Briefings

How to standardize, audit, and automate detection-tuning requests in Elastic using Kibana Cases, custom fields, runtime/ES|QL queries, an...

Defensible detection-tuning with Kibana Cases: a DFIR how-to

4n6 Beat
6 min read

Elastic Security Labs published a workflow on December 5, 2025 that shows how to automate detection-tuning requests with Kibana Cases, using custom fields, a detection to watch for toggled requests, and a webhook to create tickets and add links back to the case (Elastic Security Labs, 2025-12-05).

Overview

Kibana Cases lets you open, track, and enrich investigations with alerts, comments, files, visualizations, and external tickets via connectors such as ServiceNow, Jira, Slack, and webhooks (Cases overview, connector catalog). Custom fields for Cases (text/toggle) were added in Elastic 8.15, enabling standardized “tuning requested?” switches captured directly in the case form (custom fields in settings, Security app settings). You can attach alerts to cases from the Alerts UI or create a case from an alert, ensuring the detection context travels with the request (create/manage cases and attach alerts).

How to triage and hunt AutoIt3-compiled droppers that write obfuscated shellcode to %TEMP%, allocate RWX memory, and execute via CallWind...

AutoIt3 droppers with FileInstall + CallWindowProc: an IR playbook

4n6 Beat
4 min read

SANS ISC documented fresh AutoIt3-compiled droppers that embed payloads with FileInstall, write obfuscated bytes to %TEMP%, allocate RWX memory with VirtualAlloc, then execute shellcode via CallWindowProc. The samples include commodity payloads (e.g., Quasar RAT, Phantom stealer). DFIR teams should assume more of these will show up in email/download chains and prepare hunts and triage checklists now (SANS ISC diary). (isc.sans.edu)

Intrusion Flow

Key Artifacts to Pull

  • Disk
    • %TEMP% artifacts named by the script (e.g., embedded files like “inhumation”, “buncal”) and the original AutoIt3-compiled loader executable. Parse MFT/USN timestamps and look for same-second write/execute patterns (SANS ISC diary). (isc.sans.edu)
    • Prefetch for the loader EXE to confirm first/last run, run count, and child DLLs. PECmd supports all modern Prefetch formats (PECmd). (github.com)
    • Program execution artifacts: Amcache.hve commonly records executed PE metadata including path and SHA-1; use it to corroborate execution of the loader (Amcache background and path). (cybertriage.com)
  • Memory
    • Dump live memory if possible. Look for RWX regions and injected code; Volatility’s malfind helps surface suspicious VADs with PAGE_EXECUTE permissions (Volatility malfind). (github.com)
  • Logs/Telem
    • Sysmon Event ID 1 (process creation) for the loader and its child processes; Event ID 11 (FileCreate) for new files in %TEMP%. Enable network (ID 3) if applicable. Confirm Sysmon schema and event semantics in Microsoft’s reference (Sysmon docs). (learn.microsoft.com)

Detection Notes

  • Static triage
    • AutoIt compiled loaders can often be identified by tooling and YARA. Community YARA rules flag AutoIt-compiled PEs; the ecosystem reports broad sightings of such rules in the wild (MalwareBazaar YARA: AutoIT_Compiled). (bazaar.abuse.ch)
    • Indicators in extracted content: look for tokens/FileInstall references, kernel32/user32 API usage via DllCall, and strings like VirtualAlloc/CallWindowProc after deobfuscation. Extraction/decompilation helpers exist, e.g., AutoIt-Ripper and myAut2Exe (use in a lab VM) (AutoIt-Ripper; myAut2Exe). (github.com)
  • Behavior hunts (host)
    • Group signals: short-lived loader that (a) creates extensionless temp files, (b) immediately reads them, (c) spawns no obvious child interpreters, and (d) exhibits GUI-thread API usage. Correlate Sysmon ID 1 + 11 with the loader image path and %TEMP% targets (Sysmon docs). (learn.microsoft.com)
  • Behavioral rationale

