As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• CyberJunnkie
  Hackathon 24 Prequalifiers: Forensics Challenge “hacked” First blood Team deathstrik3
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  C2PA and Authenticated Disinformation
  
  
• Vladimir Katalov at Elcomsoft
  Outlook Forensic Toolbox Helps Access Deleted Messages
  
  
• Forensafe
  Investigating Android Life360
  
  
• Magnet Forensics
  • Unraveling the clues: RDP artifacts in incident response 
  • 5 iOS forensics evidence sources to capture before they expire
    
    
• Matt Linton at Open Source DFIR
  Operational Professionalizing vs Proceduralizing
  
  
• Salvation DATA
  • File Carving vs. Metadata Recovery: What’s the Difference?
  • Top 5 Data Carving Tools for Recovering Lost Files
    
    
• Sumuri
  Mastering Live Volatile Data Collection on Macs: A Forensic Examiner’s Guide
  
  
• Synacktiv
  Forensic analysis of bitwarden self-hosted server
  
  
• X1 Discovery
  • Dale vs. Deutsche Telekom AG Illustrates the Importance of Effective ECA to Attain Proportionality
  • Three Key eDiscovery Lesson from Domus BWW Funding v. Arch Insurance Company
  • Addressing Critical Information Governance Challenges from Departing Employees
    

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  • Beyond good ol’ Run key, Part 143
  • advpack.dll and IEAdvpack.dll logging capability
    
    
• Apophis
  • Enhancing YARA Rule Performance: Best Practices and Techniques
  • Malicious PowerShell Script Execution
    
    
• ASEC
  AhnLab and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178)
  
  
• AttackIQ
  • Emulating the Opportunistic and Lightweight Lumma Stealer
  • Response to CISA Advisory (AA24-290A): Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations
    
    
• Jeffrey at CatchingPhish
  Leave no data unsold; the story of one company listed 3x on DLS
  
  
• CERT Ukraine
  • Розповсюдження MEDUZASTEALER засобами Telegram, начебто, від імені технічної підтримки Резерв+ (CERT-UA#11603)
  • Тріада UAC-0050: кібершпигунство, фінансові злочини, інформаційно-психологічні операції
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 12 – 18 ottobre
  
  
• Check Point
  • 14th October – Threat Intelligence Report
  • Check Point Research Unveils Q3 2024 Brand Phishing Trends: Microsoft Remains Most Imitated Brand as Alibaba and Adobe Enter Top 10
    
    
• Yehuda Gelb at Checkmarx Security
  This New Supply Chain Attack Technique Can Trojanize All Your CLI Commands
  
  
• Chris Duggan
  Check out this tweet by @TLP_R3D
  
  
• CISA
  CISA, FBI, NSA, and International Partners Release Advisory on Iranian Cyber Actors Targeting Critical Infrastructure Organizations Using Brute Force
  
  
• Cisco’s Talos
  • UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants
  • Protecting major events: An incident response blueprint
    
    
• Csaba Fitzl at ‘Theevilbit’
  Beyond the good ol’ LaunchAgents – 35 – Persist through the NVRAM – The ‘apple-trusted-trampoline’
  
  
• CTF导航
  • APT-C-35（肚脑虫）组织针对南亚某制造公司的攻击活动分析
  • 记录一次BlackObfuscator去混淆流程
  • DLL Sideloading
    
    
• Cyberdom
  Azure Blob Storage PowerShell Scanning Script
  
  
• Cyble
  • Cyble Sensors Detect Attacks on SAML, D-Link, Python Framework
  • Hidden in Plain Sight: ErrorFather’s Deadly Deployment of Cerberus
  • Active Exploitation of SAML Vulnerability CVE-2024-45409 Detected by Cyble Sensors
  • Critical Vulnerability in Veeam Products Exploited by Ransomware Gangs
  • Vietnamese Threat Actor’s Multi-Layered Strategy on Digital Marketing Professionals
    
