As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Belkasoft
  Case Study: From Hidden Databases to Key Evidence with Belkasoft X’s SQLite Viewer
  
  
• Cyber Sundae DFIR
  Capability Access Manager Forensics in Windows 11
  
  
• Krzysztof Gajewski at CyberDefNerd
  Linux Artifacts: Timestamps of Last SUDO Command Execution
  
  
• Decrypting a Defense
  Secure Messaging, Accessing Locked Phones, Retention of Seized Devices, Software Source Code, & More
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Repeat Offenders
  
  
• Forensafe
  Investigating Android Google Keep
  
  
• M4shl3
  Ext2 and Ext3 Structure
  
  
• Magnet Forensics
  Investigating data exfiltration: key digital artifacts across Windows, Linux, and macOS
  
  
• Husam Shbib at Memory Forensic
  Linux Memory Forensics Challenge
  
  
• System Weakness
  [CyberDefenders Write-up] PhishStrike
  

THREAT INTELLIGENCE/HUNTING

• Bill Stearns at Active Countermeasures
  How Do Threat Hunting Tools Find Outbound Connections?
  
  
• Adam at Hexacorn
  The Sweet16 – the oldbin lolbin called setup16.exe
  
  
• Adan Álvarez
  TrailDiscover
  
  
• Ahmed Belhadjadji
  How Malware Exploits Windows Environment Variables for Stealth Attacks
  
  
• Antonio Formato and Oleksiy Meletskiy at Antonio Formato
  What’s new in TI Mindmap | Sep 2024
  
  
• Arctic Wolf
  Anatomy of a Cyber Attack: The PAN-OS Firewall Zero-Day
  
  
• Avanan
  • New Phishing Campaign Exploiting Google App Scripts: What Organizations Need to Know
  • FedUp: Phishing from FedEx
  • Cloning Github Landing Pages for Credential Harvesting
    
    
• Ashitosh Deshnur at Barracuda
  Novel phishing techniques to evade detection: ASCII-based QR codes and ‘Blob’ URIs
  
  
• BI.Zone
  • Wreaking havoc in cyberspace: threat actors experiment with pentest tools
  • Core Werewolf hones its arsenal against Russia’s government organizations
    
    
• Jade Brown at Bitdefender
  Bitdefender Threat Debrief
  
  
• Brad Duncan at Malware Traffic Analysis
  2024-10-07 – Data dump (Formbook, possible Astaroth/Guildma, Redline Stealer, unidentified malware)
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 05 – 11 ottobre
  
  
• Check Point
  • 7th October– Threat Intelligence Report
  • Operation MiddleFloor: Disinformation campaign targets Moldova ahead of presidential elections and EU membership referendum
  • September 2024’s Most Wanted Malware: Notable AI-Driven Techniques and Persistent RansomHub Threats
    
    
• CISA
  Update on SVR Cyber Operations and Vulnerability Exploitation
  
  
• Jacob Malimban at Cofense
  Tax Extension Malware Campaign: Threat Actors Target GitHub Comment Section to Bypass Secure Email Gateways
  
  
• Critical Start
  BianLian Ransomware: The Shift to RansomHub – A Detailed Analysis by the Critical Start CRU
  
  
• Csaba Fitzl at ‘Theevilbit’
  Beyond the good ol’ LaunchAgents – 34 – launchd embedded plist
  
  
• Cyfirma
  • THE CHANGING CYBER THREAT LANDSCAPE ASIA-PACIFIC (APAC) REGION — Volume 3
  • OSINT Investigation: Hunting Malicious Infrastructure Linked to Transparent Tribe
  • CYFIRMA INDUSTRY REPORT : FINANCE INDUSTRY
  • VILSA STEALER
  • YUNIT STEALER
  • CYFIRMA INDUSTRY REPORT : REAL ESTATE & CONSTRUCTION
  • IRAN STEPS UP EFFORTS IN U.S. ELECTION MEDDLING
    
