As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Adan Alvarez
  Gaining AWS Persistence by Updating a SAML Identity Provider
  
  
• Alexandre Dulaunoy
  Improve Your Forensic Analyses with hashlookup
  
  
• Alex Caithness at CCL Solutions
  When is an app not an app? Investigating WebAPKs on Android
  
  
• Andreas Arnold at Compass Security
  Email, Email on the Wall, Who Sent You, After All?
  
  
• Django Faiola at ‘Appunti di Informatica Forense’
  iOS Burner – Update
  
  
• Elan at DFIR Diva
  Kase Scenarios Orkla: Bounty Hunt Walkthrough
  
  
• Vladimir Katalov at Elcomsoft
  When Speed Matters: Optimizing Disk Imaging
  
  
• Forensafe
  Investigating Android Scoped Storage
  
  
• Forensicfossil
  • JUMPLIST
  • SOC Analyst Practical Lab
  • Recycle Bin Forensic
    
    
• Ian Whiffin at DoubleBlak
  • Sync Peers
  • It’s about time.
    
    
• Janantha MarasingheJanantha Marasinghe
  Living Off The Land ESXi
  
  
• Magnet Forensics
  7 essential Linux forensics artifacts every investigator should know
  
  
• Marco Neumann at ‘Be-binary 4n6’
  Withings HealthMate on iOS
  
  
• Mohamed Sultan
  Xintra – .NET Crash Dump Analysis
  
  
• Salvation DATA
  • A Step-by-Step Guide on Database Forensics in Pyramid Schemes Cases
  • Exploring Differences: Data Acquisition vs. Data Logging
    
    
• SANS
  • Advanced Evidence Collection: DFIR’s 2024 Mobile and Cloud Shift
  • Practical Applications of GenAI in a SOC
    
    
• ThreatBreach
  • [ Memory Forensics Mastery Part – 1 ] Understanding Memory & Basics of Memory Management
  • [ MMF Part – 1 ] Understanding Memory & Basics of Memory Management
    

THREAT INTELLIGENCE/HUNTING

• Faan Rossouw at Active Countermeasures
  Malware of the Day – IcedID Loader to ALPHV Ransomware Campaign
  
  
• Arctic Wolf
  The Dangers of Fileless Malware
  
  
• Matthew Eidelberg at Black Hills Information Security
  Proxying Your Way to Code Execution – A Different Take on DLL Hijacking 
  
  
• Bruce Sussman at Blackberry
  New BlackBerry Threat Report Uncovers Tactic that Amplifies Cyberattack Success and Severity
  
  
• BushidoToken
  • Examining Mobile Threats from Russia
  • The Russian APT Tool Matrix
    
    
• CERT-AGID
  • Nuova campagna Vidar attiva via PEC: sfrutta C2 su profili Steam e Telegram
  • Sintesi riepilogativa delle campagne malevole nella settimana del 21 – 27 settembre
    
    
• Chainalysis
  In Large Operation, German Law Enforcement Seizes Servers of 47 Russia-centric No KYC Exchanges
  
  
• Check Point
  • 23rd September – Threat Intelligence Report
  • 10 Years of DLL Hijacking, and What We Can Do to Prevent 10 More
  • Wallet Scam: A Case Study in Crypto Drainer Tactics
    
    
• CISA
  ASD’s ACSC, CISA, and US and International Partners Release Guidance on Detecting and Mitigating Active Directory Compromises
  
  
• Jaeson Schultz at Cisco’s Talos
  Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam
  
  
• Corelight
  Want better network visibility? Don’t just go with the (Net)flow | Corelight
  
  
• CrowdStrike
  How CrowdStrike Hunts, Identifies and Defeats Cloud-Focused Threats
  
  
• CTF导航
  • Lazarus APT组织针对海事研究组织进行网络攻击活动
  • APT-C-00（海莲花）双重加载器及同源VMP加载器分析
  • 孔夫子APT组织最新攻击样本详细分析
    
