Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Belkasoft
  Whitepaper: Using Belkasoft Evidence Center to Uncover Cyber Threat Actors’ Persistence Mechanisms

• Roey Arato at Cellebrite
  How to Extract Evidence From Samsung Devices Using Cellebrite UFED

• CQURE Academy
  Hacking Summer Camp: Memory Analysis Guide, Part 1

• Elcomsoft
  • Live System Analysis: Discovering Encrypted Disk Volumes
  • The Four Ways to Deal with iPhone Backup Passwords

• Mark Baker at Input Ace
  Kelly-Frye, Daubert, Mohan, and Why You Need to Understand These Cases

• Jon Baumann at Ciofeca Forensics
  Revisiting Apple Notes (5): Encrypted Notes

• Ryan Benson at dfir.blog
  Another Google Search Parameter? For RLZ!

• Costas K
  Check out @sv2hui’s Tweet

• ThinkDFIR
  Certutil download artefacts

THREAT INTELLIGENCE/HUNTING

• Two new opportunities to improve your security and threat hunting skills from Red Canary and Veracode came out this week:
  Learning threat hunting and security skills

• Brian Donohue at Red Canary
  Breaking into infosec and learning new skills with Atomic Red Team

• Fletcher Heisler at Veracode
  Announcing Veracode Security Labs Community Edition

• Adam at Hexacorn
  Beyond good ol’ Run key, Part 125

• Randy Pargman and James Quinn at Binary Defense
  Hunting and Defeating Evasive Threats

• Nick Biasini at Cisco Talos
  Adversarial use of current events as lures

• Thierry Viaccoz at Compass Security Blog
  Make the most out of BloodHound

• Ben Reardon at Corelight
  Zeek in it’s sweet spot: Detecting F5’s Big-IP CVE10 (CVE-2020-5902)

• Dan Fein at Darktrace Blog
  Darktrace email finds: Two WeTransfer impersonation attacks caught by AI

• Mandy Andress at Elastic
  Protect your Elasticsearch deployments against attacks like “meow bot” — for free

• Joseph Hladik and Josh Fleischer at FireEye Threat Research
  Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant
  Managed Defense Investigates

• Cristina Martínez Carpintero at ‘Follow The White Rabbit’
  GNS3 – Prevención de intrusiones (IPS) y correlación de eventos (SIEM) por Cristina Martínez

• Anthony Giandomenico at Fortinet
  Offense and Defense – A Tale of Two Sides: Group Policy and Logon Scripts

• Bianca Soare at Heimdal Security
  DNS Security 101: The Essentials You Need to Know to Keep Your Organization Safe

• ijustwannaredteam
  The Curious Case of Aspnet_Compiler.exe

• Jorge Orchilles at Scythe
  • SCYTHE Presents: Porting Tools to SCYTHE: An SDK Proof of Concept
  • SCYTHE Presents: SCYTHE’s Ethical Hacking Maturity Model
  • SCYTHE Presents: #ThreatThursday – Emotet

• Kirtar Oza
  Windows Process Internals : A few Concepts to know before jumping on Memory Forensics

• Antonio Villalón at S2 Grupo (and in Spanish)
  IOC are dead, long live IOC!

• Marcus Edmonson at ‘Data Analytics & Security’
  • Detecting MITRE ATT&CK Technique: Part 1 – T1218.010 (regsvr32)
  • Detecting MITRE ATT&CK Technique: Part 2 – T1003.001 (LSASS Memory)

• Allen Butler at MaverisLabs
  Logging Bash History

• Securelist
  • Lazarus on the hunt for big game
  • APT trends report Q2 2020

• Jameel Haffejee at SensePost
  Covert Login Alerting

• Roberto Rodriguez at Threat Hunters Forge
  Mordor PCAPs  — Part 1: Capturing Network Packets from Windows Endpoints with Network Shell…

• Jason Lang at TrustedSec
  Thycotic Secret Server: Offline Decryption Methodology

• John Anderson at Trustwave SpiderLabs
  Are You Really Scanning What You Think?

