As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Akash Patel
  - Microsoft 365 Security: Understanding Built-in Detection Mechanisms and Investigating Log Events
  - Memory Forensics Using Strings and Bstrings || MemProcFS/MemProcFS Analyzer: A Comprehensive Guide
  - Unveiling Volatility 3: A Guide to Installation and Memory Analysis on Windows and WSL
  - Step-by-Step Guide to Uncovering Threats with Volatility: A Beginner’s Memory Forensics…
  - Source of Logs in Azure(P4:- Virtual Machine Logs) || How to Acquire and Analyze a VM Disk Image…
  - Source of Logs in Azure(P3 :- NSG/Storage Account Logs) : A Comprehensive Guide for Incident…
  - Source of Logs in Azure(P1 :-Tenant Logs) || Source of Logs in Azure(P2 :- Tenant/Subscription…
  - Azure Compute: Understanding VM Types and Azure Network Security for Incident Response
  - Azure Resource Groups and Role-Based Access Control: A Comprehensive Guide for Incident Response…
- David Spreadborough at Amped
  - Video Decoding: From File Conversion to Forensic Integrity
- Krzysztof Gajewski at CyberDefNerd
  - Goodbye Activity History: Windows 10’s Timeline Feature Removed in Windows 11
- Forensafe
  - Solving Cellebrite CTF 2024 (Sharon)
- Justin De Luna at ‘The DFIR Spot’
  - Lateral Movement – Remote Desktop Protocol (RDP) Artifacts
- Magnet Forensics
  - Understanding the security impacts of iOS 18’s inactivity reboot
- Paraben Corporation
  - Cryptocurrency and the Dark Web: A Guide to Investigation
- Scott Koenig at ‘The Forensic Scooter’
  - iCloud Shared Photo Library: Forensic Artifacts Explained
THREAT INTELLIGENCE/HUNTING
- Bill Stearns at Active Countermeasures
  - TOR Network DOS Attack
- Assaf Morag at Aqua
  - Threat Actors Hijack Misconfigured Servers for Live Sports Streaming
- Julian Tuin, Stefan Hostetler, Jon Grimm, Aaron Diaz, and Trevor Daher at Arctic Wolf
  - Arctic Wolf Observes Threat Campaign Targeting Palo Alto Networks Firewall Devices
- Australian Signals Directorate
  - Annual Cyber Threat Report 2023-2024
- Ayelen Torello at AttackIQ
  - Response to CISA Advisory (AA24-326A): Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization
- Australian Cyber Security Centre
  - #StopRansomware: BianLian Ransomware Group
- Avast Threat Labs
  - Gen Q3/2024 Threat Report
- Barracuda
- Blackberry
  - Suspected Nation-State Adversary Targets Pakistan Navy in Cyber Espionage Campaign
- CERT-AGID
- Check Point
- Tillson Galloway at Corelight
  - Detecting Quasar RAT Malware | Corelight
- CrowdStrike
  - Unveiling LIMINAL PANDA: A Closer Look at China’s Cyber Threats to the Telecom Sector
- Cyfirma
- Cyjax
  - T(AI)WANted: How the global surge in AI likely caused an increase in Taiwan-targeted cybercrime
  - Kairos extortion group turns to initial access brokers
  - The Devil and the Termite: data-leak sites emerge for Chort and Termite extortion groups
  - ContFRaversy in Ransomland: Tor-based site emerges for new French-speaking RaaS operation “ContFR”
- Dan Green at Push Security
  - Cross-IdP impersonation: Hijacking SSO to access downstream apps
- Tonmoy Jitu at Denwp Research
  - Hidden World of xattr: Lazarus Group’s Abuse of “Rustyattr” to Evade Detection
- Rohit Sadgune at Detect Diagnose Defeat Cyber Threat
  - Threat Hunting for Cloud Snooping Attack
- Detect FYI
  - Detection of “evil-winrm”
- DeTTECT
  - v2.0.0
- Disconinja
  - C2 Server Investigation in Japan (Week 46 2024)
- Raphael Galli at EclecticIQ
  - Financially Motivated Threat Actor Leveraged Google Docs and Weebly Services to Target Telecom and Financial Sectors
- Eclypsium
  - Detecting Pacific Rim IOCs with Eclypsium
- Ervin Zubic
  - Bitcoin Mixing Explained: Key Insights and Forensic Analysis Tips
- F5 Labs
  - Black Friday Versus The Bots
- Flashpoint
  - Phobos Ransomware Administrator Extradited from South Korea to Face Cybercrime Charges
- Google Cloud Threat Intelligence