    
• Cyble
  • Undetected Android Spyware Targeting Individuals In South Korea
  • Deluge of Threats to Water Utilities: Plugging the Leaks in Operational Technology Security
  • Nexe Backdoor Unleashed: Patchwork APT Group’s Sophisticated Evasion of Defenses
    
    
• Cyfirma
  Weekly Intelligence Report – 27 Sep 2024
  
  
• Qing Hong Kwa and Ryan Traill at Darktrace
  Lifting the Fog: Darktrace’s Investigation into Fog Ransomware
  
  
• Matt Muir and Andy Giron at Datadog Security Labs
  Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale
  
  
• Disconinja
  日本におけるC2サーバ調査(Week 38 2024)
  
  
• Flashpoint
  Two Russian Nationals Indicted in Operating Billion-Dollar Money Laundering Services
  
  
• g0njxa
  Approaching stealers devs : a brief interview with WhiteSnake
  
  
• David French at Google Cloud Security Community
  • Practical Techniques for Monitoring Your Security Data Pipeline (2 of 2)
  • Practical Techniques for Monitoring Your Security Data Pipeline (1 of 2)
    
    
• Google Cloud Threat Intelligence
  • Staying a Step Ahead: Mitigating the DPRK IT Worker Threat
  • LummaC2: Obfuscation Through Indirect Control Flow
    
    
• HP Wolf Security
  HP Wolf Security Threat Insights Report: September 2024
  
  
• Hudson Rock
  Sextortion Is About to Get Much Worse with Infostealers – A Red Flag for Victims
  
  
• Hunt IO
  Echoes of Stargazer Goblin: Analyzing Shared TTPs from an Open Directory
  
  
• Zuri Cortez and Tony Black at Huntress
  Unlocking SIEM: The Role of Smart Filtering | Huntress
  
  
• Intrinsec
  A stalker in the box: infrastructure linking PandorahVNC and Mesh Central
  
  
• Invictus Incident Response
  Cloud native incident response in AWS – Part I
  
  
• Jack’s Substack
  Detecting a business email compromise (BEC) threat actor
  
  
• Brian Krebs at Krebs on Security
  • Timeshare Owner? The Mexican Drug Cartels Want You
  • U.S. Indicts 2 Top Russian Hackers, Sanctions Cryptex
    
    
• Raúl Redondo at Lares Labs
  Kerberos IV – Delegations
  
  
• Microsoft Security
  Storm-0501: Ransomware attacks expanding to hybrid cloud environments
  
  
• Microsoft Security Experts
  • Detecting AiTM Phishing via 3rd-Party Network events in Unified Security Operations Platform
  • The power of Data Collection Rules: Detect Disabling Windows Defender Real-Time Protection
    
    
• Natto Thoughts
  Flax Typhoon-Linked Company Integrity Technology: a Competitor, Business Partner and Client of i-SOON
  
  
• OpenText
  • Equipping threat hunters: Advanced analytics and AI – Part 2
  • 2024 threat hunter perspectives: Key insights from OpenText’s latest report
    
    
• Palo Alto Networks
  • Inside SnipBot: The Latest RomCom Malware Variant
  • Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz
  • Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy
    
    
• Proofpoint
  Security Brief: Actor Uses Compromised Accounts, Customized Social Engineering to Target Transport and Logistics Firms with Malware
  
  
• Luke Rusten at Recon Infosec
  Effective Threat Hunting
  
  
• Recorded Future
  Rhadamanthys Stealer Adds Innovative AI Feature in Version 0.7.0
  
  
• Red Canary
  • Keep track of AWS user activity with SourceIdentity attribute
  • Intelligence Insights: September 2024
    
    
• Resecurity
  Iranian Cyber Actors (IRGC) – Targeting the 2024 U.S. Presidential Election
  
