As always, thanks to those who give a little back for their support!
If you haven’t seen, I’ve also been writing my thoughts on some of the articles posted weekly at patreon.com/thisweekin4n6!
FORENSIC ANALYSIS
Sherlock — “Unit42” - Alexander Tasse
Front Porch Digital Forensics - Justin Seitz at Bullsh*t Hunting
Investigating an Apache Log in the Linux Command Line - Digital Daniela
Hexordia CTF – Week 3 - Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
- Elcomsoft
Prefetch Analysis Lab - Eric Capuano
Investigating Apple Known Wi-Fi Networks - Forensafe
LOLBin to INC Ransomware | Huntress - Huntress
Update to my Vipps App post - Lorena Carthy-Wilmot
App K-9 Mail for Android - Marco Neumann at ‘Be-binary 4n6’
New Microsoft Incident Response guide helps simplify cyberthreat investigations - Microsoft Security
Studying “BazarCall to Conti Ransomware via Trickbot and Cobalt Strike”: Part 4-Memory forensics… - Salim Salimov
From IcedID to Dagon Locker Ransomware in 29 Days - The DFIR Report
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
YARA Rules: Empower Your Security With Custom Detections - Adam Goss
Reading the Mandiant M-Trends 2024 - Anton Chuvakin
Analysis of TargetCompany’s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware) - Sanseo at ASEC
An Update on Akira Ransomware - Avertium
Exploring The Spectrum of Threat Intelligence Types - Bitdefender
At Home Detection Engineering Lab for Beginners - Niccolo Arboleda at Black Hills Information Security
New Latrodectus malware attacks use Microsoft, Cloudflare themes - Lawrence Abrams at BleepingComputer
Analysis of the ArcaneDoor Threat Infrastructure Points to Possible Links to Chinese Actors - Censys
- CERT-AGID
29th April – Threat Intelligence Report - Check Point
Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity - CISA
James Nutland studies what makes threat actors tick, growing our understanding of the current APT landscape - Jonathan Munshaw at Cisco’s Talos
Déjà Vu or New View: Latest Okta Credential Stuffing Campaign - Ian Ahl at Cloud Chronicles
Threat Actor profile: SideCopy - Cyble
Attack trends: Cloud-Based Cyber-Attacks and the Rise of Alternative Initial Access Methods - Darktrace
- DomainTools
Using CTI to Help Predict Vulnerability Exploitability - Flare
COURT DOC: Justice Department Charges Four Iranian Nationals for Multi-Year Cyber Campaign Targeting U.S. Companies - Flashpoint
Uncharmed: Untangling Iran’s APT42 Operations - Google Cloud Threat Intelligence
- Google Online Security Blog
2024 Verizon DBIR: Surviving the Year of the Vuln - GreyNoise
The way of the Cookie - IronPeak
- Jouni Mikkola at “Threat hunting with hints of incident response”
Why sneak when you can walk through the front door – A Love letter to Password Spraying against M365 in Red Team Engagements - Sunny Chau at Jumpsec Labs
Investigating Microsoft Graph Activity Logs - Bert-Jan Pals at KQL Query
A Summary of 6 Months Tracking AiTM Campaigns - Lab539
SE101: Phishing Attack Overview and Breakdown - Steve Spence at Lares Labs
The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen - Yashvi Shah, Lakshya Mathur and Preksha Saxena at McAfee Labs
- Microsoft Security
- MITRE-Engenuity
SigmaHQ Rules Release Highlights — r2024–04–29 - Nasreddine Bencherchali
DDoS Takes Center Stage on the Global Threat Landscape - Netscout
MITRE ATT&CK v15: A Deeper Dive into SaaS Identity Compromise - Obsidian Security
Unlocking insights: highlights from the 2024 Verizon Data Breach Investigations Report (DBIR) - Nik Earnest at OpenText