    
• Cyfirma
  Weekly Intelligence Report – 11 Oct 2024
  
  
• Adel Karimi at Detect FYI
  Open Sourcing Venator
  
  
• Disconinja
  • 日本におけるC2サーバ調査(Week 40 2024)
  • 日本におけるC2サーバ調査(9月まとめ)
    
    
• Steve Behm at DomainTools
  Uncovering Domains Created by Octo2’s Domain Generation Algorithm
  
  
• Emanuele De Lucia
  Ransomware Report: Unveiling Trends in Attack Payouts and Negotiations
  
  
• Ervin Zubic
  Python for Discord OSINT: Automate Discord Threat Monitoring
  
  
• Flashpoint
  • PureLogs: The Low-Cost Infostealer with a High-Impact Threat
  • Justice Department Disrupts Russian Intelligence Spear-Phishing Efforts
    
    
• Fortra’s PhishLabs
  Active Phishing Campaign: Form Assembly Abuse
  
  
• Guillaume Valadon at GitGuardian
  Docker Zombie Layers: Why Deleted Layers Can Still Haunt You
  
  
• Rui Ataide, Andrew Nelson, and Hermes Bojaxhi at GuidePoint Security
  Update from the Trenches
  
  
• Alice Climent-Pommeret at Harfanglab
  HijackLoader evolution: abusing genuine signing certificates
  
  
• Hunt IO
  • Inside a Cybercriminal’s Server: DDoS Tools, Spyware APKs, and Phishing Pages
  • Unmasking Adversary Infrastructure: How Certificates and Redirects Exposed Earth Baxia and PlugX Activity
    
    
• Huntress
  Top 3 Cybersecurity Threats of 2024 (So Far) | Huntress
  
  
• Emanuele (Ebalo) Balsamo at InfoSec Write-ups
  APTs: Tactics, Techniques, and Procedures
  
  
• Intel471
  To Deliver Malware, Attackers Use the Phone
  
  
• Invictus Incident Response
  Cloud native incident response in AWS – Part II
  
  
• Jouni Mikkola at “Threat hunting with hints of incident response”
  Hunting for malicious scheduled tasks
  
  
• Koen Van Impe
  Extract hostnames and domains from DDoSia MISP object
  
  
• Bert-Jan Pals at KQL Query
  Unleash The Power Of DeviceTvmInfoGathering
  
  
• Brian Krebs at Krebs on Security
  Lamborghini Carjackers Lured by $243M Cyberheist
  
  
• Ugur Koc and Bert-Jan Pals at Kusto Insights
  Kusto Insights – September Update
  
  
• Lab52
  GRU military unit 29155
  
  
• Microsoft Security
  • File hosting services misused for identity phishing
  • Microsoft’s guidance to help mitigate Kerberoasting  
    
    
• Natto Thoughts
  Business Priorities of Chinese Cyber Range Providers Go Hand in Hand with State Cyber Capability Development
  
  
• Syd at Open Source DFIR
  Searching SQLite databases using GRR and osquery
  
  
• Palo Alto Networks
  • Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware
  • Lynx Ransomware: A Rebranding of INC Ransomware
    
    
• Recorded Future
  • Outmaneuvering Rhysida: How Advanced Threat Intelligence Shields Critical Infrastructure from Ransomware
  • Play Offense with Powerful Enhancements to Ransomware Detection in Recorded Future Threat Intelligence
    
    
• Red Alert
  • Monthly Threat Actor Group Intelligence Report, July 2024 (ENG)
  • Monthly Threat Actor Group Intelligence Report, August 2024 (KOR)
    
    
• SANS Internet Storm Center
  • macOS Sequoia: System/Network Admins, Hold On!, (Mon, Oct 7th)
  • From Perfctl to InfoStealer, (Wed, Oct 9th)
  • GPTHoney: A new class of honeypot [Guest Diary], (Thu, Oct 10th)
  • Wireshark 4.4.1 Released, (Sun, Oct 13th)
    
