As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Chris Ray at Cyber Triage
DFIR Breakdown: Impacket Remote Execution Activity – Smbexec - Forensafe
Investigating Android Nike Run Club - Johan Berggren
OpenRelik - Lina Lau at Xintra
Understanding Tokens in Entra ID: A Comprehensive Guide - Magnet Forensics
- Marco Fontani at Amped
10 Ways to Detect Deepfakes Created by Text-to-image Services and GANs - SecurityAura
- Sumuri
macOS 15 (Sequoia): What Forensic Examiners Need to Know - Terryn at chocolatecoat4n6
The Power of Storytelling in IT and Cybersecurity - Mike Cohen at Velociraptor Blog
Timelines in Velociraptor - Vikas Singh
PowerShell Command History Forensics
THREAT INTELLIGENCE/HUNTING
- Alex Necula
Fake captcha pages lead to LummaStealer - Andrea Fortuna
Favicon Forensics: hunting phishing sites with Shodan - Aon
Bypassing EDR through Retrosigned Drivers and System Time Manipulation - Arctic Wolf
Arctic Wolf Security Operations Report Reveals Threat Landscape Intensifies, Almost Half of Security Incidents Occur After Hours - Francis Guibernau at AttackIQ
Emulating the Petrifying Medusa Ransomware - Australian Cyber Security Centre
People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations - Ahmed Adekunle at AWS Security
Using Amazon Detective for IAM investigations - Tibor Luter at Black Cell
Tool Tip: Hunting APT Infrastructure with Validin - Ax Sharma at BleepingComputer
Clever ‘GitHub Scanner’ campaign abusing repos to push malware - Brad Duncan at Malware Traffic Analysis
- Matt Lembright at Censys
Analysis of Fox Kitten's infrastructure reveals unique hosting patterns and potential new IOCs - CERT-AGID
- Excite's Italian domain reused in a malspam campaign via PEC
- Vidar appears again in a new malspam campaign exploiting PEC mailboxes
- SPID-themed banking phishing campaign underway
- Lumma Stealer distributed via a fake security vulnerability notification on one's own GitHub project
- Summary of malicious campaigns in the week of 14 – 20 September
- Check Point
- Cofense
- Eliya Stein at Confiant
The Curious Case Of MutantBedrog’s Trusted-Types CSP Bypass - CTF导航
Leveraging the Power of Cobalt Strike Attack Profiles to Evade EDR - Cyble
Solar Monitoring Solutions in Hacktivists’ Crosshairs - Cyfirma
- Cyfirma
Weekly Intelligence Report – 20 Sep 2024 - Danny Zendejas
Nuts and Bolts of Detection Engineering: Open Source Edition - Katie Knowles at Datadog Security Labs
Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence - Disconinja
C2 Server Survey in Japan (Week 37 2024) - Doug Metz at Baker Street Forensics
Beyond Hashes: Simplifying Malware Identification with Python and MpCmdRun - Tommy Bumford at Elastic
Threat modeling: As easy as OATMEAL - Enisa
- Malcolm Heath at F5 Labs
A Single IP is Scanning Intensely, and Yields a List of Malware Loaders - g0njxa
The journey into Mac OS infostealers - George Glass, Keith Wojcieszek, Laurie Iacono at Kroll
August Threat Intelligence Spotlight Report - Google Cloud Threat Intelligence
- Hudson Rock
- Huntress
- Intel471
A Look at the Residential Proxy Market - Jaron Bradley and Ferdous Saljooki at Jamf
Jamf Threat Labs observes targeted attacks amid FBI warnings - John Southworth at PwC
COLDWASTREL of space - David Kennedy at Jumpsec Labs
NTLM Relaying – Making the Old New Again - Kenneth Kinion at Validin