Devious Python Build Requirements - Charles Coggins at Phylum
- Red Alert
The detection engineer’s guide to Linux - Madhav Nakar at Red Canary
Ransomware and Cyber Extortion in Q1 2024 - ReliaQuest
- ReversingLabs
- SANS Internet Storm Center
- D-Link NAS Device Backdoor Abused, (Mon, Apr 29th)
- Linux Trojan – Xorddos with Filename eyshcjdmzg, (Mon, Apr 29th)
- Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474, (Tue, Apr 30th)
- Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796, (Thu, May 2nd)
- nslookup’s Debug Options, (Sun, May 5th)
Managed Detection and Response in 2023 - Securelist
Guarding Democracy: Assessing Cyber Threats to 2024 Worldwide Elections - Sekoia
macOS Adload | Prolific Adware Pivots Just Days After Apple’s XProtect Clampdown - Phil Stokes at SentinelOne
The State of Ransomware 2024 - Sally Adam at Sophos
- SpecterOps
Hunting M365 Invaders: Dissecting Email Collection Techniques - Splunk
Graph: Growing number of threats leveraging Microsoft API - Symantec Enterprise
A Bird’s-eye view: IceID to Dagon Locker (The DFIR Report) - Casey Smith at Thinkst Thoughts
Router Roulette: Cybercriminals and Nation-States Sharing Compromised Networks - Feike Hacquebord and Fernando Merce at Trend Micro
Full Disclosure: A Look at a Recently Patched Microsoft Graph Logging Bypass – GraphNinja - nyx geek at TrustedSec
Verizon DBIR 2024 - Verizon
UPCOMING EVENTS
CTF Challenge: Captured by Cado - Cado Security
Ep. 16 // Exploring the Possibilities of iOS Shortcuts in Mobile Investigations - Magnet Forensics
Guess What is Next on Infosec Toolshed - Mark Baggett
Security Onion Conference 2024 Save the Date and CFP - Security Onion
PRESENTATIONS/PODCASTS
Digital Forensics Now – Episode 17 - Alexis Brignoni
Phishing websites reporting playbooks-short - Archan Choudhury at BlackPerl
- Black Hills Information Security
sparse files tutorial – how to use them with Windows, Linux, and Mac OS - BlueMonkey 4n6
Breaking Badness Book Club with Dimitri Alperovitch - Breaking Badness
E9 Understanding the Current State of Ransomware - Cyber from the Frontlines
- Cyber Social Hub
- Advantages to Virtualizing The Suspect Machine During an Investigation
- Brandon Epstein with Medex Forensics live at IACIS 2024
- Live from IACIS 2024 in Orlando Florida with Gene Shantz!
- Live from IACIS 2024 in Orlando with Bill Oettinger
- Live in Orlando, FL at the 2024 IACIS Annual Training Event with Alan Thomas
Modern Detection Engineering w/ Jimmy Vo | CYBER STORIES EP 15 - Cyberwox
Sneak Peek: New Detections Feature coming in Security Onion 2.4.70! - Security Onion
Uncover Hidden Data! Try This Dynamic DFIR Lab for Expert Prefetch Analysis! (Must Try!) - Gerald Auger at Simply Cyber
- Hardly Adequate
- Jai Minton
Malware Simulators cannot test Antivirus Software - Karsten Hahn at Malware Analysis For Hedgehogs
- Magnet Forensics
XRY Device Manual - MSAB
- MyDFIR
Creative Windows Evasion and Forensics - Off By One Security
- SANS
LABScon23 Replay | From Vulkan to Ryazan – Investigative Reporting from the Frontlines of Infosec - SentinelOne
M-Trends 2024 with Mandiant Consulting Vice President Jurgen Kutscher - The Defender’s Advantage Podcast
Velociraptor Release 0.72 Video Walkthrough - Velocidex Enterprises
MALWARE
Identifying Cross References with Capstone Disassembler and PEFile - 0ffset Training Solutions
Guntior – the story of an advanced bootkit that doesn’t rely on Windows disk drivers - Artem Baranov
