As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Belkasoft
  - Android WhatsApp Forensics. Part II: Analysis
- Cyber 5W
  - NTFS Artifacts Analysis
- Dr. Brian Carrier at Cyber Triage
  - DFIR Next Steps: What to do after you find a suspicious Windows Network Logon Session
- Doug Metz at Baker Street Forensics
  - MAGNET Virtual Summit 2024 Capture the Flag
- David Stenhouse at DS Forensics
  - Microsoft Office Alerts (“OAlerts”)
- Elcomsoft
  - checkm8: Advancements in iOS 16 Forensic Extraction
- Forensafe
- Intrinsec
  - Addressing Forensic Challenges in Ivanti Pulse Secure Environments with Automated AES Key Recovery
- Justin De Luna at ‘The DFIR Spot’
  - Evidence of Program Existence – Amcache
- MuSecTech
  - AChoirX and Android – Another Rabbit Hole
- Sarah Hayes at Hexordia
  - Deserializing NSKey Archives
- Jeremy McBroom at “Yeah, I have a question…”
  - CyberDefenders: Tomcat Takeover
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
- Adam Goss
  - The Cyber Kill Chain: How to Map and Analyze Cyber Attacks
- Axelarator
  - A CTI Analyst Homelab
- BI.Zone
  - Mysterious Werewolf hits defense industry with new RingSpy backdoor
- Blackberry
  - Systems Under Siege: BlackBerry Report Reveals Millions of Attacks Targeting Critical Infrastructure
- Brad Duncan at Malware Traffic Analysis
- CERT-AGID
- Check Point
- Cisco’s Talos
- CTF导航
- Cyble
- Cyborg Security
- Cyfirma
  - Weekly Intelligence Report – 15 Mar 2024
- Martin McCloskey at Datadog Security Labs
  - Tales from the cloud trenches: Using malicious AWS activity to spot phishing campaigns
- Sean Muehlenhardt Whitley and Lauren Parker at Elastic Security Labs
  - Sinking macOS Pirate Ships with Elastic Behavior Detections
- Falco
  - Blog: Preventing attacker persistence with Falco on AWS
- Flare
  - LockBit’s Conversation on XSS Forum with an Initial Access Broker
- Flashpoint
  - COURT DOC: Iranian National Charged for Multi-Year Hacking Campaign Targeting U.S. Defense Contractors and Private Sector Companies
- Shunichi Imano and Fred Gutierrez at Fortinet
  - Ransomware Roundup – RA World
- Ron Bowes at GreyNoise Labs
  - Where are they now? Starring: Confluence CVE-2023-22527
- GuidePoint Security
  - GRIT Ransomware Report: February 2024
- Hornet Security
  - Monthly Threat Report March 2024: A Month Full of Far-Reaching Cyberattacks
- Rebecca Lumley at Hunt & Hackett
  - iSoon leak sheds light on China’s use of extensive hacker-for-hire ecosystem
- Faith Stratton and Harlan Carvey at Huntress
  - Using Backup Utilities for Data Exfiltration | Huntress Blog
- INKY
  - Fresh Phish: Leveraging Legitimate Adobe and Constant Contact Tools in a Multi-Layered Phishing Attack
- Jouni Mikkola at “Threat hunting with hints of incident response”
  - Threat hunting for signs of credential dumping
- Malwarebytes
- Sean Muehlenhardt Whitley and Lauren Parker at MITRE-Engenuity
  - See Further with the Sightings Ecosystem
- Nasreddine Bencherchali
  - SigmaHQ Rules Release Highlights — r2024–03–11
- Plainbit
  - i-SOON leaks: An overview of Chinese data leakage
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, January 2024 (KOR)
- Red Canary
  - Inside the 2024 Threat Detection Report
- ReliaQuest
- Resecurity
- SANS Internet Storm Center
  - What happens when you accidentally leak your AWS API keys? [Guest Diary], (Sun, Mar 10th)
  - Using ChatGPT to Deobfuscate Malicious Scripts, (Wed, Mar 13th)
  - Increase in the number of phishing messages pointing to IPFS and to R2 buckets, (Thu, Mar 14th)
  - 5Ghoul Revisited: Three Months Later, (Fri, Mar 15th)
  - Obfuscated Hexadecimal Payload, (Sat, Mar 16th)
- Sergey Puzan at Securelist
  - What’s in your notepad? Infected text editors target Chinese users
- Dheeraj Kumar and Ella Dragun at Securonix
  - Securonix Threat Labs Monthly Intelligence Insights – February 2024
- Sekoia
  - Unveiling the depths of Residential Proxies providers
- SOCRadar
  - Dark Web Profile: Meow Ransomware
- Sean Gallagher, Anna Szalay, Andrew Brandt, and Chester Wisniewski at Sophos
  - The 2024 Sophos Threat Report: Cybercrime on Main Street
- Duane Michael at SpecterOps
  - Misconfiguration Manager: Overlooked and Overprivileged
- Splunk
- Stephan Berger
  - Azure Batch Misused for Crypto Mining
- Ben Martin at Sucuri
  - What is .htaccess Malware? (Detection, Symptoms & Prevention)
- Symantec Enterprise
  - Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption
- Stefano Chierici at Sysdig
  - Cloud Threats deploying Crypto CDN
- Dina Temple-Raston, Sean Powers, and Jade Abdul-Malik at The Record
  - Exclusive: After LockBit’s takedown, its purported leader vows to hack on
- Viktor Sahin-Uppströmer at Truesec
  - Understanding the Threat: What is Business Email Compromise?
