As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Atola Technology: Synology RAID Reassembly and Image Acquisition
- David Spreadborough at Amped: Getting Started with Video Formats and Conversion
- Cyber 5W: Network Forensics With Wireshark
- Mike Wilkinson at Cyber Triage: DFIR Next Steps: What To Do After You Find A Suspicious Use Of Remote Monitoring & Management Tools
- Danny Zendejas: Lets Defend Write-up
- David Cowen at the ‘Hacking Exposed Computer Forensics’ blog: AWS Cloud Trail Downloader V2!
- Decrypting a Defense: Online Privacy, Vehicle Surveillance, 5th Cir. Geofence Search Decision, CSAM Deepfakes, & More
- Digital Forensics Myanmar: SSD Structure & SSD Forensics Guide
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’: The Watermarking Paradox
- Forensafe: Investigating Android GMX Mail
- Denis Nagayuk & Francisco Dominguez at Hunt & Hackett: Introducing the Restart Manager Artifacts Tool
- Joshua Hickman at ‘The Binary Hick’: Triple Trouble. iOS 16, Android 14, and iOS 17 Images Now Available!
- Emilia Chau, Marin Gheorge, and Muhammad Jawad at Jumpsec Labs: Building Forensic Expertise: A Two-Part Guide to Investigating a Malicious USB Device (Part 2)
- Lionel Notari: macOS Unified Logs – Mouse click and more
- Magnet Forensics: Digital Forensics: Artifact Profile – Windows Recycle Bin
- Mattia Epifani at Zena Forensics: A first look at iOS 18 forensics
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn: The delayed import-table phantomDLL opportunities
- Adam Goss: Intelligence Requirements Template (PDF + Word Doc Download)
- John Natale at Akamai: How to Detect Suspicious API Traffic
- AttackIQ
- Jade Brown at Bitdefender
- David Perez at Black Hills Information Security: Monitoring High Risk Azure Logins
- Brad Duncan at Malware Traffic Analysis
- CERT-AGID: Summary of malicious campaigns in the week of 7 – 13 September
- Check Point
- Cisco’s Talos
- Corelight: Detecting NetSupport Manager Abuse | Corelight
- CTF导航: Threat intelligence | Analysis of the DarkHotel APT group’s Observer Trojan attack
- Niels Groenveld at Cyber Threat Intelligence Training Center: YARA Rule Crafting: A Deep Dive into Signature-Based Threat Hunting Strategies
- Cybereason: CUCKOO SPEAR Part 1: Analyzing NOOPDOOR from an IR Perspective
- Cyberknow’s Newsletter: Australia & New Zealand Cyber Update #22
- Cyble: Stealthy Fileless Attack Targets Attendees of Upcoming US-Taiwan Defense Industry Event
- Cyfirma: Weekly Intelligence Report – 13 Sep 2024
- Cyjax: Weekly Cyber Threat Intelligence Summary
- Disconinja
- DomainTools: Retail Targeted Campaigns—Domain Fraud, Brand Impersonation, and Ponzi Schemes, oh my!