    
• Cyfirma
  Weekly Intelligence Report – 18 Oct 2024
  
  
• Danny Zendejas
  Tools Deep Dive: YARA Part ll
  
  
• Rohit Sadgune at Detect Diagnose Defeat Cyber Threat
  • How Cyber Attackers Exploit IP Addresses the Key Strategies and Evasion Techniques
  • Hunting Strategies and Techniques of Malicious Processes Creating Network Traffic
    
    
• Detect FYI
  • Security Monitoring — Threat Modeling and Data Sources
  • Have you been keeping up with your low confidence detections?
  • Detection of “EDRSilencer”
    
    
• Disconinja
  日本におけるC2サーバ調査(Week 41 2024)
  
  
• DomainTools
  A Website Attacked 
  
  
• Elastic Security Labs
  Elevate Your Threat Hunting with Elastic
  
  
• Matthew at Embee Research
  Practical Examples of URL Hunting Queries – Part 1
  
  
• Eric Capuano
  Atomic & Stateful Detection Rules
  
  
• Esentire
  Bored BeaverTail Yacht Club – A Lazarus Lure
  
  
• Fortra’s PhishLabs
  Active Phishing Campaign: QR Code Attachment O365 Attack
  
  
• Josh A. Goldstein and Renée DiResta at Georgetown’s Center for Security and Emerging Technology
  Russia’s Global Information Operations Have Grown Up
  
  
• David French at Google Cloud Security Community
  Securing Your CI/CD Pipeline: Eliminate Long-Lived Credentials with Workload Identity Federation (1)
  
  
• Casey Charrier and Robert Weiner at Google Cloud Threat Intelligence
  How Low Can You Go? An Analysis of 2023 Time-to-Exploit Trends
  
  
• GuidePoint Security
  Quarterly GRIT Ransomware Report — Q3 2024
  
  
• HackTheBox
  Hack The Box unveils exclusive Business CTF data in new Cyber Attack Readiness Report
  
  
• Hornet Security
  • Ransomware-Umfrage zeigt: Fast jedes dritte Unternehmen war 2024 von Datenverlust betroffen
  • Hornetsecurity Q3 2024 Umfrage zu Ransomware-Angriffen
    
    
• Hudson Rock
  How Hackers Really Used Infostealers for the Biggest Recent Cyber Breaches
  
  
• Hunt IO
  • From Warm to Burned: Shedding Light on Updated WarmCookie Infrastructure
  • Introducing Code Search on AttackCapture: Uncover Exploit Code, Reverse Shells, C2 Configs, and More
    
    
• Huntress
  • Inside Adversary-in-the-Middle Attacks | Huntress
  • Detecting Malicious Use of LOLBins, Pt. II | Huntress
    
    
• Intel471
  How Adversaries Try to Interfere with the U.S. Election
  
  
• Francesco Iulio at Jumpsec Labs
  Active Cyber Defence – Taking back control
  
  
• Kevin Beaumont at DoublePulsar
  EIW — ESET Israel Wiper — used in active attacks targeting Israeli orgs
  
  
• Kostas
  EDR Telemetry Project
  
  
• Brian Krebs at Krebs on Security
  • Sudanese Brothers Arrested in ‘AnonSudan’ Takedown
  • Brazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach
    
    
• Daniel Jeremiah
  Unmasking Hidden Threats: Using Velociraptor for Process Hollowing Analysis
  
  
• Tom Burt at Microsoft Security
  Escalating cyber threats demand stronger global defense and cooperation
  
  
• Gourav Khandelwal, Akash Chaudhuri, Matthew Mesa, Sagar Patil, Uri Oren, Krithika Ramakrishnan at ‘Microsoft Security Experts’
  Phish, Click, Breach: Hunting for a Sophisticated Cyber Attack
  
  
• Microsoft Sentinel Blog
  • Save money on your Sentinel ingestion costs with Data Collection Rules
  • What to do if your Sentinel Data Connector shows as [DEPRECATED]
    