  
• SANS Internet Storm Center
  • Phishing links with @ sign and the need for effective security awareness building, (Mon, Sep 23rd)
  • Exploitation of RAISECOM Gateway Devices Vulnerability CVE-2024-7120, (Tue, Sep 24th)
  • OSINT – Image Analysis or More Where, When, and Metadata [Guest Diary], (Wed, Sep 25th)
  • DNS Reflection Update and Odd Corrupted DNS Requests, (Wed, Sep 25th)
    
    
• Securelist
  • How the Necro Trojan infiltrated Google Play, again
  • From 12 to 21: how we discovered connections between the Twelve and BlackJack groups
  • Threat landscape for industrial automation systems, Q2 2024
    
    
• Gerardo Santos at Security Art Work
  Wish List del hunter y la madurez del SOC/TH
  
  
• Doug Bonderud at Security Intelligence
  Ransomware on the rise: Healthcare industry attack trends 2024
  
  
• Felix Aimé and Maxime A. at Sekoia
  SilentSelfie: Uncovering a major watering hole campaign against Kurdish websites
  
  
• Huy Kha | Senior Identity & Security Architect at Semperis
  Password Spraying Detection in Active Directory
  
  
• Jordan Riddles at SonicWall
  2024 SonicWall Threat Brief: Healthcare’s Escalating Cybersecurity Challenge
  
  
• Teri Radichel
  AWS GuardDuty Adds New Suspicious Shell Creation and Privilege Escalation Findings
  
  
• ThreatFabric
  Octo2: European Banks Already Under Attack by New Malware Variant
  
  
• Jack Burgess at Triangle Wave Security
  Defensible Options for MITRE Coverage
  
  
• Trustwave SpiderLabs
  • Why Do Criminals Love Phishing-as-a-Service Platforms?
  • HTML Smuggling: How Blob URLs are Abused to Deliver Phishing Content
    
    
• Bernardo.Quintero at VirusTotal
  VirusTotal AI-Generated Conversations: Threat Intel Made Easy
  
  
• Patrick Garrity at VulnCheck
  Exploring Targeted Technologies and Countries of the Flax Typhoon Botnet
  
  
• Merav Bar and Amitai Cohen at Wiz
  Tracking cloud-fluent threat actors – Part one: Atomic cloud IOCs
  

UPCOMING EVENTS

• CYBER 5W
  ShadowMe #1 – Solving a Real-World Case Leveraging Volume Shadow Copies!
  
  
• Dragos
  What to Expect at the Dragos Industrial Security Conference (DISC) in 2024
  
  
• Magnet Forensics
  Revolutionizing digital forensics with Magnet One
  

PRESENTATIONS/PODCASTS

• Black Hills Information Security
  REKAST – Talkin’ Bout [infosec] News 2024-09-23 #infosecnews #cybersecurity #podcast #podcastclips
  
  
• BruCON
  BruCON 0x10
  
  
• Dan Nutting at Cloud Security Podcast by Google
  EP191 Why Aren’t More Defenders Winning? Defender’s Advantage and How to Gain it!
  
  
• CQURE Academy
  Hacks Weekly #59 Webinars: Active Directory Security Management: From Threat Detection to Effective Response
  
  
• Cyberwox
  How To Become A Splunk Power User (SPLK-1002)
  
  
• Huntress
  A Holiday Hacker Grab Bag of Azure M365 Treats
  
  
• InfoSec_Bret
  Challenge – Malicious AutoIT
  
  
• Intel471
  Why Russia is a Hotbed of Cybercrime
  
  
• John Hammond
  Where Does Malware Go On Your Computer?
  