• Yusuf Arslan Polat at Threat Intelligence.blog
  OpBlueRaven: Unveiling Fin7/Carbanak – Part 1 : Tirion

UPCOMING WEBINARS/CONFERENCES

• AccessData
  Virtual Digital Investigation Conference, hosted by The Investigator

• Cellebrite
  • Digital Investigation Overview – Analyzer and Pathfinder Series – Part 1
  • Digital Investigation Overview – Analyzer and Pathfinder Series – Part 2
  • Episode 8: I Beg to DFIR – Working an investigation – Making sense of the data

• CFTIC 2020
  1st Workshop on Cyber Forensics &Threat Investigations Challenges in Emerging Infrastructures

• Virus Bulletin
  Announcing… VB2020 localhost

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  DFIR parsing of protobuf data in Python

• Jessica Hyde at Magnet Forensics
  Magnet Forensics Presents: Cache Up – Ep.9 – Joshua Hickman

• Kevin Ripa at SANS
  • Episode 86: Reviewing the Output Created by KAPE
  • Episode 87: Introducing and Using Timeline Explorer
  • Episode 88: Comparing EZViewer to Other Free File Viewers
  • Episode 89: Finding Forensic Badness in 3 Minutes or Less
  • Episode 90:  Computers and the Internet can be a Wasteland of Evil

• Black Hills Information Security
  Webcast: Atomic Purple Team Framework and Life Cycle

• Breaking Badness podcast
  54. Watch Out For Script Kitties

• Heather Mahalik at Cellebrite
  Adding sysdiagnose logs into PA is as simple as a few simple clicks!

• CySecK
  CySecK Videos

• Detections Podcast
  Season 2 Episode 12: Going Mental Healthy with Ray [REDACTED]

• Digital Forensic Survival Podcast
  DFSP # 232 – Exam Process – Soup-to-Nuts

• Lee Whitfield at Forensic 4cast
  Forensic 4:cast Awards 2020 – Video

• John Hubbard at ‘The Blueprint podcast’
  Locking Down and Monitoring Cloud Infrastructure

• Lee Reiber at Mobile Forensic Investigations
  Oxygen Forensics Episode 120

• Life has no ctrl alt del – Cellebrite
  • SANS Digital Forensics and Incident Response Summit
  • Security Research For Mobile Devices
  • Incident Response Case Study – Backdoor VPN Subversion
  • Identifying File-to-Album Correlation Using iOS Photos.sqlite

• Magnet Forensics
  • Azure Acquisition in Magnet AXIOM Cyber
  • From the Training Team: MAGaK (Magnet AXIOM & GrayKey) Advanced iOS Examinations (AX301)

• Neil Fox
  #4 Behavioural Analysis Tools & Techniques

• Rasta Mouse
  SharpC2 – Episode 13 [Public Alpha Release]

• SANS Institute
  • How to Present Cyber Security Risk to Senior Leadership | SANS Webcast
  • How to work in ways that will make your boss take notice! | SANS Webcast
  • SANS OnDemand Interactive Live Lab Environment Demo: Local and Remote Lab Demonstrations
  • No SQL Injection in MongoDB Applications | SANS@MIC Talk
  • SANS OnDemand Interactive Live Lab Environment Demo: Local & Remote Lab Demonstrations

• VTO
  VTO Tips & Tricks: Screen Before Teardown

MALWARE

• Roman Kovac at WeLiveSecurity with a Q2 report as seen from ESET (36 page PDF)
  ESET Threat Report Q2 2020

• kate at 360 Total Security Blog
  New infection chain of njRAT variant

• Keith Chew at Active Countermeasures
  Malware of the Day – Orangeworm

• Adam at Hexacorn
  IDA colonoscopy

• Brad Duncan at Malware Traffic Analysis
  2020-07-21 – Emotet with Qakbot

• Cofense
  • Phish Fryday – Emotet Returns
  • Threat Actors Bypass Gateways with Google Ad Redirects

• Dan Lisichkin at Danus Minimus
  Zero2Auto – CruLoader Malware

• Max Heinemeyer at Darktrace Blog
  LeChiffre ransomware targets US distributor

• Lee Foster, Sam Riddell, David Mainor, and Gabby Roncone at Fire Eye Threat Research
  Ghostwriter’ Influence Campaign: Unknown Actors Leverage Website
  Compromises and Fabricated Content to Push Narratives Aligned With
  Russian Security Interests

• Nicole Fishbein and Michael Kajiloti at Intezer
  Watch Your Containers: Doki Infecting Docker Servers in the Cloud

• Kaspersky Lab
  • Lazarus experiments with new ransomware
  • Analysis of WastedLocker targeted ransomware

• LIFARS Cybersecurity Blog
  Detecting Malware Capabilities With capa

• Jérôme Segura at Malwarebytes Labs
  Malspam campaign caught using GuLoader after service relaunch