Response Guidance

  • Triage and containment
    • If the loader executed, isolate the endpoint, capture memory, and acquire a full disk image or triage package including %TEMP%, user profile AppData, Prefetch, Amcache.hve, and relevant Event Logs/Sysmon. Prioritize memory due to ephemeral RWX buffers (Volatility malfind). (github.com)
  • Analysis workflow
    1. Identify the loader: check signature and entropy; run Detect-It-Easy or similar to fingerprint the packer/interpreter; scan with AutoIt-specific YARA (Detect-It-Easy project page; YARA AutoIT_Compiled). (github.com)
    2. Extract embedded resources: attempt AutoIt-Ripper/myAut2Exe; search for AU3 headers and exported resources; validate any decoded shellcode buffers before execution in a sandbox (AutoIt-Ripper; myAut2Exe). (github.com)
    3. Confirm behavior/lateral artifacts: correlate FileCreate in %TEMP% and subsequent memory execution; if payload families are indicated (e.g., Quasar/Phantom), pivot to family-specific hunts (SANS ISC diary discussion of payloads). (isc.sans.edu)
  • Hardening and prevention

Takeaways

  • Treat AutoIt3-compiled PEs that write to %TEMP% and then allocate RWX memory as high-priority investigations. Hunt for FileInstall use, temp-file stages, VirtualAlloc with RWX, and CallWindowProc execution. Instrument Sysmon, build YARA for AutoIt loaders, and keep an extraction/deobfuscation toolchain ready (SANS ISC diary; VirtualAlloc; CallWindowProc; AutoIt FileInstall). (isc.sans.edu)

Hands-on guidance for DFIR labs to fold Oxygen Forensic Detective v18.1 and Atola TaskForce 2025.11 into Android and storage acquisition...

Tune Your Lab SOPs: Oxygen Detective v18.1 chain flows and Atola TaskForce 2025.11 ZFS/LDAP streamline acquisition

4n6 Beat
5 min read

Forensic Focus’ December 3 round-up flagged two updates worth immediate lab attention: Oxygen Forensic Detective v18.1 and Atola TaskForce 2025.11. Both change how we plan Android collections and triage storage with fewer clicks and less context switching (round-up).

Overview

  • Oxygen Forensic Detective v18.1 adds Android “chain extractions” so you can sequence multiple methods (e.g., Physical → Full File System → Android Agent → ADB Backup) in one flow with automatic fallback handling, plus new iOS Agent screenshot capture and desktop artifacts (v18.1 notes).
  • Earlier in the v18 series, Oxygen introduced “multi-source extraction via Android Agent,” letting you combine multiple logical categories and third-party apps into a single Agent run for one consolidated output (v18 highlights).
  • Atola TaskForce firmware 2025.11 brings system-wide ZFS support (diagnostics, imaging, partition browsing) and LDAP integration for centralized authentication; it also adds QOL items like pinned folders and report/network tweaks (Atola blog, Forensic Focus coverage).

Acquisition and Extraction (platform-specific)

Android with Oxygen Detective v18.1

  1. Plan a chained Android run
    • In Device Extractor, set the chain order so time-heavier but richer methods run first, with automatic fallback to lighter ones (e.g., Physical → FFS → Android Agent → ADB Backup) (v18.1 notes).
    • Document the chosen order in the case record before you start; this keeps later variance explainable.
  2. Leverage Agent multi-source in the chain
    • When the run reaches Android Agent, pre-select logical categories (calls, contacts, calendars, etc.) and multiple third-party apps to produce one combined extraction folder/file, minimizing repetitive passes over the handset (v18 highlights).
  3. Respect method prerequisites
    • Full File System (FFS) extraction in current Detective builds supports many Android 9-14 devices with an SPL prior to July 2024 via a general Android vulnerability; verify the device’s SPL before triggering FFS to avoid dead ends (FFS method notes).
    • Android Agent is intended for unlocked devices and focuses on logical/manual collection; it does not access internal app data and files the way FFS does. Set expectations accordingly and use Agent where appropriate (Android Agent guide).
  4. Optional iOS screenshot capture
    • If your scene includes iOS, v18.1 can record screenshots during extraction (iOS 12+) to quickly preserve on-screen context with proper logging (v18.1 notes).

