Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Belkasoft
  Whitepaper: Tracking Potentially Malicious Files with Evidence of Execution Esing Belkasoft Evidence Center

• Elcomsoft
  Unlocking BitLocker Volumes by Booting from a USB Drive

• Forensic8or
  • MemLabs: Lab 1- Beginner’s Luck (“Easy”)
  • MemLabs: Lab 2 – A New World (“Easy”)
  • MemLabs: Lab 3 – The Evil’s Den (“Easy- Medium”)
  • MemLabs: Lab 4 – Obsession (“Medium”)
  • MemLabs: Lab 5 – Black Tuesday (“Medium-Hard”)
  • MemLabs: Lab 6 – The Reckoning (“Hard”)

• Kinga Kieczkowska
  AirDrop Forensics 2

• Maxim Suhanov
  Storage Reserve blocks some tools from thoroughly wiping unallocated space

• Oxygen Forensics
  Revolutionary changes in Android logical extraction

• Peter Stewart
  DFA/CCSC Spring 2020 CTF – Wireshark – shell.pcapng Write-up

THREAT INTELLIGENCE/HUNTING

• 360 Total Security Blog
  XMRig variant mining Trojan rampantly doing evil

• AbdulRhman Alfaifi at U0041
  Impacket Remote Execution Tools – atexec.py

• Andrew Skatoff at ‘DFIR TNT’
  Detecting RunDLL32 ATT&CK Techniques

• Anomali
  Weekly Threat Briefing: Backdoors, Magecart, Spearphishing, Ransomware and More

• Awake Security
  SaaS Security Begins In the Browser: Why The Largest Chrome-Based Surveillance Campaign Undermines That

• Bitdefender Labs
  StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure

• Bromium
  Aggah Campaign’s Latest Tactics: Victimology, PowerPoint Dropper and Cryptocurrency Stealer

• Check Point Research
  • Would you like some RCE with your Guacamole?
  • Hole-y Guacamole!  Fixing critical vulnerabilities in Apache’s popular remote desktop gateway
  • Nexus Zeta – From Suspicious Alerts to Conviction

• Chris Long
  • Working Through Splunk’s Boss Of The Soc – Part 1
  • Working Through Splunk’s Boss Of The Soc – Part 2
  • Working Through Splunk’s Boss Of The Soc – Part 3

• Ben Reardon at Corelight
  Ripple20 Zeek package open sourced

• covert.io
  Mining DNS MX Records for Fun and Profit

• Crypsis Group
  Novel O365 Application Breach: Would You Click on My Little Quarantine?

• Cyber Polygon
  Threat Hunting in action

• DannyDodds
  Reverse Shells – simple

• Elastic
  • BSides SATX 2020 – Threat Hunting CTF with Elastic
  • Preventing “copy-paste compromises” (ACSC 2020-008) with Elastic Security
  • Elastic Security opens public detection rules repo

• Fox-IT
  A Second Look at CVE-2019-19781 (Citrix NetScaler / ADC)

• Frikkylikeme
  Indicators and webhooks with TheHive, Cortex and MISP — Open Source SOAR part 4

• Intezer
  Get Access to our Weekly Linux Threat Feed

• Jorge Orchilles at Scythe
  • SCYTHE Presents: Cuddling the Cozy Bear, Emulating APT29 by Jorge Orchilles – Cyber Junegle
  • SCYTHE Presents: #ThreatThursday – Ransomware

• Kaspersky Lab
  The hunt for Office 365 accounts

• Mercury ISS
  Part 2: A weekend dive into the attack

• Palo Alto Networks
  How to Start Threat Hunting

• ReversingLabs Blog
  Level up your YARA game

• SpecterOps
  • Automating DLL Hijack Discovery
  • GOing 4 A Hunt

• Trustwave SpiderLabs
  • GoldenSpy: Chapter Two – The Uninstaller 
  • Still Scanning IP Addresses? You’re Doing it Wrong
  • Hackers Leverage Cloud Platforms to Spread Phishing Under the Radar