• SANS Internet Storm Center
  • Analyzing Metasploit ASP .NET Payloads, (Mon, Jul 27th)
  • In Memory of Donald Smith, (Mon, Jul 27th)
  • Python Developers: Prepare!!!, (Thu, Jul 30th)
  • All I want this Tuesday: More Data, (Tue, Jul 28th)
  • Building a .freq file with Public Domain Data Sources, (Fri, Jul 31st)
  • What pages do bad bots look for?, (Sat, Aug 1st)

• Fedor Sinitsyn at Securelist
  WastedLocker: technical analysis

• Phil Stokes at SentinelOne
  Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform

• Sophos
  • ProLock ransomware gives you the first 8 kilobytes of decryption for free
  • Emotet’s return is the canary in the coal mine

• Ben Martin at Sucuri Blog
  Reverse String WooCommerce WordPress Credit Card Swiper

• Aliakbar Zahravi at Trend Micro
  Ensiko: A Webshell With Ransomware Capabilities

• Vishal Thakur
  LOLSnif Malware

• WMC Global Threat Intelligence Team
  Deep Dive Into Cazanova Morphine Phishing Kit

• Shivang Desai at ZScaler
  Android Spyware Targeting Tanzania Premier League

MISCELLANEOUS

• Alexis Brignoni at ‘Initialization Vectors’
  DFIR Python Study Group Syllabus Part 2

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 7/31/2020

• Vitaliy Mokosiy at Atola
  Forensic RAID rebuild in Atola TaskForce 2020.7

• Anton Chuvakin
  Modern SIEM Mysteries

• Azure Sentinel
  Announcing the Azure Sentinel Hackathon winners

• Thu Pham at Blumira
  SIEM, SOC, SOAR & XDR Defined

• Jimmy Schroering at DME Forensics
  That was a weird one – A bug breakdown from our perspective

• Magnet Forensics
  • A Mid-Year Round-Up of Innovations in AXIOM
  • Exploring the New JSON Viewer in Magnet AXIOM

• Mail Xaminer
  Here’s How to Convert Gmail to PST Using Forensic Tool?

• MISP
  • Creating a MISP Galaxy, 101
  • Publishing open data from MISP

• Alexander Jäger at Open Source DFIR
  Set up a development environment for Timesketch

• Sam Etemad-Moghadam at ADF
  Using Smartphone Triage to Speed Your Investigations | Field Forensics

• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — July 26 to August 1

• SANS
  Becoming an All-Around Defender: Social Engineering Your Way to Success

• VMware Carbon Black
  Carbon Black EDR’s All-New Live Query Capability and Enhanced Fileless Visibility

• John Patzakis at X1
  Federal Judge: Custodian Self-Collection of ESI is Unethical and Violates Federal Rules of Civil Procedure

SOFTWARE UPDATES

• ANSSI
  v10.0.14

• Atola
  TaskForce Changelog

• Cristhofer Munoz at Azure Sentinel
  What’s New: Incident Auto-refresh hits GA!

• Brim
  v0.14.0

• Ciphey
  The Great Orwellian Restructure

• Costas K
  WindowsTimeline parser (x64)

• Didier Stevens
  • Update: zipdump.py Version 0.0.20
  • Update: InteractiveSieve 0.9.1
  • Update: pecheck.py Version 0.7.11

• DME Forensics
  Download DVR Examiner 2.9.1

• Elcomsoft
  • Elcomsoft Explorer for WhatsApp fixes Google Drive backups
  • Elcomsoft Encrypted Disk Hunter discovers encrypted disk volumes on live systems

• Evimetry
  Release 3.2.6

• ExifTool
  ExifTool 12.03

• Hex Rays
  IDA Pro 7.5 SP2 released

• JPCERT
  v1.4.1

• Magnet Forensics
  Find Evidence Faster with a New JSON Viewer in Magnet AXIOM 4.3

• Malwoverview
  Malwoverview 3.1.2

• Metaspike
  Forensic Email Collector (FEC) Changelog

• MISP
  MISP 2.4.129 released (merge event improved, event block rule system, security fixes and many bugs fixed)

• Nextron Systems
  Sigma Scanning with THOR

• Tableau
  Tableau Firmware Update Revision History for 20.3

• Oxygen Forensics
  Oxygen Forensic® Detective v.12.6

• Sumuri
  • Recon Imager
  • Recon Lab
  • Recon ITR

• Velociraptor
  Release 0.4.7
  

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!