Storage imaging with Atola TaskForce 2025.11

  1. Image ZFS cleanly
    • TaskForce now recognizes and works end-to-end with ZFS: diagnostics (File systems stage), partition browsing, and imaging. This is useful for the servers, NAS units, and Linux estates common in enterprise cases (Atola blog).
    • RAID autodetection now attempts reassembly when ZFS partitions are present; this shortens triage when metadata is missing or the layout is unknown (Atola blog).
  2. Centralize user auth
    • Enable the new LDAP option to authenticate users against AD/LDAP; TaskForce stores no passwords locally when LDAP is in use. Keep local accounts available as a contingency (Atola blog).
  3. Quality-of-life tweaks
    • Pin frequently used network targets/folders in the UI to speed repetitive imaging destinations (Atola blog).
    • Expect improved parallel imaging performance estimates and faster report loading, which helps on busy lab days (Forensic Focus coverage).

Artifact Locations and Paths

  • Android Agent exports typical logical sets (calls, messages, contacts, calendars, Wi-Fi APs, Bluetooth pairs, basic file structure, and select third-party apps) into one consolidated extraction when you use the multi-source option. Treat this as a targeted logical capture, not an internal-app dump (Android Agent guide, v18 highlights).
  • On storage, ZFS volumes will enumerate in TaskForce’s File systems stage alongside NTFS, ext*, XFS, Btrfs, APFS/HFS+, and FAT; validate the enumerated topology before committing to a full image or a logical carve (Atola blog).

Analysis and Correlation

  • Merge sources in Oxygen: after collection, merge FFS, physical, cloud, SIM, and OxyAgent/Android-Agent extractions into a single dataset to keep timelines/social graphs coherent (merge feature).
  • Automate post-processing: Oxygen’s CLI can batch-import extractions, analyze images, and export reports, which is helpful for overnight queues after long scene days (CLI automation).
  • For ZFS/RAID jobs, snapshot your Atola case state and export reports immediately after autodetection; re-attempts can change arrays as members drop in/out. Atola’s 2025.11 improves report handling and error logs for share connections, which helps with later reproduction (Atola blog).

Validation and Pitfalls

  • Don’t over-promise Agent scope: Android Agent logical/manual extraction won’t touch internal app data; if you need app sandboxes or keychains, prioritize FFS/physical where legally and technically possible (Android Agent guide).
  • Check SPL early: if the SPL is July 2024 or later, your FFS path may be blocked; adjust the chain to avoid wasting time (e.g., pivot sooner to Agent or ADB backup) (FFS method notes).
  • LDAP is convenient, but test lockout behavior first: validate how TaskForce handles directory outages, password expiry, and group changes before you flip the switch lab-wide (Atola blog).
  • As always, keep the paperwork tight. Evidence management talks regularly remind us that documentation is what makes the data admissible: “no documentation, no evidence” still applies (round-up reference to talk).

Reporting Notes (chain of custody, reproducibility)

  • Oxygen: record the exact chain order, method outcomes, version/build, and any Agent multi-source selections in the notes; v18.1 also tweaks evidence tagging/notes, which can clarify your audit trail (v18.1 notes).
  • Atola: export diagnostics and imaging reports immediately after ZFS enumeration/reassembly; the 2025.11 update improved report loading and logging, making it easier to reconcile target paths and share errors later (Atola blog).

Tools

  • Oxygen Forensic Detective v18.1: chain extractions, iOS Agent screenshots, additional artifacts (v18.1 notes). Multi-source Android Agent from v18 still applies for consolidated logicals (v18 highlights). Core method references: FFS coverage window (FFS method notes), Android Agent scope (Android Agent guide).
  • Atola TaskForce/TaskForce 2 2025.11: ZFS, LDAP, pinned folders, and assorted fixes/perf gains (Atola blog, Forensic Focus coverage). Hardware/platform overview and automation options are on the product page if you’re integrating at scale (TaskForce 2 page).

Takeaways

  • Update your SOPs this week to: (1) use Oxygen’s chained Android flows with Agent multi-source to cut repeats, and (2) enable Atola ZFS handling + LDAP in the lab for smoother storage triage and access control. Test on known-good devices/images before first live use (v18.1 notes, Atola blog).

Hands-on incident response guidance to find, validate, and remove weaponized Chromium extensions (Clean Master/WeTab families) that check...

