As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Atola Technology
  Uncovering AFF4: File Format Essentials And Imaging
  
  
• Bret at Cyber Gladius
  Incident Response Plan: Windows Data Collection
  
  
• Brian Carrier at Cyber Triage
  Adaptive vs Static File Collections for DFIR
  
  
• Deagler’s 4n6 Blog
  • Hexordia Weekly CTF Challenge 2024 – Week 3 Writeup
  • Hexordia Weekly CTF Challenge 2024 – Week 4 Writeup
    
    
• Decrypting a Defense
  Connected Cars, FCC Fines, Biometric Bans, License Plate Readers & More
  
  
• Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  Hexordia CTF – Week 4
  
  
• Forensafe
  Investigating Samsung Clipboard
  
  
• Hal Pomeranz at ‘Righteous IT’
  Systemd Timers
  
  
• Justin De Luna at ‘The DFIR Spot’
  SUM UAL – Investigating Server Access with User Access Logging
  
  
• Lionel Notari
  iOS Unified Logs – Driving and Motion states
  
  
• MikeCyberSec
  Managing a DFIR Knowledge Base
  
  
• Jeremy McBroom at Yeah, I have a question…
  • Day 1 of Windows Forensic Examinations: Forensic Fundamentals
  • Day 2 of Windows Forensic Examinations: Master Boot Record
  • Day 3 of Windows Forensic Examinations: Master File Table
  • Day 4 of Windows Forensic Examinations: Windows Events
  • Day 5 of Windows Forensic Examinations: Pagefile, Swapfile & Hiberfil
    
    
• 博客园 – Pieces0310
  Alternatives of extracting chat messages of certain App – Pieces0310
  

THREAT INTELLIGENCE/HUNTING

• Faan Rossouw at Active Countermeasures
  Malware of the Day – AsyncRAT
  
  
• Adam Goss
  5 Cyber Kill Chain Challenges and How to Prevail
  
  
• Fortra PhishLabs
  Active Phishing Campaign: Meta Business Support Chat
  
  
• Any.Run
  How to Use Threat Intelligence Feeds
  
  
• Christine Barry at Barracuda
  Rhysida ransomware: The creepy crawling criminal hiding in the dark
  
  
• Brad Duncan at Malware Traffic Analysis
  2024-05-09: GootLoader activity
  
  
• CERT-AGID
  • Phishing multibanking sfrutta nome e loghi della Presidenza del Consiglio dei Ministri
  • Sintesi riepilogativa delle campagne malevole nella settimana del 4 – 10 Maggio 2024
    
    
• Chainalysis
  How To Use Blockchain Intelligence To Investigate Crypto Crime
  
  
• Check Point
  • 6th May – Threat Intelligence Report
  • Stop Chasing Breaches: Build a Resilient Security Architecture
  • April 2024’s Most Wanted Malware: Surge in Androxgh0st Attacks and the Decline of LockBit3
    
    
• Yehuda Gelb at Checkmarx Security
  Instant Breach: Malicious Package Compromise — Victim vs Attacker’s POV
  
  
• CISA
  #StopRansomware: Black Basta
  
  
• Permiso
  Unmasking Adversary Cloud Defense Evasion Strategies: Modify Cloud Compute Infrastructure Part 1
  
  
• CTF导航
  • Dissecting Windows Malware Series – Creating Malware-Focused Network Signature – Part 5
  • Technical Deep Dive: Understanding the Anatomy of a Cyber Intrusion
  • Custom Beacon Artifacts
    
    
• Cyberdom
  Lost in the Cloud Logs – AWS CloudTrail – HIDDEN_DUE_TO_SECURITY_REASONS
  
  
• Cybereason
  Behind Closed Doors: The Rise of Hidden Malicious Remote Access
  
  
• Cyble
  In the Shadow of Venus: Trinity Ransomware’s Covert Ties 
  
  
• Cyfirma
  Weekly Intelligence Report – 10 May 2024
  
  
• Detect FYI
  • The Structure and Taxonomy of a Detection Knowledge Base
  • Security Monitoring — Developing Use Cases
  • The Effortless Solution: Automating IOCs Lookup Table Updates in Splunk
  • Impair Defenses [T1562.012]: Detect Linux Audit Logs Tampering (Part 1)
    
