As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Cado Security
  Using the Unix-like Artifacts Collector and Cado Community Edition to Investigate a Compromised Linux System
  
  
• Brian P. Mohr
  Demystifying Log Collection in Azure: Navigating Windows and Linux Server Logging for Microsoft Sentinel
  
  
• Emi Polito at Amped
  Measure Speed from Surveillance Video
  
  
• Felix Guyard at ForensicXlab
  📦 Volatility3 : Import Address Table
  
  
• Forensafe
  Investigating Android Snapchat App
  
  
• Max Groot & Erik Schamper at Fox-IT
  Reverse, Reveal, Recover: Windows Defender Quarantine Forensics
  
  
• Magnet Forensics
  • I Spy With a Drone’s Little Eye: How to Access and Examine DJI Artifacts in Magnet AXIOM
  • Improve Investigation Accuracy With Higher Timestamp Resolution
    
    
• Nikunj
  Introduction to Windows Artifacts : Your Gateway to Effective Incident Response
  
  
• Salim Salimov
  A Hassle-Free EVTX to JSON Converter not only for Windows but Linux and Mac OS too
  
  
• Salvation DATA
  Hex Editor Neo Review: Comprehensive Analysis for 2023
  
  
• Suraj Yadav
  The Crime(Endpoint Forensics)
  
  
• System Weakness
  Wireshark investigation: Network Traffic Analysis
  

THREAT INTELLIGENCE/HUNTING

• Keith Chew at Active Countermeasures
  Malware of the Day – What Time Is It?
  
  
• Adam at Hexacorn
  Custom Install Path & portability issues
  
  
• Adam Goss
  The Importance of Clear Definitions in Threat Intelligence
  
  
• Jack Zalesskiy at Any.Run
  What are the most common methods cyber attackers use to infect a system with malware?
  
  
• Emma McGowan at Avast
  Avast Threat Report  shows humans are better targets that software
  
  
• Avast Threat Labs
  Opening a new front against DNS-based threats
  
  
• Avertium
  New Ransomware Strains – CACTUS and 3AM
  
  
• Eduardo Ortiz Pineda, Howard Irabor, Rodrigo Ferroni, and Scott Ward at AWS Security
  Four use cases for GuardDuty Malware Protection On-demand malware scan
  
  
• Silviu Stahie at Bitdefender
  North Korean Threat Actor Compromised Numerous Organizations in South Korea, Stole
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2023-12-12 – Brazil malspam leds to Astaroth (Guildma) infection
  • 2023-12-13 – Two AgentTesla infections (one FTP and one SMTP)
  • 2023-12-15 – TA577 Pikabot infection
    
    
• BushidoToken
  Top 10 Cyber Threats of 2023
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 09 – 15 Dicembre 2023
  
  
• Check Point
  • 11th December – Threat Intelligence Report
  • Unveiling the New Threats: Rhadamanthys v0.5.0 A Research Overview by Check Point Research (CPR)
  • Rhadamanthys v0.5.0 – a deep dive into the stealer’s components
    
    
• Yehuda Gelb at Checkmarx Security
  • How North Korea is Compromising Supply Chains
  • NPM Account Takeover Results in Crypto Supply Chain Attack
    
    
• CISA
  Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
  
  
• Cisco’s Talos
  • Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang
  • A personal Year in Review to round out 2023
  • Recommendations that defenders can use from Talos’ Year in Review Report
    
    
• Cyfirma
  Weekly Intelligence Report – 15 Dec 2023
  
  
• Deep Instinct
  Conti Group: An Inside Look
  
  
• Manuel Winkel at Deyda.net
  Checklist for NetScaler (Citrix ADC) CVE-2023-4966
  
  
• Dragos
  ELECTRUM Targeted Ukrainian Electric Entity Using Custom Tools and CaddyWiper Malware, October 2022
  
  
• Amey Gat, Mark Robson, John Simmons, Ken Evans, Jared Betts, Angelo Cris Deveraturda, Hongkei Chan and Jayesh Zala at Fortinet
  TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793
  
  
• FourCore
  • Rhysida Ransomware: History, TTPs and Adversary Emulation Plans
  • Threat-informed defense with LimaCharlie and FourCore ATTACK
    
    
• g0njxa
  Approaching stealers devs: Summary & refused talks.
  
