As always, thanks to those who give a little back for their support!

DFRWS APAC 2021 is almost here! Only a week and a half to go. The program has been released, and because it’s virtual, anyone can join easily through the magic of the Internets.
DFRWS APAC 2021

FORENSIC ANALYSIS

• Brian Maloney
  Your AV is Trying to Tell You Something: syslog.log
  
  
• Christiaan Beek
  VHD Forensics — the sequel
  
  
• Craig Ball at ‘Ball in your Court’
  What’s in a Name (or Hash Value)?
  
  
• Deagler’s 4n6 Blog
  Dumpster Diving in Google Photos Android App: “local_trash.db”
  
  
• Forensic Focus
  • How To Efficiently Decrypt TrueCrypt/VeraCrypt Encryption Using Passware
  • How To Extract Passwords From The Acquired Windows Registry With Passware
    
    
• Heather Mahalik
  Gaining Access 101: A Simple Guide to Data Extractions
  
  
• Francesca at ‘A DFIR Journey’
  Amazon Kindle and its Experimental Browser: the Start of a Forensic Analysis
  
  
• Joshua Hickman at ‘The Binary Hick’
  Clockin’ In with Google’s Wear OS
  
  
• Kevin Pagano at Stark 4N6
  Magnet Weekly CTF – Grand Prize Challenge
  
  
• Kovar & Associates
  • COMPARING CUAS TRACK DATA
  • Defining CUAS EFFECTIVENESSS
  • Counter UAS Test and Evaluation Series
    
    
• Kyle Cucci at SecurityLiterate
  Hunting BlackEnergy3 in Memory
  
  
• Magnet Forensics
  • Tips for Managing Cloud Workloads Securely
  • Remote Acquisition of Apple’s New M1-Based Endpoints with Magnet AXIOM Cyber
    
    
• Mattia Epifani at Zena Forensics
  A journey into IoT Forensics – Episode 5 – Analysis of the Apple HomePod and the Apple Home Kit Environment (aka thanks RN Team!)
  
  
• Bintang Nafsul Mutmainnah at MII Cyber Security Consulting Services
  Log Analysis in DFIR Using Jupyter Notebook
  
  
• Jonathan Greig at Open Source DFIR
  Container Forensics with Docker Explorer
  
  
• The DFIR Report
  Trickbot Still Alive and Well
  
  
• Trustwave SpiderLabs
  Microsoft Teams and Skype Logging Privacy Issue
  

THREAT INTELLIGENCE/HUNTING

• More Solarwinds! Including an update from Solarwinds on their investigation
  • New Findings From Our Investigation of SUNBURST
  • Start triage with already set YARA rules for SUNBURST
  • SUNSPOT: An Implant in the Build Process
  • SolarLeaks
  • Protecting Against Supply Chain Attacks by Profiling Suppliers
  • The Devil’s in the Details: SUNBURST Attribution
  • Nothing New Under the Sun: Wait Until it Bursts or Re-think the Approach?
  • FireEye & SolarWinds Follow-Up with Senior SOC Analyst Tony Robinson
  • Nation-states are taking their supply-chain attack strategy from the cybercriminal underground
  • Check out @likethecoin’s Tweet
  • Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender
  • Robust Indicators of Compromise for SUNBURST
  • SolarWinds: Between The Clouds
  • Update on SolarWinds Supply-Chain Attack: SUNSPOT and New Malware Family Associations
  • SolarWinds Orion Breach – What It Means for the Industry Writ Large
  • Sunburst backdoor – code overlaps with Kazuar
  • SolarWinds: Insights into Attacker Command and Control Process
  • SolarWind Attack: Italy activates the Cyber ​​Security Nucleus
  • RisingSun: Decoding SUNBURST C2 to Identify Infected Hosts Without Network Telemetry
    
    
• AlienVault Labs
  A Global Perspective of the SideWinder APT
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2021-01-12 (Tuesday) – Pcap and malware for an ISC diary (Hancitor)
  • 2021-01-14 (Thursday) – Pcap and malware for an ISC diary (Rig EK)
  • 2021-01-15 – Emotet infection from Epoch 1 botnet
  • 2021-01-12 thru 2021-01-14 – Six items of malspam received by my admin email
  • 2021-01-13 (Wednesday) – Emotet epoch 2 infection with Trickbot gtag mor13
    
