FOR308 Beta 2 is getting closer, starting September 8th! As this is a beta this is run at a discounted price before it goes live. You can register here!

Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Wolfgang Sommergut at 4sysops
  Deep scriptblock logging: Record PowerShell commands in the event log
  
• Chris Vance at ‘D20 Forensics’
  • Rooting Samsung devices (2020) with Magisk [RESEARCH]
  • iOS – App Research: DJI Fly
  • Android – DJI Fly & The Pesky Problem of Preferences
  • iOS – Chipolo App Research and Encrypted Realm Databases
    
• Elcomsoft
  • iPhone 5 and 5c Passcode Unlock with iOS Forensic Toolkit
  • Behind the iPhone 5 and 5c Passcode Cracking
    
• Shubham Sharma at Hacking Articles
  Anti-Forensic: Swipe Footprint with Timestomp
  
• Scott Koenig guest posted on Smarter Forensics
  Does Photos.sqlite have relations with CameraMessagesApp? By Scott Koenig
  
• Oxygen Forensics
  Fast Data Extractions via QR code
  
• Sarah Edwards at Mac4n6
  Part 2: Step-by-step iPhone Setup for iOS Research (via @bizzybarney)

THREAT INTELLIGENCE/HUNTING

• Victor Vrabie, Bogdan Rusu, and Alexandru Maximciuc with Cristina Vatamanu at Bitdefender introduce their paper (8 page PDF) related to targeting Autodesk 3ds Max
  APT Hackers for Hire Used for Industrial Espionage
  
• Rafe Pilling and Tony Adams at Secureworks discuss disinformation in a half hour podcast
  Don’t Wait for Them to Find You: What You Need to Know Today About Nation-State Threat Actors
  
• Adam at Hexacorn
  certutil – one more GUI lolbin
  
• Ben Bornholm at HoldMyBeer
  Setting up Kolide and Osquery with client certificates for mutual TLS (mTLS)
  
• Thu Pham at Blumira
  How to Test Your SIEM’s Detections
  
• Check Point Research
  24th August – Threat Intelligence Bulletin
  
• ClearSky Research Team
  The Kittens Are Back in Town 3
  
• CrowdStrike
  • Finding Waldo: Leveraging the Apple Unified Log for Incident Response
  • Response When Minutes Matter: A Simple Clue Uncovers a Global Attack Campaign
    
• Cyberbit
  • Introducing the MITRE ATT&CK Enterprise Framework Collection
  • Red Team Training & Blue Team Training  What Is The Difference?
    
• Josh Campbell at Cyborg Security
  Threat Hunting & Threat Content Creation
  
• Mariana Pereira at Darktrace
  Darktrace email finds: Rare file type used to evade gateway tools
  
• Raj Chandel at Hacking Articles
  • Credential Dumping: Fake Services
  • Defense Evasion: Alternate Data Streams
  • SIEM: Log Monitoring Lab Setup with Splunk
  • Incident Response: Windows Account Management Event (Part 2)
  • Incident Response: Windows Account Management Event (Part 1)
    
• InfoSec matters
  Find and list Unsecured Azure Storage Blobs
  
• Josiah Smith at InQuest
  Detection in Depth
  
• Jorge Orchilles at Scythe
  • SCYTHE Presents: UniCon CTF – Know Your Payload
  • SCYTHE Presents: #ThreatThursday – Custom Threats
    
• Hugh Aver at Kaspersky
  The DeathStalker cyberspy group and its tool set
  
• Kirtar Oza series on memory forensics
  • Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 2] —…
  • Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 3] —…
    
• Maarten Goet
  Microsoft Threat Protection ‘Jupyter notebook’ #AdvancedHunting sample
  
• MENASEC – Applied Security Research
  New Trick to Detect Lateral Movement via Network File Shares
  
• Nextron Systems
  Use THOR in CrowdStrike Falcon X Real Time Response
  
• Maximilien Roberti at NVISO Labs
  Detecting the sudden appearance of events with ee-outliers and Elasticsearch
  
• Olaf Hartong at Falcon Force
  Falcon Friday — Detecting Malicious Browser Extensions and code signing- 0xFF01
  
• Phil Hagen and Brian Donohue at Red Canary
  Ransomware survival guide: A holistic approach to detection and mitigation
  
• Brandon Evans at SANS
  Detecting and Locking Down Network-Based Malware in Azure
  
• SentinelOne
  Defeating “Doki” Malware and Container Escapes with Advanced Linux Behavioral Detection
  
• Luke Leal at Sucuri Blog
  Magento Multiversion (1.x/2.x) Backdoor
  
• Kevin Dick at Tevora
  DIY Leaked Credential Search Engine – Part 1
  
• Posts from TrustedSec
  • Two Simple Ways to Start Using the MITRE ATT&CK Framework
  • Red Teaming With Cobalt Strike – Not So Obvious Features
    
