As always, thanks to those who give a little back for their support!
If you haven’t seen, I’ve also been writing my thoughts on some of the articles posted when I can at patreon.com/thisweekin4n6!
FORENSIC ANALYSIS
- 0xdf hacks stuff: HTB Sherlock: Logjammer
- CTF导航: Forensike, or Forensics for bad guys
- Forensafe: Investigating iOS Threema
- Scott Koenig at ‘The Forensic Scooter’: iLEAPP Parsers & Photos.sqlite Queries
- Lee Kirkpatrick, Paul Jacobs, Sai Lakshmi Ghanasyam, Antoni Fertner, and Andy French at Sophos: Extracting data from encrypted virtual disks: six methods
- Volexity: Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices
- Jeremy McBroom at Yeah, I have a question…
- 博客园 – Pieces0310: Perform APK Downgrade Extraction on smartphones running Android 14 – Pieces0310
THREAT INTELLIGENCE/HUNTING
- Abhiram Kumar: Forensic Analysis of Linux Journals
- Adam Goss: The Traffic Light Protocol: How to Classify Cyber Threat Intelligence
- Alex Teixeira: How to prioritize a Detection Backlog?
- Francis Guibernau at AttackIQ: Response to CISA Advisory (AA24-131A): #StopRansomware: Black Basta
- Avast Threat Labs: Avast Q1/2024 Threat Report
- Yue Zhu at AWS Security: Investigating lateral movements with Amazon Detective investigation and Security Lake integration
- Christine Barry at Barracuda: Black Basta’s nasty tactics: Attack, assist, attack
- Martin Zugec at Bitdefender: Bitdefender Threat Debrief | May 2024
- Brad Duncan at Malware Traffic Analysis: 2024-05-14: DarkGate activity
- Callum Wilson and Ineta Simkunaite at S-RM: Breaking new ground? Uncovering Akira’s privilege escalation techniques
- CERT-AGID: Summary of malicious campaigns in the week of 11 – 17 May 2024 (Sintesi riepilogativa delle campagne malevole nella settimana del 11 – 17 Maggio 2024)
- Check Point: 13th May – Threat Intelligence Report
- Corelight: Detecting the STRRAT Malware Family | Corelight
- CTF导航
- Jane Ginn at Cyber Threat Intelligence Training Center: Kimsuky Abusing DMARC Protocol
- Cyber Triage: How To DFIR Investigate with Cyber Triage and CrowdStrike Real Time Response
- Cyble
- Cyfirma: Weekly Intelligence Report – 17 May 2024
- Mika Ayenson, Kseniia Ignatovych, and Justin Ibarra at Elastic: Rolling your own Detections as Code with Elastic Security
- Jason Baker, Nic Finn, Grayson North, and Justin Timothy at GuidePoint Security: GRIT Ransomware Report: April 2024
- HP Wolf Security: HP Wolf Security Threat Insights Report Q1 2024
- Intel-Ops: Hunting Black Basta’s Cobalt Strike
- Ed Chan at Jumpsec Labs: Adventures and Accidental Honeypots in Network Infrastructure: Unravelling Internet Shenanigans
- Kijo Girardi: Advanced Hunting – API calls insight
- Brian Krebs at Krebs on Security: How Did Authorities Identify the Alleged Lockbit Boss?
- Louis Mastelinck: Microsoft Defender for Endpoint custom auditing alerts
- Nasreddine Bencherchali: SigmaHQ Rules Release Highlights — r2024–05–13
- Palo Alto Networks
- Proofpoint
- Tyler McGraw at Rapid7: Ongoing Malvertising Campaign leads to Ransomware
- Recorded Future
- Red Alert: Monthly Threat Actor Group Intelligence Report, March 2024 (KOR)
- Justin Schoenfeld at Red Canary: How adversaries use Entra ID service principals in business email compromise schemes
- ReliaQuest
- SANS Internet Storm Center
- Securelist: Incident response analyst report 2023
- Camille Singleton at Security Intelligence: Threat intelligence to protect vulnerable communities
- Jeremy Scion, Livia Tibirna, and Pierre Le Bourhis at Sekoia: Mallox affiliate leverages PureCrypter in MS-SQL exploitation campaigns
- SOCRadar: Dark Web Profile: Dispossessor Ransomware
- Dustin Eastman and Madeleine Tauber at Splunk: Threat Hunting in 2024: Must-Have Resources & Tasks for Every Hunter
- Squiblydoo.blog: Impostor Certificates
- Stairwell: Stairwell threat report: Black Basta overview and detection rules
- Stephan Berger: The ‘Invisibility Cloak’ – Slash-Proc Magic
- Symantec Enterprise: Springtail: New Linux Backdoor Added to Toolkit
- Tenable: Kinsing Malware Hides Itself as a Manual Page and Targets Cloud Servers
- Trustwave SpiderLabs: 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies
- Shilpesh Trivedi at Uptycs: Inside Our Discovery of the Log4j Campaign and Its XMRig Malware
- Valdin: Revealing Spammer Infrastructure With Passive DNS – 226 Toll-Themed Domains Targeting Australia
- WeLiveSecurity
- Itay Arbel and Amitai Cohen at Wiz: Unveiling the power of Wiz’s Security Graph with automated blast radius and root cause analysis for cloud incident response
- Victor M. Alvarez at YARA-X: YARA is dead, long live YARA-X
- Andy Gill at ZephrSec: Side-by-Side with HelloJackHunter: Unveiling the Mysteries of WinSxS
UPCOMING EVENTS
- ACFTI
- Archan Choudhury at BlackPerl: Sigma Ninja Talk Show | Monday
- Black Hills Information Security: BHIS – Talkin’ Bout [infosec] News 2024-05-20
- Magnet Forensics: Magnet User Summit 2024 Keynote: The Road Ahead
- Simply Cyber: Ransomware Negotiations Extraordinaire, Kurtis Minder
PRESENTATIONS/PODCASTS
- Alexis Brignoni: Digital Forensics Now Podcast – Episode 18
- BlueMonkey 4n6: Basic intro to The Sleuth Kit command line tools
- Clint Marsden at the TLP – Digital Forensics Podcast
- Cyber from the Frontlines: E11 Threat Modeling 101
- Cyber Social Hub: Acquisition, Assessment, Triage, and Forensic Timelines… Oh My!
