As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Zach Stanford, Yogesh Khatri, and Phill Moore at CyberCX - Forensic Applications of Microsoft Recall
- 0xdf hacks stuff - HTB Sherlock: Constellation
- Adan Alvarez - Automating Incident Response in AWS: Blocking a Compromised Identity Center User
- Alex Teixeira - Data Science & Exploratory Data Analysis: the Panda versus the Pony!
- Brett Shavers - The Multiverse of a DFIR Case
- Bret at Cyber Gladius - Incident Response Plan: Building System Imaging WinFE Tools
- Cyber Triage - DFIR Artifacts for a Trojan Defense and Remote Access
- Decrypting a Defense - Consumer AI Spying, NYPD Transparency (Failures), Facial Recognition Bans, Jail Surveillance & More
- Django Faiola at ‘Appunti di Informatica Forense’ - iOS Uber – Request a ride
- Forensafe - Investigating iOS Voice Memos
- Hal Pomeranz at ‘Righteous IT’ - Working With UAC
- Magnet Forensics
- Faishol Hakim at MII Cyber Security - Nahamcon-CTF 2024 — Forensic (1)
- Nithin Chenthur Prabhu - Malware Development, Analysis and DFIR Series – Part III
- St. Johns Data Consulting
- Joseph Alan at System Weakness - TryHackMe Linux Process Analysis Write-Up
THREAT INTELLIGENCE/HUNTING
- Adam Goss - Estimative Language: How to Assign Confidence to Your Assessments
- Munaf Shariff at Altered Security - Breaking through Defender’s Gates – Disabling Tamper Protection and other Defender components
- Nitzan Yaakov at Aqua - Muhstik Malware Targets Message Queuing Services Applications
- Francis Guibernau at AttackIQ - Response to CISA Advisory (AA24-060A): #StopRansomware: Phobos Ransomware
- BI.Zone - Sapphire Werewolf polishes Amethyst stealer to attack over 300 companies
- Chris Scrivana at Bishop Fox - The Unmask IAM Permission: API Gateway Access Logging
- Debjeet Banerjee at Black Hills Information Security - DLL Jmping: Old Hollow Trampolines in Windows DLL Land
- Brad Duncan at Malware Traffic Analysis - 2024-06-08: Three days of server scans and probes
- BushidoToken - The CTI Analyst Challenge
- CERT Ukraine
- CERT-AGID - Summary of malicious campaigns in the week of 01 – 07 June 2024
- Check Point
- Daniel Bohannon at Cloud Chronicles - Extending Cloud Console Cartographer With New Mappings
- Cyberknow - Navigating The Ticketmaster Data Breach
- Cyble - UNC1151 Strikes Again: Unveiling Their Tactics Against Ukraine’s Ministry of Defence
- Cyfirma - Weekly Intelligence Report – 07 June 2024
- Datadog Security Labs - A guide to threat hunting and monitoring in Snowflake
- Dragos
- Ervin Zubic - Can We Adapt YARA to Fight DeFi Attacks? A Lazarus Group Case Study Sparks the Question
- Esentire
- John Althouse at FoxIO
- Google Cloud Threat Intelligence
- Google Threat Analysis Group - TAG Bulletin: Q2 2024
- Ron Bowes at GreyNoise - What’s Going on With Check Point (CVE-2024-24919)?
- Haircutfish - TryHackMe Room — Custom Alert Rules in Wazuh
- Rindert Kramer at Hunt & Hackett - How to Achieve Eternal Persistence Part 3: How to access and recover replicated secrets
- Huseyin Rencber - One Malicious File and Three Different AI
- Ugur Koc and Bert-Jan Pals at Kusto Insights - Kusto Insights – May Update
- Nischal Khadgi and Ujwal Thapa at Logpoint - APT28: Inside Forest Blizzard’s New Arsenal
- Michael Haag at Splunk
- Microsoft Security
- Obsidian Security - A Practical Guide for Handling Unauthorized Access to Snowflake
- Roberto Rodriguez at Open Threat Research - Rise of the Planet of the Agents 🤖: Creating an LLM-Based AI Agent from Scratch!