  
• Magnet Forensics
  • Mobile Minute Episode 3: How to use the advanced options of Mobile View in Magnet Axiom
  • Introduction to Magnet Axiom Cyber
  • Ep. 21 // Investigating the Intents – Better understanding “AppIntents” and their purpose
    
    
• Microsoft Threat Intelligence Podcast
  The Inside Scoop on Using KQL for Cloud Data Security
  
  
• MSAB
  XRY Options Menu Revisited
  
  
• MyDFIR
  • What is a Ticketing System? | Day 23
  • osTicket Setup Tutorial | Day 24
  • Investigate SSH Brute Force Attack | Day 26
  • osTicket + ELK Integration | Day 25
  • Investigate RDP Brute Force Attack | Day 27
  • Investigate Mythic Agent | Day 28
  • Elastic Defend Setup Tutorial | Day 29
    
    
• Paraben Corporation
  • Go through data triage of Windows 11
  • E3 Forensic Platform adding APFS Image
    
    
• SANS
  SANS DFIR Summit 2024
  
  
• SANS Cloud Security
  HANDS-ON WORKSHOP: Attack and Detect Kubernetes: Aviata Chapter 4
  
  
• Security Conversations
  Exploding beepers, critical CUPS flaws, Windows Recall rebuilt for security
  
  
• The Defender’s Advantage Podcast
  How Threat Actors Bypass Multi-Factor Authentication
  
  
• Uriel Kosayev
  Back to the Future of the Cyber Landscape
  
  
• Yaniv Hoffman
  The Devastating GitLocker Attack How Ransomware Struck GitHub #github #cybersecurity
  

MALWARE

• Any.Run
  • Kransom Ransomware: New Threat Using DLL-Sideloading to Hijack Popular RPG
  • How to Intercept Data Exfiltrated by Malware via Telegram and Discord
    
    
• Cofense
  Exploiting Social Media: TikTok Links Used to Hijack Microsoft Accounts
  
  
• Contagio
  2024-09-23 SNIPBOT RomCom Multi-Stage RAT Samples
  
  
• Digital Daniela
  Advanced Static Malware Analysis With Ghidra
  
  
• Dr Josh Stroschein
  • 04 – Walking the PEB, Enhancing IDA’s Output w/ Structures, and Unlocking the Key to Runtime-Linking
  • 05 – How Lockbit Uses the DLL Name as a Seed for API Hashing
    
    
• Elastic Security Labs
  Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse
  
  
• Boudewijn Meijer and Rick Veldhoven at Fox-IT
  Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation
  
  
• Marius Benthin and Karsten Hahn at G Data Security
  BBTok Targeting Brazil: Deobfuscating the .NET Loader with dnlib and PowerShell
  
  
• Hex Rays
  • Unveiling IDA Pro 9.0: Introducing the FLIRT Manager And Thousands Of New Signatures
  • Unveiling IDA Pro 9.0: The New nanoMIPS Disassembler and Decompiler
    
    
• Enoch Root at Kaspersky Lab
  Data exfiltration using RAMBO & PIXHELL | Kaspersky official blog
  
  
• Nikhil Hegde at Netskope
  DCRat Targets Users with HTML Smuggling
  
  
• Nikhil “Kaido” Hegde
  Process Injection in BugSleep Loader
  
  
• Security Onion
  Quick Malware Analysis: SNAKE KEYLOGGER (VIP RECOVERY) with FTP EXFIL PCAP from 2024-09-17
  
  
• Jim Walter at SentinelOne
  Kryptina RaaS | From Unsellable Cast-Off to Enterprise Ransomware
  
  
• VMRay
  Advantage Attacker: EDR Bypass Tools | Scarecrow
  
  
• Jason Reaves, Joshua Platt and Jonathan McCay at Walmart
  Diving into Rilide
  
  
• Zoltán Rusnák at WeLiveSecurity
  Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023
  

MISCELLANEOUS

• 0ut3r Space
  Worth checking ep.3
  
  
• Brett Shavers
  • Empowering 1,000 DFIR Professionals with a DFIR Investigative Mindset
  • Should DF Be Separated from IR?
    
