As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Kevin Pagano at Stark 4N6
  Charging Battery with Turbo DB
  
  
• Magnet Forensics Weekly CTF
  • Magnet Weekly CTF, Week 12 [Final] Solution Walk Through
  • Magnet Weekly CTF Challenge Week 12 Writeup – Last But Not Least
  • Magnet CTF Week 11 – DNS Cache Analysis… sort of
  • Magnet CTF Week 12: Merry Hacksmas
  • Magnet Weekly CTF (Week 12) – Warren’s Final Memory
  • Magnet Weekly CTF – Week 12
    
    
• Mattia Epifani at Zena Forensics
  • A journey into IoT Forensics – Episode 3 – Analysis of an Ematic Android TV OS Box (aka thanks VTO Labs for sharing!)
  • A journey into IoT Forensics – Episode 4 – Analysis of an iRobot Roomba 690 (aka thanks VTO Labs for sharing!)
    
    
• Yogesh Khatri at ‘Swift Forensics’
  Introducing ios_apt – iOS Artifact Parsing Tool
  

THREAT INTELLIGENCE/HUNTING

• Another week of Solarwinds news
  • Actionable Threat Intelligence Available for Sunburst Cyber Attacks on SolarWinds
  • Anomali ThreatStream Sunburst Backdoor Custom Dashboard Provides Machine Readable IOCs Related To SolarWinds Supply Chain Attack
  • Why the Sunburst Malware Was So Unique and What We’ve Learnt From it
  • Sunburst_host2uid
  • SUPERNOVA – Everything you need to know to Reverse Engineer an APT WebShell
  • SolarWinds Cyberattack: Threat Intelligence Primer
  • Using Microsoft 365 Defender to protect against Solorigate
  • Microsoft Internal Solorigate Investigation Update
  • Extracting Security Products from SUNBURST DNS Beacons
  • SolarWinds Attribution: Are We Getting Ahead of Ourselves?
  • Solarwinds Sunburst: Haven’t We Been Here Before?
  • Crowdsourced Cybersecurity warned SolarWinds users about SUPERNOVA Malware
  • SolarWinds: Cyber strategists are back to the drawing board – Hindustan Times
    
    
• 360 Netlab
  DNSMon: 用DNS数据进行威胁发现(2)
  
  
• Adepts of 0xCC
  The worst of the two worlds: Excel meets Outlook
  
  
• Anton Chuvakin
  Role of Context in Threat Detection
  
  
• Awake Security
  Threat Hunting for CVE-2020-1350: Microsoft DNS Server Vulnerability
  
  
• Azure Sentinel
  New Year – New Official Azure Sentinel PowerShell Module!
  
  
• Ben Bornholm at HoldMyBeer
  Create a custom Splunk search commands with Python3
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2020-12-24 (Thursday) – Dridex infection example
  • 2020-12-28 (Monday) – Quick post: Emotet activity resumes after Christmas break
  • 2020-12-29 (Tuesday) – Quick post: Emotet infection with Trickbot and spambot traffic
    
    
• Check Point Research
  28th December – Threat Intelligence Report
  
  
• Didier Stevens
  Decrypting TLS Streams With Wireshark: Part 2
  
  
• Hannah Suarez at DomainTools
  Useful Sources of Domain and DNS Logging
  
  
• Holybugx at InfoSec Write-ups
  Finding The Origin IP Behind CDNs
  
  
• Jorge Orchilles at Scythe
  SCYTHE Presents: Red Team and Threat-Led Penetration Testing Frameworks
  
  
• Kirtar Oza
  Threat Hunting & Incident Investigation with Osquery
  
  
• Koen Van Impe
  • How to Support Defenders with the Permissible Actions Protocol
  • Handle phishing e-mails with a phishing alert button and TheHive
    
    
• MDSec
  Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams
  
  
• OGEE
  • Get status of Microsoft Defender Firewall (osquery)
  • List all users and processes (osquery)
  • Find suspicious launch daemons on Mac (osquery)
  • Windows User Sticky Key Values (osquery)
  • osquery schedule and CPU performance
  • How to determine if Windows command line auditing is enabled (osquery)
  • List resources used by osquery executable
    
    
• Eric Capuano at Recon InfoSec
  Detecting Threats with Graylog Pipelines – Part 1
  
  
• RiskIQ
  RiskIQ’s New JARM Feature Supercharges Incident Response
  
  
• Threat Hunting
  Cyber Threat Intelligence Pros and Cons
  
  
• Pukhraj Singh
  The Competition Continuum and noncontact operations in cyberspace

UPCOMING EVENTS

• Elan at DFIR Diva
  DFIR Related Events for Beginners – January 2021

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.31 – Kim Bradley
  
  
• Bret Witt
  SOC104 EventID: 36 (Malware Detected) [Dec. 1, 2020, 10:23 a.m.]
  