UPCOMING WEBINARS/CONFERENCES

• Cellebrite
  • Virtual Cellebrite Day (UAE)
  • Join Us For “Nothing to see here? I beg to DFIR. – Episode 7
  • Digital Investigations for Mac & Windows: A Forensic Workshop

• Elan at DFIR Diva
  DFIR Related Events for Beginners – July 2020

• F-Secure
  Attack Detection Fundamentals

• Magnet Forensics
  • Tips & Tricks // Utilizing Magnet Free Tools – RAM Capture & Process Capture
  • The Cost of Ransomware

• X1
  Discover the New Expanded Features of X1 Social Discovery

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  • Class 11 – DFIR Python Study Group – Study Hall
  • Python __name__
  • Class 12 – DFIR Python Study Group

• Jessica Hyde at Magnet Forensics
  Magnet Forensics Presents: Cache Up Ep.5 – David Cowen

• Kevin Ripa at SANS
  • Episode 68: Why are there so many different ways to represent data?
  • Episode 69: Understanding the Nibble in binary data.
  • Episode 70: This video is a description of Hexadecimal data.

• Adam Mashinchi
  Quickstart Guide to MITRE ATT&CK™

• Cellebrite
  • Trust But Verify: Digital Artifact Edition
  • 6 Reasons Why You Need Cellebrite UFED Cloud – #3
  • Leveraging BlackLight filters to sift through data

• Cyber June’Gle Virtual Summit
  Cyber June’Gle Virtual Summit

• CySecK
  Webinar on “Introduction to MITRE ATT&CK framework” – Samgacchadhwam Series webinar 14

• Detections Podcast
  Season 2 Episode 8: Building Certifications with Joshua Beaman

• Digital Forensic Survival Podcast
  DFSP # 228 – Psychology of Reporting

• Down the Security Rabbithole Podcast
  DtSR Episode 401 – Vyrus Lessons in Red to Blue

• Jason Nickola at ‘Trust Me I’m Certified’
  Turning adversity into altruism with Chris Sanders

• John Hubbard at ‘The Blueprint podcast’
  Privacy Laws: The Future Driver of Cyber Security

• Magnet Forensics
  The Magnet Team Shares a Few Comments from Our Customers

• MSAB
  • Webinar: An Introduction to Mobile Forensics
  • XRY 9.1, XAMN  5.1 & XEC 6.0.1  – Unlock more devices and extract data faster then ever

• Pass the SALT Conference
  Pass the SALT Conference

• Rasta Mouse
  • SharpC2 – Episode 8 [CoreAgentModule]
  • SharpC2 – Episode 9 [External Agent Modules]

• Recon InfoSec
  • Intro to Velociraptor -or- How to eliminate a red team in under 30min
  • Fortune 100 InfoSec on a State Government Budget

• SANS Institute
  • Welcome to the (Sock) Jungle | SANS OSINT Summit 2020
  • Leveraging Organizational Change to Build a Strong Security Culture
  • #LevelUpLabs | SANS@MIC Talk
  • Defending Lift and Shift Cloud Applications | SANS@MIC Talk

• This Month in 4n6
  This Month In 4n6 – June – 2020

MALWARE

• Active Countermeasures
  Malware of the Day – PittyTiger

• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  Wietze Beukema: almost 300 Windows 10 executables are vulnerable to DLL hijacking

• Deep Instinct Blog
  • The Snake Attacks Holding the Industrial Sector Ransom
  • Agent Tesla: A Lesson in How Complexity Get’s You Under the Radar

• Brad Duncan at Malware Traffic Analysis
  • 2020-06-30 – Valak (soft_sig: mas37) infection with IcedID (Bokbot)
  • 2020-07-01 – Valak (soft_sig: mas38) infection with IcedID (Bokbot)

• Click All the Things!
  AgentTesla: .rtf and Equation Editor

• Cofense
  • Phish Fryday – APIs and Automated Phishing Defense
  • “You’re Invited!” to Phishing Links Inside .ics Calendar Attachments
  • Phish Fryday – Cutting Through the Noise at IMAX

• Colin Hardy on YouTube (20mins)
  HTML Deobfuscation – Analysing HTML Guard Protected Code

