As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Alexis Brignoni at ‘Initialization Vectors’
  SQLite 3.45 introducing binary JSON
  
  
• Belkasoft
  The Investigator’s Guide to Android Acquisition Methods. Part I: Device
  
  
• Nate Bill at Cado Security
  Containerised Clicks: Malicious use of 9hits on vulnerable docker hosts
  
  
• CCL Solutions
  SQLite’s New Binary JSON Format
  
  
• Foxton Forensics
  Investigating Microsoft Teams IndexedDB data
  
  
• International Journal of Electronic Security and Digital Forensics
  Volume 16 Issue 1 2024
  
  
• Kevin Pagano at Stark 4N6
  Analyzing Life360 on Android
  
  
• Lee Holmes at Precision Computing
  leeholm16 in LNK file forensic artifacts
  
  
• Lionel Notari
  iOS Unified Logs – The use of the Dictaphone
  
  
• Luke Bradley
  • Ensuring Data Integrity: The Importance of Preserving MAC Times
  • Deep Dive into the Technical & Legal Complexities of Forensic Data Acquisition from Remote Cloud Storage
    
    
• Maher Yamout at Securelist
  A lightweight method to detect potential iOS malware
  
  
• Mattia Epifani at Zena Forensics
  • Analysis of Android settings during a forensic investigation
  • A first look at Android 14 forensics
    
    
• Plainbit
  Remote Collecting using Magnet IGNITE
  
  
• System Weakness
  • SOC175 — PowerShell Found in Requested URL — Possible CVE-2022–41082 Exploitation
  • SOC169 — Possible IDOR Attack Detected
  • SOC170 — Passwd Found in Requested URL — Possible LFI Attack
  • SOC173 — Follina 0-Day Detected
  • Splunk: Setting up a SOC Lab | Tryhackme Walkthrough
  • SOC239 — Remote Code Execution Detected in Splunk Enterprise
  • SOC168 — Whoami Command Detected in Request Body
  • Detect Application Windows Discovery Techniques on Windows using KQL
    
    
• Taz Wake
  Understanding nohup
  

THREAT INTELLIGENCE/HUNTING

• Adam Goss
  What Is the Indicator Lifecycle? A Guide to Using Indicators
  
  
• Alex Teixeira
  Splunk ES Correlation Searches (Rules) Best & Cool Practices
  
  
• Allan Liska at ‘Ransomware Sommelier’
  The Problem with Relying on Criminals for Data
  
  
• Antonio Formato
  Building a Mitre Attack Navigator Layer and TTPs Timeline using Azure OpenAI
  
  
• Ilay Goldman and Yakir Kadkoda at Aqua
  Deceptive Deprecation: The Truth About npm Deprecated Packages
  
  
• AttackIQ
  • GootLoader: Unloaded
  • Response to CISA Advisory (AA24-016A): Known Indicators of Compromise Associated with Androxgh0st Malware
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 13 – 19 Gennaio 2024
  
  
• Check Point
  • 15th January – Threat Intelligence Report
  • Check Point Research: 2023 – The year of Mega Ransomware attacks with unprecedented impact on global organizations
  • Check Point Research alerts on a new NFT airdrop campaign
  • Check Point Research Unfolds: Navigating the Deceptive Waters: Unmasking A Sophisticated Ongoing NFT Airdrop Scam
    
    
• Tzachi(Zack) Zorn at Checkmarx Security
  When the Hunter Becomes the Hunted
  
  
• CISA
  • Known Indicators of Compromise Associated with Androxgh0st Malware
  • Incident Response Guide for the WWS Sector
    
    
• Chris Neal at Cisco’s Talos
  Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers
  
  
• Nathan Eades at Permiso
  Azure Logs: Breaking Through the Cloud Cover
  
  
• Cyborg Security
  Why Behavioral Threat Hunting is the Big Thing for Cybersecurity in 2024
  
  
• Cyfirma
  Weekly Intelligence Report – 19 Jan 2024
  
  
• Martin McCloskey and Christophe Tafani-Dereeper at Datadog Security Labs
  Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining
  
  
• Regan at Detect FYI
  Building a beginner’s detection lab with Defender, Sentinel, and Splunk
  
  
• Joe St Sauver at DomainTools
  Finding Patterns That Only Match Registered Domains (and Which Don’t “Overmatch” Against Subdomains)
  
  
• Dr Nestori Syynimaa at AADInternals
  Exfiltrating NTHashes by abusing Microsoft Entra Domain Services
  