  
• Chris Sienko at the Cyber Work podcast
  The 5 pillars of cybersecurity framework
  
  
• Didier Stevens
  Process Explorer & VirusTotal: Fixed!
  
  
• Gerald Auger at Simply Cyber
  Simply Cyber 2020 Retrospective and Upcoming in 2021
  
  
• Kirtar Oza
  DFIR Musing 3 – Decoding UserAssist Key (with a few caveats)
  
  
• Passware
  What’s New video on Passware Kit 2021 v1 release
  
  
• This Month in 4n6
  This Month In 4n6 – December – 2020
  
  
• Watson Infosec
  • ELKSIEM Part1 Build Guide
  • ElasticStack Part 2 Security xpack
    

MALWARE

• 0xC0DECAFE
  • Never upload ransomware samples to the Internet
  • How to decompress zlib compressed binary blobs [Python]
  • Learn how to analyze Mach-O files
  • How to disable protection mechanisms to train buffer overflows [Linux]
    
    
• CERT Polska
  Set up your own malware analysis pipeline with Karton
  
  
• Avigayil Mechtinger at Intezer
  Early Bird Catches the Worm: New Golang Worm Drops XMRig Miner on Servers
  
  
• Ryan Campbell at ‘Security Soup’
  Quick Post: Mummy Spider Delivers Emotet Maldocs for the Holidays
  
  
• SANS Internet Storm Center
  • Quickie: Bit Shifting With translate.py, (Sun, Dec 27th)
  • Want to know what’s in a folder you don’t have a permission to access? Try asking your AV solution…, (Tue, Dec 29th)
  • End of Year Traffic Analysis Quiz, (Thu, Dec 31st)
  • Strings 2021, (Fri, Jan 1st)
    

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 12/31/2020
  
  
• Bobby Balachandran at Exterro/AccessData
  A Letter From the CEO: FTK Roadmap and Our Exciting Path Forward
  
  
• Alex Teixeira
  What does it mean to be a threat detection engineer?
  
  
• Amped
  • Our Top 20 in 2020
  • A Farewell to Tip Tuesday and a Collection of All 2020 Tips
    
    
• Yulia Samoteykina at Atola
  Atola’s 2020. The Year in Review
  
  
• Belkasoft
  Year 2020 recap from Belkasoft
  
  
• Brett Shavers at DFIR Training
  DFIR Training 2020 Year-in-Review
  
  
• Devisha Rochlani
  Antivirus Artifacts
  
  
• Elcomsoft
  2020 in Review: What Was New in Desktop and Mobile Forensics
  
  
• Haydn Johnson at Hackerrolls
  Connect to Splunk with Python
  
  
• LockBoxx
  Book Update
  
  
• Ryan Benson at dfir.blog
  A Year of #DailyDFIR
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — December 27 to January 2
  
  
• Doug Burks at Security Onion
  Security Onion 2 in 2020 and 2021
  
  
• Shell is Only the Beginning
  Beyond the Technical – Advise for those starting in Infosec
  
  
• ThinkDFIR
  Metaspike CTF – Week 2 – “As per my previous email”
  
  
• My wrap up for 2020!
  2020 Wrap Up
  

SOFTWARE UPDATES

• Belkasoft
  Belkasoft X Minor Update
  
  
• Didier Stevens
  Update: rtfdump.py Version 0.0.10
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Mac_apt
  20201228
  
  
• Mostafa Yahia
  Virustotal-python-API
  
  
• Plaso
  Plaso 20201228 released
  
  
• OSForensics
  V8.0 build 1005 29th December 2020
  
  
• Passcovery
  Passcovery Suite 20.12 Comes with GPU Acceleration on AMD Radeon RX 6000 Series
  
  
• Timesketch
  20201229
  
  
• Xways
  X-Ways Forensics 20.1 SR-1
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!