49 December 6, 2023
  
  
• Huntress
  • macOS Malware Persistence
  • The Current State of Mac Malware
  • How Hackers Are “Blending In” to Evade Detection
    
    
• InfoSec_Bret
  IR -SOC216-170 – Suspicious MSI Installation
  
  
• Insane Forensics
  Volt Typhoon: Unpacking State Sponsored Living-Off-the-Land Attacks on Critical Infrastructure
  
  
• Intel471
  Cybercrime Exposed Podcast: Social Engineering
  
  
• John Hammond
  • Writing Custom Malware: Import Address Table Hooking
  • Digital Forensics with FTK Imager (TryHackMe Advent of Cyber Day 8)
    
    
• Magnet Forensics
  • An Overview of Magnet WITNESS
  • Magnet Virtual Summit 2024: The Virtual DFIR Event of the Year is Back!
  • What to Expect in the Magnet Virtual Summit CTF
    
    
• Malwarebytes
  Why a ransomware gang tattled on its victim, with Allan Liska: Lock and Code S04E24
  
  
• MSAB
  XRY and Python Scripts – #MSABMonday
  
  
• Nicolas Brulez at Hexorcist
  Unpacking and IDA Processor Training Course
  
  
• Paraben Corporation
  Ring Compliance Data Processing
  
  
• RickCenOT
  Breakdown “PWN’ing a Moxa NPort W2150A with OS Command Injection and establishing a backdoor”
  
  
• SentinelOne
  LABScon Replay | The Cyber Arm of China’s Soft Power: Reshaping a Continent
  
  
• The CyberWire
  On the hunt for popping up kernel drives.
  

MALWARE

• Alessandra Perotti
  ExeWho2 – A Tool from the Wild
  
  
• Alexander Tasse
  Blue Team Labs — “Malicious PowerShell Analysis”
  
  
• ASEC
  • Ransomware Attacks Using RDP as the Attack Vector (Detected by EDR)
  • AsyncRAT Distributed via WSF Script
  • Kimsuky Group Uses AutoIt to Create Malware (RftRAT, Amadey)
  • 2023 Oct – Threat Trend Report on APT Groups
  • 2023 Oct – Deep Web and Dark Web Threat Trend Report
  • 2023 Oct – Threat Trend Report on Kimsuky Group
  • 2023 Oct – Threat Trend Report on Ransomware Statistics and Major Issues
    
    
• Jonathan Tanner at Barracuda
  Malware 101: File system evasion — rootkits and bootkits
  
  
• Hendrik Eckardt at cyber.wtf
  The csharp-streamer RAT
  
  
• Elastic Security Labs
  Getting gooey with GULOADER: deobfuscating the downloader
  
  
• Matthew at Embee Research
  Ghidra Basics – Identifying, Decoding and Fixing Encrypted Strings
  
  
• Cara Lin at Fortinet
  MrAnon Stealer Spreads via Email with Fake Hotel Booking PDF
  
  
• Monty Security
  Stumbling Through an APK File
  
  
• OALABS Research
  DanaBot Triage
  
  
• PetiKVX
  • Chaos Ransomware family
  • Phobos Ransomware family VXUG version
    
    
• Phylum
  Encrypted npm Packages Found Targeting Major Financial Institution
  
  
• Securelist
  • BlueNoroff: new Trojan attacking macOS users
  • New macOS Trojan-Proxy piggybacking on cracked software
    
    
• Lukas Stefanko at WeLiveSecurity
  Beware of predatory fin(tech): Loan sharks use Android apps to reach new depths
  

MISCELLANEOUS

• Fabian Mendoza at AboutDFIR
  AboutDFIR Site Content Update – 12/08/2023
  
  
• Adam Goss
  Kraven Security Website Launch!
  
  
• Blaze’s Security Blog
  Fara: Faux YARA
  
  
• Censys
  Introducing Censys Search Solo
  
  
• Doug Burks at Security Onion
  • Security Onion 2.4 Feature o’ the Day – Configure Redis
  • Security Onion 2.4 Feature o’ the Day – Configure Sensor Settings
  • 4-month End Of Life (EOL) reminder for Security Onion 2.3
  • Security Onion 2.4 Feature o’ the Day – Configure Sensoroni
  • Security Onion 2.4 Feature o’ the Day – Configure SOC
  • Security Onion 2.4 Feature o’ the Day – Configure Soctopus and Sigma
    
    
• Forensic Focus
  • Investigating A Malware Attack Using Binalyze AIR’s Investigation Hub
  • Digital Forensics Round-Up, December 07 2023
  • Forensic Focus Digest, December 08 2023
    
    
• Kelvin W
  The Value of Cybersecurity Certifications
  
  
• Julien Legras and Mehdi Elyassa at Synacktiv
  Using ntdissector to extract secrets from ADAM NTDS files
  
  
• Mary Ellen Kennel
  • MaryEllen’s (@icanhaspii) Holiday Hack 2023 CheatSheet_v2.0
  • icanhaspii-CTF CheatSheet
    
    
• Nextron Systems
  Introducing the Nextron Community Discord Server
  

SOFTWARE UPDATES

• Airbus Cybersecurity
  IRIS-Web v2.3.6
  
  
• Amped
  Amped Authenticate Update 31646: Introducing the New Video Mode and the Renewed GUI
  
  
• Canadian Centre for Cyber Security
  Assemblyline Release 4.4.0.86
  
  
• Costas K
  • MFTBrowser.exe
  • JumplistBrowser
    
    
• Cyber Triage
  3.9 introduces our first incident-level analysis features!
  
  
• Digital Sleuth
  winfor-salt v2023.33.4
  
  
• Doug Burks at Security Onion
  Security Onion 2.4.30 Hotfix 20231204 Now Available!
  
  
• FalconForce
  Added new data processors and a source skip feature
  
  
• iLEAPP
  iLEAPP v1.18.8
  
  
• IntelOwl
  v5.2.1
  
  
• Magnet Forensics
  Introducting Magnet WITNESS
  
  
• Manabu Niseki
  Mihari v6.2.0
  
  
• Metaspike
  Forensic Email Intelligence 2.1.14 Release Notes
  
  
• OpenCTI
  5.12.4
  
  
• Oxygen Forensics
  Oxygen Forensic® KeyDiver – a decryption tool for computer partitions, files, and applications
  
  
• Passware
  Passware Kit Mobile 2024 v1 Now Available
  
  
• PuffyCid
  Artemis 0.6.2 – Released!
  
  
• Sigma
  r2023-12-04
  
  
• Google
  timesketch 20231206
  
  
• Xways
  • X-Ways Forensics 20.9 SR-7
  • X-Ways Forensics 21.0 Beta 7
    
    
• Yamato Security
  Hayabusa v2.11.0 🦅
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!