As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Ann Bransom
  - Hunting for File Deletion Artifacts in Google File Stream Data
- Monica Harris at Cellebrite
  - How Cellebrite and Relativity’s Mobile Advisory Board is Shaping the Future of Mobile eDiscovery
- Bret at Cyber Gladius
  - The Active Directory Access Control List Explained
- Cyber Triage
  - DFIR Next Steps: What To Do When You Find Mimikatz Was Run
- Forensafe
  - Investigating iOS Voice Triggers
- Foxton Forensics
  - Proving copyright infringement with PageRecon
- Justin De Luna at ‘The DFIR Spot’
  - Evidence of Program Existence – Shimcache
- Dominique Calder & Sarah Hayes at Hexordia
  - Bootloader Unlocking a Google Pixel 6
- Angel Garrow at tcdi
  - Choosing the Right Setting for Your Digital Forensic Collections
- Vikas Singh
  - Browser Cache and Interrupted Downloads – Investigation Strategies
THREAT INTELLIGENCE/HUNTING
- Adam Goss
  - Discover MITRE’s CTI Blueprints: A Revolutionary New Project
- Allan Liska at ‘Ransomware Sommelier’
  - The Conjoined Triangle of Ransomware
- Kushalveer Singh Bachchas at AT&T Cybersecurity
  - The rise of ransomware: Strategies for prevention
- Madison Steel at AttackIQ
  - In the Cyber Jungle, the Mighty Mustang Panda Phishes Tonight
- Martin Zugec at Bitdefender
  - Bitdefender Threat Debrief | January 2024
- Blackberry
  - Mexican Banks and Cryptocurrency Platforms Targeted With AllaKore RAT
- Kim Brown at Blumira
  - Unveiling the Power of Sysmon: A Deep Dive into Threat Hunting
- Brad Duncan at Malware Traffic Analysis
- Censys
- CERT-AGID
  - Summary of malicious campaigns in the week of 20 – 26 January 2024
- Check Point
  - 22nd January – Threat Intelligence Report
- Nicole Hoffman at Cisco’s Talos
  - Significant increase in ransomware activity found in Talos IR engagements, while education remains one of the most-targeted sectors
- Coveware
  - New Ransomware Reporting Requirements Kick in as Victims Increasingly Avoid Paying
- Cyfirma
  - Weekly Intelligence Report – 26 Jan 2024
- Dragos
  - Dragos Industrial Ransomware Analysis: Q4 2023
- Ervin Zubic
- Expel
  - 2024 Annual Threat Report: findings and predictions
- Flashpoint
  - COURT DOC: Two Russian Nationals Charged in Separate Indictments with Fraud and Other Offenses Related to Hacking Campaigns
- Fortinet
  - Ransomware Roundup – Albabat
- GuidePoint Security
  - Annual GRIT Ransomware Report – 2023
- Haircutfish
- HuntIO
  - Introducing the Hunt.io C2 Feed
- Intel471
- Itochu Cyber & Intelligence
  - The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 – v0.7.3 Analysis
- Jeffrey Appel
  - Protect against QR Code phishing with Microsoft Defender products
- Koen Van Impe
  - Ivanti vulnerabilities – recap
- Kyle Cucci at SecurityLiterate
  - Creating Quick and Effective Yara Rules: Working with Strings
- Lab539
  - The Cyber Defenders Kill Chain (TCDO Part2)
- Malwarebytes
  - 2024 State of Ransomware in Education: 92% spike in K-12 attacks
- Alexander Marvi, Shawn Chew, and Punsaen Boonyakarn at Mandiant
  - Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021
- Marius Sandbu
  - Part two: Infection and lateral movement of Ransomware attack
- Manuel Arrieta at MaverisLabs
  - Building a Threat Hunt for SolarMarker TTPs
- Michael Haag at Splunk
  - Security Insights: Investigating Ivanti Connect Secure Auth Bypass and RCE
- Microsoft Security
  - Midnight Blizzard: Guidance for responders on nation-state attack
- Microsoft’s ‘Security, Compliance, and Identity’ Blog
  - Important Announcement: Deprecation of Search-AdminAuditLog and New-AdminAuditLogSearch cmdlets
