(Turns out the first post of the year should have been week 0 instead of week 1….whoops….week 52 is 1 week early this year)

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Amged Wageh
  DriveFS Sleuth — Investigating Google Drive File Stream’s Disk Artifacts
  
  
• David Spreadborough at Amped
  Correct the Aspect Ratio of CCTV Footage
  
  
• Oleg Afonin at Elcomsoft
  iOS 17.3 Developer Preview: Stolen Device Protection
  
  
• Forensafe
  Solving Cellebrite’s September 2023 CTF (Russell’s Android device) Using ArtiFast
  
  
• The DFIR Report
  Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity
  

THREAT INTELLIGENCE/HUNTING

• Bill Stearns at Active Countermeasures
  zcutter – More Flexible Zeek Log Processing
  
  
• Adam Goss
  What is Cyber Threat Intelligence? A Quick Guide
  
  
• Akamai
  Novel Detection of Process Injection Using Network Anomalies
  
  
• Antonio Formato
  Enhancing Cyber Threat Intelligence with TI Mindmap GPT: Integration of Azure OpenAI and advanced…
  
  
• ASEC
  Apache ActiveMQ Vulnerability (CVE-2023-46604) Continuously Being Exploited in Attacks
  
  
• AttackIQ
  • Infecting the Infected: Rhysida’s Ruthless Ransomware Regime
  • Response to CISA Advisory (AA23-347A): Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally
  • Response to CISA Advisory (AA23-349A): Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment
  • Response to CISA Advisory (AA23-352A): #StopRansomware: Play Ransomware
    
    
• Pete Herzog at Blackberry
  Sneaky GPU.zip Technique Steals Sensitive Information From Your Graphics Card
  
  
• Lawrence Abrams at BleepingComputer
  Qbot malware returns in campaign targeting hospitality industry
  
  
• Brad Duncan at Malware Traffic Analysis
  2023-12-18 – TA577 Pikabot infection with Cobalt Strike
  
  
• Bridewell
  • Hunting for Ursnif
  • Bridewell and Group-IB Uncover Possible BlackByte Victim Data
    
    
• Cado Security
  • Enhance Incident Response in GCP: Introducing Cado’s GCP Incident Response Playbook
  • How to Build a Cloud-Ready Incident Response Playbook
    
    
• CERT Ukraine
  • Modus operandi UAC-0177 (JokerDPR) на прикладі однієї з кібератак (CERT-UA#8290)
  • “Заборгованість Київстар”, “Запит СБУ”: нова атака UAC-0050 з використанням RemcosRAT (CERT-UA#8338)
    
    
• CERT-AGID
  Il malware Vidar attacca ancora una volta le PEC in Italia
  
  
• Check Point
  • 18th December – Threat Intelligence Report
  • The Rising Threat of Phishing Attacks with Crypto Drainers
  • Navigating the Perilous Waters of Crypto Phishing Attacks
    
    
• Yehuda Gelb at Checkmarx Security
  Python Packages Leverage GitHub to Deploy Fileless Malware.
  
  
• CISA
  • #StopRansomware: Play Ransomware
  • #StopRansomware: ALPHV Blackcat
    
    
• Mike Gentile, Asheer Malhotra and Vitor Ventura at Cisco’s Talos
  Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware
  
  
• Cybereason
  THREAT ALERT: CITRIXBLEED (CVE-2023-4966)
  
  
• Cyfirma
  Weekly Intelligence Report – 22 Dec 2023
  
  
• Deep Instinct
  Threat Actor ‘UAC-0099’ Continues to Target Ukraine
  
  
• Dragos
  Developing and Executing a Fully Informed OT Threat Hunt 
  
  
• EclecticIQ
  Star Blizzard Operations Linked to Russian Intelligence Agency; APT28 Targets NATO’s Rapid Response
  
  
• Paul Asadoorian at Eclypsium
  Detecting LogoFAIL Vulnerabilities and Exploits at Enterprise Scale
  
  
• Emanuele De Lucia
  A {Black}Cat and mouse game: How the gang’s operators have ‘unseized’ their Dedicated Leak Site
  
  
• Esentire
  • PhantomControl returns with Ande Loader and SwaetRAT
  • “NextPHP” Phishing Campaign
    
    
• Flashpoint
  COURT DOC: Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant
  
  
• Florian Roth
  Introducing YARA-Forge
  
  
• Pei Han Liao at Fortinet
  Bandook – A Persistent Threat That Keeps Evolving
  
  
• g0njxa
  Endless Malvertising & Deadly Spam: Threat hunting with Malcore!
  