- Plainbit - [Case #7] Alphapo/CoinsPaid Hot Wallet Hack
- Positive Technologies - Cybersecurity threatscape: Q1 2024
- Pulsedive - Latrodectus
- Qianxin - Operation Veles: Decade-Long Espionage Targeting the Global Research and Education Sector
- Red Alert - Monthly Threat Actor Group Intelligence Report, April 2024 (KOR)
- SANS Internet Storm Center
- Securelist
- Pierre Le Bourhis and Quentin Bourgue at Sekoia - PikaBot: a Guide to its Deep Secrets and Operations
- Matthew Pines at SentinelOne - PinnacleOne ExecBrief | Chips and Spies – Insider Threats as China Seeks to Evade Controls
- SOCRadar - Dark Web Profile: BlackSuit Ransomware
- SonicWall
- Sophos
- Forrest Kasler at SpecterOps - One Phish Two Phish, Red Teams Spew Phish
- Puja Srivastava at Sucuri - Hundreds of Websites Targeted by Fake Google Chrome Update Pop-Ups
- Symantec Enterprise - RansomHub: New Ransomware has Origins in Older Knight
- Clément Notin at Tenable - Stealthy Persistence with “Directory Synchronization Accounts” Role in Entra ID
- Ernesto Fernández Provecho at Trellix - DarkGate again but… Improved?
- Trend Micro
- Rodel Mendrez at Trustwave SpiderLabs - Fake Advanced IP Scanner Installer Delivers Dangerous CobaltStrike Backdoor
- Avigayil Mechtinger, Shay Berkovich, and Gili Tikochinski at Wiz - Pause off my cluster: DERO cryptojacking takes a new shape
UPCOMING EVENTS
- Black Hills Information Security
- Magnet Forensics
PRESENTATIONS/PODCASTS
- Black Hills Information Security - Backdoors & Breaches – Introducing TRIMARC Expansion Deck
- Alex Caithness at CCL Solutions - Time travelling with SQLite Journals and WAL
- Clint Marsden at the TLP – Digital Forensics Podcast - Episode 4 – NIST SP 800-61 Computer Security Incident Handling Guide (Containment, Eradication and Recovery)
- Cloud Security Podcast by Google - EP175 Meet Crystal Lister: From Public Sector to Google Cloud Security and Threat Horizons
- Dr Josh Stroschein – The Cyber Yeti - 🔴 Malware Mondays Episode 03 – Network Simulation and Analysis with Fakenet-NG and Wireshark
- FIRST - Episode 43: Satoshi Okada and Takuho Mitsunaga, Toyo University, FIRSTCON24 Speakers
- Hardly Adequate - Catching up with Jaeger
- InfoSec_Bret - Challenge – Malicious WordPress Plugin
- Jai Minton - MALWARE on GitHub | `Cracked Software` Reverse Engineering via Debugging, FLOSS, and API monitoring
- John Hammond
- Karsten Hahn at Malware Analysis For Hedgehogs - The real reason antivirus software detects cracks
- Magnet Forensics
- Mark Baggett - Mini CTF Part 1 – Link in description
- Microsoft Security Insights Show - Microsoft Security Insights Show Episode 212 – Michael Zambotti
- Microsoft Threat Intelligence Podcast - Threat Landscape Update on Grandoreiro and Luna Tempest
- MSAB - XAMN Pro Miniseries Part 5 – Filtering
- MyDFIR
- Off By One Security - Reverse Engineering macOS Malware
- Phil Hagen - DFIR Fundamentals – Timestamp Formats
- SANS
- SANS Cloud Security - HANDS-ON WORKSHOP: Prevent Remote Code Executions with Private Endpoints: Aviata Chapter 2
- SANS Cyber Defense - Next-Gen Labs: Preventing Data Loss and Insider Threats
- The CyberWire - The curious case of the missing IcedID.