    
• Security Investigation
  Threat Intelligence Feeds: Simple Solution with Big Security Impact
  
  
• Sekoia
  Mamba 2FA: A new contender in the AiTM phishing ecosystem
  
  
• Siddhant Mishra
  My Recent Journey In Detecting Cobalt Strike
  
  
• Silent Push
  “Don’t feed the toll troll”: Silent Push tracks new threat actor (IMP-1G) engaging in SMS phishing activities, targeting US and Canadian public services. 100+ IOFA domains discovered, with only 10% known to authorities.
  
  
• SOCRadar
  The Rise of Initial Access Brokers on the Dark Web
  
  
• Ryan Fetterman and Tamara Chacon at Splunk
  Macro-ATT&CK 2024: A Five-Year Perspective
  
  
• Stephan Berger
  tmate – Instant Terminal Sharing (or How To Backdoor a Linux Server)
  
  
• Trevor Steen at The Random Adventure That Is Life (RATIL)
  Databricks Security Alerts in Azure
  
  
• Mohamed Fahmy, Bahaa Yamany, Ahmed Kamal, and Nick Dai at Trend Micro
  Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against UAE and Gulf Regions
  
  
• Justin Bollinger at TrustedSec
  EKUwu: Not just another AD CS ESC
  
  
• WeLiveSecurity
  • Mind the (air) gap: GoldenJackal gooses government guardrails
  • Telekopye transitions to targeting tourists via hotel booking scam
    
    
• Chris Champa at Wiz
  Cloud Logging Tip & Tricks: Getting the most value out of your cloud logs
  
  
• Aazim Yaswant at Zimperium
  Expanding the Investigation: Deep Dive into Latest TrickMo Samples
  

UPCOMING EVENTS

• Cado Security
  CTF Challenge: Captured by Cado
  
  
• Cyacomb
  New Cyacomb Examiner Plus 3.1 & Operational User Experience
  
  
• Gerald Auger at Simply Cyber
  Malware Analysis with The Cyber Yeti
  
  
• Magnet Forensics
  • Introduction to Magnet Axiom Cyber
  • Admitting visual evidence in the age of AI
    
    
• MSAB
  A New Way To Train In Mobile Forensics Is On The Horizon Part 2
  
  
• Recorded Future
  State of Ransomware: New Tactics, Bigger Ransoms, Tougher Defenses
  

PRESENTATIONS/PODCASTS

• Adversary Universe Podcast
  How CrowdStrike Tracked INDRIK SPIDER from Origin to Takedown
  
  
• Ali Hadi
  ShadowMe
  
  
• Belkasoft
  Mastering the DFIR Investigative Mindset with Brett Shavers | BelkaDay 2024
  
  
• Breaking Badness
  Cracking the Code: API Security, Mobile Myths, and Real-World Threats
  
  
• Cellebrite
  Tip Tuesdays – Importing CLBE Files for #2024CellebriteCTF
  
  
• Cyberwox
  • Detecting Attacker Enumeration in Microsoft 365 Exchange ~ #DetectionOpportunities EP 7
  • Hack The Box CDSA Certification Review | Worth it for Cybersecurity & SOC Analysts?
    
    
• Desi at Hardly Adequate
  S02E36 – Chat with Chris
  
  
• Dr Josh Stroschein
  Enabling Rule Profiling in Suricata – Compiling from Source
  
  
• Gerald Auger at Simply Cyber
  Decoding Detection As Code: A Deep Dive with Wade Wells (S1: E2 )
  
  
• Hudson Rock
  Exposing Information Stealers | Protecting Identities Online
  
  
• Huntress
  Tradecraft Tuesday | Spooky Stories from the SOC
  
  
• InfoSec_Bret
  Challenge – Bash Script
  
  
• John Hammond
  • Github Intentionally Lets You Read Deleted & Private Commits
  • REAL Ransomware Chat Logs
  • Bruteforcing Windows Defender Exclusions
    
