As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- John Lukach at 4n6ir
  - Additional CloudFront Log Formats and Destinations
- Paul Lorentz at Cellebrite
  - Don’t Lose Your Evidence: What’s at Stake with the iOS 18 Changes
- Cyber Sundae DFIR
  - CapabilityAccessManager.db Deep Dive, Part 2
- Krzysztof Gajewski at CyberDefNerd
  - Who Knows What Happened to My Logs? Tracking Event Log Deletion
- Django Faiola at ‘Appunti di Informatica Forense’
  - iOS Foursquare Swarm – Check-in App
- Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  - Bellingcat Challenge – Week 1 Writeup
- Forensafe
  - Investigating Android Fitbit
- Forensicfossil
  - BASIC SOC LAB
- Guus Beckers at Fox-IT
  - Decrypting Full Disk Encryption with Dissect
- Heather Charpentier
  - Google Keep Notes
- Iram Jack
- Jon Baumann at Ciofeca Forensics
  - Apple Notes in iOS 18
- Anurag Sharma at Mail Xaminer
  - Gmail Email Forensics Analysis – Explore Internet Header
- Radiant Capital
  - Radiant Capital Incident Update
- Eric Wise at Wise Forensics
  - Mac Artifact Viewer
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
- Akash Patel
- Yakir Kadkoda and Assaf Morag at Aqua
  - 300,000+ Prometheus Servers and Exporters Exposed to DoS Attacks
- ASEC
- Francis Guibernau at AttackIQ
  - Emulating the Financially Motivated Criminal Adversary FIN7 – Part 1
- Eric Russo at Barracuda
  - The SOC case files: XDR neutralizes threat-loaded external drive targeting MSP
- John Dwyer and Eric Gonzalez at Binary Defense
  - Cleo MFT Mass Exploitation Payload Analysis
- Jade Brown at Bitdefender
  - Bitdefender Threat Debrief
- Jordan Drysdale and Kent Ickler at Black Hills Information Security
  - The Top Ten List of Why You Got Hacked This Year (2023/2024)
- BushidoToken
  - Top 10 Cyber Threats of 2024
- CERT Ukraine
  - Targeted UAC-0185 cyberattacks against the Defence Forces and defence industry enterprises of Ukraine (CERT-UA#12414)
- CERT-AGID
- Chainalysis
  - Cryptocurrency in the War Zone: A Closer Look at Recent Events in Syria
- Check Point
- Nick Biasini and Vitor Ventura at Cisco’s Talos
  - The evolution and abuse of proxy networks
- Claroty
- Jamie Gale at CrowdStrike
  - Cloud Logs: The Unsung Heroes of Detection and Response
- Cyble
  - Security Risks in TP-Link Archer Router Could Lead to Unauthorized Access
  - Head Mare Group Intensifies Attacks on Russia with PhantomCore Backdoor
  - Hacktivist Alliances Target France Amidst Political Crisis
  - Romania Urges Energy Sector of Proactive Scanning Amid LYNX Ransomware Threat
  - Cyble’s Latest Sensor Intelligence Report Reveals Surge in Malware, Phishing, and IoT Vulnerabilities
- Cyfirma
  - Weekly Intelligence Report – 13 Dec 2024
- Roman Faithfull at Cyjax
  - Phreak Out!: New Bluebox Extortion Group DLS Emerges
- Datadog Security Labs
- Eliran Nissan at Deep Instinct
  - Forget PSEXEC: DCOM Upload & Execute Backdoor
- Rohit Sadgune at Detect Diagnose Defeat Cyber Threat
  - Threat Hunting for ACBackdoor Cloud Attack
- Disconinja
  - C2 server survey in Japan (Week 49 2024)
- Kali Fencl at DomainTools
  - How Domain Intelligence and Passive DNS Create A Fuller Domain Profile
- Eclypsium
- Efstratios Lontzetidis
  - Greece’s 2024 Cyber Threat Landscape, Trends and Predictions
- Elastic Security Labs
- Malcolm Heath at F5 Labs
  - Scanning For Credentials, and BotPoke Changes IPs Again
- Flare
  - MOVEit Repackaged and Recycled
- Flashpoint
  - China-Based Hacker Charged for Conspiring to Develop and Deploy Malware That Exploited Tens of Thousands of Firewalls Worldwide
- Hai Ha Phan at Group-IB
  - Trust Hijacked: The Subtle Art of Phishing Through Familiar Facades
- Raj at Hacking Articles
  - Abusing AD-DACL: WriteOwner
- HarfangLab
  - 2025 Threatscape report
- Hudson Rock
  - Hudson Rock Launches CavalierGPT: The First Comprehensive Infostealer Intelligence AI Bot (Free)
- Hunt IO
  - Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors
- Huntress
- Intel471
- Isaac Dunham
  - Introduction to Detection Engineering with Sigma
- Omar at Juniper Networks
  - Threat Hunting with passive DNS: Discovering the Attacker Infrastructure