  
• GreyNoise Labs
  • Talk-A-Blog: Apache Struts2 CVE-2023-50164, File Upload Vulnerability Analysis
  • If You’re Going to Spray My Exploit… (CVE-2022-41800)
    
    
• Jason Baker at GuidePoint Security
  GRIT Ransomware Report: November 2023
  
  
• Huntress
  • Orienting Intelligence Requirements to the Small Business Space
  • Curling for Data: A Dive into a Threat Actor’s Malicious TTPs
    
    
• Michael Zuckerman at Infoblox
  DNS for Early Detection – LAZARUS KANDYKORN
  
  
• Pierre Livet at Intrinsec
  Kerberos OPSEC: Offense & Detection Strategies for Red and Blue Team – Introduction
  
  
• Alanna Titterington at Kaspersky Lab
  Malicious browser extensions in 2023 | Kaspersky official blog
  
  
• KELA Cyber Threat Intelligence
  • Revealing Corporate Vulnerabilities: Understanding How Threat Actors Breach and Exploit Your Data
  • 5 Questions (and Answers) About the Kyivstar Attack
    
    
• Koen Van Impe at MISP
  Current state of the MISP playbooks
  
  
• Lab52
  Mustang Panda’s PlugX new variant targetting Taiwanese government and diplomats
  
  
• Lumen
  Routers Roasting on an Open Firewall: the KV-botnet Investigation
  
  
• Malwarebytes
  • Ransomware review: December 2023
  • ALPHV ransomware gang returns, sorta
    
    
• Mandiant
  • FLOSS for Gophers and Crabs: Extracting Strings from Go and Rust Executables
  • Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors
    
    
• Microsoft Security
  • Threat actors misuse OAuth applications to automate financially driven attacks
  • Investigating malicious OAuth applications using the Unified Audit Log
    
    
• MITRE-Engenuity
  • Advancing Threat-Informed Defense Together
  • Understanding the Connection: Cybersecurity Events and MITRE ATT&CK®
    
    
• Michael Gorelik at Morphisec
  Responding to CitrixBleed (CVE-2023-4966): Key Takeaways from Affected Companies
  
  
• Nik Alleyne at ‘Security Nik’
  • Beginning Nikto – File Upload Vulnerability testing
  • Beginning Nikto – SQL Injection with default evasion
  • Beginning Nikto – Command Execution / Remote Shell
  • Beginning Nikto – Remote File Retrieval with evasion type 4 -> Prepend long random string
  • Beginning Nikto – Injection (XSS/Script/HTML) – with evasion type 3 -> Premature URL ending
  • Beginning Nikto – Information Disclosure with evasion type 2 -> Directory self-reference (/./)
  • Beginning Nikto – Misconfiguration / Default File – with evasion type 1 -> Random URI encoding (non-UTF8)
  • Beginning Nikto – Scanning for interesting files seen in the logs
    
    
• Nisos
  Investigation: Probable DPRK Online Personas Used To Fraudulently Obtain Remote Employment at U.S. Companies
  
  
• Dimitris Binichakis at NVISO Labs
  Scaling your threat hunting operations with CrowdStrike and PSFalcon
  
  
• Janos Szurdi, Shehroze Farooqi and Nabeel Mohamed at Palo Alto Networks
  Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains
  
  
• Phylum
  Ledger npm Repo Breached in Spear Phishing Attack
  
  
• Kelsey Merriman, Selena Larson, And Xavier Chambrier at Proofpoint
  Security Brief: TA4557 Targets Recruiters Directly via Email   
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, October 2023 (KOR)
  
  
• Laura Brosnan at Red Canary
  Diary of a Detection Engineer: Blown to BITSAdmin
  
  
• Todd Thiemann at ReliaQuest
  • Detection 101: Top 5 Detection Data Sources
  • Detection 101: Top Detections for Malware and Ransomware
    
    
• Resecurity
  Exposing the Cyber-Extortion Trinity – BianLian, White Rabbit, and Mario Ransomware Gangs Spotted in a Joint Campaign
  
  
• Sunhyung Shim and Jaehak Oh at S2W Lab
  [Region Analysis_NOVEMBER] Dark Web Cyber-attacks targeting Thailand (Korean ver.)
  