    
• Cellebrite
  Cellebrite Patents its Remote Mobile Collection Capabilities for Businesses
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 09/23/24
  
  
• FIRST
  From Fukuoka to Copenhagen: LAC’s Insights on the Latest Cyber Threat Trends
  
  
• Forensic Focus
  • Navigating The Cloud – Expert Insights On Emerging Cloud Threats And Complexities
  • The Cado Platform From Cado Security
  • Digital Forensics Round-Up, September 25 2024
  • UPCOMING WEBINAR – Revolutionizing Digital Forensics With Magnet One
  • Translating Digital Data Has Never Been Easier
  • Detego Global Announces Exclusive Webinar To Showcase Advanced Capabilities Of Detego v4.17
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  Which disk format?
  
  
• Ludovic Paillard
  SEC699 – Write up
  
  
• Magnet Forensics
  • How Magnet Forensics is helping non-profits in the protection of children 
  • Uncovering insider threats with remote endpoint forensics: a case study 
    
    
• Microsoft Security Experts
  Microsoft Intern Experience – Through the eyes of DART Incident Response (IR) interns
  
  
• Namit Ranjan
  • Day 22 Of MYDFIR-SOC-Analyst Challenge:Building SOC Alerts and Dashboards
  • Day 23 of the MYDFIR-30-Day SOC Analyst Challenge:Tracking Alerts with a Ticketing System
  • Day-25 Of MYDFIR-SOC-Analyst Challenge:Integrating OS Ticket with ELK Stack
  • Day 24 Of MYDFIR-30-Days-SOC-Analyst Challenge:How to Set Up and Configure OS Ticket for Our SOC…
  • Day 26 Of MYDFIR-SOC-Analyst Challenge :Investigating SSH Brute Force Alerts in a SOC Environment
  • Day 27 Of MYDFIR-SOC-Analyst Challenge:Investigating RDP Brute Force Attack
  • Day-28 Of MYDFIR-SOC-Analyst Challenge:Investigating Mythic C2 Framework
    
    
• Oxygen Forensics
  • Spotting a new kind of fake iPhone
  • Speech-to-text capabilities in Oxygen Forensic® Detective
    
    
• Security Onion
  Did you know Security Onion includes our own custom web interfaces for Alerts, Dashboards, Hunt, Cases, Detections, PCAP, Grid Health, and Administration?
  
  
• Thomas Roccia at SecurityBreak – Medium
  FabricUI: Your Prompt Collection
  
  
• Sygnia
  Executive Guide to Incident Response Readiness
  
  
• TrustedSec
  • Pull Your SOCs Up
  • Missing: Data Classification, Part 2 – Looking at System Classification
    
    
• Heather Bates at ZScaler
  Identifying Phishing Attacks: Common Types, Key Tactics, and Prevention Tips
  

SOFTWARE UPDATES

• Atola
  TaskForce 2024.9 update – Templates for target files
  
  
• ADF Solutions
  ADF Latest Version Release Preview
  
  
• Airbus Cybersecurity
  IRIS-Web v2.4.13
  
  
• Brim
  v1.18.0
  
  
• C.Peter
  UFADE 0.9.4
  
  
• Canadian Centre for Cyber Security
  Assemblyline Release 4.5.0.51
  
  
• Cellebrite
  What’s New in Inspector 10.9
  
  
• Michael Karsyan at Event Log Explorer blog
  Event Log Explorer Goes 64-bit: Unlocking the Power of Large-Scale Event Analysis
  
  
• Mandiant
  flare-floss v3.1.1
  
  
• OpenCTI
  6.3.3
  
  
• Passmark Software
  OSForensics – V11.0 build 1013 24th September 2024
  
  
• Phil Harvey
  ExifTool 12.97
  
  
• StrangeBee
  TheHive 5.4 is out: dark mode, better reporting and more
  
  
• Three Planet Software
  Apple Cloud Notes Parser v0.18
  
  
• Xways
  • X-Ways Forensics 21.2 SR-8
  • Viewer Component
  • X-Ways Forensics 21.3 Beta 1
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!