    
• Oliver Rochford at Brim Security’s Knowledge Funnel
  Analyzing Qakbot using Brim’s No-code threat hunting
  
  
• 0xC0DECAFE
  Resources on tracking adversary infrastructure
  
  
• Check Point
  • 11th January – Threat Intelligence Report
  • Going Rogue- a Mastermind behind Android Malware Returns with a New RAT
  • Cloud Threat Hunting: Attack & Investigation Series- Lateral Movement – Under the Radar
    
    
• Cyberint
  Rock Down to ElectroRAT Avenue
  
  
• Didier Stevens
  Decrypting TLS Streams With Wireshark: Part 3
  
  
• Eric Capuano at Recon InfoSec
  Detecting Threats with Graylog Pipelines – Part 3
  
  
• Etienne Maynie
  How to Check if an Android Phone has a Stalkerware Installed?
  
  
• Matthew Hosburgh at Expel
  Plotting booby traps like in Home Alone: Our approach to detection writing
  
  
• Flashpoint
  Joker’s Stash Shutting Down—for Good This Time
  
  
• Fox-IT
  Abusing cloud services to fly under the radar
  
  
• Huseyin Rencber
  DGA Nedir? Nasıl Tespit edilir & Engellenir?
  
  
• Intel 471
  Last Dash for Joker’s Stash: Carding forum may close in 30 days
  
  
• Nicole Fishbein at Intezer
  A Rare Look Inside a Cryptojacking Campaign and its Profit
  
  
• Jorge Orchilles at Scythe
  • SCYTHE Presents: #ThreatThursday – Egregor Ransomware with Sean Gallagher
  • SCYTHE Presents: #ThreatThursday – Egregor Ransomware
    
    
• Koen Van Impe
  • Cybersecurity Ethics: Establishing a Code for Your SOC
  • Use Elastic to represent MISP threat data
    
    
• MikeCyberSec
  Developing Sigma rules with Sysmon and ELK
  
  
• Olaf Hartong at Falcon Force
  Sysmon 13 — Process tampering detection
  
  
• Open Threat Research
  How to set up a Microsoft Defender for Identity Sensor on a Domain Controller
  
  
• Palantir
  Microsoft Defender Attack Surface Reduction recommendations
  
  
• Palo Alto Networks
  • xHunt Campaign: New BumbleBee Webshell and SSH Tunnels Used for Lateral Movement
  • Open Source Tool Release: Gaining Novel AWS Access With EBS Direct APIs
    
    
• PT Security
  Higaisa or Winnti? APT41 backdoors, old and new
  
  
• RiskIQ
  New Analysis Puts Magecart Interconnectivity into Focus
  
  
• Stefan Grimminck
  Running a fake power plant on the internet for a month
  
  
• Strategic Cyber
  Pushing back on userland hooks with Cobalt Strike
  
  
• Luke Leal at Sucuri
  • Obfuscation Techniques in Ransomweb “Ransomware”
  • Real-Time Phishing Kit Targets Brazilian Central Bank
    
    
• Flynn Weeks at The What2Log Blog
  The Struggle is Real: To Aggregate or Not to Aggregate
  
  
• Kaivalya Khursale at ZScaler
  New Phishing Trends and Evasion Techniques

UPCOMING EVENTS

• Kristian Lars Larsen at Data Narro
  Top Digital Forensics Conferences for 2021
  
  
• Magnet Forensics
  January 21 11:00AM ET: Tips & Tricks // Recovering and Analyzing Deleted Data in AXIOM
  
  
• Arman Gungor at Metaspike
  Email Forensics Workshop — CTF Edition
  
  
• Nik Alleyne at ‘Security Nik’
  SANS Stay Sharp series – Improve your Mastery of TShark Packet Analysis with SANS SEC582
  
  
• Semantics21
  • Jan 21 11AM UTC – Understand How To Use The S21 Auto Categoriser Built Into LASERi-X [r03]
  • Jan 21 7PM UTC – Understand How To Use The S21 Auto-Categoriser Built Into LASERi-X [r03]
    
    
• Johan Berggren at Google
  Timesketch Summit 2021
  
  
• Lesley Carhart
  PancakesCon 2!
  