  
• SANS
  • Helping CTI Analysts Approach and Report on Emerging Technology Threats and Trends
  • Cloud Attacks: What’s Old is New – Part 1
    
    
• SANS Internet Storm Center
  • IPv4-mapped IPv6 Address Used For Obfuscation, (Sat, Dec 9th)
  • Honeypots: From the Skeptical Beginner to the Tactical Enthusiast, (Sun, Dec 10th)
  • Malicious Python Script with a TCL/TK GUI, (Wed, Dec 13th)
  • T-shooting Terraform for DShield Honeypot in Azure [Guest Diary], (Wed, Dec 13th)
  • CSharp Payload Phoning to a CobaltStrike Server, (Fri, Dec 15th)
  • An Example of RocketMQ Exploit Scanner, (Sat, Dec 16th)
    
    
• Securelist
  • FakeSG campaign, Akira ransomware and AMOS macOS stealer
  • Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol
    
    
• Sekoia
  • ActiveMQ CVE-2023-46604 Exploited by Kinsing: Threat Analysis
  • CALISTO doxxing : Sekoia.io findings concurs to Reuters’ investigation on FSB-related Andrey Korinets 
    
    
• Daniel Petri at Semperis
  How to Defend Against MFA Fatigue Attacks: AD Security 101
  
  
• SentinelOne
  • Sandman APT | China-Based Adversaries Embrace Lua
  • Mallox Resurrected | Ransomware Attacks Exploiting MS-SQL Continue to Burden Enterprises
  • Gaza Cybergang | Unified Front Targeting Hamas Opposition
    
    
• Simone Kraus
  Rhysida Ransomware and the Detection Opportunities
  
  
• Sophos
  Press and pressure: Ransomware gangs and the media
  
  
• Splunk
  • Deploy, Test, Monitor: Mastering Microsoft Defender ASR with Atomic Techniques in Splunk
  • Old School vs. New School
    
    
• Denis Sinegubko at Sucuri
  Analysis of the Fake WordPress CVE-2023-46182 Patch Plugin & Phishing Campaign 
  
  
• Taz Wake
  • Understanding Namespaces for Fun and Profit
  • Linux incident response – understanding stat
  • Linux incident response – malicious timestamp manipulation
    
    
• Steven Erwin at TrustedSec
  Unmasking Business Email Compromise: Safeguarding Organizations in the Digital Age
  
  
• Pancho Perdomo at VirusTotal
  • Protecting the perimeter with VT Intelligence – Email security
  • VTMondays
    
    
• YUCA
  Unveiling Team R70: A Deep Dive into Their Cyber Tactics and Global Hacktivist Alliances
  
  
• Deepen Desai and Rohit Hegde at ZScaler
  New ThreatLabz Report: Exploring Encrypted Attacks Amidst the AI Revolution
  

UPCOMING EVENTS

• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2024-01-08
  • BHIS – Talkin’ Bout [infosec] News 2023-12-18
    
    
• Huntress
  • Investigating macOS Malware with Patrick Wardle
  • Cyber Insurance Masterclass Office Hours
    
    
• Magnet Forensics
  Ep. 12 // Messing Around with Media: Understand Media Types in Modern Smartphones
  
  
• SANS
  Celebrating Cybersecurity Difference Makers | December 19, 2023
  

PRESENTATIONS/PODCASTS

• Richard T. Frawley at ADF Solutions
  ADF Solutions Evaluation Steps: A Quick Video Walkthrough
  
  
• Adversary Universe Podcast
  Inside the ”Alphabet Soup” of Incident Reporting Regulations
  
  
• Alexis Brignoni
  Digital Forensics Now Podcast – Episode 8
  
  
• ArcPoint Forensics
  • Day 3 of the 12 Days of DFIRmas w. Jessica Hyde
  • Day 4 of the 12 Days of DFIRmas w. Dean Hoffman
  • Day 6 of the 12 Days of DFIRmas w. Alexis Brignoni
  • Day 5 of the 12 Days of DFIRmas w. Manny Kressel
  • Day 7 of the 12 Days of DFIRmas w. Aaron Sparling
    
    
• Black Hills Information Security
  • Spamming Microsoft 365 Like It’s 1995 
  • Talkin’ About Infosec News – 12/15/2023
    