IR playbook: hunting and evicting the “Sleeper” Chrome/Edge extensions (ShadyPanda, ~4.3M installs)

4n6 Beat
4 min read

Koi and Malwarebytes disclosed a long-running extension operation (“ShadyPanda”) where multiple Chrome/Edge add-ons accumulated trust for years and then flipped to spyware/RCE via hourly command tasks. The operators reached ~4.3M installs across phases; one cluster polls api.extensionplay[.]com hourly to fetch and execute arbitrary JavaScript, and another (e.g., WeTab) streams browsing data in real time. Google removed affected Chrome Web Store items; at disclosure time some Microsoft Edge Add-ons remained available. Treat this as a browser-level backdoor that bypasses traditional endpoint controls and exposes SaaS sessions and cookies. (Koi, Malwarebytes, BleepingComputer, SecurityWeek, The Register).

Google’s December 2025 Android bulletin fixes a critical Framework remote DoS and other vulnerabilities. Here’s how to triage devices, ve...

Android December 2025 Security Bulletin: DFIR impact and fleet actions

4n6 Beat
4 min read

Google published the Android Security Bulletin for December 2025 with patch levels 2025-12-01 and 2025-12-05. The most severe issue is a critical Framework vulnerability that enables remote denial of service; Google also notes two CVEs under limited, targeted exploitation. Source code patches land in AOSP within 48 hours of publication, then vendors integrate and ship updates. Verify exposure by checking each device’s reported patch level. (Android bulletin, Dec 1, 2025; Google Support: check patch level)

CISA added CVE-2021-26829 to the KEV catalog—an actively exploited stored XSS in OpenPLC ScadaBR—so treat affected HMIs as incident-grade...

OpenPLC ScadaBR XSS (CVE-2021-26829) added to CISA KEV: what DFIR teams should pull first

4n6 Beat
3 min read

CISA has added CVE-2021-26829, a stored cross-site scripting flaw in OpenPLC ScadaBR’s system_settings.shtm, to the Known Exploited Vulnerabilities (KEV) catalog, with a federal remediation due date of December 19, 2025 (date added November 28, 2025) (NVD record with KEV metadata). The bug affects ScadaBR through 1.12.4 on Windows and through 0.9.1 on Linux (NVD). Forescout’s honeypot reporting shows hacktivists moving from initial access to disruptive actions in roughly a day, including use of default credentials and UI defacement via this XSS vector (Forescout Vedere Labs; The Hacker News summary, Nov 30, 2025). ScadaBR deployments often run on Apache Tomcat; Tomcat access logs default to $CATALINA_BASE/logs and can be configured with the AccessLogValve (Tomcat 8.5 docs).

How to fold Action1’s Intune-integrated third‑party patching and Synack’s agentic AI ‘Sara Pentest’ into incident response: artifacts to...

IR-ready patching and AI pentesting: What November’s product updates mean for responders

4n6 Beat
4 min read

Help Net Security’s November 28 roundup highlighted two releases we should operationalize in IR: Action1’s Intune-integrated third-party patching with risk-based prioritization, and Synack’s agentic AI “Sara Pentest.” Used together, they tighten mean time to remediate across Windows/macOS/Linux and turn pentest output into triage signals you can act on during containment and eradication (Help Net Security, Nov 28, 2025).

Intrusion Flow

Unpatched third-party applications remain one of the most common footholds; CISA’s KEV catalog is the authoritative list of CVEs actively exploited in the wild and should drive emergency patching during an incident (CISA KEV overview). Typical flow we see:

Black Friday/Cyber Monday surge puts e‑commerce in the blast radius. Here’s a focused incident‑response plan to pre‑stage logging, hunt f...

Holiday IR Playbook: Web Skimming and Credential‑Stuffing at Retail Scale

4n6 Beat
4 min read

Retailers see elevated risk during Black Friday and Cyber Monday, with advisories emphasizing exposure management (fix misconfigurations, enforce MFA, patch web apps and infrastructure) and pre-staging detections for web skimming and credential-stuffing to shorten time-to-containment. (cybersecasia.net)

Intrusion Flow

  • Client-side web skimming (Magecart-style)

    • Initial access: exploit public-facing apps/CMS, stolen admin creds, or supply-chain injection to place malicious JavaScript. (trustwave.com)
    • Data capture: injected script hooks payment/checkout DOM, validates card data (e.g., Luhn), and encodes exfil (often Base64). (trustwave.com)
    • Exfiltration: outbound beacons via XHR/WebSocket/IMG requests, sometimes disguised as analytics or image loads. (akamai.com)
    • Server-side variants: malware persists in templates/filesystems or databases; data is staged and periodically exfiltrated to reduce noise. (sansec.io)
  • Credential-stuffing → ATO (account takeover)

Hands‑on guidance to hunt, contain, and evict the ongoing Shai‑Hulud 2.0 npm supply‑chain campaign using preinstall hooks, Bun‑based load...