  
• GreyNoise
  Spike in Atlassian Exploitation Attempts: Patching is Crucial
  
  
• Nicole Fishbein and Ryan Robinson at Intezer
  Operation HamsaUpdate: A Sophisticated Campaign Delivering Wipers Puts Israeli Infrastructure at Risk
  
  
• Jaron Bradley at The Mitten Mac
  Threat Hunting Pids Within Apple’s Endpoint Security API
  
  
• Jonathan Johnson
  • Uncovering Adversarial LDAP Tradecraft
  • Mastering Windows Access Control: Understanding SeDebugPrivilege
  • Demystifying DLL Hijacking Understanding the Intricate World of Dynamic Link Library Attacks
    
    
• karttoon
  20DEC2023 – The Origin of OriginLogger & Agent Tesla
  
  
• KELA Cyber Threat Intelligence
  • Your Compromise Is Confirmed: How Threat Actors Access Hotel Accounts on Booking.com
  • 5 Questions About Hamas-Israel War
    
    
• Kevin Beaumont at DoublePulsar
  The ticking time bomb of Microsoft Exchange Server 2013
  
  
• Konrad Kaluzny
  Detection Tips 12-15 Remote Access Software: RMM tools
  
  
• Ujwal Thapa at Logpoint
  TTPs of Russian SVR-affiliated Threat Actor Exploiting CVE-2023-42793
  
  
• Jérôme Segura at Malwarebytes
  New MetaStealer malvertising campaigns
  
  
• Michael Haag
  LOLDrivers and HVCI
  
  
• Malla Reddy Donapati and Subhash Popuri at Microsoft Security Response Center
  Azure Serial Console Attack and Defense – Part 2
  
  
• MITRE-Engenuity
  • Tinker Turla Soldier Spy: Automating Turla with MITRE Caldera™
  • Enriching Threat Intelligence with Mappings
    
    
• Nasreddine Bencherchali
  SigmaHQ Rules Release Highlights — r2023–12–21
  
  
• Obsidian Security
  Securing against OAuth Exploitation: A Step-By-Step Guide
  
  
• OSArmor
  QakBot and PikaBot Delivered via Digitally Signed MSI Windows Installers
  
  
• Axel F, Dusty Miller, Tommy Madjar and Selena Larson at Proofpoint
  BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates 
  
  
• Mohammad Amr Khan and Grace Chi at Pulsedive
  2023 In Review
  
  
• Saeed Abbasi at Qualys
  2023 Threat Landscape Year in Review: If Everything Is Critical, Nothing Is
  
  
• Raymond Roethof
  Microsoft Defender for Identity NTLM Relay Attack
  
  
• Recorded Future
  Leading with Intelligence: Winning Against Credential Theft
  
  
• Red Canary
  • What Home Alone teaches us about proactive defense
  • Intelligence Insights: December 2023
    
    
• ReliaQuest
  • Double Extortion Attack Analysis
  • Detection 101: Top Detections for Email Phishing and BEC
    
    
• Resecurity
  2024 Cyber Threat Landscape Forecast
  
  
• Roy Akerman at Rezonate
  How Threat Actors Leveraged HAR Files to Attack Okta’s Customers
  
  
• SANS Internet Storm Center
  • What are they looking for? Scans for OpenID Connect Configuration (Update: CitrixBleed), (Tue, Dec 19th)
  • Increase in Exploit Attempts for Atlassian Confluence Server (CVE-2023-22518), (Wed, Dec 20th)
  • Shall We Play a Game?, (Fri, Dec 22nd)
  • Python Keylogger Using Mailtrap.io, (Sat, Dec 23rd)
    
    
• Sansec
  Magento wish list exploit bypasses WAF protection
  
  
• Sekoia
  IAM & Detection Engineering
  
  
• SentinelOne
  • Decrypting SentinelOne Detection | The Behavioral AI Engine in Real-Time CWPP
  • December 2023 Cybercrime Update | Extortion Trends, Identity-Focused Attacks & Counter-Operations
    
    
• Simone Kraus
  Big Game Hunting — Vidar Server Infrastructure in Germany
  
  
• SOCRadar
  Dark Web Profile: Cyber Av3ngers
  
  
• Sophos
  • “Inhospitality” malspam campaign targets hotel industry
  • CryptoGuard: An asymmetric approach to the ransomware battle
  • Akira, again: The ransomware that keeps on taking
    
