No Lodrina this week, taking a well deserved break after the recent SANS DFIR Summit, and her keynote.

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Andrew Rathbun at AboutDFIR
  Introducing AboutDFIR’s KAPE Guide

• Abhiram Kumar
  Writing a simple Volatility plugin

• Andrew Malec
  • Investigating web shells
  • Defcon 2019 memory forensics CTF write up

• Belkasoft
  • WhatsApp Forensics on Computers (Windows PCs and Macs)
  • Unc0ver: What you should know about this new jailbreak for iOS devices
  • eDiscovery with Belkasoft
  • Dealing with Apple’s USB Restricted Mode

• Vico Marziale at Blackbag Technologies
  Exploring the Windows Activity Timeline, Part 3: Clipboard Craziness

• Bryan Ambrose at Data Digitally
  Downloading a DJI Drone flight log (from an iPhone)

• Cellebrite
  • Apple Computer and MacOS Basics
  • How AI and Machine Learning is Impacting Digital Investigations

• Shubham Sharma at Hacking Articles
  Forensic Investigation: Ghiro for Image Analysis

• Ian Whiffin at DoubleBlak
  Locations, Locations, Locations

• Marcus Thompson at ‘Professor Bike’
  Mapping Windows Event IDs, Policies, and Monitoring Recommendations

• Maxim Suhanov
  Offline shadow copies

• Mike Cohen
  • Velociraptor in the tool age
  • Triage with Velociraptor — Pt 4

• Didier Stevens at ‘SANS Internet Storm Center’
  Zone.Identifier: A Coupe Of Observations, (Sat, Jul 18th)

THREAT INTELLIGENCE/HUNTING

• SIGRED 
  • Amanda Berlin at Blumira
    What You Need to Know About SigRed: Windows DNS Vulnerability (CVE-2020-1350)
  • Sagi Tzadik at Check Point Research
    SIGRed – Resolving Your Way into Domain Admin: Exploiting a 17 Year-old Bug in Windows DNS Servers
  • Check Point Software
    SIGRed – this is not just another vulnerability- Patch now to stop the next cyber pandemic

• Bill Stearns at Active Countermeasures
  Improving Packet Capture Performance – 1 of 3

• Azure Sentinel
  Azure Sentinel: The connectors grand (CEF, Syslog, Direct, Agent, Custom and more)

• Bar Block at Deep Instinct
  How Your Regular Microsoft Office file is Open to Manipulation

• Blue Team Blog
  Cyber Threat Intelligence – What, Why (And How To Learn It For Free!)

• Brad Duncan at Malware Traffic Analysis
  • 2020-07-13 – Dridex infection
  • 2020-07-13 – Hancitor infection with Ursnif
  • 2020-07-14 – Pcap and malware for ISC diary (IcedID)
  • 2020-07-16 – Hancitor infection with info stealer
  • 2020-07-17 – Quick post: Emotet infection

• Nadim Kadiwala at Checkmate
  Detection of Data Exfiltration using PCR (Producer Consumer Ratio) on Elastic Stack

• Josh Campbell at Cyborg Security
  What the Heck is Threat Intelligence?

• CyCraft Technology Corp
  Understanding the MITRE ATT&CK APT29 Evaluation Results:

• Defensive Origins
  Atomic Purple Team

• DeTTECT
  v1.4.0

• Elastic
  • Improve network security with traffic filters on Elastic Cloud
  • Practical security engineering: Stateful detection

• F-secure
  • Attack Detection Fundamentals: C2 and Exfiltration – Lab #1
  • Attack Detection Fundamentals: C2 and Exfiltration – Lab #2
  • Attack Detection Fundamentals: C2 and Exfiltration – Lab #3

• Fire Eye Threat Research
  • SCANdalous! (External Detection Using Network Scan Data and Automation)
  • Financially Motivated Actors Are Expanding Access Into OT: Analysis of
    Kill Lists That Include OT Processes Used With Seven Malware Families

• Fortinet
  • ATP 29 Targeting SSL VPN Flaws
  • How Threat Researchers Leverage the Darknet to Stay Ahead of Cyber Threats

• Chiragh Arora at Hacking Articles
  Windows Persistence:  Port Monitors

• Intel 471
  Flowspec – TA505’s bulletproof hoster of choice

• Valentina Palacin at IntelForge
  Atomic Hunting with Atomic Red Team: Starting Your Threat Hunting Journey

• Jorge Orchilles at Scythe
  SCYTHE Presents: #ThreatThursday – Orangeworm

• Kris Oosthoek
  • What’s wrong with Cyber Threat Intelligence
  • Cyber Threat Intelligence: A Product Without A Process?

