As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• ThinkDFIR
  Metaspike CTF – Week 5 – “Spot the DFIRence”
  
  
• Abhiram’s Blog
  • Mr EvilPepo [series] – TrollCAT CTF 2021
  • S3cr3t – TrollCAT CTF 2021
    
    
• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  Windows registry Transaction Logs in forensic analysis
  
  
• Brian Maloney
  Your AV is Trying to Tell You Something: rawlog.log
  
  
• DFIR Review
  • Extracting and Decrypting iOS Keychain: Physical, Logical and Cloud Options Explored
  • Using Photos.sqlite to Show the Relationships Between Photos and the Application they were Created with?
    
    
• Elcomsoft
  • NAS Forensics: Synology, ASUSTOR, QNAP, TerraMaster and Thecus Encryption Compared
  • Passcode Unlock and Physical Acquisition of iPhone 4, 5 and 5c
  • iPhone 4, iPhone 5 and iPhone 5c Physical Acquisition Walkthrough
  • Breaking Jetico BestCrypt
    
    
• InfoSec Write-ups
  Hacking Organizations One Document at a Time With Metadata
  
  
• James Smith at DFIR Madness
  • Incident Response Thumb Drive
  • Case 001 – The Timing of it All
    
    
• Josh Brunty
  Validation of Forensic Tools- A Quick Guide for the DFIR Examiner
  
  
• Jason Lackey at Keysight
  Meta Data and a PDF Self-Pwn
  
  
• Kyle Song
  Blog #24: APFS Parsing Bug in EnCase v20.x [EN]
  
  
• Marco Fontani at Amped
  Lens Distortion: Cameras May Change the Shape of Things
  
  
• MII Cyber Security Consulting Services
  • Digital Forensic Artifact of Anydesk Application
  • Remote Desktop Connection (mstsc.exe) Screen in a Memory Dump Analysis
    
    
• The DFIR Report
  Bazar, No Ryuk?
  
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  • Recoll – a perfect tool for Threat Intelligence Analysts and other Report Readers
  • Mitre Domin&trix
  • Beyond good ol’ Run key, Part 131
  • Desperate downloader lolbin
    
    
• Adam Chester at XPN
  Tailoring Cobalt Strike on Target
  
  
• Anomali
  Threat Actors Capitalize on COVID-19 Vaccine News to Run Campaigns, AWS Abused to Host Malicious PDFs
  
  
• Azure Sentinel
  • Enhancing Azure Sentinel’s log ingestion capabilities with NXLog
  • Centralize your security response with Azure Sentinel & PagerDuty
    
    
• Ben Bornholm at HoldMyBeer
  IR Tales: The Quest for the Holy SIEM: Graylog + AuditD + Osquery
  
  
• BlueteamOps
  RDP Goodies
  
  
• Brian Laskowski at Blumira
  Detecting SolarWinds & Ransomware Attacks With Process Monitoring
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2021-02-01 – Files for an ISC diary (SystemBC with Cobalt Strike)
  • 2021-02-04 – Rig EK sends possible BuerLoader
  • 2021-02-05 – Spelevo EK sends Sharik/SmokeLoader
    
    
• Megan DeBlois at Censys
  From Hunting the Adversary to Hunting your Organization’s Infrastructure
  
  
• ClearSky Cyber Security
  CONTI Ransomware – Negotiation and Bitcoin Tracking
  
  
• Cyberint
  Turla – high sophistication Russian-nexus threat group
  
  
• Eclypsium
  In the Shadow of Sunburst: Hunting for Firmware Persistence in the Context of Supply Chain Attack IR
  
  
• Gianni Castaldi at Kusto King
  • Kusto Gym
  • Which data types do we have
    
    
• Hannah Suarez
  • YAML config for the Palantir Windows Event Forwarding Guidance
  • YAML config for the Palantir Windows Event Forwarding recommendations
  • Which Windows auditing events require failure and success logging?
  • YAML Config with Event IDs of Active Directory Domain Service Events with Criticality Info
  • YAML Config Snippet of JPCERT Lateral Movement Events to Monitor (Windows)
    
    
• Adam Army at Hurricane Labs
  Splunking the Zombie Apocalypse
  
  
• Microsoft Security
  What tracking an attacker email infrastructure tells us about persistent cybercriminal operations
  
  
• MWLab
  Logchecker
  
  
• Nasreddine Bencherchali
  Common Tools & Techniques Used By Threat Actors and Malware — Part II
  
  
• Nik Alleyne at ‘Security Nik’
  • Snort3 on Ubuntu 20 – The Initial Setup
  • Snort3 on Ubuntu 20  – Learning a little about our installation – Getting Help, Running Snort3, etc
  • Snort3 on Ubuntu 20 – Feeding and testing the pig – rules and PulledPork
  • Snort3 on Ubuntu 20  – Housekeeping – AppID, RNA, Performance Monitoring, Profiling, JSON Logging, Other config, etc.
    