Shai‑Hulud 2.0: an IR playbook for the npm preinstall worm

4n6 Beat
4 min read

CERT-FR issued a bulletin on November 27, 2025 describing an active supply-chain campaign against npm packages that began on November 23, 2025, has affected 700+ packages, and executes via a preinstall script to harvest secrets, self-propagate, and in some cases destroy user data. CERT-FR advises hunting for bun_environment.js, auditing installed versions, temporarily freezing updates, and rotating exposed secrets. (cert.ssi.gouv.fr)

Intrusion Flow

  • Initial execution (developer laptop or CI): Compromised npm package versions add a package.json preinstall that runs setup_bun.js, which installs or locates the Bun runtime and launches a large payload bun_environment.js. (wiz.io)
  • Credential theft and exfiltration: The payload enumerates environment variables and config files and invokes TruffleHog to capture credentials, then exfiltrates to attacker-created GitHub repositories often labeled with Shai-Hulud-themed descriptions; cross-victim exfiltration has been observed. (cert.ssi.gouv.fr)
  • Persistence and remote control: The malware registers a self-hosted runner named “SHA1HULUD” and drops a .github/workflows/discussion.yaml workflow so that creating a GitHub Discussion executes arbitrary commands on the victim’s self-hosted runner; a formatter_*.yml workflow is used to collect GitHub Actions secrets into actionsSecrets.json. (wiz.io)
  • Self-replication: Stolen npm tokens and GitHub access allow the actor to publish trojanized versions of additional packages under compromised maintainers, driving rapid worm-like spread across ecosystems. (wiz.io)
  • Destructive fallback: Analyses report a “dead man’s switch” that may delete user data (e.g., the home directory) when the malware cannot exfiltrate or persist; CERT-FR also warns about possible user-data deletion. (about.gitlab.com)

Key Artifacts to Pull

  • Project and dependency state:
    • package.json, package-lock.json, yarn.lock, pnpm-lock.yaml (to diff against clean versions announced by vendors such as Postman and PostHog). (blog.postman.com)
  • On-disk indicators:
    • setup_bun.js and bun_environment.js in package tarballs or node_modules; auxiliary files cloud.json, contents.json, environment.json, truffleSecrets.json. (wiz.io)
    • Suspicious GitHub workflows: .github/workflows/discussion.yaml and formatter_*.yml. (wiz.io)
  • GitHub infrastructure state:
    • Presence of self-hosted runners named “SHA1HULUD.” Use the GitHub REST API to list runners at org/repo scope during triage. (wiz.io)
  • Package manager caches and global install context:
    • npm cache directory (default on POSIX: ~/.npm with _cacache) for corroborating when/what versions were fetched. (docs.npmjs.com)

Example triage commands (read-only where possible):

On November 19, 2025, Wireshark 4.6.1 and 4.4.11 shipped fixes for BPv7 and Kafka dissector crashes. Here’s the IR-ready rundown, what to...

Wireshark 4.6.1: patch your DFIR workstations—two dissector crash bugs fixed

4n6 Beat
3 min read

Wireshark 4.6.1 and 4.4.11 shipped on November 19, 2025 with fixes for two dissector crash issues; installers for Windows and macOS plus source are available now (Wireshark news). The patched issues are BPv7 (Bundle Protocol v7) and Kafka dissectors that could crash when parsing crafted traffic or trace files (wnpa-sec-2025-05, wnpa-sec-2025-06). Wireshark notes discovery during internal testing and no known in-the-wild exploitation, but a crash during triage still means lost analyst time and potentially missed signal (BPv7 advisory, Kafka advisory). The 4.6.1 release is also the first maintenance for the 4.6 branch (4.6.1 release notes).