As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- John Lukach at 4n6ir: Do NOT forget the AWS Amplify Logs
- Derek Eiri: Lionel Notari’s iOS Unified Log Acquisition Tool
- Steve Bunting at DFIR Review: How Did That Photo Get On That iPhone
- Forensafe: Investigating iOS Calendar
- Hal Pomeranz at ‘Righteous IT’: Orphan Processes in Linux
- Izzy Spering at Huntress: Analyzing a Malicious Advanced IP Scanner Google Ad Redirection
- Mailxaminer
- MSAB
- Salim Salimov: Studying “BazarCall to Conti Ransomware via Trickbot and Cobalt Strike”: Part 2
- The DFIR Report: From OneNote to RansomNote: An Ice Cold Intrusion
THREAT INTELLIGENCE/HUNTING
- Chris Brenton at Active Countermeasures: Check the Stats, Your Threat Hunting is Probably Broken
- Anton Chuvakin: Testing in Detection Engineering (Part 8)
- Any.Run: How to Use Cyber Threat Intelligence: the Basics
- Haya Schulmann at APNIC: Abuse of dangling DNS records on cloud platforms
- Madison Steel at AttackIQ: Cyber Sorcery: Confronting Lazarus Group – MagicRAT and TigerRAT Campaign
- AWS Security
- Binary Defense: Qakbot Strikes Back: Understanding the Threat
- Lawrence Abrams at BleepingComputer: Hosting firm’s VMware ESXi servers hit by new SEXi ransomware
- Brad Duncan at Malware Traffic Analysis: 2024-04-04: Koi Loader/Stealer activity
- BushidoToken: Strengthening Proactive CTI Through Collaboration
- CERT Ukraine: The Cybersecurity Factor (Фактор кібербезпеки)
- CERT-AGID: Summary of malicious campaigns in the week of 30 March – 05 April 2024 (Sintesi riepilogativa delle campagne malevole nella settimana del 30 Marzo – 05 Aprile 2024)
- Check Point
- CISA: Review of the Summer 2023 Microsoft Exchange Online Intrusion
- Cisco’s Talos
- Dylan Duncan at Cofense: Recently Updated Rhadamanthys Stealer Delivered in Federal Bureau of Transportation Campaign
- Bret at Cyber Gladius: Preventing DCSync Attacks
- Cyberknow: Initial Access Broker to Ransomware
- Cyble: Elevating the Stakes: The Enhanced Arsenal of the Fake E-Shop Campaign
- Cyfirma: Weekly Intelligence Report – 05 Apr 2024
- Alex Teixeira at Detect FYI: What Threat Detection is NOT about — before they sell it to you!
- DomainTools: The Resurgence of the “Manipulaters” Team – Breaking HeartSenders
- Security Onion: Security Onion and the xz Vulnerability
- Elastic Security Labs: 500ms to midnight: XZ / liblzma backdoor
- Emanuele De Lucia: XZ BackDoor (CVE-2024-3094): a Multi-Year Effort by an Advanced Threat Actor
- Embee Research
- Eric Conrad: Detecting Command and Control frameworks via Sysmon and Windows Event Logging
- Ervin Zubic: Phishing Attacks Exposed: Essential OSINT Investigation Tactics
- Esentire
- g0njxa: Profiling Traffers (Трафферы): GhostBusters (MMM)
- Google Cloud Threat Intelligence: Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
- Maddie Stone and James Sadowski at Google Threat Analysis Group: A review of zero-day in-the-wild exploits in 2023
- Neil Matani at Hackopia: How abuse and manipulation of access tokens leads to compromise
- Alice Climent Pommeret at Harfanglab: Raspberry Robin And Its New Anti-emulation Trick
- Intel471: Targeted Phishing Linked to ‘The Com’ Surges
- Lou Dell’Italia and Blake Cahen at IronNet: Volt Typhoon Threat Report
- Shachar Menashe, Jonathan Sar Shalom, and Brian Moussalli at JFrog: CVE-2024-3094 XZ Backdoor: All you need to know
- Jonathan Johnson