    
• Natto Thoughts
  Ransom-War and Russian Political Culture: Trust, Corruption, and Putin’s Zero-Sum Sovereignty
  
  
• Guido Miggelenbrink at Outflank
  Introducing Early Cascade Injection: from Windows process creation to stealthy injection
  
  
• Aleksa Zatezalo at Praetorian
  Identifying SQL Injections in a GraphQL API
  
  
• Alex Capraro at ReliaQuest
  Ransomware and Cyber Extortion in Q3 2024
  
  
• Tyler Ramsbey at Rhino Security Labs
  CloudGoat: New Scenario and Walkthrough (sns_secrets)
  
  
• Phil Venables at Risk and Cyber
  Threat Hunting: Real World vs. Cyber World
  
  
• S2W Lab
  • Ransomware Landscape in H1 2024: Statistics and Key Issues
  • Unmasking CVE-2024-38178: The Silent Threat of Windows Scripting Engine
    
    
• SANS Internet Storm Center
  • Phishing Page Delivered Through a Blob URL, (Mon, Oct 14th)
  • Angular-base64-update Demo Script Exploited (CVE-2024-42640), (Tue, Oct 15th)
  • Scanning Activity from Subnet 15.184.0.0/16, (Thu, Oct 17th)
  • The Top 10 Not So Common SSH Usernames and Passwords, (Wed, Oct 16th)
    
    
• Securelist
  • Whispers from the Dark Web Cave. Cyberthreats in the Middle East
  • Beyond the Surface: the evolution and expansion of the SideWinder APT group
  • Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia
    
    
• Jonathan Reed at Security Intelligence
  What’s behind the 51% drop in ransomware attacks?
  
  
• Sekoia
  ClickFix tactic: The Phantom Meet
  
  
• Huy Kha at Semperis
  • DCSync Attack Explained
  • Keberoasting Explained
    
    
• SentinelOne
  • PinnacleOne ExecBrief | China’s Great Power Means Great Responsibility
  • China’s Influence Ops | Twisting Tales of Volt Typhoon at Home and Abroad
    
    
• SOCRadar
  Dark Web Profile: Evil Corp
  
  
• SonicWall
  HORUS Protector Part 2: The New Malware Distribution Service
  
  
• Amit Panjawani and Andrew Brandt at Sophos
  From QR to compromise: The growing “quishing” threat
  
  
• Splunk
  • Introducing Splunk Attack Range v3.1
  • PowerShell Web Access: Your Network’s Backdoor in Plain Sight
  • Vulnerability Prioritization Is a Treat for Defenders
    
    
• Stephan Berger
  • Microsoft Defender XDR’s Deception Technology
  • bedevil: Dynamic Linker Patching
    
    
• Symantec Enterprise
  Ransomware: Threat Level Remains High in Third Quarter
  
  
• Karl Hiramoto at VirusTotal
  Unveiling Hidden Connections: JA4 Client Fingerprinting on VirusTotal
  
  
• Will Seaton, Viral Gandhi, Yesenia Barajas at ZScaler
  New ThreatLabz Report: Mobile remains a top threat vector with 111% spyware growth while IoT attacks rise 45%
  

UPCOMING EVENTS

• Any.Run
  How to Improve Threat Investigations
  
  
• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2024-10-21 #livestream #infosec #infosecnews
  
  
• Cellebrite
  Client Spotlight with Innovative Driven: Real-World Impact
  
  
• Magnet Forensics
  Give your lab an investigative edge with Magnet One
  
  
• SANS
  SANS Threat Analysis Rundown with Katie Nickels | October 2024
  

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  Digital Forensics Now Podcast – S2 E3
  
  
• Black Hills Information Security
  DLL Hijacking – A New Spin on Proxying your Shellcode
  
  
• BlueMonkey 4n6
  base64 explained – used for good (email, web) and for evil (malware)
  