    
• NIST
  NIST Offers Tools to Help Defend Against State-Sponsored Hackers
  
  
• One Night in Norfolk
  DPRK Targeting Researchers II: .Sys Payload and Registry Hunting
  
  
• Roberto Rodriguez at Open Threat Research Blog
  Creating and Starting a Windows Service Remotely Using NtObjectManager Via Remote Procedure Calls (RPC) Over SMB
  
  
• Jay Chen, Aviv Sasson and Ariel Zelivansky at Palo Alto Networks
  Hildegard: New TeamTNT Malware Targeting Kubernetes
  
  
• Recorded Future
  Top 6 MITRE ATT&CK Techniques Identified in 2020, Defense Evasion Tactics Prevail
  
  
• Sartaj Ahmed Shaik
  • My Azure Security Engineer Associate Az-500 Journey
  • Integrating Adversary Emulation using Infection Monkey with Azure Sentinel
  • Getting Started with Azure DevOps Security Scanner
    
    
• Sophos
  MTR casebook: Uncovering a backdoor implant in a SolarWinds Orion server
  
  
• Dean Ward at Stack Overflow
  A deeper dive into our May 2019 security incident
  
  
• Mike Cohen at Velocidex
  • Detecting DLL Hijacking With VQL
  • Migrating from OSQuery to Velociraptor
    
    
• WeLiveSecurity
  • Kobalos – A complex Linux threat to high performance computing infrastructure
  • Operation NightScout: Supply‑chain attack targets online gaming in Asia
    
    
• WMC Global
  Threat Actor Update: Kr3pto
  
  
• xorl %eax, %eax
  Why tasking is important in a threat intelligence team (using NSA’s UTT as example)
  
  

UPCOMING EVENTS

• Cellebrite
  How Cryptocurrency Investigations Are Tipping the Scales in Ransomware, Fraud and Theft Cases
  
  
• Cellebrite
  Introduction to the New Commander 7.18
  
  
• Elan at DFIR Diva
  DFIR Related Events for Beginners – February, 2021
  
  
• Leszek Miś
  Free Workshop: Threat Detection and Hunting with PurpleLabs #1 [16 February]
  
  
• Magnet Forensics
  • February 11 11:00AM ET: Tips & Tricks // Rebuilt Desktops
  • February 10 8:00AM/11:00AM ET: Emoting Over Emotet And Maldoc
    
    
• Eric George at PhishLabs
  ҰourDoma1п.org: How Look-alike Domains Drive BEC, Ransomware, and Phishing Attacks
  
  
• SANS
  HR + Cybersecurity
  
  

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.36 – Phill Moore
  
  
• Kevin Ripa at SANS
  • Episode 166: Collecting Machine Config on Mac – Part 3
  • Episode 167: Digital Forensics & Knot Tying
  • Episode 168: Apple Forensics: Magic Keystrokes – alt/option key
    
    
• Black Hills Information Security
  Talkin’ About Infosec News – 2/1/2021
  
  
• Breaking Badness podcast
  74. An Empty Emotet
  
  
• Bret Witt
  SOC102 EventID:6 (Proxy – Suspicious URL Detected) [Aug. 29, 2020, 3:33 p.m.]
  
  
• Cellebrite
  • Report Writing for Digital Forensics
  • Learn more about Cellebrite Physical Analyzer’s new built-in content search feature.
    
    
• Check Point Research
  SolarWinds Explained
  
  
• Chris Sienko at the Cyber Work podcast
  Moving up in cybersecurity: From help desk to FireEye to CEO
  
  
• Cyber Security Interviews
  #112: Douglas Brush – Pain Is Inevitable, Suffering Is Optional
  
  
• Detection: Challenging Paradigms
  Episode 2: Dane Stuckey
  
  
• Detections podcast
  BSD Goes O.MG
  
  
• Digital Forensic Survival Podcast
  DFSP # 259 – Wincore Processes Revisited part 1
  
  
• Life has no CTRL ALT DEL with Heather Mahalik
  Report Writing for Digital Forensics
  