Corralling SCATTERED SPIDER with DNS History - Kevin Beaumont at DoublePulsar
Hacker group Handala Hack Team claim battery explosions linked to Israeli battery company. - Krebs on Security
- Swachchhanda Shrawan Poudel at Logpoint
How to use Logpoint pySigma Backend for threat detection - Lumen
Derailing the Raptor Train - Miriam Wiesner at Microsoft Sentinel Blog
The power of Data Collection Rules: Monitoring PowerShell usage - Britton Manahan at ModePUSH
Highway Blobbery: Data Theft using Azure Storage Explorer - Natto Thoughts
RansomWar in Real Time, Case Study 2: Louisiana and Norsk Hydro, 2019 - Abhinav Paliwal at Qualys
Black Basta Ransomware: What You Need to Know - Bret Kramer at Recon Infosec
Small Business, Big Target: Why Hackers Love Your Email - Recorded Future
“Marko Polo” Navigates Uncharted Waters With Infostealer Empire - Red Alert
- ReliaQuest
Threat Landscape Report: The PSTS Sector’s Unique Vulnerabilities - SANS Internet Storm Center
- Managing PE Files With Overlays, (Mon, Sep 16th)
- YARA-X’s Dump Command, (Sun, Sep 15th)
- 23:59, Time to Exfiltrate!, (Tue, Sep 17th)
- Python Infostealer Patching Windows Exodus App, (Wed, Sep 18th)
- Time-to-Live Analysis of DShield Data with Vega-Lite, (Wed, Sep 18th)
- Fake GitHub Site Targeting Developers, (Thu, Sep 19th)
- Securelist
Exotic SambaSpy is now dancing with Italian users - Dheeraj Kumar and Sina Chehreghani at Securonix
Securonix Threat Labs Summer Intelligence Insights – 2024 - Sekoia
WebDAV-as-a-Service: Uncovering the infrastructure behind Emmenhtal loader distribution - Matthew Pines at SentinelOne
PinnacleOne ExecBrief | Cyber Gray Zone Risks in the Indo-Pacific - SOCRadar
Dark Web Profile: Just Evil - Stephan Berger
Today I Learned – NSG Flow Log - Sysdig
The Growing Dangers of LLMjacking: Evolving Tactics and Evading Sanctions - System Weakness
- Team Cymru
Talent and Technology: Bridging the Gap in Modern Threat Hunting Programs - Liv Matan at Tenable
CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package - Ernesto Fernández Provecho, Pham Duy Phuc, and John Fokker at Trellix
The Iranian Cyber Capability - Trend Micro
- Kat Traxler at Vectra AI
Transitive Access Abuse – Data Exfiltration via Document AI by Kat Traxler - Alice Klimovitsky at Wiz
Cloud Logging Tips and Tricks - Heather Bates at ZScaler
Mitigating the Rising Tide of Malware and Ransomware Attacks
UPCOMING EVENTS
- Andreas Sfakianakis at ‘Tilting at windmills’
- Belkasoft
BelkaDay Conference Asia - Cellebrite
Revolutionizing Mobile Data Collection: Streamline Investigations with Cellebrite Inseyets - Magnet Forensics
Ep. 21 // Investigating the Intents – Better understanding “AppIntents” and their purpose
PRESENTATIONS/PODCASTS
- Black Hat
LinkDoor: A Hidden Attack Surface in the Android Netlink Kernel Modules - Breaking Badness
AI’s Role in Cybersecurity: From EDR Evolution to Generative AI Threats and Supply - Cellebrite
Cellebrite Pathfinder: On-Prem vs. Cloud Deployment – Which is Right for You? - Clint Marsden at the TLP – Digital Forensics Podcast
Episode 14 – AI and the future of log analysis, bug detection, forensics and AI ethical considerations with Jonathan Thompson - Cybereason
Malicious Life Podcast: Infighting and Treason in Russia’s Cyber World - Cyberwox
Automating Security Detection Engineering with Dennis Chow | #CyberStories EP 21 - Andrew Morris at GreyNoise