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.33 – Doug Bryant Jr.
  
  
• Kevin Ripa at SANS
  • Episode 157: IPv4 – Part 3
  • Episode 158: IPv4 – Part 4
  • Episode 159: IPv6 – Part 1
    
    
• Archan Choudhury at BlackPerl
  My Absence Explained | Plans for 2021 | Let’s Study Together
  
  
• Adam Pennington
  Check out @_whatshisface’s tweet
  
  
• Black Hills Information Security
  Talkin’ About Infosec News – 1/13/2021
  
  
• Breaking Badness podcast
  71. Throwing Caution to the SolarWinds
  
  
• Bret Witt
  • DFIR – Red Team Tools
  • DFIR – Red Team Tools 2
  • SOC110 EventID: 40 (Proxy – Cryptojacking Detected) [Jan. 2, 2021, 4:33 a.m.]
  • SOC103 EventID: 34 (Malicious APK Detected) [Jan. 1, 2021, 6:11 p.m.]
    
    
• Colin Hardy
  Zyxel Backdoor & A Known Plaintext Attack
  
  
• Cyber Security Interviews
  #109 – Amanda Berlin: Happier People Stay Longer
  
  
• Forensic Focus
  • Podcast: MSAB’s Mike Dickinson On The Rapidly Changing World Of Digital Forensics
  • Nuix Digital Investigations Solutions: Defeating Encryption And Password Protection
    
    
• Gerald Auger at Simply Cyber
  • Nox SOC Masterplan
  • What is Life Like in a SOC?  w/SOC Expert Brandon Poole
  • Cyber Resume Gold with Joe Hudson – Cyber Headhunter
    
    
• Lee Reiber’s Forensic Happy Hour
  Oxygen Forensics Episode 201
  
  
• Markus Neis
  Cracking a soft cell is harder than you think
  
  
• Richard Davis at 13Cubed
  Profiling Network Activity with Volatility 3 – GeoIP from Memory
  
  
• Watson Infosec
  ELKSIEM Part 3 Packetbeat GeoInfo Maps Setup

MALWARE

• 0xthreatintel
  Spynote malware internals
  
  
• Bitdefender Labs
  • Darkside Ransomware Decryption Tool
  • Remcos RAT Revisited: A Colombian Coronavirus-Themed Campaign
    
    
• Chuong Dong
  Babuk Ransomware v3
  
  
• Jon Munshaw and Asheer Malhotra at Cisco’s Talos
  Microsoft Patch Tuesday for Jan. 2021 — Snort rules and prominent vulnerabilities
  
  
• Lior Rochberger at Cybereason
  Cybereason vs. Conti Ransomware
  
  
• Xiaopeng Zhang at Fortinet
  New Variant of Ursnif Continuously Targeting Italy
  
  
• Heimdal Security
  • MegaCortex Ransomware: The Cyber-Threat Looming Over Corporate Networks
  • Egregor Ransomware: Origins, Operating Mode, Recent Incidents
  • The Cyber Kill Chain Model: A Comprehensive Guide
  • What is a Malicious App and How to Spot One?
    
    
• John Hammond at Huntress Labs
  Malware Under The Microscope: Manual Analysis
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #22: IDA desktop layouts
  
  
• Ghanashyam Satpathy and Dagmawi Mulugeta at Netskope
  You Can Run, But You Can’t Hide: Advanced Emotet Updates
  
  
• Nik Alleyne at ‘Security Nik’
  • Continuing Malware Analysis – Static Analysis of BrbBot
  • Continuing Malware Analysis – Dynamic Analysis of BrbBot
  • Understanding Linux x32 calling conventions with Ghidra and GDB – CDECL
  • Continuing Malware Analysis – Ghyte / ZBot – Static and Dynamic Analysis
  • Continuing Dynamic Malware Analysis – DoomJuice – Static Analysis with Ghidra and Dynamic Analysis with x64dbg
  • Malware Analysis – Learning about Graftor malware with Ghidra and x64dbg
  • Suspicious(?) PDF Analysis – Remittance detail from …
  • Malware Analysis – Learning about PDF-XChange Viewer Ramsomware
    