  
• Breaking Badness
  The Future of Endpoint Security: AI, EDR, and SOC Evolution
  
  
• Cellebrite
  Cellebrite Inseyets for Enterprise, at a Glance 
  
  
• Clint Marsden at the TLP – Digital Forensics Podcast
  Episode 15 -Windows event log analysis with Hayabusa. The Sigma-based log analysis tool
  
  
• Cloud Security Podcast by Google
  EP194 Deep Dive into ADR – Application Detection and Response
  
  
• Cyber Secrets
  CSI Linux Conference 2024
  
  
• DEFCON
  DEF CON 32 – MaLDAPtive: Obfuscation and De-Obfuscation – Daniel Bohannon, Sabajete Elezaj
  
  
• Huntress
  Cyber Insurance Office Hours with Robert Cioffi | Fireside Chat
  
  
• InfoSec_Bret
  Challenge – Suspicious Python Package
  
  
• John Hammond
  Hackers Abuse MeshCentral for a RAT
  
  
• Law&Crime Network
  8 Creepy P. Diddy Videos Raising Alarm Bells After Sex Trafficking Arrest
  
  
• Magnet Forensics
  • Introduction to Magnet Axiom Cyber
  • Admitting visual evidence in the age of AI
    
    
• MSAB
  Early release – RAMalyzer
  
  
• MyDFIR
  Is This The Best Email Security Tool?
  
  
• Nuix
  • XLR8/24 Opening Address Sydney: Robert Mactier – Chairman, Nuix
  • XLR8/24 Keynote Sydney: Liesl Yearsley – CEO & Founder, Akin
  • XLR8/24 Keynote Sydney: Stephen Stewart – Field CTO, Nuix
  • XLR8/24 Keynote Sydney: Chris Stephenson – Head of AI Strategy & Operations, Nuix
  • XLR8/24 Keynote Syd: Brendan Dowling – Australian Ambassador, Cyber Affairs and Critical Technology
  • XLR8/24 Keynote Sydney: Jonathan Rubinsztein – CEO, Nuix
    
    
• OALabs
  Reverse Engineering LAB Setup Tutorial (updated)
  
  
• Off By One Security
  Tactical Multi-Factor Authentication (MFA) Bypass Attacks
  
  
• Paraben Corporation
  Capturing iCloud Sync Data
  
  
• Red Siege Information Security
  SIEGECAST: Modern Malware
  
  
• Sandfly Security
  De-Cloaking Linux Stealth Malware and Rootkits: sedexp, Diamorphine, and Reptile
  
  
• Sandfly Security
  Rob Joyce Interview – Linux Critical Infrastructure Threats
  
  
• SANS
  • Supply Chain Attacks: Why Security Leaders Must Act Now
  • Navigating the Al Frontier: The Next Wild Innovation
  • From Compliance to Leadership: What Every CISO Needs to Know
  • SANS FOR518: Mac & iOS Forensic Analysis & Incident Response
    
    
• SANS Cloud Security
  HANDS-ON WORKSHOP: Making the Switch to Azure Monitor Agent: Aviata Chapter 6
  
  
• SANS Cyber Defense
  • Automating Log Analysis
  • OSINT & Vicarious Trauma
  • Next Gen SOC
  • The Python Security Pickle
    
    
• Security Conversations
  ESET Israel wiper malware, China’s Volt Typhoon response, Kaspersky sanctions and isolation
  
  
• The Defender’s Advantage Podcast
  How to Run an Effective Tabletop Exercise
  

MALWARE

• Cyber Geeks
  Call stack spoofing explained using APT41 malware
  
  
• Cybereason
  THREAT ANALYSIS: Beast Ransomware
  
  
• Dark Atlas
  Fog Ransomware – Technical Analysis
  
  
• Dr Josh Stroschein
  Malware Analysis with The Cyber Yeti
  
  
• Elastic Security Labs
  Tricks and Treats: GHOSTPULSE’s new pixel-level deception
  
  
• Emanuele De Lucia
  “Hey ESET, Wait for the Leak”: Dissecting the “OctoberSeventh” Wiper targeting ESET customers in Israel
  