• Diana Lopera at Trustwave SpiderLabs
  RATs and Spam: The Node.JS QRAT
  
• Xavier Mertens at /dev/random
  Monitoring MISP with Nagios

UPCOMING WEBINARS/CONFERENCES

• Cellebrite
  • So Many Logs, So Little Time: Efficient Windows Event Log Analysis
  • Case Collaboration Made Easy with BlackLight
    
• Paula Januszkiewicz at Cqure Academy
  Forensics and Prevention In The New Reality
  
• Kroll
  • Conducting Efficient Insider Threat Investigations using KAPE
  • Webcast: Child Exploitation Investigation – Express Analysis with KAPE

PRESENTATIONS/PODCASTS

• Forensic Lunch
  Forensic Lunch 8/28/20 – Willi Ballenthin
  
• Jessica Hyde at Magnet Forensics
  Magnet Forensics Presents: Cache Up – Ep.13 – Elan Wright
  
• Kevin Ripa at SANS
  • Episode 106: The TWO Serial Numbers of a USB Device – Part 1 – 3 Min Max Series
  • Episode 107: The TWO Serial Numbers of a USB Device – Part 2
  • Episode 108: The TWO Serial Numbers of a USB Device – Part 3
    
• Breaking Badness podcast
  58. Worse for Malware
  
• Heather Mahalik at Cellebrite
  • Steps for loading Google Takeout into Cellebrite Physical Analyzer.
  • Episode 8: I Beg to DFIR – Working an Investigation: Making Sense of the Data
    
• Detections Podcast
  • Season 2 episode 15: Honey I Shrunk the Blue Team
  • Season 2 Episode 16: Once Upon a Time in Bug Bounty
    
• Digital Forensic Survival Podcast
  DFSP # 236 – Apple FSEvents
  
• Magnet Forensics
  • What’s New In Magnet AXIOM Cyber 4.4
  • Strengthen Your Cases with Web Page Data in Magnet AXIOM 4.4
  • How to Use the MAGNET Web Page Saver
  • Expose Evidence of Timestomping in Magnet AXIOM 4.4
    
• SalvationData
  VIP-Main Features-SOP-SalvationDATA DVR Forensics Solution
  
• SANS Institute
  The Human Side of Threats: Why it Matters that Adversaries are Human Too | Security Awareness Forum

MALWARE

• Make sure to catch Andy Greenberg’s story at Wired about an employee approached to launch what ended up being a foiled ransomware attack at a Tesla factory in Reno
  A Tesla Employee Thwarted an Alleged Ransomware Plot
  
• Mobile spyware research at 360 Core Security
  手机色情软件中的“偷拍者”
  
• Keith Chew at Active Countermeasures
  Malware of the Day – Saefko
  
• Check Point Research
  • An Old Bot’s Nasty New Tricks:  Exploring Qbot’s Latest Attack Methods
  • Gozi: The Malware with a Thousand Faces
    
• CISA Analysis Reports
  • AR20-239B: MAR-10301706-2.v1 – North Korean Remote Access Tool: VIVACIOUSGIFT
  • AR20-239C: MAR-10257062-1.v2 – North Korean Remote Access Tool: FASTCASH for Windows
  • AR20-239A: MAR-10301706-1.v1 – North Korean Remote Access Tool: ECCENTRICBANDWAGON
    
• Josh Campbell at Cyborg Security
  The Rise of Doxware – Capable Ransomware
  
• DannyDodds
  Types of Malware
  
• Darcie Gainer at Duo
  Case Study: Duo and Umbrella Thwart Malware & Phishing Attacks at Texas A&M
  
• Andrew Davis at FireEye
  Emulation of Malicious Shellcode With Speakeasy
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #04: More selection!
  
• Fleming Shi at Journey Notes
  Threat Spotlight: Ransomware
  
• Kaspersky Lab
  • SpiKey: Eavesdropping on keys
  • How to launch malicious macros unnoticed on macOS
    
• Jagaimo Kawaii at lab52
  A twisted malware infection chain
  
• Marco Ramilli
  How to Reverse Office Droppers: Personal Notes
  
• Lars at nullteilerfrei
  Programmatically NOP the Current Selection in Ghidra
  
• SANS Internet Storm Center
  • Tracking A Malware Campaign Through VT, (Mon, Aug 24th)
  • Keep An Eye on LOLBins, (Tue, Aug 25th)
  • Malicious Excel Sheet with a NULL VT Score, (Wed, Aug 26th)
  • Example of Malicious DLL Injected in PowerShell, (Fri, Aug 28th)
    
• Sebdraven
  RTF Royal Road drops a new backdoor MFC and links with Goblin Panda
  
• Ivan Kwiatkowski, Pierre Delcher, and Maher Yamout at Securelist
  Lifting the veil on DeathStalker, a mercenary triumvirate
  