    
• Symantec Enterprise
  Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa
  
  
• Taz Wake
  Linux Incident Response – understanding the heap and the stack
  
  
• VirusTotal
  • Protecting the perimeter with VT Intelligence – malicious URLs
  • Sigma rules for Linux and MacOS
    
    
• WeLiveSecurity
  • ESET Threat Report H2 2023
  • These aren’t the Androids you should be looking for
    
    
• Kaivalya Khursale at ZScaler
  Threat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla
  

UPCOMING EVENTS

• Magnet Forensics
  Simplifying the Digital Investigation of Apple Devices
  

PRESENTATIONS/PODCASTS

• AhmedS Kasmani
  • Malware Analysis Lab Basics – Part 2 – Installing Ghidra
  • Malware Analysis Lab Basics – Part 1 – Installing Flare VM
    
    
• Anuj Soni
  Malware Evasion Techniques: API Unhooking
  
  
• ArcPoint Forensics
  • Day 7 of the 12 Days of DFIRmas w. Geraldine Blay
  • Day 9 of the 12 Days of DFIRmas w. Marcos Ortiz
  • Day 10 of the 12 Days of DFIRmas w. Heather Charpentier
  • Day 11 of the 12 Days of DFIRmas w. Stephen Boyce
  • Day 12 of the 12 Days of DFIRmas w. Ali Hadi
  • Talkin’ About Infosec News – 12/21/2023
    
    
• Breaking Badness
  175. BazarCall of the Wild
  
  
• BSides Cape Town
  • Let the Children play – Leveraging ADCS for persistence in Parent-Child configured forests
  • Outsmarting cyber villains on a shoestring budget – Roshan Harneker | BSides Cape Town 2023
  • The cyber-pirate’s guide to C2 development – Gerhard Botha | BSides Cape Town 2023
    
    
• Cellebrite
  • How Can Phone Location Data Solves Homicide Cases?
  • South Carolina Law Enforcement Division Takes on Big Cases with Digital Intelligence
    
    
• Cloud Security Podcast by Google
  EP153 Kevin Mandia on Cloud Breaches: New Threat Actors, Old Mistakes, and Lessons for All
  
  
• CYBERWOX
  Investigating an AWS Cloud Exfiltration Attack with Google Sheets & CloudWatch
  
  
• Detection: Challenging Paradigms
  Episode 37: Steve Luke and Roman Daszczyszak
  
  
• Digital Forensic Survival Podcast
  DFSP # 409 – Regsvcs and Regasm Abuse
  
  
• Hacker Valley Blue
  What’s Lurking In Your Containers? AMBERSQUID Operations, Freejacking, and Microservice Exploitation
  
  
• InfoSec_Bret
  IR -SOC214-166 – Qakbot Data Theft
  
  
• Magnet Forensics
  Ep. 12 // Messing Around with Media: Understand Media Types in Modern Smartphones
  
  
• MSAB
  • XRY 10.8 raises the bar with improved performance and cutting-edge features
  • Now Available: XRY 10.8, XAMN 7.8 and XEC 7.8
  • XAMN 7.8: Transforming your forensic data analysis experience
  • XEC Director 7.8: Mobile forensics management made better
  • Database Source Validation – XAMN Pro
  • Forensic Fix Episode 11 – Jen Hoey
    
    
• NVISO Belgium
  NVISO Podcast Episode # 1: Michel Coene on the Latest Ransomware Campaigns, Groups and Breaches
  
  
• OS Security as a Science: Anticipatory Improvements Under Countermeasures
  ALPChecker – Detecting Spoofing and Blinding Attacks by Anastasiia Kropova and Igor Korkin #HITB2023HKT #COMMSEC
  
  
• Richard Davis at 13Cubed
  Hyper-V Memory Forensics – MemProcFS to the Rescue!
  
  
• SANS
  Introducing SANS Executive Cybersecurity Exercises
  
  
• SANS Cloud Security
  Fred Bret-Mounet: Eating Pasta and Not Building Fort Knox | Season 2 Ep9
  
  
• WeLiveSecurity
  ESET Research Podcast: Neanderthals, Mammoths and Telekopye
  

MALWARE

• Doug Burks at Security Onion
  Quick Malware Analysis: ICEDID BOKBOT infection pcap from 2023-07-25
  
  
• Dr Josh Stroschein
  Generating Shellcode with MSFVENOM
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #169: Jumping to a file offset
  
  
• Fernando Ruiz at McAfee Labs
  Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices
  
  
• Ghanashyam Satpathy and Jan Michael Alcantara at Netskope
  A Look at the Nim-based Campaign Using Microsoft Word Docs to Impersonate the Nepali Government
  
  
• OALABS Research
  DanaBot Core
  
  
• PetiKVX
  • Dharma Ransomware family
  • How to make a ransomware harmless ?
    