GreyNoise Reveals New Internet Noise Storm: Secret Messages and the China Connection - InfoSec_Bret
Challenge – Compromised Chat Server - John Hammond
- Magnet Forensics
- MSAB
XAMN Pro Working with Pictures Extended - MyDFIR
- How To Create Alerts and Dashboards in Kibana | Day 16 (2/4)
- How To Create Alerts and Dashboards in Kibana | Day 17 (3/4)
- Command and Control Introduction | Day 18 (High-Level)
- How To Create an Attack Diagram | Day 19
- Mythic Server Setup Tutorial | Day 20
- Mythic Agent Setup Tutorial | Day 21
- How To Create Alerts and Dashboards in Kibana | Day 22 (4/4)
- Oxygen Forensics
Oxygen and CloudNine: Device collection through production - Paraben Corporation
exFAT Data Processing in E3 - SANS Cloud Security
Join Simon Vernon for Aviata Chapter 6: Making the Switch to Azure Monitor Agent | September 19 - Security Conversations
Ep13: The Consolation of Threat Intel (JAG-S LABScon keynote) - The Cyber Mentor
LIVE: Blue Team with @MalwareCube | New Cert? | Cybersecurity | SOC | PJSA - Uriel Kosayev
MuddyWater Initial Access Trojan - WeLiveSecurity
ESET Research Podcast: EvilVideo
MALWARE
- 0x70RVS
Ransomed - contagio
- 2024-08-18 RAPTOR TRAIN NOSEDIVE – Mirai-type IoT Botnet Samples
- 2024-09-19 UNC1860 Iran APT – Temple of Oats ( OATBOAT, TEMPLEDOOR, SASHEYAWAY, OBFUSLAY, WINTAPIX, CRYPTOSLAY) Samples
- 2024-09-18 SAMBASPY Java RAT Samples
- 2024-09-18 Earth Baxia APT – RIPCOY + SWORDLDR Samples (Spear-Phishing and GeoServer Exploit used to Target APAC)
- Dr Josh Stroschein
- Tracing Stack Usage and Stack Frames in a Debugger
- 01 – Getting Started with the Lockbit Builder and Creating Sample Binaries
- Tool Spotlight: Performing Rapid Triage Analysis using ANY.RUN!
- 02 – Performing Basic Triage Analysis and Unpacking with x64dbg
- Learn How to Dissect Binary Files with the Creator of Malcat!
- 03 – Identifying Signs of Runtime-Linking and Building Context for API Hashes
- Elastic Security Labs
Code of Conduct: DPRK’s Python-fueled intrusions into secured networks - Esentire
Go Injector Leading to Stealers - Karsten Hahn at G Data Security
Sandbox scores are not an antivirus replacement - HackTheBox
Malware analysis for beginners (step-by-step) - Lasq MalfindLabs
hill Saturday Malware Analysis: Open Dir -> Obfuscated Python -> DONUT Launcher -> XWorm - Neil Tyagi at McAfee Labs
Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware - Nikhil “Kaido” Hegde
Taking a Midnight Walk with PEB and Phobos Ransomware - OALABS Research
Emmenhtal - Palo Alto Networks
- Security Onion
Quick Malware Analysis: SNAKE KEYLOGGER (VIP RECOVERY) INFECTION, SMTP EXFIL pcap from 2024-09-16 - VX-Underground
Ballin’ on a budget: A Quick Guide to Defining Malware with $0, Python3, and Windows - Zhassulan Zhussupov
Linux malware development 2: find process ID by name. Simple C example. - Padvish Malware Threat Database
Trojan.Win32.Dustman
MISCELLANEOUS
- Adam at Hexacorn
Rundll32 goes to hell… - Any.Run
- Cellebrite
Solutions for Next-Gen Investigators - Chuan-lun (Johnson) Chou
Installing Security Onion - Fabian Mendoza at DFIR Dominican
DFIR Jobs Update – 09/16/24 - Forensic Focus
- From Automation To Exploitation: The Growing Misuse Of Selenium Grid For Cryptomining & Proxyjacking
- Noel Lowdon, Director, Harper Shaw Investigation Consultants Ltd