- Arda Büyükkaya at EclecticIQ: Ransomware in the Cloud: Scattered Spider Targeting Insurance and Financial Industries
- Elastic Security Labs: Kernel ETW is the best ETW
- Esentire
- Google Cloud Threat Intelligence
- Billy Leonard at Google Threat Analysis Group: TAG Bulletin: Q3 2024
- GreyNoise: The Role of State-Sponsored Actors in Election Interference
- GuidePoint Security
- HackTheBox: 5 Active Directory misconfigurations (& how they’re exploited)
- Hunt IO: Decoy Docs and Malicious Browser Extensions: A Closer Look at a Multi-Layered Threat
- Harlan Carvey at Huntress: Detecting Malicious Use of LOLBins | Huntress
- InfoSec Write-ups
- Intel471
- James H: Decrypting and Replaying VPN Cookies
- Keisuke Shikano at JPCERT/CC: TSUBAME Report Overflow (Apr-Jun 2024)
- Bert-Jan Pals at KQL Query: Use Cases For Sentinel Summary Rules
- Brian Krebs at Krebs on Security: The Dark Nexus Between Harm Groups and ‘The Com’
- Mario Rojas at Maltego: Driving Strategic Decisions through Actionable Threat Intelligence Reports
- Microsoft Security
- Miriam Wiesner at Microsoft Sentinel Blog: The power of Data Collection Rules: Collecting events for advanced use cases in Microsoft USOP
- James Ross at MITRE-Engenuity: Know your Adversary’s next move with TIE
- Namit Ranjan
  - Day 9 of the 30-Day MYDFIR-SOC Analyst Challenge: Installing and Configuring Sysmon
  - Day 10 of the 30-Day SOC-Analyst Challenge: Ingesting Sysmon and Microsoft Defender Logs into…
  - Day 11 of the 30-Day SOC Analyst Challenge: Understanding and Defending Against Brute Force Attacks
  - Day 12 of the 30-Day SOC Analyst Challenge: Setting Up an SSH Server and Reviewing Authentication…
  - Day-13 of MYDFIR-SOC-Analyst Challenge : Installing Elastic Agent on Our SSH Server
- Natto Thoughts: Ransom-War In Real Time, Case Study 1: Conti, EvilCorp and Cozy Bear
- Olaf Schwarz: uDev Persistence – A short comment
- Palo Alto Networks
- Ansh Gaikwad at Qualys: TotalCloud Insights: Unmasking AWS Instance Metadata Service v1 (IMDSv1)-The Hidden Flaw in AWS Security
- Rapid7: Ransomware Groups Demystified: Lynx Ransomware
- Watson Brown at Recon Infosec: SigmaHQ Essentials – Building Robust Detection Capabilities
- Tre Wilkins at Red Canary: Detecting brute-force attacks with a smart watchlist
- ReliaQuest
- SANS: Enhance your Cyber Threat Intelligence with the Admiralty System
- SANS Internet Storm Center
  - Password Cracking & Energy: More Details, (Sun, Sep 8th)
  - Wireshark 4.4’s IP Address Functions, (Mon, Sep 9th)
  - Python Libraries Used for Malicious Purposes, (Wed, Sep 11th)
  - Hygiene, Hygiene, Hygiene! [Guest Diary]
  - Finding Honeypot Data Clusters Using DBSCAN: Part 2, (Fri, Sep 13th)
  - YARA 4.5.2 Release, (Sat, Sep 14th)
- Sekoia
- SentinelOne
- Simone Kraus: Technique Inference Engine, Top 10 Ransomware Calculator and Stop Ransomware Advisory CISA
- SOCRadar: Dark Web Profile: GlorySec
- SonicWall
- Mark Parsons, Morgan Demboski, and Sean Gallagher at Sophos: Crimson Palace returns: New Tools, Tactics, and Targets
- Jonas Bülow Knudsen at SpecterOps: ADCS Attack Paths in BloodHound — Part 3
- Stephan Berger: ScriptBlock Smuggling
- Sucuri
- Symantec Enterprise: Ransomware: Attacks Once More Nearing Peak Levels
- System Weakness
- Team Cymru: How Effective Threat Hunting Programs are Shaping Cybersecurity
- Trustwave SpiderLabs: Trustwave SpiderLabs Research: 20% of Ransomware Attacks in Financial Services Target Banking Institutions
- Rajat Goyal Aazim and Bill SE Yaswant at Zimperium: A Network of Harm: Gigabud Threat and Its Associates
- Shruti Dixit and Jagadeeswar Ramanukolanu at ZScaler: Phishing Via Typosquatting and Brand Impersonation: Trends and Tactics
UPCOMING EVENTS
- Adversary Universe Podcast: Coming Soon to Las Vegas: Adversary Universe Previews #FalCon2024