- KELA Cyber Threat Intelligence
  - The Role of a Threat Intelligence Analyst
- Kostas
  - EDR Telemetry Project: Exciting New Updates and Insights
- Brian Krebs at Krebs on Security
  - How Cryptocurrency Turns to Cash in Russian Banks
- Marcus Edmondson at ‘The Threat Hunter’s Dilemma’
  - Unlocking the Power of Sysmon Event Logs: How to Parse and Analyze Security Data
- Microsoft Security
  - Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine
- Microsoft Security Response Center
  - Mitigating NTLM Relay Attacks by Default
- Natto Thoughts
  - Bluesky Should Outsmart China’s Public Opinion Monitoring Tools to Safeguard Public Discourse
- Netscout
  - 2024 DDoS-for-Hire Landscape Part 4
- OSINord
  - Hunting The Secret Service’s $10M Joker: Timur Kamilevich Shakhmametov
- Permiso
  - How Adversaries Abuse Serverless Services to Harvest Sensitive Data from Environment Variables
- Positive Technologies
  - A look at India through the dark web: what hackers are after
- Thomas Ford at Promon
  - App Threat Report: How do the top Android Apps perform against hooking
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, October 2024 (KOR)
- Red Canary
- Resecurity
  - Cybercriminals Impersonate Dubai Police to Defraud Consumers in the UAE – Smishing Triad in Action
- SANS Internet Storm Center
  - CURLing for Crypto on Honeypots, (Mon, Dec 9th)
- Georgy Kucherin and Marc Rivero at Securelist
  - Careto is back: what’s new after 10 years of silence?
- Anusthika Jeyashankar at Security Investigation
  - Threat Hunting with Zeek – Log Types and Use cases
- Silent Push
  - Is Google Advertising Out to Lunch? Simple Pivots Catch an Ongoing Malvertising Campaign Hiding in Plain Sight
- SOCRadar
- Angela Gunn, John Shier, and Hilary Wood at Sophos
  - The Bite from Inside: The Sophos Active Adversary Report
- SpecterOps
  - Attacking Entra Metaverse: Part 1
- Sublime Security
  - Xloader deep dive: Link-based malware delivery via SharePoint impersonation
- Symantec Enterprise
  - Likely China-based Attackers Target High-profile Organizations in Southeast Asia
- Alessandro Brucato at Sysdig
  - Bedrock Slip: Sysdig TRT Discovers CloudTrail Logging Missteps
- System Weakness
UPCOMING EVENTS
- Cellebrite
  - Deep Dive into Facebook
- Magnet Forensics
  - Mobile Unpacked Ep. 24 // Split Personalities – understanding multiple user account purposes in Android
PRESENTATIONS/PODCASTS
- Adversary Universe Podcast
  - Cross-Domain Attacks: Know Them, Find Them, Stop Them
- Alexis Brignoni
  - Digital Forensics Now Podcast – S2 E6
- Anuj Soni
  - Shellcode Analysis – Part 1: Extraction with x64dbg
- ArcPoint Forensics
- Behind the Binary by Google Cloud Security
  - EP03 Ryan Chapman – From Software Cracking to Threat Hunting: A Reverse Engineering Story
- Belkasoft
  - Alexis Brignoni “In-Depth Scrutiny of SEGB Files for Pattern of Life Data”
- Black Hills Information Security
  - REKAST – Talkin’ Bout [infosec] News 2024-12-09 #infosecnews #cybersecurity #podcast #podcastclips
- Breaking Badness
  - DNS Gone Rogue & DARPA’s Cyber Puzzle: Lessons in Security Innovation
- Cellebrite
- Cloud Security Podcast by Google
  - EP202 Beyond Tiered SOCs: Detection as Code and the Rise of Response Engineering
- Corelight
  - Corelight Delivers Static File Analysis With YARA Integration
- Digital Forensics Future (DFF)
  - S4: E5 Ediscovery Day—Career Advice from DFIR and ED Veterans
- Huntress
  - Tradecraft Tuesday | When Apps Attack
- InfoSec_Bret
  - SA -SOC282-257 – Deceptive Mail Detected
- Intel471
  - Cybercrime Exposed Podcast: Raccoon Stealer
- Magnet Forensics
- Malspace
  - Operation Crimson Palace
- MSAB
  - XEC User Levels
- MyDFIR
  - MyDFIR Community Q&A
- Sandfly Security
- SANS
- Security Conversations
  - Surveillance economics, Turla and Careto, and the AI screenshots nobody asked for
- Snigdha Basu at The Citizen Lab
  - Rebekah Brown and John Scott-Railton on Distilling Cyber Policy podcast
- Stephan Berger
  - BSides Munich: /proc for Security Analysts
- Sumuri
  - How To Vote – SUMURI Gives Back 2024 Final Nominees
- The Cyber Mentor
  - What is Broken Access Control?