  
• Magnet Forensics
  Tips & Tricks // Magnet AXIOM Cyber Remote Agent
  
  
• Nuix
  • Nuix January 2021 Product Update
  • Detecting Malicious Activity and Performing Forensic Collections with Nuix Adaptive Security
  • Adding Names Normalization to Nuix Discover
  • Overcoming Growing Microsoft 365 Usage with the Nuix Connector
  • Nuix and the Microsoft 365 Connector
    
    
• Paraben Corporation
  • E3 Platform Triage Overview with Founder
  • Cloud Forensics Discord Data with Token
    
    
• SANS
  • FOR578 Cyber Threat Intelligence Course Update – 6th day
  • SolarWinds – A SANS Lightning Summit Recap
  • Mini Workshop: Attack & Defend
  • Social Engineering: What It Is, Why It Matters, and What You Can Do
  • Hacking Your Brain: Using Proven Psychology Techniques to Set and Smash Goals
  • Starting a Career as an Ethical Hacker
  • Defending Critical Infrastructure
  • Cybersecurity Career Success for Neurodivergent Individuals
  • Protecting Your Digital Identity
  • Now What? – Pursuing Cybersecurity After Graduation
  • Next-Level App Hacking: Threat Modeling for Better Attacks
  • Move Along; Nothing to See Here… Or Is There?
  • Cybersecurity Careers: Where Do You Fit?
  • DNS: What It Is, What It Does, and How to Defend It
  • Cracking the Mystery: Quantum Cryptography and The Future of Cybersecurity
  • Cybersecurity is Like Ice Cream. There Are a Whole Lot of Flavors
  • Can People Hack Nuclear Plants?
  • Part 1: Rekt Casino Hack – Business Security Strategy, Policies, and Leadership Gone Wrong
  • SOLARWINDS – A SANS Lightning Summit
    
    
• Security Unlocked
  BEC: Homoglyphs, Drop Accounts, and CEO Fraud
  
  
• This Week In 4n6
  This Month In 4n6 – January – 2021
  
  

MALWARE

• 0xthreatintel
  • Uncovering APT-C-41 (StrongPity) Backdoor
  • APTs targets nCoV-19 Vaccine Researchers
    
    
• 360 Netlab
  New Threat: Matryosh Botnet Is Spreading
  
  
• 360
  安全预警：利用Android可穿戴扩展通知功能进行自我传播的蠕虫木马分析
  
  
• Jan Vojtěšek and Jan Rubín at Avast Threat Labs
  Backdoored Browser Extensions Hid Malicious Traffic in Analytics Requests
  
  
• Kryptos Logic
  Trickbot masrv Module
  
  
• Bogdan Vennyk
  When Red Team became Blue Team
  
  
• BushidoToken
  Amadey Trojan distributed by DPRK-affiliated APT groups
  
  
• Click All the Things!
  XLSB: Analyzing a Microsoft Excel Binary Spreadsheet
  
  
• Colin Hardy
  Emotet is Dead
  
  
• Aaron Jewitt at Elastic
  How to build a malware analysis sandbox with Elastic Security
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #25: Disassembly options
  
  
• Josh Stroschein
  Maldocs – Getting Started with Excel 4 Macros (XLM Macros)
  
  
• Denis Sinegubko at Sucuri
  Whitespace Steganography Conceals Web Shell in PHP Malware
  
  
• Jérôme Segura at Malwarebytes Labs
  Credit card skimmer piggybacks on Magento 1 hacking spree
  
  
• Mario Henkel
  Decrypting AzoRult traffic for fun and profit
  
  
• Nadav Lorber at Morphisec
  CinaRAT Resurfaces With New Evasive Tactics and Techniques
  
  
• SANS Internet Storm Center
  • Wireshark 3.4.3 Released, (Sun, Jan 31st)
  • Excel spreadsheets push SystemBC malware, (Wed, Feb 3rd)
  • New Example of XSL Script Processing aka “Mitre T1220”, (Tue, Feb 2nd)
  • Taking a Shot at Reverse Shell Attacks, CNC Phone Home and Data Exfil from Servers, (Mon, Feb 1st)
  • VBA Macro Trying to Alter the Application Menus, (Fri, Feb 5th)
  • Abusing Google Chrome extension syncing for data exfiltration and C&C, (Thu, Feb 4th)
  • YARA v4.0.5, (Sat, Feb 6th)
    
    
• Danny Bradbury at SecTor 2021
  When Malware Developers Slip Up
  
  
• Jim Walter at SentinelLabs
  Zeoticus 2.0 | Ransomware With No C2 Required
  
  
• Sophos
  Agent Tesla amps up information stealing attacks
  
  
• Tony Lambert at “Where DFIR Meets IT”
  • Working with macOS DMG and PKG files on Linux
  • How Qbot Uses Esentutl
    