- Kelvin W: Using Generative AI to Predict Cyberattacks
- Kevin Beaumont at DoublePulsar: Inside the failed attempt to backdoor SSH globally — that got caught by chance
- Brian Krebs at Krebs on Security
- Jake O’Donnell at Logz.io: The Challenges of Rising MTTR — And What to Do
- Me!: MaliciousOauthAppDetections.json
- MITRE Engage™
- Rakesh Krishnan at Netenrich: Red CryptoApp: A New Threat Group in the Ransomware World
- Obsidian Security: How to Correctly Use Client IP Addresses in Okta Audit Logs to Improve Identity Security
- Proofpoint
- Red Alert: Monthly Threat Actor Group Intelligence Report, January 2024 (JPN)
- Nick Weber at Red Canary: The Trainman’s Guide to overlooked entry points in Microsoft Azure
- Red Siege Information Security: SSHishing – Abusing Shortcut Files and the Windows SSH Client for Initial Access
- ReliaQuest: SEO Poisoning
- Sandfly Security: XZ SSH Backdoor Detection Strategies
- SANS Internet Storm Center
- Sansec: Persistent Magento backdoor hidden in XML
- Gerardo Santos at Security Art Work: ATT&CK: The Box-Ticking Game (El juego de las casillas)
- Pedro Tavares at Segurança Informática: Beware: Venom RAT Strikes Latin America in Massive Phishing Campaign
- SOCRadar
- Sophos
- Stairwell: Threat report: xz backdoor
- Puja Srivastava at Sucuri: Magento Shoplift: Ecommerce Malware Targets Both WordPress & Magento CMS
- Tamara Chacon at Splunk: Detecting Lateral Movement with Splunk: How To Spot the Signs
- Floser Bacurio Jr., Bernadette Canubas, and Michaelo Oliveros at Trellix: SuperSize Me
- Christopher Boyton at Trend Micro: Unveiling the Fallout: Operation Cronos’ Impact on LockBit Following Landmark Disruption
- Thomas Millar at TrustedSec: Observations From Business Email Compromise (BEC) Attacks
- Karla Agregado at Trustwave SpiderLabs: Phishing Deception – Suspended Domains Reveal Malicious Payload for Latin American Region
- Greg Zemlin at Wiz: Defense in depth: XZ Utils
UPCOMING EVENTS
- Arctic Wolf
- Arman Gungor at Metaspike: Forensic Email Collector — Technology Showcase
- Cellebrite: Empowering Investigations with Data from the Cloud
- Hexordia: Hexordia Weekly CTF Challenge
- Magnet Forensics
PRESENTATIONS/PODCASTS
- Black Hills Information Security
- Breaking Badness: Breaking Badness Cybersecurity Podcast – 185. BECieze the Day
- Cellebrite: JOIN THE 101! The Best-In-Class Community for Digital Investigative Pros
- Cyber Social Hub
- Cyberwox: Analyzing Attacker Recon to Malware Installation – TryHackMe Incident Handling with Splunk (Part 1)
- Hardly Adequate: Catching up with Jacob Latonis
- InfoSec_Bret: Challenge – ImageStegano
- Jai Minton: UNDETECTED Discord MALWARE – Reverse Engineering Duvet Stealer, Electron malware used by HACKERS
- John Hammond
- Justin Tolman at AccessData: Synthetic Media’s Impact on Forensic Investigations with Bert Lyons of MedEx Forensics
- Karsten Hahn at Malware Analysis For Hedgehogs: Malware Analysis – JS to PowerShell to XWorm with Binary Refinery
- Magnet Forensics: Simplifying the digital investigation of Apple devices
- MSAB: XAMN Viewer Essentials – Part 2
- MyDFIR: Become a BETTER SOC Analyst | 5 Traits & Tips YOU MUST HAVE
- Nuix: Nuix Discover An End to end Demonstration – with Emily Tice
- Richard Davis at 13Cubed: The Ultimate Guide to Arsenal Image Mounter
- Sandfly Security: Agentless File Integrity Monitoring on Linux to Detect Compromised Servers