- Axel Boesenach and Erik Schamper at NCC Group
  - Memory Scanning for the Masses
- Leandro Fróes at Netskope
  - Netskope Threat Labs Stats for December 2023
- Nikos Karouzos at Falcon Force
  - SOAPHound — tool to collect Active Directory data via ADWS
- Daniel Frank at Palo Alto Networks
  - Threat Assessment: BianLian
- Penetration Testing Lab
  - Domain Escalation – Backup Operator
- Pulsedive
  - PikaBot Rising
- Raymond Roethof
  - Microsoft Defender for Identity Recommended Actions: Stop clear text credentials exposure
- Recorded Future
  - Leaks and Revelations: A Web of IRGC Networks and Cyber Companies
- Red Alert
- Red Canary
  - Intelligence Insights: January 2024
- Red Siege Information Security
- ReliaQuest
  - Top Cyber-Threat Techniques in Q4 2023: What We’re Seeing
- SANS Internet Storm Center
  - Scans/Exploit Attempts for Atlassian Confluence RCE Vulnerability CVE-2023-22527, (Mon, Jan 22nd)
  - Update on Atlassian Exploit Activity, (Tue, Jan 23rd)
  - How Bad User Interfaces Make Security Tools Harmful, (Wed, Jan 24th)
  - Facebook AdsManager Targeted by a Python Infostealer, (Thu, Jan 25th)
  - A Batch File With Multiple Payloads, (Fri, Jan 26th)
- Nir Somech at Security Intelligence
  - PixPirate: The Brazilian financial malware you can’t see
- SentinelOne
- Simone Kraus
  - Sensor Mappings to ATT&CK (SMAP) — a concrete example of how to use the SMAP for a real world…
- SOCRadar
- Jonas Bülow Knudsen at SpecterOps
  - ADCS Attack Paths in BloodHound — Part 1
- Symantec Enterprise
  - The 2024 Ransomware Threat Landscape
- Sysdig
  - How Sysdig can detect Impersonation Attacks in Okta IdP (Joe Test)
- Taz Wake
  - Cybersecurity Incident Response in Large Enterprises
- Travis Green
  - TGI HUNT Ruleset Update
- Zach Bevilacqua at TrustedSec
  - From Zero to Purple
- Trustwave SpiderLabs
  - Trustwave SpiderLabs Detects Spike in Greatness Phishing Kit Attacks on Microsoft 365 Users
- Wiz
  - Cloud threat landscape
UPCOMING EVENTS
- Black Hills Information Security
- Cyborg Security
  - Threat Hunting Workshop 9: Hunting for Privilege Escalation
- Magnet Forensics
  - Ep.13 // Unlocking iOS 17’s Secrets – Exploring the Full File System
PRESENTATIONS/PODCASTS
- Chris Brenton and Bill Stearns at Active Countermeasures
  - Our Top Ten Network Tools and Techniques
- Black Hat
- Breaking Badness
  - 177. Just Around the COLDRIVER Bend
- Cellebrite
  - Sextortion Investigations – Victim’s Device
- Chris Sienko at the Cyber Work podcast
  - The Wild West era of data collection is over | Guest Sean Falconer
- CYBERWOX
  - SIEM Capabilities for SOC Analysts – Threat Hunting, Detection Engineering & Incident Response
- Digital Forensic Survival Podcast
  - DFSP # 414 – CRON Forensics
- Dr Josh Stroschein
  - How-To Install Arkime 4.0 in Linux – A Quick Guide on Installation and Processing PCAPs
- FIRST
  - FIRSTCTI23
- Hardly Adequate
  - Hardly a Week 3 January 22, 2024
- Huntress
  - How Defenders Analyze RMM Compromises
- InfoSec_Bret
  - SA -SOC210-212 – Possible Brute Force Detected on VPN
- Jai Minton
  - My password archive got CORRUPTED. Can it be repaired? – 010 Template Showcase
- John Hammond
- Karsten Hahn at Malware Analysis For Hedgehogs
  - Malware Analysis – Unpacking AutoIt stub with large obfuscated script
- Magnet Forensics
- Microsoft Threat Intelligence Podcast
  - North Korea Threat Landscape Update
- MSAB
- Richard Davis at 13Cubed
  - RDP Authentication vs. Authorization
- SalvationDataOfficia
  - Video Investigation Portable 2.0 |SalvationDATA|VIP2.0|DVR
- SANS
- The Defender’s Advantage Podcast
  - Is The CTI Lifecycle Due For An Update?