Playing Possum: What’s the Wpeeper Backdoor Up To? - Alex.Turing, Acey9, and heziqian at XLab
Scaly Wolf’s new loader: the right tool for the wrong job - BI.Zone
Malware Manual unpacking - Mostafa Farghaly at Cyber 5W
- Elastic Security Labs
D3F@ck Loader, the New MaaS Loader - Esentire
New “Goldoon” Botnet Targeting D-Link Devices - Cara Lin and Vincent Li at Fortinet
From Assistant to Analyst: The Power of Gemini 1.5 Pro for Malware Analysis - Google Cloud Threat Intelligence
No Dev Team? No Problem: Writing Malware and Anti-Malware With GenAI - Kelvin Winborne
Kapeka: A new toolkit in Arsenal of SandStorm - Swachchhanda Shrawan Poudel at Logpoint
Malware Development, Analysis and DFIR Series – Part II - Nithin Chenthur Prabhu
COSMU File Infector - OALABS Research
- S2W Lab
- SonicWall
Mal.Metrica Redirects Users to Scam Sites - Ben Martin at Sucuri
Static Malware Analysis: Techniques & Challenges - Mike Blinkman at System Weakness
Analyzing Malware in Binaries and Executables with AI - Bernardo Quintero at VirusTotal
HyperScaling Malware Analysis - VMRay
Malware development trick 38: Hunting RWX – part 2. Target process investigation tricks. Simple C/C++ example. - Zhassulan Zhussupov
Zloader Learns Old Tricks - Santiago Vicente at ZScaler
MISCELLANEOUS
Incident Investigation – Part 2: Working with the Incident Investigations team - CCL Solutions
Intel 471 Acquires Cyborg Security to Expand Its Cyber Threat Intelligence Portfolio with Innovative Threat Hunting Capabilities - Cyborg Security
Free & Affordable Training News Monthly: April – May 2024 - Elan at DFIR Diva
F-Response and USB Detective - F-Response
Digital Forensics Round-Up, May 01 2024 - Forensic Focus
Ransomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting Infrastructure, Identities and Endpoints - Google Cloud Threat Intelligence
Breaking down Microsoft’s pivot to placing cybersecurity as a top priority - Kevin Beaumont at DoublePulsar
- Magnet Forensics
Digital Forensics Triage Explanation Along With CFFTPM Tutorial - Mail Xaminer
Digital Forensics Triage Explanation Along With CFFTPM Tutorial - Mohit at Mailxaminer
Interim Report Q1, January to March 2024 - MSAB
- Oxygen Forensics
Threat Hunting vs. Incident Response: What’s the Difference? - Prodaft
Plan for When… - Macie Thompson at Recon Infosec
- SANS
- Insane Incident Incursion Recursion: Mastering Incident Response Reporting Regulations
- Deploying Multi Factor Authentication – The What, How, and Why
- Spring 2024 Update: Explore the Latest Enhancements to SANS FOR585: Smartphone Forensic Analysis In-Depth
- How AI and ML are Changing Mobile Device Forensics Investigations
- Unveiling the 2024 SANS | GIAC Cyber Workforce Research Report: Building and Sustaining Mid-Level Cybersecurity Roles
- Building a Cloud Security Flywheel: Lessons from the Field
SOFTWARE UPDATES
- Alexis Brignoni
- Cellebrite
3.10 adds Linux, Domain Controllers, and Fuzzy Malware Scanning for DFIR - Cyber Triage
winfor-salt v2024.8.2 - Digital Sleuth
Passcode removal requirement dropped for most checkm8 extractions - Elcomsoft
Forensic Email Collector (FEC) Changelog – 4.0.63.1276 - Metaspike
THOR’s Power Unleashed: Multi-Threading for the Masses - Nextron Systems
Velociraptor 0.7.2 Release: Digging Deeper than Ever with EWF Support, Dynamic DNS and More - Dr. Mike Cohen and Carlos Canto at Rapid7
Wintriage: Released version 28042024 - Securizame
r2024-04-29 - Sigma
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!