    
• BlueMonkey 4n6
  Android and iOS backup analysis using *LEAPP tools and Linux based tools
  
  
• BSides Cape Town
  Opening Address – BSides Cape Town 2023
  
  
• Cellebrite
  • Pathfinder Tutorials I Investigative Views I Map
  • Pathfinder Tutorials I Investigative Views I Timeline
  • Pathfinder Tutorials I Investigative Views I Persons
  • Pathfinder Tutorials I Investigative Views I Emails
  • Pathfinder Tutorials I Investigative Workflows I Collaboration & Scalability – part 2
  • Pathfinder Tutorials I Investigative Views I Chats
  • Can Cell Phone Apps Prove You Weren’t Distracted Driving?
  • Dissecting Key Digital Intelligence and Trends Challenges
    
    
• Hazel Burton at Cisco’s Talos
  Video: Talos 2023 Year in Review highlights
  
  
• Cyber Secrets
  Operation OShINT – Shake The Cobwebs
  
  
• Digital Forensic Survival Podcast
  DFSP # 408 – Nesting
  
  
• Forensic Focus
  • UK Cyber 9/12 Strategy Challenge And CyberWomen Groups C.I.C.
  • MSAB: Updates From The Frontline
  • Picture Perfect: Using Screenshots And Screen Recording In Mobile Device Investigations
  • Tips And Tricks For Collecting Employee Chat Data
  • Acquisition And Extraction With Cellebrite’s New Endpoint Mobile Now And Mobile Ultra
    
    
• Huntress
  • Nov 2023 | Internal SOC Improvements
  • Must Know SMB Threat Insights
    
    
• InfoSec_Bret
  IR -SOC213-169 – Possible Data Exfiltration Detected
  
  
• Insane Forensics
  How To Choose the Right Industrial Cybersecurity Vendor
  
  
• John Hammond
  This Company Got Hacked… but HOW?
  
  
• Magnet Forensics
  • Top Cyber Threats to Financial Services & How to Rapidly Investigate with Digital Forensic Solutions
  • Duty to Preserve, but How?
  • What’s New in Magnet REVIEW 5.3
    
    
• Microsoft Threat Intelligence Podcast
  A Journey through Cyberwarcon
  
  
• MSAB
  How to harness the iOS Faces Filter in XAMN Pro?
  
  
• Nuix
  Take Control of Microsoft O365 Data with Nuix Alex Chatzistamatis – Jan 22 2021
  
  
• OALabs
  Tips For Analyzing Delphi Binaries in IDA (Danabot)
  
  
• The Defender’s Advantage Podcast
  Threat Trends: Tales from the 2023 Trenches
  
  
• Carlos Perez at TrustedSec
  Tech Brief – Citrix Bleed Abused by Ransomware Crews
  
  
• Uptycs
  Keeping Pace in Cyber: Josh Lemon on Incident Response and Building Teams
  

MALWARE

• Arda Büyükkaya
  DarkGate Config Extraction
  
  
• ASEC
  • Distribution of Phishing Email Under the Guise of Personal Data Leak (Konni)
  • Infected Systems Controlled Through Remote Administration Tools (Detected by EDR)
    
    
• Cryptax
  Bad Zip and new Packer for Android/BianLian
  
  
• Hex Rays
  • Plugin focus: msdocviewer
  • Igor’s Tip of the Week #168: Rebasing
    
    
• Mohitrajai
  Malware Analysis Report: Lockbit Black Ransomware
  
  
• Petikvx
  • Analyze with ANY.RUN
  • How to recovery files after Jigsaw
    
    
• Quick Heal
  Cerber Ransomware Exposed: A Comprehensive Analysis of Advanced Tactics, Encryption, and Evasion
  
  
• Sonatype
  Decrypting the Ledger connect-kit compromise: A deep dive into the crypto drainer attack
  
  
• Trend Micro
  • Analyzing AsyncRAT’s Code Injection into aspnet_compiler.exe Across Multiple Incident Response Cases
  • Decoding CVE-2023-50164: Unveiling the Apache Struts File Upload Exploit
    
    
• Jean-Francois Gobin at Truesec
  Persistent web shell identified in SonicWall SMA
  
  
• WeLiveSecurity
  • A pernicious potpourri of Python packages in PyPI
  • OilRig’s persistent attacks using cloud service-powered downloaders
    
    
• Zhassulan Zhussupov
  • Malware development: persistence – part 23. LNK files. Simple Powershell example.
  • Malware in the wild book.
    