- Cybereason: Malicious Life Podcast: Unmasking Secrets: The Rise of Open-Source Intelligence
- Huntress
- InfoSec_Bret: Challenge – Royal Ransom
- John Hammond
- Magnet Forensics
- Matthew Toussain: Studying for GIAC with Voltaire
- Microsoft Security Insights Show: Microsoft Security Insights Show Episode 210 – XSPM
- MSAB: XAMN Pro Miniseries – Working with multiple data sources
- MyDFIR: Cybersecurity SOC Analyst Lab – Network Analysis (Malware)
- Phil Hagen: Channel Trailer
- Salvation DATA: Why Digital Forensics Laboratory Is Irreplaceable?
- SANS: How Accurate is Your Recovery Timeline? | The Incident Commander Series Ep. 1
- The Defender’s Advantage Podcast: Investigations Into Zero-Day Exploitation of the Ivanti Connect Secure Appliances
- The DFIR Report podcast: DFIR Discussions: From IcedID to Dagon Locker Ransomware in 29 Days
MALWARE
- Ali Paşa Turhan at Docguard: Analysis of Agent Tesla: Malicious Excel File
- ASEC:
  - Malware Distributed as Copyright Violation-Related Materials (Beast Ransomware, Vidar Infostealer)
  - Romance Scams Urging Coin Investment
  - Distribution of DanaBot Malware via Word Files Detected by AhnLab EDR
  - Initial Access to IIS Web Servers Detected by AhnLab EDR
  - ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information
- Elastic Security Labs: Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID
- Mayur Sewani at Forcepoint: From Document to Script: Insides of Darkgate’s Campaign
- Karsten Hahn at G Data Security: GoTo Meeting loads Remcos RAT via Rust Shellcode Loader
- Itochu Cyber & Intelligence: Unraveling the Shinigami’s prank hidden in spam emails
- Kyle Cucci at SecurityLiterate: “Beeeeeeeeep!”. How Malware Uses the Beep WinAPI Function for Anti-Analysis
- OALABS Research: Python Malware Triage – Creal Stealer
- Charles Coggins at Phylum
- Pierre Lee and Cyris Tseng at Trend Micro: Tracking the Progression of Earth Hundun’s Cyberespionage Campaign in 2024
- Zhassulan Zhussupov: Malware and cryptography 27: encrypt/decrypt files via A5/1. Simple C/C++ example.
MISCELLANEOUS
- Any.Run: A Guide to ANY.RUN’s YARA Search
- Avertium: Revisiting Phishing: A Guide
- Joe St Sauver at DomainTools: New Draft Rule on Ransomware Payments and Cyber Incident Reporting
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’: COPA v Wright – The Trial with an Explosive End
- Paul Asadoorian at Eclypsium: Windows Supply Chain Validation Cheat Sheet
- Oleg Afonin at Elcomsoft: iCloud Extraction Turns Twelve
- Forensic Focus
- Kaido Järvemets: KQL Query – Identifying Failed Azure Arc-enabled Servers Extension Installations
- Magnet Forensics: What’s new in Magnet Witness
- Jeff Schnegelberger at Microsoft Sentinel Blog: PART 3 – Ingesting AWS GovCloud Microsoft Sentinel in Azure Commercial
- Oxygen Forensics
- ReversingLabs: ReversingLabs Search Extension for Splunk Enterprise
- Salvation DATA: Essential Tools for a Digital Private Investigator
- SANS
- SOC Fortress: Wazuh Rule Writing With CoPilot AI Module
- Sally Adam at Sophos: The role of law enforcement in remediating ransomware attacks
SOFTWARE UPDATES
- Sergiy Pasyuta at Atola: Script to automatically create iSCSI targets
- Amped: Amped Authenticate Update 33562: New Diffusion Model Deepfake Filter, New Features for the Video Mode, and Much More!
- Arsenal Recon
- Belkasoft: Belkasoft X v.2.5 Released: Introducing BelkaGPT, a Revolutionary Offline AI-Assistant; Massive Updates In the Mobile Passcode Brute-Force and Other Improvements.
- Belkasoft: What’s new in Belkasoft X v.2.5
- Brian Maloney: OneDriveExplorer v2024.05.17
- Elcomsoft: Elcomsoft Phone Viewer 5.52 improves Signal and Telegram support
- GCHQ: CyberChef v10.18.6
- Google: Timesketch 20240508.1
- IntelOwl: v6.0.2
- Metaspike: Forensic Email Collector 4.0 Release Notes
- MSAB: Now released – XRY 10.9.1
- OpenCTI: 6.1.2
- Martin Korman: Regipy 4.2.1
- Sigma: Release r2024-05-13
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!