• CrowdStrike
  • The Fal.Con for Public Sector Conference Is On Demand With Recommendations for Securing Your Remote Workforce
  • System Recovery using Real Time Response
  • Python 2to3: Tips From the CrowdStrike Data Science Team

• Cybereason
  • Ransomware: Weapons of Mass Disruption
  • FakeSpy Masquerades as Postal Service Apps Around the World

• Darktrace Blog
  Mirai malware infects CCTV camera

• Fortinet
  • EKANS Ransomware Targeting OT ICS Systems
  • Into the Rabbit Hole – Offensive DNS Tunneling Rootkits

• F-secure Attack Detection Fundamentals series
  • Attack Detection Fundamentals: Initial Access – Lab #1
  • Attack Detection Fundamentals: Initial Access – Lab #2
  • Attack Detection Fundamentals: Initial Access – Lab #3
  • Attack Detection Fundamentals: Initial Access – Lab #4
  • Attack Detection Fundamentals: Code Execution and Persistence – Lab #1
  • Attack Detection Fundamentals: Code Execution and Persistence – Lab #2

• G Data Security
  Ransomware tries to worm

• Graham Cluley
  Websites of eight US cities poisoned by malware skimming the credit card details of residents

• InfoSec Topics
  Analysis and Deobfuscation of Malicious VBScript URSnif Dropper

• Journey Notes
  Magecart is back: Don’t let digital skimmers ruin your COVID recovery plans

• Luca Nagy at SophosLabs
  Glupteba: Hidden Malware Delivery in Plain Sight

• Malwarebytes Labs
  New Mac ransomware spreading through piracy

• oR10n Labs
  Reverse Engineering the Mustang Panda PlugX RAT – Extracting the Config

• Patrick Wardle at Objective-See
  OSX.EvilQuest Uncovered

• SANS Internet Storm Centre Handler Diaries
  • Video: YARA’s BASE64 Strings, (Sat, Jun 27th)
  • tcp-honeypot.py Logstash Parser & Dashboard Update, (Sun, Jun 28th)
  • Sysmon and Alternate Data Streams, (Mon, Jun 29th)
  • Elastalert with Sigma, (Wed, Jul 1st)
  • Setting up the Dshield honeypot and tcp-honeypot.py, (Wed, Jul 1st)
  • Happy FouRth of July from the Internet Storm Center, (Sat, Jul 4th)

• Secureworks
  Preparing for Post-Intrusion Ransomware

• Cisco Talos
  • Threat Spotlight: Valak Slithers Its Way Into Manufacturing and Transportation Networks
  • PROMETHIUM extends global reach with StrongPity3 APT

• Securityinbits
  Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI

• SentinelLabs
  • How a New macOS Malware Dropper Delivers VindInstaller Adware
  • Thanos Ransomware | RIPlace, Bootlocker and More Added to Feature Set
  • Living Off Windows Land – A New Native File “downldr”

• TrendMicro
  US Local Government Services Targeted by New Magecart Credit Card Skimming Attack

• Trustwave SpiderLabs
  • PhishINvite with Malicious ICS Files
  • GoldenSpy Chapter 3: New and Improved Uninstaller

• VMware Carbon Black
  • TAU Threat Analysis: Bundlore (macOS) mm-install-macos
  • 6 Best Practices to Fight a New Breed of Insider Threats

• WeLiveSecurity
  • Thousands of MongoDB databases ransacked, held for ransom
  • Hundreds arrested after police crack encrypted chat network

• Yoroi
  Campagna di Attacco “Agenzia Entrate”

• Zero2Automated Blog
  De-crypting a TrickBot Crypter

• 0day in {REA_TEAM}
  Quick analysis note about GuLoader (or CloudEyE)

• ZScaler
  CyberGate RAT and RedLine Stealer Delivered in Ongoing AutoIt Malware Campaigns

• Coronavirus and remote workforce threats
  • New report: COVID-19 Threat Intelligence Insight from the Telco Security Alliance
  • Threat Intelligence to Protect a Remote Workforce
  • Mykings jumps on the Corona train
  • Remote access at risk: Pandemic pulls more cyber‑crooks into the brute‑forcing game

MISCELLANEOUS

• Alexis Brignoni at ‘Initialization Vectors’
  DFIR Python Study Group Syllabus

• Andrew Rathbun at AboutDFIR
  AboutDFIR RSS Starter Pack v2 released!