    
• John Hubbard at ‘The Blueprint podcast’
  • From Clues to Containment – Unraveling A Gift Card Fraud Scheme with Mark Jeanmougin
  • How GenAI is Changing Your SOC for the Better with Seth Misenar
    
    
• Magnet Forensics
  • Generative AI – taking discovery by storm and the impact on digital investigations
  • AI-powered media investigation in Magnet Griffeye: Get to the vital evidence faster
    
    
• Malspace
  The Darkside of TheMoon
  
  
• Microsoft Threat Intelligence Podcast
  Gingham Typhoon’s Cyber Expansion Into the South Pacific
  
  
• MSAB
  XRY Option Menu Additions
  
  
• MyDFIR
  CyberDefenders SOC Analyst Lab – Web Server Analysis (Tomcat)
  
  
• Off By One Security
  Reverse Engineering Android Spyware …with LaurieWired
  
  
• Sandfly Security
  Find and de-cloak Linux stealth rootkits instantly.
  
  
• SANS
  Undecided about taking the new FOR589: Cybercrime Intelligence Course?
  
  
• SANS Cloud Security
  GENAI Security: Risks and Challenges
  
  
• Sarah Edwards at Mac4n6
  Sikkerhetsfestivalen 2024 – Lillehammer, Norway
  
  
• Security Conversations
  Typhoons and Blizzards: Cyberespionage and national security on front burner
  
  
• The Microsoft Security Insights Show
  Microsoft Security Insights Show Episode 230 – Red Canary and CfS
  
  
• Threat Forest
  Threat Hunting: Scheduled tasks
  
  
• Yaniv Hoffman
  Dark Web Kingpin EXPOSED! The Fall of Incognito Market
  

MALWARE

• Alex Necula
  • Malware Analysis Part 6. StealC and how to decode its Strings.
  • Malware Analysis Part 7. Vidar Stealer
    
    
• Any.Run
  • New PhantomLoader Malware Distributes SSLoad: Technical Analysis
  • 5 Characteristics of Good Threat Intelligence Feeds
  • Private AI Assistant for Malware Analysis in ANY.RUN Sandbox
    
    
• Chris Neal at Cisco’s Talos
  Ghidra data type archive for Windows driver functions
  
  
• contagio
  2024-10-03 Amnesia Stealer Samples
  
  
• Cyble
  MisterioLNK: The Open-Source Builder Behind Malicious Loaders
  
  
• Dr. Web
  Hidden cryptocurrency mining and theft campaign affected over 28,000 users
  
  
• Fabio Pensa
  MarsStealer quick analysis
  
  
• G Data Security
  • Exploring GenAI in Cybersecurity: Gemini for Malware Analysis
  • Malware by the (Bit)Bucket: Unveiling AsyncRAT
    
    
• HaxRob
  FASTCash for Linux
  
  
• Nicole Fishbein at Intezer
  Technical Analysis of a Novel IMEEX Framework
  
  
• Nicolas Falliere at JEB in Action
  Deobfuscation ratings, inlining “fat” functions, and breaking opaque predicates
  
  
• Nextron Systems
  In-Depth Analysis of Lynx Ransomware
  
  
• Securelist
  Awaken Likho is awake: new techniques of an APT group
  
  
• SonicWall
  • HORUS Protector Part 1: The New Malware Distribution Service
  • CoreWarrior Spreader Malware Surge
    
    
• Cris Tomboc and King Orande at Trustwave SpiderLabs
  Pronsis Loader: A JPHP-Driven Malware Diverging from D3F@ck Loader
  
  
• ZScaler
  • Shining Light on the Dark Angels Ransomware Group
  • Technical Analysis of DarkVision RAT
    

MISCELLANEOUS

• Atola Technologies
  Level Up Your Forensic Skills: CTF Challenges in Digital Forensics
  
  
• Cheng Wang, Karthikeyan KM, and Randy Patrick at AWS Security
  Improve security incident response times by using AWS Service Catalog to decentralize security notifications
  
  
• Erik Goldoff, Ray Van Hoose, and Max Boehner at Black Hills Information Security
  Blue Team, Red Team, and Purple Team: An Overview
  
  
• Brett Shavers at DFIR.Training
  Engage with the DFIR Community!
  