  
• Esentire
  SmartApeSG Delivering NetSupport RAT
  
  
• Peter Michalski at Expel
  Assessing suspicious Outlook rules: an exercise
  
  
• Jessica Ellis at Fortra’s PhishLabs
  Executive Attacks on Social Media Hit All-Time High as Analysts Point to AI
  
  
• Will Francillette at French365Connection
  Connect to Advanced Hunting API with the Graph SDK PowerShell module
  
  
• Wesley ShieldsThreat Analysis Group at Google Threat Analysis Group
  Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware
  
  
• Ron Bowes at GreyNoise
  Ivanti Connect Secure Exploited to Install Cryptominers
  
  
• InfoSec Write-ups
  • What is Alert Fatigue and How Does the Incident Response Team Suffer?
  • Blue Team Bootcamp Series (P3): How to Detect Cross-Site Scripting (XSS) Attacks
  • Streamlining SOC Operations with the “Shift Email Playbook” in Microsoft Sentinel
    
    
• Intrinsec
  ThreeAM ransomware
  
  
• Jamie MacColl, Dr Pia Hüsch, Dr Gareth Mott, James Sullivan, Dr Jason R. C. Nurse, Sarah Turner and Nandita Pattnaik at RUSI
  Ransomware: Victim Insights on Harms to Individuals, Organisations and Society
  
  
• KELA Cyber Threat Intelligence
  Off-the-shelf Ransomware Source Code is a New Weapon for Threat Actors
  
  
• Bert-Jan Pals at KQL Query
  KQL Security Sources – 2024 Update
  
  
• Kroll
  • Open the DARKGATE – Brute Forcing DARKGATE Encodings
  • Inside the SYSTEMBC Command-and-Control Server
    
    
• Kennet Harpsøe at Logpoint
  New Reality: APTs Boost Sophisticated Cyber Attacks
  
  
• Microsoft Security
  • New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs
  • New Microsoft Incident Response guides help security teams analyze suspicious activity
    
    
• Microsoft Security Response Center
  Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard
  
  
• Nasreddine Bencherchali
  SigmaHQ Rules Release Highlights — r2024–01–15
  
  
• Marcin Nawrocki, Christopher Conrad, and Clark Arenberg at Netscout
  NoName057(16)
  
  
• Florian Roth at Nextron Systems
  Cyber Security 2024: Key Trends Beyond the Hype
  
  
• Noah McDonald at Google Cloud
  Google Cloud Incident Response Cheat Sheet
  
  
• Obsidian Security
  • Behind the Breach: Pass-The-Cookie Beyond IdPs
  • Unlock SaaS Security Intelligence with Splunk and Obsidian
    
    
• Jose Rodriguez at Open Threat Research
  Exploring Defensive Challenges with Artificial Intelligence: From Traditional to Generative
  
  
• Penetration Testing Lab
  Lateral Movement – Visual Studio DTE
  
  
• Prodaft
  Seeing Through the Fog: Detecting Malicious Sites and Fake Social Media
  
  
• Proofpoint
  Security Brief: TA866 Returns with a Large Email Campaign 
  
  
• Raymond Roethof
  Microsoft Defender for Identity Recommended Actions: Reduce lateral movement path risk to sensitive entities
  
  
• Tess Mishoe and Rachel Schwalk at Red Canary
  Misbehaving binaries: How to detect LOLBin abuse in the wild
  
  
• Robin Moffatt
  Hosting on GitHub Pages? Watch out for Subdomain Hijacking
  
  
• RussianPanda
  From Russia With Code: Disarming Atomic Stealer
  
  
• SANS Internet Storm Center
  • Number Usage in Passwords, (Wed, Jan 17th)
  • Scans for Ivanti Connect “Secure” VPN Vulnerability (CVE-2023-46805, CVE-2024-21887), (Tue, Jan 16th)
  • macOS Python Script Replacing Wallet Applications with Rogue Apps, (Fri, Jan 19th)
  • More Scans for Ivanti Connect “Secure” VPN. Exploits Public, (Thu, Jan 18th)
    
    
• Securonix
  Securonix Threat Research Knowledge Sharing Series: On Detection of Real-world Attacks Involving RMM Behaviors Using Securonix
  
  
• Jim Walter at SentinelOne
  The Rise of Drainer-as-a-Service | Understanding DaaS
  
  
• Ameer Owda at SOCRadar
  Dark Web Profile: Scattered Spider
  
  
• Lance B. Cain at SpecterOps
  Calling Home, Get Your Callbacks Through RBI
  
  
• Splunk
  • Enter The Gates: An Analysis of the DarkGate AutoIt Loader
  • Hypothesis-Driven Cryptominer Hunting with PEAK
    