- Group-IB
- Hal Pomeranz at ‘Righteous IT’
  - Linux LKM Persistence
- Hornet Security
  - Monthly Threat Report November 2024: Further Security Breaches and New EU Regulations
- Hunt IO
- Jonathan Johnson at Huntress
  - You Can Run, But You Can’t Hide: Defender Exclusions | Huntress
- Intel471
  - A Look at Trending Chinese APT Techniques
- Intrinsec
  - PROSPERO & Proton66: Tracing Uncovering the links between bulletproof networks
- Invictus Incident Response
  - This Is How We Do It: Resolving Microsoft Cloud Incidents Like Pros
- Brian Krebs at Krebs on Security
- Kroll
- L M
- Anish Bogati at Logpoint
  - Strela: A newcomer in Stealer Family
- Lumen
  - One Sock Fits All: The use and abuse of the NSOCKS botnet
- Amr Thabet at MalTrak
  - Fileless Attacks at a Glance: Weaponizing Powershell & Microsoft Legitimate Apps
- MaverisLabs
  - Hunting Malicious Shortcut (.LNK) Files Using the VirusTotal API
- Suneel Sundar at MITRE-Engenuity
  - Good Work Becomes Better Work
- Natto Thoughts
  - Salt Typhoon: Churning Up a Storm of Consternation
- Orange Cyberdefense
  - The hidden network
- Outpost24
  - Threat Context monthly: Executive intelligence briefing for November 2024
- Palo Alto Networks
  - FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
  - Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 21)
  - Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware
  - Lateral Movement on macOS: Unique and Popular Techniques and In-the-Wild Examples
- Valeriya Besedina at Positive Technologies
  - Cybersecurity threatscape: Q3 2024
- Proofpoint
  - Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape
- Recorded Future
  - Russia-Aligned TAG-110 Targets Asia and Europe with HATVIBE and CHERRYSPY
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, September 2024 (ENG)
- Red Canary
  - Intelligence Insights: November 2024
- Red Hot Cyber
- Lucija Valentić at ReversingLabs
  - Differential analysis raises red flags over @lottiefiles/lottie-player
- Anastasia Sentsova, Sean O’Connor and Will Thomas at SANS
  - Women In Russian-Speaking Cybercrime: Mythical Creatures or Significant Members of Underground?
- SANS Internet Storm Center
  - Exploit attempts for unpatched Citrix vulnerability, (Mon, Nov 18th)
  - Detecting the Presence of a Debugger in Linux, (Tue, Nov 19th)
  - Increase In Phishing SVG Attachments, (Thu, Nov 21st)
  - An Infostealer Searching for « BIP-0039 » Data, (Fri, Nov 22nd)
  - Decrypting a PDF With a User Password, (Sat, Nov 23rd)
- Jeremy Scion at Sekoia
  - Helldown Ransomware: an overview of this emerging threat
- Silent Push
  - “Not what the doctor ordered”: Silent Push maps out illegal pharmacy infrastructure. 2,500+ active IOFA domains and dedicated IPs discovered, primarily served via US-based hosts.
- Simone Kraus
  - Misconception of lone wolves in cyberspace
- SOCRadar
- Splunk
- Spur
  - The Threat of Residential Proxies to Sanctions Compliance
- Aiden Mitchell at Sublime Security
  - Hidden credential phishing within EML attachments
- System Weakness
- Trellix
- Luke Bremer at TrustedSec
  - A 5-Minute Guide to HTTP Response Codes
- Sean Koessel, Steven Adair, and Tom Lancaster at Volexity
  - The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
- Wiz
  - Wiz observes exploitation in the wild of PAN-OS vulnerabilities
UPCOMING EVENTS
- Magnet Forensics
- Off By One Security
  - Shutting Down Blockchains! …with Hossam M. Hamed
PRESENTATIONS/PODCASTS
- Alexis Brignoni
  - Digital Forensics Now Podcast – S2 E5
- Black Hills Information Security
- Breaking Badness
  - From Wingdings to Warfare: Inside the Wildest Cybersecurity Stories
- Cellebrite
  - #TipTuesdays – Media Origin Review
- Cyber Secrets
  - Lumon Radio: The Grand Manifesto of OSINT EPISODE 2 – CSI LINUX & OSINT
- Cyber Social Hub
  - Don’t Miss NEW Cyber Social Hub with the all NEW interface!