- SANS
- SANS Cyber Defense
- Security Conversations: Costin Raiu joins the XZ Utils backdoor investigation
- The DFIR Report podcast: From OneNote to RansomNote: An Ice Cold Intrusion
MALWARE
- Artem Baranov at A blog about rootkits research and the Windows kernel: GMER – the art of exposing Windows rootkits in kernel mode
- Adam Goss: How to Automatically Deploy a Malware Analysis Environment
- AK1001: Unpacking the Endgame: Strategies for Quick Dumping Final Stage Malware — Part 1
- Anthony Weems: Xzbot
- Any.Run: Quickly Check if a Sample is Malicious with ANY.RUN’s Process Tree
- ASEC
- Cyber 5W: How to analyze JavaScript obfuscation
- Dr Josh Stroschein: Malware Mondays Episode 01 – Identifying Malicious Activity in Process Monitor (ProcMon) Data
- Dr. Ali Hadi at ‘Binary Zone’
- Pei Han Liao at Fortinet: Byakugan – The Malware Behind a Phishing Attack
- Anuradha and Preksha at McAfee Labs: Distinctive Campaign Evolution of Pikabot Malware
- One Night in Norfolk: North Korea’s Post-Infection Python Payloads
- Penetration Testing Lab: Persistence – DLL Proxy Loading
- Plainbit
- ReversingLabs: Malicious helpers: VS Code Extensions observed stealing sensitive information
- SonicWall
- Sakthi Chandra at ZScaler: Exposing the Dark Side of Public Clouds – Combating Malicious Attacks on Workloads
MISCELLANEOUS
- AK1001: Mastering Malware Analysis: A Journey through SANS FOR610 and GREM Certification
- Belkasoft: Why choose Belkasoft X for digital forensics and cyber incident response?
- Brett Shavers: Let me break your mind, DFIR.
- Joseph Naghdi at Computer Forensics Lab: Digital Forensics Investigations and What Digital Forensic Investigators Do
- Dr. Brian Carrier at Cyber Triage: How To Investigate Endpoints with Cyber Triage and Windows Defender
- Elan at DFIR Diva: Free & Affordable Training News Monthly: March – April 2024
- Forensic Focus
- Howard Oakley at ‘The Eclectic Light Company’: APFS: Containers and volumes
- Kevin Pagano at Stark 4N6: Forensics StartMe Updates (4/1/2024)
- MISP: MISP – Elastic Stack – Docker Lab
- Salvation DATA: How Does a Computer Forensics Expert Witness Prepare for Testifying in Court?
- SANS: A Visual Summary of SANS New2Cyber Summit 2024
- The Leahy Center for Digital Forensics & Cybersecurity: CyberRange Team: Creating The Perfect Sandbox Environment
SOFTWARE UPDATES
- Apache: Tika – Release 2.9.2 – 3/26/2024
- Arsenal Recon: Arsenal Image Mounter Changelog – v3.11.282
- Atola: Insight Forensic 5.5 – Image 3 iSCSI drives in parallel
- Brim: v1.7.0
- Datadog Security Labs: GuardDog v1.5.7
- Digital Detective: NetAnalysis® v3.8: Enhanced Browser Support for Digital Forensic Investigations
- Digital Sleuth: winfor-salt v2024.6.1
- Security Onion: Security Onion 2.3.300 now available!
- Eric Zimmerman: ChangeLog
- Federico Lagrasta: PersistenceSniper v1.16.0
- GCHQ: CyberChef v10.15.1
- Martin Willing: Microsoft-Analyzer-Suite (Community Edition)
- Metaspike: Forensic Email Collector (FEC) Changelog – v3.89.0.16
- OpenCTI: 6.0.9
- Passware: Passware Kit 2024 v2 Now Available
- Phil Harvey: ExifTool 12.82 – “GM PDR”
- radare2: 5.9.0 – Codename “Hyperborean”
- Serviço de Perícias em Informática: IPED Fix Release
- Unpacme: UnpacMe 8.0.0 – YARA Rule Management, Shared Rules, AV Detects, .NET Analysis, Icons, and Much More
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!