    
• Stephan Berger
  Hunting AsyncRAT & QuasarRAT
  
  
• Ben Martin at Sucuri
  The Dangers of Lateral Movement & Website Cross Contamination
  
  
• UnderDefense
  UnderDefense Initiates Proactive Threat Hunting and Detects Hidden Threats in the Client’s Environment
  
  
• Viktor Sahin-Uppströmer at Truesec
  A Victim of Mallox Ransomware: How Truesec CSIRT Fought Back
  
  
• Volexity
  • Ivanti Connect Secure VPN Exploitation Goes Global
  • Ivanti Connect Secure VPN Exploitation: New Observations
    
    
• Jacob Baines at VulnCheck
  7777-Botnet Infection Vectors
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2024-01-22
  
  
• Christa Miller at DFRWS
  The Women in Forensic Computing Workshop Returns to DFRWS-EU!
  
  
• Cyborg Security
  Episode 14
  
  
• Magnet Forensics
  • How Nashville Metro Police Eliminated Their Mobile Device Backlog & Accelerated Justice with Magnet AUTOMATE
  • Collecting and Analyzing Mobile Evidence in the Workplace
    
    
• SANS
  • 2024 Ransomware Trends and Predictions
  • 2024 Industrial Control Systems Trends and Predictions
    
    
• Krishna Vishnubhotla at Zimperium
  Mobile Banking Heists: The Emerging Threats and How to Respond
  

PRESENTATIONS/PODCASTS

• ADF Solutions
  • Investigating Chromebooks with ADF Solutions
  • Stop Victimizing Trafficking Survivors: Meet Joe Scaramucci
    
    
• Adversary Universe Podcast
  AI Through the Defender’s Lens: A Chat with CrowdStrike’s Global CTO
  
  
• Alexis Brignoni
  Digital Forensics Now Podcast Episode 10
  
  
• ArcPoint Forensics
  EASILY RECOVER FILE PASSWORDS WITH ATRIO
  
  
• Black Hat
  • Input Output + Syslog (iO+S): Obtaining Data From Locked iOS Devices via Live Monitoring
  • HARry Parser and the Cursed Tracker: Breaking the Spell of Online Data Collection
    
    
• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2024-01-15
  • Talkin’ About Infosec News – 1/16/2024
    
    
• Breaking Badness
  Breaking Badness Book Club #2
  
  
• Cellebrite
  The Digital Forensics Series – Ep. 6 Cellebrite Inseyets Frequently Asked Questions
  
  
• Cyberwox
  Splunk Basics: SPL
  
  
• Digital Forensic Survival Podcast
  DFSP # 413 – Ransomware Initial Response
  
  
• Hardly Adequate
  Hardly a Week 2 January 15, 2024
  
  
• Huntress
  • Spooky Skeleton Keys
  • Token Theft from Office Desktop Applications
    
    
• InfoSec_Bret
  SA -SOC250-212 – APT35 HyperScrape Data Exfiltration Tool Detected
  
  
• Insane Forensics
  WannaCry: Background and Detection of a Major SMB Based Ransomware Event
  
  
• Jai Minton
  Is this Android app MALWARE? It wants to know your PRIVATE BROWSING HISTORY! – APK Malware Analysis
  
  
• John Hammond
  How Hackers Move Through Networks (with Ligolo)
  
  
• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Analysis – C2 extractor for Turla’s Kopiluwak using Binary Refinery
  
  
• Magnet Forensics
  • Upgrade Your Video Investigations with Magnet WITNESS
  • Magnet AUTOMATE for Internal Investigations, IR, and eDiscovery
    
    
• MSAB
  How to use Generic Profiles in XRY?
  
  
• OALabs
  • Introduction to YARA Part 4 – Efficient Rule Development
  • Introduction to YARA Part 3 – Rule Use Cases
  • Introduction to YARA Part 2 – Hunting on UnpacMe
  • Introduction to YARA Part 1 – What is a YARA Rule
    
    
• Paraben Corporation
  Strengthening Your Career In Digital Investigations
  
  
• Security Conversations
  Costin Raiu: The GReAT exit interview
  

MALWARE

• Any.Run
  A Full Analysis of the Pure Malware Family: Unique and Growing Threat
  
  
• ASEC
  • Remcos RAT Being Distributed via Webhards
  • Mimo CoinMiner and Mimus Ransomware Installed via Vulnerability Attacks
  • LockBit Ransomware Distributed Via Word Files Disguised as Resumes
    
    
• Dr Josh Stroschein
  Unraveling an obfuscated PHP web shell! Exploring web shells for malware anlaysis!
  
  
• Dr. Web
  Hidden crypto miner in pirated software makes cybercriminals rich at the expense of their victims
  
  
• ElementalX
  GoStealer: Golang-based credential stealer targets Indian Airforce Officials.
  