• Rajesh Nataraj at Sophos News
  Lemon_Duck cryptominer targets cloud apps & Linux
  
• Mac and mobile teams at Trend Micro
  XCSSET Mac Malware: Infects Xcode Projects, Uses 0Days
  
• Emiliano Martinez at VirusTotal Blog
  Learn how malware operates so you can defend yourself against it
  
• VMRay
  Threat Bulletin: WastedLocker Ransomware
  
• Zero2Automated Blog
  DBatLoader/ModiLoader Analysis – First Stage
  
• Atinderpal Singh and Sudeep Singh at ZScaler
  LinkedIn Job Seeker Phishing Campaign Spreads Agent Tesla

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 8/26/2020
  
• Mark Spencer at Arsenal Recon
  Are there dumb questions in digital forensics?
  
• Masashi Crete-Nishihata, Jakub Dalek, Jeffrey Knockel, Nicola Lawford, Caroline Wesley, and Mari Zhou at Citizen Lab on surveillance and censorship
  Censored Contagion II: A Timeline of Information Control on Chinese Social Media During COVID-19
  
• Adrian at ‘Agood cloud’
  Upgrading Cortex 3.0.1/ES5.6 to Cortex 3.1.0RC1/ES7.8
  
• Berla
  • iVe 3.0 Feature Spotlight: Centralized Dashboard
  • iVe 3.0 Feature Spotlight: Accessible Collections
  • iVe 3.0 Feature Spotlight: Secure Sharing
    
• Cellebrite
  Advocating for the Use of Digital Intelligence
  
• Limor Wainstein at Cybereason
  Time for an Upgrade: How to Switch from Symantec to Cybereason
  
• DannyDodds
  Types of Attacks
  
• Jimmy Schroering at DME Forensics Inc.
  DME’s Development Team
  
• Forensic Focus
  • How To Review Text Chats With Nuix Investigate
  • SANS DFIR Summit 2020 Recap
  • Forensic Focus Forum Round-Up
  • BYOB To A CTF To Improve Your DFIR Game
  • Case Study: How Turn-By-Turn Driving Directions Uncovered A Killer’s Lies
    
• Haydn Johnson at Hackerrolls
  Winlogbeat & ELK
  
• Lifars
  Advantages of Cyber Incident Retainers
  
• Magnet Forensics
  • Expose Evidence of Timestomping with the NTFS Timestamp Mismatch Artifact in Magnet AXIOM 4.4
  • Recover iOS App Screen Layouts with the New iOS Home Screen Items Artifact
  • Ingesting Web Page Saver Results into Magnet AXIOM
  • Exporting URLs from Magnet AXIOM for Use with Web Page Saver
  • Creating Export Templates in Magnet AXIOM
  • Customize Your Exports with Magnet AXIOM
    
• MISP
  MISP service monitoring with Cacti
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — August 23 to August 29
  
• Heather Williams at Swimlane
  Automating DFIR with SOAR
  
• Thomas Roccia
  Security infographics
  
• Trend Micro
  Removing Open Source Visibility Challenges for Security Operations Teams
  
• John Patzakis at X1
  Intelligent ESI Collection Integrated with Relativity Can Cut eDiscovery Costs by 90 Percent

SOFTWARE UPDATES

• Anomali
  Anomali Automation Streamlines Investigations, Eases Threat Intelligence Analyst Workloads
  
• Berla
  iVe v3.0 Release
  
• Brim
  v0.16.0
  
• Ciphey
  Major bug fixes
  
• Costas K
  • WindowsTimeline Clipboard Text Carver  (Win10 x64)
  • WindowsTimeline parser (x64)
    
• Cyber Triage
  Cyber Triage 2.13.1: Feedback-Driven Upgrades (See, We Listen!)
  
• Didier Stevens
  New Tool: XORSearch.py
  
• Elastic
  Alerting and anomaly detection for uptime and reliability
  
• Elcomsoft
  Elcomsoft iOS Forensic Toolkit 6.40: iPhone 5 and 5c passcode unlock
  
• ExifTool
  ExifTool 12.05
  
• F-Response
  F-Response v 8.0.1.68 Released
  
• Magnet Forensics
  • Strengthen Your Cases with Webpage Data in Magnet AXIOM 4.4
  • New Updates to Magnet Web Page Saver
    
• Malwoverview
  Malwoverview 4.0.3
  
• MobilEdit
  • Beta of MOBILedit Forensic Express 7.3 released!
  • New MOBILedit User Guide officially released
    
• MSAB
  XRY- First To Market With Support For iOS 14 Plus Bypassing Of Locked LG Qualcomm Devices
  
• Regipy
  1.6.2
  
• Sigma
  sigmatools 0.18.1
  
• Ulf Frisk
  Version 3.4

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!