    
• Trend Micro
  • Finding and Decoding Multi-Step Obfuscated Malware
  • New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker
    
    
• VMRay
  Analyzing a DLL in a Sandbox: Speeding up Analysis of an APT Implant
  
  

MISCELLANEOUS

• Jessica Hyde at DFIR Training
  DFIR Review Year in Review
  
  
• N00b_H@ck3r
  Why I Think Security Blue Team’s BTL1 Certification is the Gold Standard for SOC Analysts
  
  
• Bill Stearns at Active Countermeasures
  Alternative DNS Techniques
  
  
• Olga Milishenko at Atola
  Imaging RAID 5 array with read errors on multiple drives
  
  
• Brett Shavers at DFIR Training
  Something new from DFIR Training for YOUR website or blog!
  
  
• Cellebrite
  Gain When You Train – Matt McFadden and Mike Anderson set out eight reasons why consistent digital training for police officers is so important
  
  
• Cisco’s Talos
  • Interview with a LockBit ransomware operator
  • A ransomware primer
    
    
• Danny Dodds
  Getting into Information Security.
  
  
• Digital Corpora
  • Please try the new corpora browser
  • Downloads has been transitioned from GMU to S3!
    
    
• Santosh Khadsare
  DIGITAL FORENSICS OLYMPIAD 2021
  
  
• DME Forensics
  Meet Nick
  
  
• 4n6lady
  • Digital Forensics Course Development — Phase 0
  • Digital Forensics Course Development — Phase 1
    
    
• Forensic Focus
  • iOS Screentine And Android Digital Wellbeing Apps
  • Oxygen Forensic Detective From Oxygen Forensics
  • Afrozulla Khan, Founder Of Nyayik Vigyan, Owner Of Forensic Science Application
  • New Version Of AccessData’s Software Expands Data Collection Capabilities From Off-Network Endpoints
  • Are You Looking To Get #DFIRfit In 2021?
    
    
• Grayshift
  Grayshift Introduces Android Support on GrayKey
  
  
• Jason Wilkins
  Walk, Don’t Run!@
  
  
• Kinga Kieczkowska
  My experience with CompTIA exams
  
  
• Lifars
  What Is Hash Function? What Is It Used For and Why Is It Important?
  
  
• Magnet Forensics
  • Announcing AXIOM Support for GrayKey Android Images: 
  • Meet the Magnet Forensics’ Training Team: Justin Almanza
  • Persistence with the Magnet AXIOM Cyber Agent
    
    
• Oxygen Forensics
  Analyze mobile devices data with your eDiscovery solution
  
  
• Red Canary
  Detecting WMI: Your top questions answered
  
  
• Ryan Campbell at ‘Security Soup’
  • Weekly News Roundup — January 24 to January 30
  • Weekly News Roundup — January 31 to February 6
    
    
• Ryan Chapman
  Is Incident Response experiencing a bubble?
  
  
• SANS
  Cyber Camp Winter 2020 – Important Notes from talks and workshops
  
  
• Trail of Bits
  PDF is Broken: a justCTF Challenge
  
  
• John Patzakis and Ashley Aranega
  The Reddit Evidence Hotbed: Three Important Tips for Reddit Web Investigations
  
  
• Xavier Mertens at /dev/random
  Network Flows Visualization With Nanoleaf Light Panels
  
  

SOFTWARE UPDATES

• Acelab
  Sign up for Free Webinar on Flash Data Recovery!
  
  
• Joe Security
  Joe Sandbox v31 – Emerald
  
  
• Belkasoft
  What’s new in Belkasoft X v.1.2
  
  
• CyberChef
  v9.24.4
  
  
• CyLR
  CyLR 2.2.0
  
  
• Elcomsoft
  iOS Forensic Toolkit 6.70: Full Support for iPhone 4, 5 and 5c
  
  
• Eric Zimmerman
  ChangeLog
  
  
• ExifTool
  ExifTool 12.17
  
  
• Nextron Systems
  THOR Seed v0.18 Improves Integration with Microsoft Defender ATP
  
  
• Volatility3
  Volatility 3 1.0.1
  
  
• Flynn Weeks at The What2Log Blog
  What2Log Update: Alder
  
  
• UCD Centre for Cybersecurity & Cybercrime Investigation
  The Freetool project
  
  
• MemProcFS
  Version 3.8
  
  
• Vound
  Intella 2.4.1 Release Notes
  
  
• Xways
  • X-Ways Forensics 20.1 SR-5
  • X-Ways Forensics 20.2 Preview 1
    
    
• YARA
  v4.0.5
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!