MALWARE
- 0ffset Training Solutions
  - Python Opcode Obfuscation: A Powerful Anti-Analysis Technique
- Any.Run
- Hady Azzam, Christopher Prest, and Steven Campbell at Arctic Wolf
  - CherryLoader: A New Go-based Loader Discovered in Recent Intrusions
- ASEC
- Fernando Martinez at AT&T Cybersecurity
  - The dark side of 2023 Cybersecurity: Malware evolution and Cyber threats
- Bridewell
  - ClearFake Campaign – Delivering Malware via “Fake Browser Updates”
- ElementalX
  - Priv8: Technical Analysis of Rage Stealer.
- Fortinet
- Alex Petrov at Hex Rays
  - Plugin focus: q3vm
- OALABS Research
  - VM Reverse Engineering Part 2 – Disassembly
- Patrick Wardle at Objective-See
  - Why Join The Navy If You Can Be A Pirate?
- Lucija Valentić at ReversingLabs
  - GitGot: GitHub leveraged by cybercriminals to store stolen data
- Ax Sharma at Sonatype
- Trend Micro
  - Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver
- Bernardo.Quintero at VirusTotal
  - Uncovering Hidden Threats with VirusTotal Code Insight
- Facundo Muñoz at WeLiveSecurity
  - NSPX30: A sophisticated AitM-enabled implant evolving since 2005
MISCELLANEOUS
- Brett Shavers
  - The most neglected skill in DFIR is….
- Cado Security
- Jonathan Munshaw at Cisco’s Talos
  - Why is the cost of cyber insurance rising?
- Craig Ball at ‘Ball in your Court’
  - Will AI Summarization Disrupt Discovery?
- Chris Brook at Digital Guardian
  - Favorite SOC Analyst Interview Questions
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
- Forensic Focus
  - Digital Forensics Round-Up, January 25 2024
- Magnet Forensics
  - Software Kernels: Unraveling Digital Forensics Intricacies
- MISP
  - MISPbot
- MSAB
  - Interim Report Q4, October-December 2023
- Open Source DFIR
  - Life of a GRR message
- Salvation DATA
- Siddhartha Ray Barua at Microsoft
  - WMI command line (WMIC) utility deprecation: Next steps
- System Weakness
SOFTWARE UPDATES
- Acelab
  - New version of the PC-3000 Mobile PRO 2.6x is available now
- Amped
  - Amped Replay Update 32077: Updated GUI, Support for Audio Files and Much More!
- Sergiy Pasyuta at Atola
  - TaskForce 2024.1 update ‒ Verify segmented hashes
- Capa
  - v7.0.0-beta
- Costas K
- Digital Sleuth
  - winfor-salt v2024.1.1
- dnSpyEx
  - v6.5.0-rc3
- ExifTool
  - ExifTool 12.74
- Invictus Incident Response
  - Major update (v 1.2) for the Microsoft Extractor Suite
- Manabu Niseki
  - Mihari v7.3.2
- Security Joes
  - MasterParser-v2.1
- OpenCTI
  - 5.12.23
- Simson L. Garfinkel
  - Announcing bulk_extractor 2.1.0
- Thiago Canozzo Lahr
  - uac-2.8.0
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!