MISCELLANEOUS

• Atola
  10+ Top Picks For Digital Forensics
  
  
• Brian Maloney
  What’s New in OneDriveExplorer
  
  
• Paul Stamp at Cado Security
  Revisiting NIST Forensics Guidance in a Cloud Age
  
  
• Doug Burks at Security Onion
  • Security Onion 2.4 Feature o’ the Day – Configure Strelka
  • Security Onion 2.4 Feature o’ the Day – Configure Suricata
  • Security Onion 2.4 Feature o’ the Day – Configure Telegraf
  • Security Onion 2.4 Feature o’ the Day – Configure Zeek
    
    
• Elan at DFIR Diva
  My Experience with Coursera’s DFIR Specializations
  
  
• Erik Hjelmvik at Netresec
  Network Forensics Training – Spring 2024
  
  
• Fabian Mendoza at AboutDFIR
  AboutDFIR Site Content Update – 12/15/2023
  
  
• Mark Shelhart at Foregenix
  5 reasons why IT Shouldn’t Lead HR Incidents or Policy Violation Investigations
  
  
• Forensic Focus
  • Focus Investigations With MITRE ATT&CK Insights
  • Digital Forensics Round-Up, December 14 2023
  • Supercharge Your Investigations With Mobile Ultra
    
    
• HackTheBox
  Operational Tinsel Trace: practice your DFIR skills with festive-themed Sherlock
  
  
• Luke Bradley
  • Can you ‘still’ recover deleted data?
  • Complexities of data preservation in restructuring & business insolvency matters
    
    
• Microsoft Security
  New Microsoft Incident Response team guide shares best practices for security teams and leaders
  
  
• Joachim Metz at Open Source DFIR
  Running GRR everywhrr
  
  
• Oxygen Forensics
  Managing Corporate Digital Investigations More Efficiently
  
  
• SANS
  A Look at the SANS Sponsorship Program
  
  
• Chester Wisniewski at Sophos
  Arrested Intimidation
  
  
• Snigdha Basu at The Citizen Lab
  Peer-reviewed publication: Regulating Transnational Dissident Cyber espionage
  

SOFTWARE UPDATES

• Airbus Cybersecurity
  IRIS-Web v2.3.7
  
  
• Atola
  Customize the Taskbar in the TaskForce 2023.11 update
  
  
• Belkasoft
  What is new in v.1.2 of Belkasoft Remote Acquisition
  
  
• Breakpoint Forensics
  12/16/2023 GKPasswordParser-V1.4 Release
  
  
• Brian Maloney
  OneDriveExplorer v2023.12.13
  
  
• CISA
  CISA Releases SCuBA Google Workspace Secure Configuration Baselines for Public Comment
  
  
• Costas K
  JumplistBrowser v.0.0.36.0
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Exterro
  Meet your new favorite forensic tool FTK 8.0
  
  
• Foxton Forensics
  Browser History Examiner — Version History – Version 1.20.2 December 15, 2023
  
  
• IsoBuster
  IsoBuster 5.3 released
  
  
• Magnet Forensics
  • Magnet AXIOM Cyber 7.8: Higher Resolution Timestamps, Enhancements to Email Explorer and Teams Data Collection!
  • Magnet AXIOM 7.8 – Adding DJI Drone Insights and Millisecond Precision
    
    
• Manabu Niseki
  Mihari v6.3.0
  
  
• Mandiant
  flare-floss v3.0.1
  
  
• Matt Shannon at F-Response
  F-Response 8.7.1.17 – Collect gets Self Delete
  
  
• MSAB
  Now Available: XRY 10.8, XAMN 7.8 and XEC 7.8
  
  
• OpenCTI
  5.12.8
  
  
• Passware
  Passware Kit 2024 v1 Now Available
  
  
• SigmaHQ
  pySigma v0.10.10
  
  
• X1
  X1 Expands Cutting Edge MS 365 Support With Very High and Unmatched Throughput Capabilities
  
  
• Xways
  X-Ways Forensics 21.0
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!