- Arthur Erzberger at Trustwave SpiderLabs
  - Ukrainian Intelligence Claims Successful Compromise of the Russian Ministry of Defense
- Raimundo Alcázar at VirusTotal
  - Know your enemies: An approach for CTI teams
- Wesley Neelen at Zolder B.V.
  - Building a AITM attack tool in Cloudflare Workers (174 LOC)
UPCOMING EVENTS
- Cellebrite
  - 5 Reasons You Can’t Miss the Cellebrite C2C User Summit 2024
- UnderDefense
  - Detecting invisible: blind EDR & passwords stealers on MacOS
- Magnet Forensics
  - Ep. 14 // Logging La Vida Loca
PRESENTATIONS/PODCASTS
- ADF Solutions
  - A Spark of Hope Fighting Against CSAM: Conversation with Guidel Olivas
- Adversary Universe Podcast
  - CrowdStrike CSO Shawn Henry on Election Security, Nation-State Threats and His FBI Career
- Alexis Brignoni
  - Is support in life support?
- Black Hat
  - Millions of Patient Records at Risk: The Perils of Legacy Protocols
  - How I Learned to Stop Worrying and Build a Modern Detection & Response Program
  - REDIScovering HeadCrab – A Technical Analysis of a Novel Malware and the Mind Behind It
  - AutoSpill: Zero Effort Credential Stealing from Mobile Password Managers
  - Deleting Your Domain? Preventing Data Leaks at TLD Scale
- Black Hills Information Security
- Breaking Badness
  - Breaking Badness Cybersecurity Podcast – 182. Call to ARMs
- Cellebrite
  - Tips and Tricks on Cellebrite Inseyets Powered by Physical Analyzer
- Cyber Social Hub
- Digital Forensic Survival Podcast
  - DFSP # 421 – Memory Lane: Fileless Linux Attacks Unraveled
- Hardly Adequate
  - Hardly a Week 10 March 11, 2024
- InfoSec_Bret
  - Challenge – RegistryHive
- Jai Minton
  - The Dark Tortilla Crypter is pretty harsh on your eyes – Malware Analysis
- John Hammond
  - Don’t Use CyberChef. Use This Instead.