    
• Dirk-jan Mollema
  Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes
  
  
• Esentire
  • SocGholish Sets Sights on Victim Peers
  • FIN7 Uses Trusted Brands and Sponsored Google Ads to Distribute MSIX Payloads
    
    
• Flashpoint
  COURT DOC: U.S. Charges Russian National with Developing and Operating LockBit Ransomware
  
  
• Fortinet
  Key Findings from the 2H 2023 FortiGuard Labs Threat Report
  
  
• g0njxa
  Profiling Traffic: Cerberus (ex-Amnesia)
  
  
• InfoSec Write-ups
  • WolvCTF 2024: Forensics Challenges
  • Defense against Ransomware
  • Incident Response: A Comprehensive Guide for Businesses and Cybersecurity Professionals
  • Start Threat Hunting with YARA Rules
    
    
• Intel471
  • Exploits, Access, Extortion: Know Your Enemy in 2024 and Beyond
  • Alleged LockBit Ransomware Gang Leader Named
    
    
• Intrinsec
  Matanbuchus & Co: Code Emulation and Cybercrime Infrastructure Discovery
  
  
• Jamy Casteel at Kroll
  An Offensive Security Perspective on Hacking the Cloud: Five AWS and Azure Cloud Security Threats to Focus On
  
  
• Kashinath T Pattan at Juniper Networks
  Protecting Networks from Opportunistic Ivanti Pulse Secure Vulnerability Exploitation
  
  
• KELA Cyber Threat Intelligence
  Catch Me If You Can: The LockBit Edition – Explained
  
  
• Brian Krebs at Krebs on Security
  U.S. Charges Russian Man as Boss of LockBit Ransomware Group
  
  
• Ugur Koc and Bert-Jan Pals at Kusto Insights
  Kusto Insights – April Update
  
  
• Marcus Edmondson at ‘The Threat Hunter’s Dilemma’
  Stacking in Velociraptor in 1 Minute
  
  
• Priyanka Agarwal at Microsoft’s ‘Security, Compliance, and Identity’ Blog
  Using the Microsoft Purview Audit Search Graph API
  
  
• Mohammed AlAqeel (AlJawarneh)
  DFIR/DTR Tip: New Technique: Abusing WER for LSASS Memory Dumps (LSASS Shtinkering)
  
  
• Obsidian Security
  • Emerging Identity Threats: The Muddy Waters of Residential Proxies
  • Identity Threat Alert: Prevent Attackers from Bypassing the IdP to Log-in to Salesforce
    
    
• Grace Chi at Pulsedive
  Sharing, Compared Part 3: How Can We Improve?
  
  
• Tyler McGraw, Thomas Elkins, and Evan McCann at Rapid7
  Ongoing Social Engineering Campaign Linked to Black Basta Ransomware Operators
  
  
• Recorded Future
  • Iran-Aligned Emerald Divide Influence Campaign Evolves to Exploit Israel-Hamas Conflict
  • Russia-Linked CopyCop Uses LLMs to Weaponize Influence Content at Scale
    
    
• Susannah Clark Matt at Red Canary
  MSIX and other tricks: How to detect malicious installer packages
  
  
• Resecurity
  Massive Dump of Hacked Salvadorean Headshots and PII Highlights Growing Threat-Actor Interest in Biometric Data
  
  
• SANS Internet Storm Center
  • Analyzing Synology Disks on Linux, (Wed, May 8th)
  • Detecting XFinity/Comcast DNS Spoofing, (Mon, May 6th)
  • Analyzing PDF Streams, (Thu, May 9th)
    
    
• Securelist
  • State of ransomware in 2024
  • APT trends report Q1 2024
    
    
• Douglas Bonderud at Security Intelligence
  Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709
  
  
• Anusthika Jeyashankar at Security Investigation
  Linux Event Logs and Its Record Types – Detect & Respond
  
  
• SOCRadar
  Dark Web Profile: APT31
  
  
• Ania Kacewicz and Cui Lin at Splunk
  Building At-Scale User Behavior Analytics for Splunk UBA: Enhance Performance of Account & Device Exfiltration Models
  