  
• Herbie Zimmerman at “Lost in Security”
  2024-01-14 Remcos RAT Infection
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #172: Type editing from pseudocode
  
  
• Irfan_eternal
  Understanding Internals of SmokeLoader
  
  
• Jamf
  Jamf Threat Labs discovers new malware embedded in pirated applications
  
  
• Preksha Saxena and Yashvi Shah at McAfee Labs
  From Email to RAT: Deciphering a VB Script-Driven Campaign
  
  
• Nikhil “Kaido” Hegde
  NoaBot Botnet – Sandboxing with ELFEN and Analysis
  
  
• Jeroen Beckers at NVISO Labs
  Deobfuscating Android ARM64 strings with Ghidra: Emulating, Patching, and Automating
  
  
• Phylum
  npm Package Found Delivering Sophisticated RAT
  
  
• Minyeop Choi at S2W Lab
  Detailed Analysis of DarkGate; Investigating new top-trend backdoor malware
  
  
• Todyl
  Todyl Detection Engineering deep-dive: A stroll through PowerShell script reversing
  
  
• Joshua Platt, Jonathan McCay and Jason Reaves at Walmart
  Keyhole Analysis
  
  
• Zhassulan Zhussupov
  Malware and cryptography 24: encrypt/decrypt file via Madryga. Simple C/C++ example.
  
  
• Santiago Vicente and Ismael Garcia Perez at ZScaler
  Zloader: No Longer Silent in the Night
  

MISCELLANEOUS

• Jessica Hyde at Hexordia for Magnet Forensics
  Magnet Virtual Summit 2024 Capture The Flag
  
  
• Adam at Hexacorn
  How to become/continue to be a security researcher?
  
  
• Peter Sosic at Amped
  The Amped Software Training 2024 Is Out!
  
  
• Eric Capuano
  So You Want to Build an IR Practice?
  
  
• Fabian Mendoza at AboutDFIR
  AboutDFIR Site Content Update – 01/19/2024
  
  
• Forensic Focus
  • Oxygen Forensic Training And Digital Forensics Solutions With Keith Lockhart
  • Join Our New Forensic Focus Discord Community
  • Image And Video Forensic Training Courses With Amped Software: Register Now
  • Forensic Focus Digest, January 19 2024
  • Digital Forensics Round-Up, January 18 2024
    
    
• Alex Petrov at Hex Rays
  Participate in our IDA Plugin Community Survey
  
  
• Neil Lines at Lares Labs
  Introducing Super Sharp Shares
  
  
• Lee Sult at Sleuth Kit Labs
  Ready, Set, Defend: Cyber Tabletop Exercises
  
  
• Magnet Forensics
  • Announcement: Magnet Forensics Acquires High Peaks Cyber
  • Get the Year Started Right With Magnet Forensics Training 
    
    
• Angelika Rohrer and Jon Brown at Open Source DFIR
  How do you know you are “Ready to Respond”?
  
  
• Salvation DATA
  • Digital Detective: Mobile Device Forensics in the Cyber Age
  • Recuva vs. Glarysoft: Which One is the Best Deleted Video Recovery Software?
    
    
• SANS
  • Ransomware Cases Increased Greatly in 2023
  • FOR528: Ransomware & Cyber Extortion Course Updates Implemented – What’s New?
  • Industrial Control Systems Cyber Threats & The Gulf Region: ICS Blog Series: 1 of 3
    
    
• Sergey Lozhkin, Anna Pavlovskaya, Kaspersky Security Services at Securelist
  Dark web threats and dark market predictions for 2024
  
  
• Pierre Coyne at Tenable
  Tap Into Your Inner Logs for Better Anomaly Detection and Incident Response
  

SOFTWARE UPDATES

• Airbus Cybersecurity
  IRIS-Web v2.4.5
  
  
• Costas K
  LNK & Jumplist Browser
  
  
• Digital Sleuth
  winfor-salt v2024.1.0
  
  
• dnSpyEx
  v6.5.0-rc2
  
  
• Doug Burks at Security Onion
  Security Onion 2.4.40 now available including some new features and lots of bug fixes!
  
  
• Foxton Forensics
  Browser History Examiner — Version History – Version 1.20.3
  
  
• Hasherezade
  PE-Bear v0.6.7.3
  
  
• Manabu Niseki
  Mihari v7.3.1
  
  
• OpenCTI
  5.12.20
  
  
• Passmark Software
  OSForensics – V11.0 build 1001 18th January 2024
  
  
• Sigma
  • r2024-01-15
  • pySigma v0.11.2
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!