• Red Alert
  Monthly Threat Actor Group Intelligence Report, May 2020

• Sandor Tokesi at Forensics Exchange
  Hunters after ransomwares

• Security Intelligence
  • New Research Exposes Iranian Threat Group Operations
  • Deciphering Between Incident Management and Crisis Management

• Shadow Group
  Snakes Strike from the Darkness——SideWinder APT organizes the summary report of the activities in the first half of 2020

• Markel Picado and Sean Gallagher at Sophos
  RATicate upgrades “RATs as a Service” attacks with commercial “crypter”

• SpecterOps
  • Audio Unit Plug-ins
  • Requesting Azure AD Request Tokens on Azure-AD-joined Machines for Browser SSO
  • Persistent AWS access with role chain juggling

• Bitst0rm
  Copy pasting the copy-paste adversary for  ̶l̶u̶l̶z̶ science.

• The DFIR Report
  (Dharma) Ransomware again…But I changed the RDP port!?!?!

• Christopher Paschen at TrustedSec
  A Developer’s Introduction to Beacon Object Files

• Brian Hussey at Trustwave SpiderLabs
  GoldenSpy Chapter 4: GoldenHelper Malware Embedded in Official Golden Tax Software

• Sudeep Singh and Kaivalya Khursale at ZScaler
  New Voicemail-Themed Phishing Attacks Use Evasion Techniques and Steal Credentials

###UPCOMING WEBINARS/CONFERENCES

• Darlene Alvar at Amped
  Register for Webinar: Image and Video Analysis for Mobile Phone Investigations

• Cellebrite
  Corporate data theft case study: End to end digital investigative review

• Bret Peters at ADF
  Best 2021 Digital Forensic Conferences to Attend | In-Person or Online

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  • Usage of xLEAPP new features: Module selection & Timeline
  • xLEAPP Timeline generation for the artifact developer
  • Class 15 – DFIR Python Study Group

• Jessica Hyde at Magnet Forensics
  Magnet Forensics Presents: Cache Up Ep.7 – Tarah Melton

• Kevin Ripa at SANS
  • Episode 76: Investigating the Windows Registry using Registry Explorer – Part 1
  • Episode 77: Investigating the Windows Registry using Registry Explorer – Part 2
  • Episode 78: What is the Windows Registry transaction log?
  • Episode 79: Stop Beating up on Free Tools!
  • Episode 80: Learning about the KAPE tool.

• Black Hat
  How Automating Incident Response Secures Your Security Posture

• Black Hills Information Security
  Webcast: What About Ransomware?

• Cellebrite
  New capabilities by UFED 7.34 and Introduction to Blackbag – A Cellebrite Company – ON DEMAND

• CrowdStrike
  New Podcast Series: The Importance of Cyber Threat Intelligence in Cybersecurity

• Demux
  Getting started with iNPUT-ACE V2.6 video

• Detections Podcast
  Season 2 Episode 10: Red and Blue Adventure Time with BSDBandit

• Digital Forensic Survival Podcast
  DFSP # 230 – User Activity Artifacts

• Jason Nickola at ‘Trust Me I’m Certified’
  Making CTFs count at any point in your story with Ed Skoudis

• John Hubbard at ‘The Blueprint podcast’
  Training Yourself in a Quarantined World

• Jorge Orchilles
  Purple Team Exercises

• Karissa Breen Industries
  Episode 36: Clint Marsden

• Lee Reiber at Mobile Forensic Investigations
  Oxygen Forensics Episode 118

• Neil Fox
  #3 Static Analysis Tools & Techniques

• Nothing to See Here? I Beg to DFIR
  Episode 6: Nothing to See Here? I Beg to DFIR – How to use iOS Screen Time and Android Digital Wellbeing Apps to Find Valuable Information

• OALabs
  How To Sinkhole A Botnet

• SANS Institute
  • Course Preview: Successful Infosec Consulting, Getting Clients Deep Dive | SANS@MIC Talk
  • What Do I Need to Know About CVE-2020-5902; the F5 Networks BigIP RCE Vulnerability
  • Git’ing Users for OSINT: Analysis of All GitHub Users | SANS@MIC Talk

