As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Angry-Bender’s blog house
  DFIR Playbook – Windows Forensics(WIP APR21)
  
  
• John Walther at Carpe Indicium
  Cleaner Office365 logs with Excel and Magnet Custom Artifact Generator
  
  
• Heather Mahalik at Cellebrite
  UFED Fundamentals Matter – You Asked, We Answered
  
  
• Dexter Morgan at Data Forensics
  How to Find Who Deleted Records in SQL Server? Perfect Workarounds
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Another Bad Example from CAI
  
  
• Forensafe
  • Investigating Dropbox
  • Investigating Windows System Resource Usage Monitor (SRUM)
    
    
• LIFARS Cybersecurity
  Collecting and Analyzing NetFlow for Incident Response
  
  
• Luu Justin
  iOS App Forensics — A Closer Look at The MySudo Privacy App
  
  
• Marco Fontani at Amped
  Metadata: So Useful But Not So Reliable
  
  
• Debojyoti Chakraborty at McAfee Labs
  Steps to Discover Hidden Threat from Phishing Email
  
  
• Mike Brewer at DFW Forensics
  Incident Response in the Cloud Part 2 – Azure
  
  
• Oxygen Forensics
  Not so private: extracting data from PrivateSpace
  
  
• Heather Mahalik, John Bair, Alexis, Brignoni, Stephen Coates, Mike Dickinson, Mattia Epifani, Jessica Hyde, Vladimir Katalov, Scott Koenig, Paul Lorentz, Christophe Poirier, Lee Reiber, Martin Westman, Mike Williamson, Ian Whiffin, and Oleg Skulkin
  Six Steps To Successful Mobile Validation
  
  
• Jorge Díaz at Security Art Work
  ¿Es importante el registro SID de Windows?
  
  
• The DFIR Report
  Trickbot Brief: Creds and Beacons
  
  
• Andrew Case at Volatility Labs
  Highlighting Research from the Next Generation of Memory Forensics Practitioners
  
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  • FTP.EXE Lolbin v2
  • Gup \o/ bin
  • Throwing LOLBIN a tar ball
  • Cur\o/bin
  • SleepStudy logs
  • Debug Environment Variable are \o/
  • Non-debugging uses of CDB
  • Beyond good ol’ Run key, Part 134
    
    
• Anastasios Pingios
  • Exploitation of data breaches for executive protection
  • Iran Cyber Operations Groups
    
    
• Anomali
  • Anomali Cyber Watch: HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targetting South Korean Orgs, Multiple Zero-Days and More
  • Anomali Cyber Watch: Microsoft Office SharePoint Servers Targeted with Ransomware, New Commodity Crypto-Stealer and RAT, Linux Backdoor Targeting Users for Years, and More
    
    
• Anton Chuvakin
  Not the Final Answer on NDR in the Cloud …
  
  
• Azure Sentinel
  • Automate Incident Assignment with Shifts for Teams
  • Azure Sentinel Side-by-Side with Splunk via EventHub
    
    
• Randy Pargman at Binary Defense
  Intruder Tactics: Privilege Escalation
  
  
• Cloud Security Alliance
  Cloud Incident Response Framework
  
  
• DeTTECT
  v1.4.3
  
  
• Tim Helming at DomainTools
  The Power of DNS OSINT in Detecting Supply Chain Compromises
  
  
• EclecticIQ
  Credentials and Cryptocurrency Are Targets of Recent Exploits
  
  
• Nick Richard and Dimiter Andonov at Fire Eye Threat Research
  The UNC2529 Triple Double: A Trifecta Phishing Campaign
  
  
• Group-IB
  • GrelosGTM group abuses Google Tag Manager to attack e-commerce websites
  • Connecting the Bots: Hancitor fuels Cuba Ransomware Operations
    
    
• Hamza Ouadia at Snorlax Security
  Detecting Lateral Movement via Service Configuration Manager
  
  
• InfoSec Write-ups
  Blue Team Operations [Part 2]: How To Investigate Malware Incidents as a SOC Analyst
  
  
• Intrusion Truth
  An APT with no name
  
  
• Leonardo M. Falcon
  • Hunting evil with Sysmon events and Jupyter Notebooks (Part 1 – Setup)
  • Hunting on Sysmon events with Jupyter Notebooks (Part 2 – Process Execution)
    
    
• Samuel Hassine at Luatix
  SEKOIA.IO Threat Intelligence in OpenCTI
  
  
• Malwar3ninja
  Check out @Malwar3Ninja’s tweet
  
  
• Mehmet Ergene
  The Hidden Problem that XDR has to Solve and Why You Should be Careful about XDR
  
  
• Michael Koczwara
  Cobalt Strike Hunting, Red Teams/Threat Actors TTP’s
  
  
• Microsoft Security
  • Incident Response Playbooks
  • Business email compromise campaign targets wide range of orgs with gift card scam
  • Business email compromise: How Microsoft is combating this costly threat
    
    
• MITRE Evaluations
  • OverWatch Threat Hunters Win the Race Against Carbanak in MITRE ATT&CK Evaluation
  • Stopping Carbanak+FIN7: How Microsoft led in the MITRE Engenuity® ATT&CK® Evaluation
    
    
• Owen at InSecurity
  Detecting Lateral Movement via WinRM Using KQL
  
  
• Palo Alto Networks
  • Detecting and Preventing Malicious Domains Proactively with DNS Security
  • File Transfer Threats: Risk Factors and How Network Traffic Visibility Can Help
    
    
• Sam Scholten And Crista Giering at Proofpoint
  BEC Taxonomy: Invoice Fraud
  
  
• Recorded Future
  China’s PLA Unit 61419 Purchasing Foreign Antivirus Products, Likely for Exploitation
  