- Digital Forensics Round-Up, September 18 2024
- Join Oxygen Forensics At The 2024 International User Summit
- The Impact Of Traumatic Material On DFIR Well-Being
- Enabling Smooth On-Scene Investigations With Detego Global’s Rapid Deployment Kits
- Forensic Focus Digest, September 20 2024
- Kaido Järvemets
- Namit Ranjan
- Day 14 of MYDFIR-SOC-Analyst-Challenge: Building SSH Brute Force Alerts and Dashboards
- Day 15 of MYDFIR-SOC-Analyst-Challenge: Understanding and Securing RDP
- Day 16 of MYDFIR-SOC-Analyst-Challenge: Creating Brute Force Alerts for Windows Server
- Day 17 of MYDFIR-SOC-Analyst Challenge: Creating Dashboards for RDP Activity
- Day 18 of MYDFIR-SOC-Analyst-Challenge: Understanding Command and Control (C2) in Cybersecurity
- Day 19 of the 30-Day MYDFIR-SOC Analyst Challenge: Crafting an Attack Diagram
- Day 20 of MYDFIR-SOC-Analyst Challenge: Setting Up Mythic C2 for SOC Analysts
- Day 21 of MYDFIR-SOC-Analyst Challenge: Brute Force Attack & C2 Session with Mythic
- Nik Alleyne at ‘Security Nik’
Understanding Packet Crafting – The Windows IPv6 Vulnerability – CVE-2024-38063: Remote Kernel Exploitation via IPv6 - Victor Turegano at NVISO Labs
Emergency Accounts: Last Call! - Asad Narayanan at OpenText
Equipping threat hunters: Advanced analytics and AI part 1 - Amber Schroader at Paraben Corporation
Become a Digital Forensics Entrepreneur: A Quick Guide - Ryan McGeehan
Prioritizing Detection Engineering - Security Onion
- Did you know that you can run Security Onion in as little as 4GB RAM?
- Did you know that Security Onion provides both network AND host visibility?
- Did you know that Security Onion performs comprehensive analysis on both IT and OT (ICS/SCADA) networks?
- Did you know Security Onion works on both Internet-connected and airgap networks?
- Did you know Security Onion scales from small virtual machines all the way up to large enterprise deployments of hundreds of nodes and thousands of endpoint agents?
- Martin Bos at TrustedSec
Console Cowboys: Navigating the Modern Terminal Frontier - Tony Anscombe at WeLiveSecurity
Understanding cyber-incident disclosure
SOFTWARE UPDATES
- Acelab
PC-3000 Portable Pro - Adam at Hexacorn
Dexray v2.34 - Belkasoft
Belkasoft R 2.0 is released! - Brian Maloney
OneDriveExplorer v2024.09.20 - C.Peter
UFADE 0.9.3 - Canadian Centre for Cyber Security
Assemblyline Release 4.5.0.48 - Mandiant
Capa v7.3.0 - Nathan Eades at Cloud Chronicles
Introducing Azure Activity Log Axe: An Open-Source Tool to simplify and improve the analysis of Azure Activity logs - Digital Sleuth
winfor-salt v2024.13.7 - FalconForce
FalconHound – Minor update - Hex Rays
Unveiling IDA Pro 9.0: The New RISC-V Decompiler and Enhanced Disassembler Extensions - Magnet Forensics
Magnet Griffeye 24.4 and T3K.AI CORE now available! - Metaspike
Forensic Email Collector (FEC) Changelog – 4.0.200.1093 - Microsoft
msticpy – Hotfix for authentication error - MISP
MISP 2.4.198 released with many bugs fixed, security fixes and improvements. - Open Source DFIR
Plaso 20240826 released - OpenCTI
6.3.1 - Oxygen Forensics
Oxygen Forensic® Detective v.17 Updates - Passmark Software
OSForensics – V11.0 build 1012 20th September 2024 - reecdeep
Segugio - Rapid7
Velociraptor 0.73 Release - Xways
X-Ways Forensics 21.3 Preview 5
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!