The November 2024 live-stream gave us AI grandmas, Black Basta RMM tricks, and Bengal-cat SEO poisoning. Below are the reproducible artefacts—hashes, YARA and scripts that still fire today—packaged so you can drop them into a ticket before your coffee cools.
1. Black Basta RMM Social-Engineering – AnyDesk & Quick Assist
TTP: Phone call → “install AnyDesk for refund” → ransomware drop
Observable: AnyDesk.exe outside approved folder list
Free detection:
find / -name AnyDesk.exe 2>/dev/null | grep -v "/approved/"
YARA rule (community): black_basta_rmm.yar – 0 FP in 900 k samples
Mitigation: block installer hash, not just binary; installer spawns ad_1.2.3.exe variant daily.
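The "AnyDesk.exe outside the approved folder list" observable above, as an added Python hunter that is not part of the live-stream pack: it walks a directory tree, matches the binary name case-insensitively (so an odd-cased copy is not missed the way a case-sensitive `find -name` would), and reports every copy whose logical path is not under an allow-listed prefix. The allow-list entries, the sample tree layout and the `hunt_rmm_binaries` / `build_sample_tree` names are assumptions for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed allow-list of folders where the RMM binary is expected to live.
APPROVED_PREFIXES = ("/approved/", "/opt/rmm/")
# Binary names to hunt for, compared case-insensitively.
TARGET_NAMES = {"anydesk.exe"}


def hunt_rmm_binaries(root, approved_prefixes=APPROVED_PREFIXES, names=TARGET_NAMES):
    """Walk `root` and return logical paths of target binaries outside the allow-list.

    Paths are reported relative to `root` with a leading '/', so a mounted disk
    image or a staged copy of a host can be checked with the same allow-list.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() not in names:
                continue
            logical = "/" + (Path(dirpath) / fname).relative_to(root).as_posix()
            if not any(logical.startswith(p) for p in approved_prefixes):
                hits.append(logical)
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory tree in a temp dir and return its path."""
    base = tempfile.mkdtemp(prefix="rmm-hunt-")
    for rel in (
        "approved/AnyDesk.exe",             # sanctioned copy, must not be flagged
        "Users/bob/Downloads/AnyDesk.exe",  # typical 'refund call' drop location
        "tmp/anydesk.EXE",                  # odd casing, still the same binary
        "tmp/AnyDesk.txt",                  # decoy, not a binary of interest
    ):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return base


if __name__ == "__main__":
    for hit in hunt_rmm_binaries(build_sample_tree()):
        print("UNAPPROVED RMM BINARY:", hit)
```

Point it at `/` (or a mounted image) for a real run; the sample tree exists only so the logic can be exercised offline, and the two paths it flags are the Downloads copy and the mixed-case `/tmp` copy, never the one under `/approved/`.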
2. AI Grandma vs. Scammers – Waste Their Time, Log Their TTP
Repo: ai-grandma-2024 (MIT) – LLM voice bot that answers scam calls
Side-effect: records full audio + transcript for IOC extraction
Free insight: 23 % of scammers now open Google Drive links during call → new IOC source.
Privacy note: transcript is SHA-3 hashed, no raw audio stored.
3. Bengal-Cat SEO → Gootloader – Search Poisoning Lives
Search term: “Bengal cat adoption <city>”
curl -s "https://www.google.com/search?q=bengal+cat+adoption+chicago" | grep -o 'href="[^"]*\.zip"' | head -1
If a .zip link appears → instant IOC.
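The same ".zip link in a search result" check as an added Python example (not the live-stream's own script): instead of a regex over raw HTML it parses the page with the standard-library `HTMLParser`, resolves relative hrefs against the page URL, and tests only the URL path, so a `?ref=` query string or a `.zip.html` decoy does not confuse it. The `SAMPLE_RESULTS` fragment and the `.invalid` hostnames are constructed for illustration; `find_zip_links` and `ZipLinkParser` are assumed names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed search-result fragment; hosts use the reserved .invalid TLD.
SAMPLE_RESULTS = """
<div class="g"><a href="https://example.invalid/about.html">Bengal cat adoption - about us</a></div>
<div class="g"><a href="https://example.invalid/bengal-cat-adoption-form.zip">Download adoption form (ZIP)</a>
<a href="/downloads/Adoption_Form.ZIP?ref=seo">Mirror</a></div>
<div class="g"><a href="https://example.invalid/archive.zip.html">Not an archive</a></div>
"""


class ZipLinkParser(HTMLParser):
    """Collect absolute URLs of <a href> targets whose path ends in .zip."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if not href:
            return
        absolute = urljoin(self.base_url, href)
        # Test the URL path only, so '?ref=seo' query strings and .zip.html decoys behave.
        if urlparse(absolute).path.lower().endswith(".zip"):
            self.links.append(absolute)


def find_zip_links(html, base_url):
    """Return every .zip link in `html`, resolved against `base_url`, in page order."""
    parser = ZipLinkParser(base_url)
    parser.feed(html)
    parser.close()
    return parser.links


if __name__ == "__main__":
    # Feed it the body saved from the curl above (or this constructed sample).
    for link in find_zip_links(SAMPLE_RESULTS, "https://search.example.invalid/"):
        print("ZIP IN SEARCH RESULTS:", link)
```

Save the curl output to a file and feed it to `find_zip_links` with the search URL as `base_url`; every returned URL is a candidate IOC for the ticket.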
4. Zero-Day Surge – CISA & Mandiant Agree: Depth Still Wins
Stat: 2023 zero-day exploitation +53 % vs 2022
Reality: 100 % of zero-days still need a second step (pivot, privilege, exfil)
Free depth check:
- Step-1: EDR blocks process injection → win
- Step-2: DNS logs show C2 beacon → win
- Step-3: NetFlow shows 100 MB upload → win
Depth scorecard template: depth-check-2024.xlsx (MIT) – auto-grades your stack.
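The three-step depth check above, as an added Python scorecard that is not the live-stream's spreadsheet: it runs the three "win" conditions over constructed telemetry lines (an EDR block, a repeating DNS lookup, a NetFlow record) and counts how many layers would have caught the second step. The `key=value` log layout, the beacon threshold (`BEACON_MIN_COUNT`) and the function names are assumptions; the 100 MB upload threshold is the one from the live-stream.

```python
# Constructed telemetry lines, one per control; the key=value layout is an assumption.
SAMPLE_EVENTS = [
    "2024-11-20T10:02:11Z edr host=WS-042 action=blocked technique=process_injection target=lsass.exe",
    "2024-11-20T10:02:40Z dns host=WS-042 query=update.cdn-files.invalid interval=60s count=30",
    "2024-11-20T10:15:03Z netflow host=WS-042 dst=203.0.113.10:443 bytes_out=104857600 duration=600s",
]

BEACON_MIN_COUNT = 20                 # assumed: repeated lookups of one name at a fixed interval
EXFIL_THRESHOLD = 100 * 1024 * 1024   # the '100 MB upload' from the live-stream


def parse_event(line):
    """'<ts> <source> k=v k=v ...' -> dict; values are kept as strings."""
    parts = line.split()
    fields = {"ts": parts[0], "source": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def depth_checks(lines):
    """Return which of the three steps would have caught the intrusion."""
    events = [parse_event(line) for line in lines]
    return {
        # Step 1: EDR blocked the injection outright.
        "edr_blocks_injection": any(
            e["source"] == "edr" and e.get("action") == "blocked"
            and e.get("technique") == "process_injection" for e in events),
        # Step 2: DNS shows one name resolved repeatedly on a timer (beacon).
        "dns_shows_beacon": any(
            e["source"] == "dns" and int(e.get("count", 0)) >= BEACON_MIN_COUNT for e in events),
        # Step 3: NetFlow shows an outbound transfer at or above the upload threshold.
        "netflow_shows_upload": any(
            e["source"] == "netflow" and int(e.get("bytes_out", 0)) >= EXFIL_THRESHOLD for e in events),
    }


def score_depth(lines):
    """Grade the stack: number of layers that fired out of the three checked."""
    checks = depth_checks(lines)
    return {"checks": checks, "score": sum(checks.values()), "max": len(checks)}


if __name__ == "__main__":
    result = score_depth(SAMPLE_EVENTS)
    for name, fired in result["checks"].items():
        print(f"{name:<24} {'win' if fired else 'miss'}")
    print(f"depth score: {result['score']}/{result['max']}")
```

Replace `SAMPLE_EVENTS` with lines exported from your own EDR, resolver and flow collector for the window of a test or a real incident; a score below 3 tells you which layer needs work before the next zero-day lands.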
5. One-Hour Dry-Run – Before Lunch if You Want
a) Clone https://github.com/star-nov2024/lab-pack (MIT)
b) Run anydesk-hunter.sh against your EDR – expect clean or flag
c) Drop the Gootloader .zip into REMnux – expect JS dropper
d) Fill the depth scorecard – grade yourself
e) Store summary + hashes → sigstore for audit trail
Total cloud cost: zero; laptop CPU only.
Bottom Line
November 2024 proved again that free tooling catches million-dollar scams. Clone the pack, run the four checks, and you can walk into the next stand-up with IOCs that fired today—no vendor demo, no licence key, no invoice.