  
• Stephan Berger
  • Canarytokens: Catching Insider Threats (and Threat Actors?)
  • Today I Learned – Zsh History Timestamps
  • Removing Traces of RMM Tools
    
    
• Guillaume André at Synacktiv
  Understanding and evading Microsoft Defender for Identity PKINIT detection
  
  
• Triskele Labs
  Unveiling the shadows: understanding token theft
  
  
• Raunak Parmar at White Knight Labs
  Abusing Azure Logic Apps – Part 1
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2024-05-13
  
  
• Cellebrite
  Cellebrite Case-To-Closure (C2C) Summit
  
  
• Magnet Forensics
  Bring your teams and their digital evidence together with Magnet Review
  
  
• SANS
  Masterclass with Leading CISOs: Elevating Cybersecurity Talent
  

PRESENTATIONS/PODCASTS

• Adversary Universe Podcast
  Hacktivism and the JACKALs Behind It
  
  
• Black Hills Information Security
  REKAST – Talkin’ Bout [infosec] News 2024-05-06 #infosecnews #cybersecurity #podcast #podcastclips
  
  
• Cellebrite
  Tip Tuesdays – New Chat Conversations View on Physical Analyzer
  
  
• Cloud Security Podcast by Google
  EP171 GenAI in the Wrong Hands: Unmasking the Threat of Malicious AI and Defending Against the Dark Side
  
  
• Cyber from the Frontlines
  E10 Threat Hunting : All You Need to Know!
  
  
• Cyberwox
  Investigating Exploitation to Malware Delivery with Splunk
  
  
• Erik Hjelmvik at Netresec
  Kubernetes Cryptojacking
  
  
• Gridware
  INSIGHTS EP#2: Expert Breaks Down Business E-mail Compromise, a $51 Billion Cyber Threat
  
  
• Huntress
  The Product Lab: M365, SIEM, and Huntress Command Center Updates
  
  
• InfoSec_Bret
  Challenge – DLL Stealer
  
  
• Jai Minton
  WASABI WALLET MALWARE – Reverse Engineering a malicious MSI and Java Archive Malware Downloader
  
  
• John Hammond
  These Files Don’t Show Their Extension
  
  
• Justin Tolman at AccessData
  • Complete Install of FTK Standalone 8.0 – May 2024
  • FTK Over the Air – Ep3 – Rob Fried – What is the Tool and Who is the Solution?
  • FTK Over The Air – Ep2 – IACIS Podcast Joint Episode!
    
    
• Magnet Forensics
  • Optimizing remote acquisition by threat type
  • Ep. 16 // Exploring the Possibilities of iOS Shortcuts in Mobile Investigations
    
    
• Microsoft Threat Intelligence Podcast
  Behind the Scenes of the XZ vuln with Andres Freund and Thomas Roccia
  
  
• MSAB
  XAMN Pro Miniseries – Planning an investigation
  
  
• MyDFIR
  • Cybersecurity SOC Analyst Lab – Brute Force (SSH)
  • 5 BEGINNER Cybersecurity Projects
    
    
• OALabs
  Zombieware
  
  
• Off By One Security
  Solving Research Problems Dynamically with Frida and Love
  
  
• Securizame
  Una caña con Lawwait – Episodio 40 – María José Montes Díaz
  
  
• SentinelOne
  LABScon23 Replay | macOS Components Used in North Korean Crypto-Heists
  

MALWARE

• 0day in {REA_TEAM}
  [QuickNote] Qakbot 5.0 – Decrypt strings and configuration
  
  
• 0xdf hacks stuff
  • Go Binary Analysis with gftrace
  • Einladen mso.dll Reverse Engineering
    
    
• ASEC
  • LNK File Disguised as Certificate Distributing RokRAT Malware
  • CHM Malware Stealing User Information Being Distributed in Korea
  • Case of Malware Distribution Linking to Illegal Gambling Website Targeting Korean Web Server
  • RemcosRAT Distributed Using Steganography
    
    
• Xusheng Li at Binary Ninja
  Debugging WinDbg with Binary Ninja For Fun and Profit
  