- Cyberwox
  - My Week As a Cybersecurity Engineer at FAANG (Incident Commander, Automation and Incident Response)
- Eclypsium
  - BTS #42 – The China Threat
- Future of Threat Intelligence
  - Threat hunter Ryan Chapman on Critical Security Mistakes Against Ransomware
- Huntress
- InfoSec_Bret
  - Challenge – Windows Memory Dump
- Insane Forensics
  - OT Office Hours: Everything You Need to Know about Tabletop Exercises
- Microsoft Threat Intelligence Podcast
  - Between Two Gregs: An Update on the North Korean Threat Landscape
- MSAB
- MyDFIR
- Nixintel Open Source Intelligence & Investigations
  - Telegram For Cyber Investigators
- Off By One Security
  - The Darknet Marketplace (DNM) Bible – Should I do a series walking through it?
- SANS
  - SANS Threat Analysis Rundown with Katie Nickels | November 2024
- Security Conversations
  - Russian APT weaponized nearby Wi-Fi networks in DC, new macOS zero-days, DOJ v Chrome
- Sumuri
  - Instructional Video – How To Nominate for SUMURI Gives Back 2024
- The Microsoft Security Insights Show
  - Microsoft Security Insights Show Episode 236 – Jess Dodson
- John Patzakis at X1 Discovery
  - Industry Experts Address Information Governance Challenges in Microsoft 365
- Yaniv Hoffman
  - REVERSE ENGINEERING USING GHIDRA (NSA Tool) | Ghidra Tutorial With OTW
MALWARE
- Adam at Hexacorn
  - How to debug Windows service processes in the most old-school possible way…
- Any.Run
  - 6 Common Persistence Mechanisms in Malware
- ASEC
- Cofense
- CTF导航
- Andy Giron, Ian Kretz, Matt Muir, and Sebastian Obregoso at Datadog Security Labs
  - MUT-8694: An NPM and PyPI Malicious Campaign Targeting Windows Users
- M, Mohanasundaram and Neil Tyagi at McAfee Labs
  - Lumma Stealer on the Rise: How Telegram Channels Are Fueling Malware Proliferation
- Jan Michael Alcantara at Netskope
  - Python NodeStealer Targets Facebook Ads Manager with New Techniques
- OALABS Research
  - Spectre Ops
- Phylum
  - Python Crypto Library Updated to Steal Private Keys
- Anna Širokova at Rapid7
  - A Bag of RATs: VenomRAT vs. AsyncRAT
- Sean Gallagher and Morgan Demboski at Sophos
  - Sophos MDR blocks and tracks activity from probable Iranian state actor “MuddyWater”
- Tehtris
  - Cryptbot downloader: A deep cryptanalysis
- Hara Hiroaki at Trend Micro
  - Spot the Difference: Earth Kasha’s New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
- Viktor Šperka at WeLiveSecurity
  - Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine
- Zhassulan Zhussupov
  - Linux malware development 3: linux process injection with ptrace. Simple C example.
MISCELLANEOUS
- Adam at Hexacorn
  - Portability of old Windows programs…
- Brett Shavers
- Brian Maloney
  - What Is Lyman
- Cellebrite
- Antoinette Hodes at Check Point
  - Small Devices, Big Bills
- Fabian Mendoza at DFIR Dominican
  - DFIR Jobs Update – 11/18/24
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - Signed and SEALed
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  - Generative AI and eDiscovery – Adoption in the Courts – Part 2
- Jackson Evans-Davies at Dragos
  - The 4th Annual Dragos Capture the Flag (CTF) Results Are In!
- Forensic Focus
- Ken Pryor at ‘No Pryor Knowledge’
  - Catching Up
- Matt Linton at Open Source DFIR
  - About Burnout in Cybersecurity
- Grace Chi at Pulsedive
  - Black Friday 2024
- The Random Adventure That Is Life (RATIL)
  - SANS 2024 Holiday Hack Challenge – Act 1
- The Security Noob
  - The Security Noob Interviews Amy Moles the CEO & Co-Founder of ArcPoint Forensics
SOFTWARE UPDATES
- Alexis Brignoni
- Amped
  - Amped FIVE Update 35517: Macro Bookmark Renaming, Change Frame Rate Using Timestamp, Timestamp Duration Macro, Variable Frame Rate Writing, More Updates to Advanced File Info, and Much More
- Brian Maloney
  - OneDriveExplorer v2024.11.20
- Didier Stevens
  - Update: base64dump.py Version 0.0.26
- Elcomsoft
  - iOS Forensic Toolkit 8.62: bug fixes and performance enhancements
- Raj Upadhyay
  - FACT v2.0
- MISP
  - MISP 2.4.200 and 2.5.2 released – Post Hack.lu/CTI-Summit release with many new features
- Nextron Systems
  - THOR Evolution: THOR 10.7 Stable Release and the Approach of 11 TechPreview
- Obsidian Forensics
  - Unfurl v2024.11
- OpenCTI
  - 6.4.1
- radare2
  - 5.9.8
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!