- Volatility Foundation
  - The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
MALWARE
- Any.Run
  - Analysis of Nova: A Snake Keylogger Fork
- Cyfirma
  - Unidentified Threat Actor Utilizes Android Malware to Target High-Value Assets in South Asia
- Dr Josh Stroschein
- Muhammad Umair at Google Cloud Threat Intelligence
  - XRefer: The Gemini-Assisted Binary Navigator
- hasherezade’s 1001 nights
- Tomoya Kamei at JPCERT/CC
  - Attack Exploiting Legitimate Service by APT-C-60
- Lookout Threat Lab
- McAfee Labs
- Jerome Tujague and Daniel Bunce at Palo Alto Networks
  - Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation
- Christiaan Beek at Rapid7
  - Modular Java Backdoor Dropped in Cleo Exploitation Campaign
- Stephan Berger
  - Shell Script Compiler (shc)
- Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta at Trend Micro
  - Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion
- Zscaler
MISCELLANEOUS
- Atola Technology
  - 8 YouTube Must-Watch Channels for DFIR Professionals
- Cado Security
- Mark Gillett at eSentire
  - Unlimited Logs: What Security Leaders Should Know
- Forensic Focus
  - GMDSOFT Tech Letter Vol 7. iPhone Call Recording Artifacts
  - Understanding Digital Forensics Mental Health Stressors: Burnout And Insufficient Mental Health Support
  - Digital Forensics Round-Up, December 11 2024
  - Speeding Up And Simplifying Video Investigations With Amped Replay
  - Forensic Focus Digest, December 13 2024
- HackTheBox
  - Master Active Directory security with HTB CAPE
- InfoSec Write-ups
- Magnet Forensics
  - Introducing Magnet Verify: The next evolution of Medex
- Maxim Suhanov
  - Multiple vulnerabilities in AMI file system drivers
- Husam Shbib at Memory Forensic
  - Akira Challenge
- Damien Gremes at NVISO Labs
  - Your Playbook to a better Incident Response Plan
- Oxygen Forensics
  - Review: Top Oxygen Forensic® Detective updates of 2024
- Salvation DATA
  - Deleted File Recovery: Simple Steps to Restore Lost Data
- Security Onion
  - State of the Onion 2024
- Raymond Chen at The Old New Thing
  - It rather involved being on the other side of this airtight hatchway: Disabling anti-malware scanning
SOFTWARE UPDATES
- Atola
  - Insight Forensic 5.6 – Now with Btrfs and LVM support
- Airbus Cybersecurity
  - IRIS-Web v2.4.18
- Alexandre Borges
  - Malwoverview 6.1.1
- Amped
  - Amped Authenticate Update 35625: New Reflections Filter, Improved Deepfake Detection, Blacken Redaction, and More!
- c3rb3ru5
  - Binlex v2.0.0-rc1
- Mandiant
  - Capa v8.0.1
- Digital Sleuth
  - winfor-salt v2024.19.4
- Dr Nestori Syynimaa at AADInternals
  - AADInternals-Endpoints 😈
- Federico Lagrasta
  - PersistenceSniper v1.17.1
- Oxygen Forensics
  - Oxygen Forensic® Detective v.17.1 Is Available Now
- Nuix
  - New In Nuix Neo – Introducing V1.3
- Hasherezade
  - hollows_hunter v0.4.0
- IsoBuster
  - IsoBuster 5.5 released
- Kathryn Hedley
  - Parse USBs v1.6
- Manabu Niseki
  - Mihari v8.0.1
- Martin Korman
  - Regipy 5.1.0
- Mazars Tech
  - AD_Miner v1.8.0
- Metaspike
  - Forensic Email Collector 4.0.287 Release Notes
- MISP
  - FlowIntel 1.3.1 released and MISP integration
- MSAB
  - Now available: XRY 10.12, XAMN 8.0, XEC 7.12 and KTE 10.12
- Ninoseki
  - Azuma v0.5.1
- OpenCTI
  - 6.4.4
- Phil Harvey
  - ExifTool 13.08
- Justin Kohler at SpecterOps
  - Unwrapping BloodHound v6.3 with Impact Analysis
- X-Ways
  - X-Ways Forensics 21.3 SR-7
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!