  
• CERT Polska
  APT28 campaign targeting Polish government institutions
  
  
• Digital Daniela
  • Signature Based Dection with CAPA
  • Malware Analysis: Investigating Portable Executeable Headers
    
    
• Elastic Security Labs
  Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four
  
  
• Fortinet
  zEus Stealer Distributed via Crafted Minecraft Source Pack
  
  
• Connor Ford at LRQA Nettitude Labs
  Emulation with Qiling
  
  
• Malware Musings
  Tofsee (part 1): Static Analysis
  
  
• Yashvi Shah and Preksha Saxena at McAfee Labs
  From Spam to AsyncRAT: Tracking the Surge in Non-PE Cyber Threats
  
  
• Monty Security
  From OSINT to Disk: Wave Stealer Analysis
  
  
• James Chambers at NCC Group
  Ghidra nanoMIPS ISA module
  
  
• Phylum
  • Modern Python Build Hooks
  • Malicious Go Binary Delivered via Steganography in PyPI
  • Adding Spurious Wheels to PyPI
    
    
• Dr. Anton Tkachenko at Promon
  AI deobfuscators: Why AI won’t help hackers deobfuscate code (yet)
  
  
• Phil Stokes at SentinelOne
  macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge
  
  
• System Weakness
  • Beware: ‘Brokewell’ Malware Threatens Banking Security
  • New Cuttlefish malware infects all devices to steal credentials
    
    
• Kevin Haubris at TrustedSec
  XZ Utils Made Me Paranoid
  
  
• Muhammed Irfan V A at ZScaler
  HijackLoader Updates
  

MISCELLANEOUS

• Jessica Hyde at Hexordia
  Magnet User Summit 2024 Recap
  
  
• Brett Shavers
  Ethics of Plagiarism Allegations
  
  
• CCL Solutions
  Incident Investigation – Part 3: Recovering from a cyber incident
  
  
• Cellebrite
  Crafting a Strong Digital Intelligence Framework for Life Sciences Enterprises 
  
  
• F-Response
  An Interview with Jason Hale of USB Detective
  
  
• Forensic Focus
  • Digital Forensics Round-Up, May 08 2024
  • Forensic Focus Digest, May 10 2024
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  APFS: Log entries
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (5/1/2024)
  
  
• Neil H.
  Conflicts of Interest in Cyber
  
  
• nullteilerfrei
  Ghidra Font Size for Presentations
  
  
• Oxygen Forensics
  • How Artificial Intelligence empowers digital forensics
  • Role-based access to Oxygen Analytic Center
    
    
• Salvation DATA
  • How to Resolve MS SQL Database in Recovery State?
  • Smartphone Forensics: How Do Experts Extract Data from Locked Devices?
    
    
• SANS
  • Building a Generative AI-Powered Cybersecurity Workforce
  • NIS2: Transforming SOC Challenges Into Opportunities
    
    
• Sarah Edwards at Mac4n6
  I’m Back Baby!
  
  
• Chester Wisniewski at Sophos
  Defenders assemble: Time to get in the game
  
  
• Ekaterina Makhinova at StrangeBee
  TheHive Cloud Platform Is Now SOC 2 Type 1 Compliant
  
  
• Sucuri
  • What is HTTP Error 429: Too Many Requests
  • What is HTTP Error 502 Bad Gateway & How to Troubleshoot It
    
    
• Bernardo Quintero at VirusTotal
  VirusTotal’s Mission Continues: Sharing Knowledge, Protecting Together
  

SOFTWARE UPDATES

• Datadog Security Labs
  GuardDog v1.7.0
  
  
• Digital Detective
  DCode™ – The Digital Detective’s Companion Across Time
  
  
• Digital Sleuth
  winfor-salt v2024.8.4
  
  
• Google
  Timesketch 20240508
  
  
• Yogesh Khatri
  mac_apt v1.7.5-dev
  
  
• Metaspike
  Forensic Email Collector (FEC) Changelog – 4.0.70.1246
  
  
• Microsoft
  msticpy v2.12.0
  
  
• MISP
  MISP 2.4.192 released with many performance improvement, fixes and updates.
  
  
• PuffyCid
  Artemis v0.9.0 – Released!
  
  
• Xways
  X-Ways Forensics 21.2 Preview 5
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!