  
• Chris Elgee
  Fun with GIAC Exam Prep!
  
  
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 10/07/24
  
  
• Elan at DFIR Diva
  Free & Affordable Training News Monthly: Sept – Oct, 2024
  
  
• Esentire
  How Generative AI Can Be Used to Enable Better Security Outcomes
  
  
• Forensic Focus
  • Detect Deepfakes In Amped Authenticate With The Diffusion Model Deepfake Filter
  • Revolutionize Cloud Investigation And Response Automation
  • Magnet Forensics & NCMEC announce NCMEC GID in Magnet Griffeye products for U.S. ICAC investigations
  • Decrypt Lenovo ThinkPads With BitLocker TPM Using Passware Kit 2024 v4
  • Transforming eDiscovery And Legal Investigations With Detego Global’s Digital Forensics Tools
  • Forensic Focus Digest, October 11 2024
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  • Disk Images: Introduction
  • Disk Images: Tools
    
    
• Lab539
  AiTM Feed – Conditional Access
  
  
• Magnet Forensics
  Real-time hash matching against NCMEC: Now in Magnet Griffeye products 
  
  
• Simone_Oor at Microsoft’s ‘Security, Compliance, and Identity’ Blog
  How to use Log Analytics log data exported to Storage Accounts
  
  
• OpenText
  • Series wrap – The rise of the threat hunter
  • OpenText™ Cybersecurity 2024 Global Ransomware Survey: Supply chain and AI-powered attack fears intensify
    
    
• Oxygen Forensics
  Remote capture of disk and disk partition images
  
  
• Permiso
  Product Update: IP and Code Threat Detection Now Available for GitHub and Atlassian’s Suite of Products, Including Confluence and Jira
  
  
• Security Onion
  Security Onion Documentation printed book now updated for Security Onion 2.4.110!
  
  
• Matthew Pines & Dakota Cary at SentinelOne
  PinnacleOne ExecBrief | Are You Actuarially In Good Hands?
  
  
• Dion Mulaj at System Weakness
  Wazuh Setup: A dive into the open-source SIEM & XDR
  

SOFTWARE UPDATES

• Canadian Centre for Cyber Security
  Assemblyline Release 4.5.0.53
  
  
• Costas K
  MFT Browser
  
  
• Digital Sleuth
  winfor-salt v2024.15.2
  
  
• Falco
  Blog: Introducing Falco 0.39.1
  
  
• GMDSOFT
  MD-Series Release Note Highlights : 2024 Q3 Review
  
  
• Google
  Timesketch 20241009
  
  
• Joachim Schict
  Mft2Csv v2.0.0.51
  
  
• Passware
  Passware Kit 2024 v4 Now Available
  
  
• Phil Harvey
  ExifTool 12.98
  
  
• radare2
  5.9.6
  
  
• Sandfly Security
  Sandfly 5.2 – Linux Stealth Rootkit File and Directory De-Cloaking
  
  
• Security Onion
  • Security Onion 2.4.110 Hurricane Helene Edition now available including new AI Summary feature and much more!
  • Security Onion 2.4.110 Hotfix 20241010 now available!
    
    
• Ulf Frisk
  MemProcFS Version 5.12
  
  
• Volatility Foundation
  Volatility 3 2.8.0
  
  
• Xways
  • X-Ways Forensics 21.2 SR-9
  • Excire
  • X-Ways Forensics 21.3 Beta 4
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!