    
• SANS Internet Storm Center
  • New version of Sysinternals released, Process Hollowing detection added in Sysmon, new registry access detection added to Procmon https://docs.microsoft.com/en-us/sysinternals/, (Mon, Jan 11th)
  • Using the NVD Database and API to Keep Up with Vulnerabilities and Patches – Tool Drop: CVEScan (Part 3 of 3), (Mon, Jan 11th)
  • Hancitor activity resumes after a hoilday break, (Wed, Jan 13th)
  • Dynamically analyzing a heavily obfuscated Excel 4 macro malicious file, (Thu, Jan 14th)
  • Throwback Friday: An Example of Rig Exploit Kit, (Fri, Jan 15th)
  • Obfuscated DNS Queries, (Fri, Jan 15th)
    
    
• Phil Stokes at SentinelLabs
  FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts
  
  
• Sophos
  New Android spyware targets users in Pakistan
  
  
• VinCSS
  [RE019] From A to X analyzing some real cases which used recent Emotet samples
  
  
• VMRay
  Malware Analysis Spotlight: OSAMiner Uses Run-Only AppleScripts to Evade Detection
  
  
• Matías Porolli at WeLiveSecurity
  Operation Spalax: Targeted malware attacks in Colombia
  
  
• Yoroi
  Opening “STEELCORGI”: A Sophisticated APT Swiss Army Knife

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 1/12/2021
  
  
• Marco Fontani at Amped
  Introducing “Video Evidence Pitfalls: Because You Don’t Know What You Don’t Know”
  
  
• Dany at Digitella
  Importance of Community in Cyber Security
  
  
• Digital Guardian
  New Rule Would Require Banks to Disclose Breaches in 36 Hours
  
  
• Garry Dukes at DME Forensics
  Feature Fridays – Preview and Export
  
  
• Oleg Afonin at Elcomsoft
  DFU Mode Cheat Sheet
  
  
• Forensic Focus
  • Jad Saliba, Founder & CTO, Magnet Forensics
  • Year In Review: 2020 MD-Series Product Highlights
    
    
• Francesca at ‘A DFIR Journey’
  BTL1 Certification – My Experience
  
  
• IntaForensics
  Forensic Access Acquires IntaForensics
  
  
• Kringlecon writeups
  • Holiday Hack 2020: Investigate S3 Bucket
  • Holiday Hack 2020: ‘Zat You, Santa Claus? featuring KringleCon 3: French Hens
  • SANS Holiday Hack Challenge 2020 write-up
  • My KringleCon 2020 HolidayHack Writeup
  • Check out @CyberRaiju’s tweet
    
    
• Sysmon.works
  Check out @olafhartong’s tweet
  
  
• Oxygen Forensics
  Samsung device data extraction in Oxygen Forensic® Detective
  
  
• Amber Schroader at Paraben Corporation
  The GDPR & The CCPA a Quick Look with a Forensic Twist
  
  
• Pavel Yosifovich
  Parent Process vs. Creator Process
  
  
• Richard Frawley at ADF
  Digital Forensic Screenshots with OCR for Mobile Devices | ADF Triage
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — December 27 to January 2
  
  
• Silicon Shecky
  Holiday CTF review
  
  
• ThinkDFIR
  Metaspike CTF – Week 4 – “IM APparently making this harder than it was meant to be”
  
  
• Try Hack Me
  Cyber Defence
  
  
• UK Forensic Science Regulator
  Forensic Science Regulator Annual Report
  
  
• Martijn Grooten at Virus Bulletin
  In memoriam: Yonathan Klijnsma
  

SOFTWARE UPDATES

• Active Countermeasures
  AC-Hunter v5.0.0 Is in the Wild!
  
  
• Atola
  Atola Insight 4.17 with AFF4 support
  
  
• Belkasoft
  Belkasoft X Update: Agent-based MTK Acquisition & Other Improvements
  
  
• Brim
  What’s new in Brim v0.22.0?
  
  
• Eric Zimmerman
  ChangeLog
  
  
• JPCERTCC
  v1.5.1
  
  
• LIFARS
  Introducing The New Logchecker Tool Developed By LIFARS
  
  
• RecuperaBit
  Version 1.1.4
  
  
• Spitzbuaamy
  Cryptolaemus to MISP
  
  
• Xways
  X-Ways Forensics 20.1 SR-3

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!