- Tony Burgess at Barracuda: September webinar lineup: EDR, MDR, XDR, and a new ransomware report
- Black Hills Information Security: BHIS – Talkin’ Bout [infosec] News 2024-09-16 #livestream #infosec #infosecnews
- Magnet Forensics
- MSAB: MSAB – Challenging the BFU Myth
PRESENTATIONS/PODCASTS
- Chris Brenton at Active Countermeasures: RITAv5 – The Video Series
- Alexis Brignoni: Digital Forensics Now Podcast – S2 E1
- Black Hat
- Black Hills Information Security
- BlueMonkey 4n6: who gained root access on my Linux system – an analysis of sudo logs
- Breaking Badness: Breaking Down Retail Targeted Campaigns: Domain Fraud, Copycats, and Ponzi Schemes
- Cellebrite: Tip Tuesdays – Release Notes
- Dwayne McDaniel at GitGuardian: Blue Team Con 2024: Sharing Security Insights and Defense Strategies in Chicago
- Huntress: Unmasking OceanLotus: Defending the Defenders | Tradecraft Tuesday
- InfoSec_Bret: Challenge – Compromised Network Printer
- John Hammond
- Magnet Forensics
- Malspace: Vertex Project’s Journey and the APT1 Report’s Legacy
- Mark Baggett: Cyber-crime investigators know what you do! | Infosec Toolshed S1 E10
- Microsoft Threat Intelligence Podcast: Citrine and Onyx Sleet: An Inside Look at North Korean Threat Actors
- MSAB: XAMN Pro Timeline
- MyDFIR
  - Sysmon Setup Tutorial | Day 9
  - Elasticsearch Ingest Data Tutorial | Day 10
  - What is a Brute Force Attack? | Day 11
  - Ubuntu Server 24.02 Installation | Day 12
  - How To Install Elastic Agent on Ubuntu | Day 13
  - How To Create Alerts and Dashboards in Kibana | Day 14 (1/4)
  - Remote Desktop Protocol Introduction | Day 15 (High-Level)
- Red Siege Information Security: SiegeCast: Be Your Enemy
- SANS: A Visual Summary of SANS AI Cybersecurity Summit 2024
- The Cyber Mentor: LIVE: Ransomware Investigation | Cybersecurity | Splunk | Blue Team
- The Microsoft Security Insights Show: Microsoft Security Insights Show Episode 226 – Mark Simos
- Yaniv Hoffman: Inside Hackers’ Secret Cyber Weapon
MALWARE
- 0day in {REA_TEAM}: [QuickNote] The Xworm malware is being spread through a phishing email
- Any.Run: How to Analyze Malware in ANY.RUN Sandbox: Eric Parker’s Guide
- Assaf Morag at Aqua: Hadooken Malware Targets Weblogic Applications
- Cleafy: A new TrickMo saga: from Banking Trojan to Victim’s Data Leak
- contagio
  - 2024-09-10 KIMSUKY (North Korean APT) Sample (Sakai @sakaijjan – Terms and Conditions.msc)
  - 2024-09-03 LUXY Ransomware / Stealer Sample
  - 2024-09-19 X-WORM RAT (Phishing) Samples
  - 2024-09-12 SUPERSHELL + 2023-03-13 SHELLBOT Targeting Linux SSH servers Samples
  - 2023-11-23 BEAVERTAIL and INVISIBLE_FERRET Lazarus Group Malware Samples
- Tonmoy Jitu at Denwp Research: Dissecting Lumma Malware: Analyzing the Fake CAPTCHA and Obfuscation Techniques – Part 2
- Dr Josh Stroschein: The AddressOfEntryPoint and Tips for Finding Main
- Dr. Web: Void captures over a million Android TV boxes
- Emanuele De Lucia: Malware’s Shared Secrets: Code Similarity Insights for Ransomware Gangs Activities Tracking
- Ryan Robinson and Joakim Kennedy at Intezer: There’s Something About CryptBot: Yet Another Silly Stealer (YASS)
- Jay Kurup at Morphisec: Threat Analysis: Morphisec Protects Against PEAKLIGHT In-Memory Malware
- Tom Clare at Netskope: Advancing C2 Beacon Detection for Malleable Frameworks
- OALABS Research: AutoIt Credential Flusher
- Pepe Berba: Acquiring Malicious Browser Extension Samples on a Shoestring Budget
- Karlo Zanki at ReversingLabs: Fake recruiter coding tests target devs with malicious Python packages
- Squiblydoo.blog: Quick abuse reports with certReport
- Lenart Bermejo, Sunny Lu, and Ted Lee at Trend Micro: Earth Preta Evolves its Attacks with New Malware and Strategies
- Unpacme: UnpacMe 8.5.0 – Lightning Fast MalwareID Mode
- Zhassulan Zhussupov: Malware and cryptography 32: encrypt payload via FEAL-8 algorithm. Simple C example.