• Yaniv Shasha at Azure Sentinel
  Sending enriched Azure Sentinel alerts to 3rd party SIEM and Ticketing Systems

• Belkasoft
  Lifting USB Restricted Mode is Supported

• Blue Team Blog
  Incident Response – What, Why (And How To Learn It  For Free!)

• Cellebrite
  • How Cellebrite Frontliner Simplifies Digital Data Collection At The Crime Scene
  • How Accessing and Preserving Video Evidence With The Right Solution Is Critical To Investigations
  • BlackBag Customer Experience Improvements

• Craig Wilson at Digital Detective
  Find Panel Syntax

• Elcomsoft
  ElcomSoft Certified: Digital Forensics Trainings and Trainer Certification Programs

• Eric Conrad
  Check out @eric_conrad’s tweet

• Forensic Focus
  • Forensic Focus Forum Round-Up
  • Mitigating Risk Through Standardization

• Foxton
  Cyber Challenge Walkthrough – Apr 2020

• Shusei Tomonaga at JPCERT/CC
  Migrate Volatility Plugins 2 to 3

• Lenny Zeltser
  How You Can Write Better Threat Reports

• Magnet Forensics
  • AFF4 & AFF4-L — An Open Standard for Forensic Imaging
  • Introducing Custom Targeted Locations with Magnet AXIOM Cyber
  • Expanded Office 365 Unified Audit Log Capabilities with Magnet AXIOM Cyber
  • Zoom Artifact Support in Magnet AXIOM
  • Skype Warrant Returns in Magnet AXIOM

• MikeCyberSec
  Automating PCAP Parsing with Linux CLI, Bash & Security Onion

• Richard Frawley at ADF
  What is Computer Triage? Computer Forensics Field Triage Process Model

• Ryan Campbell at ‘Security Soup’
  • Weekly News Roundup — June 21 to June 27
  • Weekly News Roundup — June 28 to July 4

• SANS
  Becoming an All-Around Defender: Beware of Flying Baby Syndrome

• Santosh Khadsare
  • 4N6 Sunday  – Digital Forensics Hidden Truths (Part I)
  • 4N6 Sunday – Digital Forensics Hidden Truths (Part II): Data Recovery

• Threat Intelligence Academy
  Check out @AcademyThreat’s tweet

• Tyler Hudak at TrustedSec
  Are You Looking for Ants or Termites?

• Steve Watson at VTO Labs
  Data Recovered from Phone Submerged in Water for 5 YEARS

SOFTWARE UPDATES

• Plaso
  Plaso 20200630 released

• Cellebrite
  Performance updates to Cellebrite Physical Analyzer 7.35

• Debernal
  Fvol

• Didier Stevens
  Update: base64dump.py Version 0.0.12

• Elcomsoft
  Elcomsoft System Recovery adds BitLocker support

• Eric Zimmerman
  ChangeLog

• F-Response
  F-Response v 8.0.1.62 Released

• GetData
  29 June 2020 – 5.2.2.9662

• Mount Image Pro
  29 Jun 2020 – v7.1.2.1885

• Grzegorz Tworek
  DecodeRDPCache

• iNPUT-ACE
  iNPUT-ACE Version 2.6

• Magnet Forensics
  Updates in Magnet AXIOM 4.2 Include Support for AFF4, Skype Warrant Returns, and WhatsApp

• Manabu Niseki
  EML Analyzer

• Microsoft
  Windows File Recovery

• Microsoft Threat Intelligence Center
  msticpy — 0.6.0/1 Release

• MSAB
  New release: XRY 9.1, XAMN 5.1 and XEC Export 6.0.1

• Ryan Benson at dfir.blog
  Unfurl CLI version (and now on PyPI)

• Saleh Bin Muhaysin
  CB_TaskManager

• Xways
  • X-Ways Forensics 19.9 SR-8
  • X-Ways Forensics 20.0 Beta 5

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!