    
• Securelist
  • Windows CLFS and five exploits used by ransomware operators (Exploit #4 – CVE-2023-23376)
  • Windows CLFS and five exploits used by ransomware operators (Exploit #3 – October 2022)
  • Windows CLFS and five exploits used by ransomware operators (Exploit #2 – September 2022)
  • Windows CLFS and five exploits used by ransomware operators
  • Windows CLFS and five exploits used by ransomware operators (Exploit #1 – CVE-2022-24521)
  • Windows CLFS and five exploits used by ransomware operators (Exploit #5 – CVE-2023-28252)
    
    
• Ben Martin at Sucuri
  MageCart WordPress Plugin Injects Malicious User & Credit Card Skimmer
  
  
• Martin Balc’h at Synacktiv
  Writing a decent win32 keylogger [1/3]
  

MISCELLANEOUS

• Fabian Mendoza at AboutDFIR
  AboutDFIR Site Content Update – 12/22/2023
  
  
• Cellebrite
  Endpoint Inspector: Top 5 Features for Next-Gen Digital Forensics
  
  
• CISA
  CISA Releases Microsoft 365 Secure Configuration Baselines and SCuBAGear Tool
  
  
• Cyber Social Hub
  Navigating SEC Regulations In Cybersecurity And Incident Response
  
  
• Doug Burks at Security Onion
  Security Onion 2.4.40 Sneak Peek!
  
  
• Forensic Focus
  • Leveraging SaaS To Power Mobile Data Collections
  • BFU Extraction Support From MSAB – Seeing Is Believing 
  • MediaTek Device Extraction With Boot ROM Interface Disabled
  • Event Recap: Security BSides London 2023
  • Targeted Collections: Balancing Legal Precision And Data Privacy
  • iOS 17 Initial Access Support For Magnet GRAYKEY And Magnet VERAKEY
  • Digital Forensics Round-Up, December 21 2023
    
    
• Koos Goossens
  Split up your logs with $pl1tR
  
  
• Magnet Forensics
  • iOS 17 Initial Access Support for Magnet GRAYKEY and Magnet VERAKEY
  • The Top 10 Updates to Magnet AXIOM Cyber in 2023
  • The Top 10 Updates in MAGNET AXIOM in 2023
  • Advanced Research and Exploitation Methodologies With Magnet GRAYKEY Labs
    
    
• Salvation DATA
  Mobile Forensics Showdown: Cellebrite vs MSAB Analysis
  
  
• SANS
  • Diego Mendoza: Completing the SANS Operational Cybersecurity Executive Triad
  • Top 15 SANS Summit Talks of 2023
    
    
• Kurt Muhl at TrustedSec
  Regex Cheat Sheet
  

SOFTWARE UPDATES

• Brian Maloney
  OneDriveExplorer v2023.12.20
  
  
• Brim
  v1.5.0
  
  
• Canadian Centre for Cyber Security
  Assemblyline Release 4.4.0.88
  
  
• CCL Solutions
  ccl-segb
  
  
• Cellebrite
  Now Available: Cellebrite Inspector 10.8
  
  
• Costas K
  LNK & Jumplist Browser
  
  
• Digital Sleuth
  winfor-salt v2023.33.8
  
  
• Eilay Yosfan
  AuthLogParser
  
  
• ExifTool
  ExifTool 12.71
  
  
• Joachim Schict
  Mft2Csv v2.0.0.50
  
  
• Jonny Johnson
  PowerParse
  
  
• Mazars Tech
  AD_Miner v1.0.0
  
  
• Metaspike
  Forensic Email Intelligence – 2.1.14.8
  
  
• MISP
  MISP 2.4.182 released with new features, improvements bugs fixed and an important security fix.
  
  
• MobilEdit
  Introducing Samsung Galaxy Watch Forensics
  
  
• OpenCTI
  5.12.12
  
  
• Sigma
  Release r2023-12-21
  
  
• Xways
  X-Ways Forensics 21.0 SR-1
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!