- The Defender’s Advantage Podcast - Lessons Learned from Responding to Cloud Compromises
MALWARE
- 0day in {REA_TEAM} - [QuickNote] DarkGate – Make AutoIt Great Again
- Artem Baranov - Windows Rootkits Guide
- Any.Run
- ASEC
- Shannon Mong at Binary Defense - Wineloader – Analysis of the Infection Chain
- Flashpoint - Understanding Seidr Infostealer Malware
- Fortinet
- Meriam Senouci at Fortra’s PhishLabs - Active Phishing Campaign: Tax Extension Help Lure
- Banu Ramakrishnan at G Data Security - In Bad Company: JScript RAT and CobaltStrike
- Phylum - npm Package Caught Stealing Crypto Browser Extension Data
- ptwistedworld - Obfuscated .BAT file to Remcos RAT
- Karlo Zanki at ReversingLabs - Python downloader highlights noise problem in open source threat detection
- Ax Sharma at Sonatype - Russia-linked ‘Lumma’ crypto stealer now targets Python devs
- Taz Wake - Linux IR – AI-Assisted Malware Analysis
- Zhassulan Zhussupov - Malware and cryptography 28: RC4 payload encryption. Simple Nim example.
- Padvish Malware Threat Database - Bot.Win32.Torzhok
MISCELLANEOUS
- Aaron Clark at Active Countermeasures - Building and Running Zeek on Windows Server 2022
- Adam at Hexacorn
- Belkasoft - Case Study: Leveraging Belkasoft X for a Multi-Source Fraud Investigation
- Security Onion - Security Onion Documentation printed book now updated for Security Onion 2.4.70!
- Doug Metz at Baker Street Forensics - Installing the latest SIFT Workstation in WSL
- Forensic Focus
  - Forensic Focus Podcast Ep. 85 Recap: AI-Powered License Plate Reading With Amped DeepPlate
  - Staying Ahead In DFIR: Embracing Continuous Education And Professional Development
  - Cyber Unpacked: A New Webinar Series From Magnet Forensics Exploring Enterprise DFIR
  - UPCOMING WEBINAR – XAMN Pro: “Turn The Dials To 10”
  - Digital Forensics Round-Up, June 05 2024
  - Forensic Focus Digest, June 07 2024
- Magnet Forensics - Ramping up digital media investigations: T3K.AI CORE soon available in Magnet Griffeye products
- Md. Abdullah Al Mamun - Building Python AI Program to Tag SIEM Logs
- Marias Sandbu - How does Windows Recall work?
- Kyle Avery at Outflank - EDR Internals for macOS and Linux
- Oxygen Forensics - Built-in Malware Detection for Files and Emails
- Salim Salimov - Installing Mitre Caldera 4 on Ubuntu VM
- The Security Noob - The Security Noob interviews Kevin Pagano of stark4n6
SOFTWARE UPDATES
- Amped - Amped DVRConv and Engine Update 34011
- CCL Solutions - CCL releases significant RabbitHole upgrade helping users understand and report on more data than ever before
- Crowdstrike - Falconpy Version 1.4.4
- Datadog Security Labs - GuardDog v1.9.0
- Digital Sleuth - winfor-salt v2024.10.5
- Elcomsoft - ElcomSoft Phone Breaker 10.14: faster, better, more convenient
- Erki Suurjaak - Skyperious v5.6
- GCHQ - CyberChef v10.18.7
- IntelOwl - v6.0.4
- k1nd0ne - VolWeb 2.1.1
- Mazars Tech - AD_Miner v1.4.0
- MISP - MISP 2.4.193 released with many bugs fixed, API improvements and security fixes
- OpenCTI - 6.1.10
- Phil Harvey - ExifTool 12.86
- SpyderForensics - SQLite_Forensics
- xaitax - TotalRecall
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!