MISCELLANEOUS
- Adam at Hexacorn: Rundll32.exe bomb
- Andrea Fortuna: macOS Sequoia and DFIR: what investigators need to know
- Belkasoft: Join Belkasoft Research: Inside the Fight Against Child Sexual Abuse Material
- Brett Shavers: Why DFIR Investigative Thinking is Critical—and Why It’s So Hard to Teach
- Cellebrite: Exploring Mobile Data Collection in MDM Environments
- Chuan-lun (Johnson) Chou
- Fabian Mendoza at DFIRDominican: DFIR Jobs Update – 09/09/24
- Forensic Focus
  - Join The Refuge Tech Safety Summit 2024
  - GMDSOFT Tech Letter: How YouTube Cache Files Reveal User Behavior
  - Digital Forensics Round-Up, September 11 2024
  - Detego Global Partners With Better Direct For U.S.-Wide DFIR Rollout
  - Share What You’re Seeing In DFIR By Taking Part In Magnet Forensics’ State Of Enterprise DFIR Survey
  - Video Formats And Conversion: A New Blog Series By Amped Software
- Howard Oakley at ‘The Eclectic Light Company’
- Jeffrey Appel: Configure File Integrity Monitoring (FIM) using Defender for Endpoint
- Kaido Järvemets
- Keith McCammon
- Magnet Forensics
  - The State of Enterprise DFIR: Share what you’re seeing in our survey!
  - Magnet One now available: Experience the future of digital investigations today!
  - Preserve now, process later: Safeguarding sensitive cloud data for HR investigations and eDiscovery
  - Get mobile support notifications for previously connected, unsupported devices with Magnet One
  - Integrating Magnet Graykey and Magnet Axiom with Magnet One for faster mobile investigations
  - Looking back on the Magnet Forensics Open House
- Morten Knudsen
- Mike Cyze at OpenText: The future of threat hunting
- Oxygen Forensics
- Keith McCammon at Red Canary: The CrowdStrike outage: Detection and defense in depth
- Sandfly Security: Free Sandfly Linux Incident Response License
- Security Onion: Did you know that you can configure Security Onion to only record PCAP for Suricata NIDS alerts?
- Neil Watkiss at Sophos: Standing on the Windows platform, waiting for change
- Angel Garrow at tcdi: The Evolution of Mobile Device Collections
- Dante Fazio at The Metadata Perspective: Cellebrite CCO & CCPA From a Seasoned Point Of View
- John Patzakis at X1: Three Key eDiscovery Lessons from Domus BWW Funding v. Arch Insurance Company
SOFTWARE UPDATES
- Amped: Amped Replay Update 34739: Automated Watermarking, Motion Detection Improvements, and More!
- Belkasoft: What is new in v.2.0 of Belkasoft Remote Acquisition
- Canadian Centre for Cyber Security: Assemblyline Release 4.5.0.45
- Datadog Security Labs: GuardDog v2.0.4
- Digital Sleuth: winfor-salt v2024.13.6
- Eric Zimmerman: ChangeLog
- Foxton Forensics: Browser History Examiner — Version History – Version 1.21.0
- Hasherezade: PE-Bear v0.7.0
- Magnet Forensics
- Manabu Niseki: Mihari v7.6.4
- Microsoft: msticpy – AI documentation assistant, BinaryEdge TI provider and other misc fixes
- SigmaHQ: pySigma v0.11.14
- Xways
- YARA: YARA v4.5.2
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!