• Tribe of Hackers Podcast
  Emily Crose, aka @hexadecim8
  

MALWARE

• 360 Total Security
  Panther Ransomware Strikes Again

• Andreas Klopsch at ‘Malware and Stuff’
  Deobfuscating DanaBot’s API Hashing

• Joe Security
  TrickBot’s new API-Hammering explained

• CISA Analysis Reports
  • AR20-198B: MAR-10296782-2.v1 –  WELLMESS
  • AR20-198A: MAR-10296782-1.v1 – SOREFANG
  • AR20-198C: MAR-10296782-3.v1 – WELLMAIL

• Cisco’s Talos
  Threat Roundup for July 10 to July 17

• Austin Jackson at Cyborg Security
  Python Malware On The Rise

• Willi Ballenthin and Moritz Raabe at Fire Eye Threat Research
  capa: Automatically Identify Malware Capabilities

• Kai Lu at Fortinet
  Analysis of .NET Thanos Ransomware Supporting Safeboot with Networking Mode

• G Data Security
  Hidden Miners

• Intezer
  • Community Ghidra Plugin is Here
  • Accelerate Memory Forensics with Intezer Analyze

• Johannes Bader
  The Defective Domain Generation Algorithm of BazarBackdoor

• Malware, meet Mr Poke and Mr Stick
  Zero2Auto custom sample analysis

• Malwarebytes Labs
  It’s baaaack: Public cyber enemy Emotet has returned

• Marco Ramilli
  Introducing PhishingKitTracker

• PWC
  How WellMess malware has been used to target Covid-19 vaccines

• SANS Internet Storm Center
  • Maldoc: VBA Purging Example, (Sun, Jul 12th)
  • VBA Project Passwords, (Mon, Jul 13th)

• Securelist
  The Tetrade: Brazilian banking malware goes global

• Luke Leal at Sucuri
  Spox Phishing Kit Harvests Chase Bank Credentials

• Steven Du, Gabrielle Mabutas, and Luis Magisa at TrendMicro
  Updates on ThiefQuest, the Quickly-Evolving macOS Malware

• Marc-Etienne M.Léveillé at WeLiveSecurity
  Mac cryptocurrency trading application rebranded, bundled with malware

• Xavier Mertens at /dev/random
  • Detecting Code ReUse in Ghidra With Intezer’s Plugin
  • Simple DGA Spotted in a Malicious PowerShell
    

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 7/18/2020

• Muna Assi at Cellebrite
  Boost eDiscovery and Corporate Investigations with Cellebrite’s Computer Access Solutions

• Craig Wilson at Digital Detective
  Deciphering Seagate Date Codes

• Vladimir Katalov at Elcomsoft
  • checkra1n Installation Tips & Tricks
  • checkra1n, USB Restrictions and Breaking Into Locked iPhones

• Olaf Hartong at Falcon Force
  Using Azure Pipelines to validate my Sysmon configuration

• Forensic Focus
  Virtualizing The Digital Forensics Lab

• Heather Mahalik at Smarter Forensics
  DFIRSummit Laugh Track

• Jason Wilkins at ‘Noob to Pro Forensics’
  DFIR Lab – Tools and Tips

• Mike Williamson at Magnet Forensics
  Vault Apps, Forensic Examinations, and Magnet AXIOM

• Nik Alleyne at ‘Security Nik’
  Get a Free copy of “Hack and Detect” or “Mastering TShark Network Forensics” when you register for my upcoming SANS SEC582 Mastering  TShark Packet Analysis class

• Oxygen Forensics
  6 Month Checkup at Oxygen Forensics

• ADF
  • Tactical Site Exploitation of iOS and Android Devices | Translate Text
  • Forensic Acquisition: Take Screenshots of Mobile Devices | Investigate

• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — July 12 to July 18

• SANS
  The history behind the SANS DFIR Summit characters

SOFTWARE UPDATES

• Didier Stevens
  • Update XORSearch Version 1.11.4
  • Update: oledump.py Version 0.0.51

• DS4n6
  ds4n6

• Elcomsoft
  Advanced Office Password Recovery 6.60 adds Hancom Office, iWork 2020 v10 support

• John Lukach at Cloud 4n6ir
  Getting Started – Snapshot 4n6ir Imager

• Microsoft
  ProcMon for Linux

• Monolith Forensics
  Report Redesign – v1.3.0

• Paraben Corporation
  Remote Imaging, Discord, and 100+ Viewers Push the E3 Platform to the top of DFIR tool choices

• Passware
  Passware Kit 2020 v3 Now Available

• radare2
  4.5.0 Codename: Organized Chaos

• Velociraptor
  Release 0.4.6
  

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!