  
• Gary at ‘o_0 wtf?’
  • Introducing… meh, a random “malware” generation tool
  • meh: Bypass Order, Shellcode Execution and Target OS
    
    
• Herbie Zimmerman at “Lost in Security”
  2024-10-12 Async RAT
  
  
• Lathashree K at K7 Labs
  AwSpy – New Spyware Targets South Korean Android users
  
  
• Leandro Fróes at Netskope
  New Bumblebee Loader Infection Chain Signals Possible Resurgence
  
  
• Ovi Liber
  RambleOn Android Spyware (December 2022)
  
  
• Phylum
  Trojanized Ethers Forks on npm Attempting to Steal Ethereum Private Keys
  
  
• Pulsedive
  Cronus: Ransomware Threatening Bodily Harm
  
  
• Puja Srivastava at Sucuri
  Fake “Fix It” Pop-Ups Target WordPress Sites via Malicious Plugin to Download Trojan
  
  
• Trend Micro
  • Water Makara Uses Obfuscated JavaScript in Spear Phishing Campaign, Targets Brazil With Astaroth Malware
  • Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions
  • Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data
    
    
• Rajat Goyal at Zimperium
  The Mobile Malware Chronicles: Necro.N – Volume 101
  

MISCELLANEOUS

• Arch Cloud Labs
  Running Arch Cloud Labs On $1
  
  
• Hayden Covington at Black Hills Information Security
  Clear, Concise, and Comprehensive: The Formula for Great SOC Tickets
  
  
• Brett Shavers
  • Trust me. I’m an Expert.
  • AI in the DFIR Crosshairs
  • Reproducibility of results is required in science. But AI results are not reproducible…what now, DFIR?
    
    
• Fabian Mendoza at DFIR Dominican
  DFIR Jobs Update – 10/14/24
  
  
• Lesley Carhart at Dragos
  The Shifting Landscape of OT Incident Response
  
  
• Forensic Focus
  • GMDSOFT Tech Letter: Analysis Of Baidu Cloud Artifacts
  • Digital Forensics Round-Up, October 16 2024
  • Transforming Offender Management With Detego Global’s Acclaimed DFIR Tools
  • Forensic Focus Investigator Well-Being Survey 2024
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  • Disk Images: How read-write disk images have gone sparse
  • Disk Images: Performance
  • Who’s been accessing my storage? Reading a disk’s history
    
    
• Matt Suiche
  Bob and Alice in Kernel-land – Part 3
  
  
• SANS
  • ICS/OT Cybersecurity & AI: Considerations for Now and the Future (Part II)
  • The 2024 State of ICS/OT Cybersecurity: Our Past and Our Future
    
    
• Gabriel Hardy-Françon at StrangeBee
  Transforming data overload into actionable intelligence
  

SOFTWARE UPDATES

• Amped
  Amped DVRConv and Engine Update 35082
  
  
• ANSSI
  orc2timeline
  
  
• Apache
  Apache Tika – Release 3.0.0 – 10/15/2024
  
  
• Brian Maloney
  OneDriveExplorer v2024.10.16
  
  
• Datadog Security Labs
  GuardDog v2.0.5
  
  
• Digital Sleuth
  winfor-salt v2024.15.5
  
  
• Kathryn Hedley
  parseusbs
  
  
• Metaspike
  Forensic Email Collector (FEC) Changelog – 4.0.231.1071
  
  
• OpenCTI
  6.3.6
  
  
• Oxygen Forensics
  Remote WhatsApp and WhatsApp Business extraction using Oxygen Remote Explorer
  
  
• Phil Harvey
  ExifTool 12.99
  
  
• SigmaHQ
  pySigma v0.11.17
  
  
• Syne’s Cyber Corner
  Osprey – An Alternative to the Hawk PowerShell Module for Email Compromise Investigations
  
  
• Xways
  • Excire
  • X-Ways Forensics 21.3 Beta 5
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!