- Justin Tolman at AccessData
  - FTK Feature Focus – Searching vs Filtering the content of Documents – Episode 61
- Karsten Hahn at Malware Analysis For Hedgehogs
  - Malware Theory – Unpacking Approaches and Methods
- Magnet Forensics
- MSAB
  - XAMN Viewer & XAMN Pro Comparison
- MyDFIR
  - Active Directory Project (Home Lab) | Part 3
- Nextron Systems
  - THOR Legacy – Compromise Assessment on Windows XP
- Off By One Security
  - Windows Internals: What is the CONTEXT structure
- Palo Alto Networks Unit 42
  - Active Campaigns Report | Beyond the Hunt Episode 1 | Unit 42
- Paraben Corporation
  - Making an investigations account
- Sumuri
  - SUMURI Podcast Episode 020 – How do ICAC task forces REALLY work? w/ Debbie Garner
- The Defender’s Advantage Podcast
  - Director of NSA’s Cybersecurity Collaboration Center on Trends in 2024
- The DFIR Report podcast
  - DFIR Discussions: SEO Poisoning to Domain Control: The Gootloader Saga Continues
- The X-Terminator (X-Ways Clips Channel)
MALWARE
- ASEC
- Ben Lee
  - Malware Analysis IoT Case Study — Mirai/Echobot
- Max Gannon at Cofense
  - SVG Files Abused in Emerging Campaigns
- Cyber 5W
  - Matanbuchus Loader Detailed Analysis
- Dr Josh Stroschein – The Cyber Yeti
  - Ease Shellcode Analysis with SCLauncher! Learn how to wrap shellcode into a PE file
- Amit Tambe at F-Secure
  - Android malware disguised as wedding invitation sent to senior citizens
- Yurren Wan at Fortinet
  - VCURMS: A Simple and Functional Weapon
- Fortra’s PhishLabs
  - Dark Web Actors Overwhelmingly Target Card Data, Finance in Q4
- G Data Security
  - RisePro stealer targets Github users in “gitgub” campaign
- Brian Baskin at Ghetto Forensics
  - Huntress CTF 2023 – Unique Approaches to Fun Challenges
- Igor Skochinsky at Hex Rays
  - Igor’s Tip of the Week #178: Field representation attributes
- Nicole Fishbein at Intezer
  - .NET Malware 101: Analyzing the .NET Executable File Structure
- Josh Mitchell and Marc Messer at Kroll
  - LESLIELOADER – Undocumented Loader Observed
- Kyle Cucci at SecurityLiterate
  - Unpacking Strela Stealer
- ZePeng Chen and Wenfeng Yu at McAfee Labs
  - Android Phishing Scam Using Malware-as-a-Service on the Rise in India
- Jan Michael Alcantara at Netskope
  - From Delivery To Execution: An Evasive Azorult Campaign Smuggled Through Google Sites
- Amanda Tanner, Anthony Galiette and Jerome Tujague at Palo Alto Networks
  - Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled
- Karlo Zanki at ReversingLabs
  - BIPClip: Malicious PyPI packages target crypto wallet recovery passwords
- RussianPanda
  - The GlorySprout or a Failed Clone of Taurus Stealer
- SonicWall
- Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun at Trend Micro
  - CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign
- Jason Reaves and Joshua Platt at Walmart
  - NewBot Loader
- Zhassulan Zhussupov
  - Malware development: persistence – part 24. StartupApproved. Simple C example.
MISCELLANEOUS
- Fabian Mendoza at AboutDFIR
  - AboutDFIR Site Content Update – 03/15/2024
- Shelby Perry at Active Countermeasures
  - PCAPchu: Real Big Phish
- Brett Shavers at ‘The X-Ways Forensics Practitioner’s Guide/2E’
  - XWF Practitioner’s Guide, 3rd Edition
- Cado Security
  - Cado Introduces Support of SaaS Environments to Expedite Response to Microsoft 365 Compromises
- Forensic Focus
- Christa Miller at Forensic Horizons
  - Artificial Intelligence in Forensic Sciences: A (Book) Review
- Magnet Forensics
- Matt Shannon at F-Response
  - Apple OSX and Full Disk Access
- MISP
  - Introducing Standalone Functionality to MISP Modules – A New Era of Flexibility and Efficiency
- Prodaft
  - What Is Traffic Light Protocol (TLP) in Cybersecurity?
- Grace Chi at Pulsedive
  - Pulsedive Plan Updates
- Sarah Wisbar at SANS
  - Beyond Management: Becoming a Leader in Your SOC
- John Patzakis at X1
  - Microsoft 365 Modern Attachments Pose Significant eDiscovery Challenges and Risk
SOFTWARE UPDATES
- Andrea Palmieri
  - seads – Search Engine ADs Scanner
- Digital Detective
  - NetAnalysis® v3.7 and HstEx® v5.7 Released
- Elcomsoft
  - Bootloader-level extraction for 16.7.6 and 15.8.2
- Eric Zimmerman
  - ChangeLog
- ExifTool
  - ExifTool 12.79
- Foxton Forensics
  - Browser History Examiner — Version History – Version 1.20.5
- Mazars Tech
  - AD_Miner v1.2.0
- Open Source DFIR
  - Plaso 20240308 released
- OpenCTI
  - 6.0.7
- Prowler
  - Prowler
- Sigma
  - r2024-03-11
- Three Planet Software
- Rapid7
  - Velociraptor 0.72 Release
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!