  
• Red Alert
  SectorB Group’s Threat Landscape in 2020
  
  
• Justin Schoenfeld and Aaron Didier at Red Canary
  Rclone Wars: Transferring leverage in a ransomware attack
  
  
• RiskIQ
  TrickBot: Get to Know the Malware That Refuses to Be Killed
  
  
• Sergiu Sechel
  Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the…
  
  
• ShadowChasing1
  Check out @ShadowChasing1’s tweet
  
  
• Sophos
  • Using Sophos EDR to identify endpoints impacted by Dell kernel driver vulnerability CVE-2021-21551
  • Intervention halts a ProxyLogon-enabled attack
  • MTR in Real Time: Pirates pave way for Ryuk ransomware
  • New Lemon Duck variants exploiting Microsoft Exchange Server
    
    
• Symantec Enterprise
  Multi-Factor Authentication: Headache for Cyber Actors Inspires New Attack Techniques
  
  
• Tetra Defense
  Cause and Effect: SunCrypt Ransomware Analysis
  
  
• Trend Micro
  • MITRE ATT&CK for Containers: Why It Matters
  • Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party
    
    
• Mattias Wåhlén at Truesec
  Are The Notorious Cyber Criminals Evil Corp actually Russian Spies?
  
  
• Corsin Camichel at Vulnerability.CH
  Introducing COLT – Compromise to Leak Time
  
  
• Zach Stanford
  Stats from Hunting Cobalt Strike Beacons
  
  

UPCOMING EVENTS

• Binalyze
  Enterprise Forensics – An introduction to Binalyze AIR & Drone
  
  
• Cellebrite
  • Episode 15: I Beg to DFIR – LIVE
  • All about MyCellebrite Customer Portal
    
    
• Elan at DFIR Diva
  DFIR Related Events for Beginners – May, 2021
  
  
• Magnet Forensics
  • Ongoing: Magnet Virtual Summit
  • MVS Keynote: A Fireside Chat with Brian Krebs
    
    

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.49 – Jad Saliba & Geoff MacGillivray
  
  
• Chapin Bryce
  This Month In 4n6 – April – 2021
  
  
• AhmedS Kasmani
  Extract Comrat Malware Dll’s from Powershell Dropper
  
  
• Black Hills Information Security
  • BHIS | Talkin’ Bout News 2021-05-03
  • BHIS | Talkin’ Bout News 2021-05-05
    
    
• Breaking Badness podcast
  84. Take a Payload Off
  
  
• Bret Witt
  • SOC103 EventID: 65 (Malicious APK Detected) [Feb. 22, 2021, 11:11 a.m.]
  • SOC128 EventID: 62 (Malicious File Upload Attempt) [Feb. 22, 2021, 4:31 p.m.]
  • SOC102 EventID: 66 (Proxy – Suspicious URL Detected) [Feb. 22, 2021, 8:36 p.m.]
    
    
• Chewing the FAT
  Episode 1
  
  
• Cybereason
  Malicious Life Podcast: China’s Unrestricted Cyberwarfare Part 1
  
  
• Data Rescue Labs
  • Digital Forensics – What you need to know. Part 1
  • Digital Forensics – What you need to know. Part 2
    
    
• Digital Forensic Survival Podcast
  DFSP # 272 – 4688
  
  
• FIRST
  2021 FIRST Special Interest Group (SIG) Update Webinars – Thursday May 6
  
  
• Gerald Auger at Simply Cyber
  • Want a Cyber Job and Have No IT Background?(Get it Now, Free!)
  • Vets into Cybersecurity with No Experience!
    
    
• John Hubbard at ‘The Blueprint podcast’
  • Blueprint Podcast Presents: Ask Us Anything – Live Q&A with Blue Team Instructors 4/30/2021
  • Chris Baker: Get A Handle On Your Vulnerabilities
  • Ask Us Anything! Cyber Defense Live Q&A #2 –  05/07/2021
    
    
• Lee Reiber’s Forensic Happy Hour
  Oxygen Forensics Episode 208
  
  
• Magnet Forensics
  • Magnet Forensics: Dedicated to Helping Keep Companies and Communities Safe
  • Magnet AXIOM 5.0: Our Most Comprehensive and Flexible Version of AXIOM Ever
  • Search for Keywords Post-Processing in Magnet AXIOM
  • The All-New Media Explorer in Magnet AXIOM 5.0
  • Magnet AXIOM Cyber 5.0: Linux Support and Other Great Improvements
    
    
• Positivity Blue Team
  Lets Talk About Mental Health
  
  
• Recorded Future
  Navigating the Travel Industry with Threat Intelligence
  
  
• Velocidex Enterprises
  • Topic 01 Velociraptor Installation and Overview
  • Topic 02 VQL Fundamentals Pt 1
  • Topic 03 VQL Fundamentals Pt 2
  • Topic 04 Forensic Analysis Pt 1
    
    

MALWARE

• Alex Turing at 360 Netlab
  RotaJakiro, the Linux version of the OceanLotus
  
  
• Apr4h
  Manually Unpacking Remcos Malware
  
  
• Bogdan Vennyk
  Zero2Automated —  Custom Sample analysis
  
  
• Chuong Dong
  Darkside Ransomware
  
  
• CISA Analysis Reports
  • FiveHands Ransomware
  • MAR-10324784-1.v1: FiveHands Ransomware
    
    
• Caitlin Huey, Andrew Windsor, and Edmund Brumaghin at Cisco’s Talos
  Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs
  
  
• Cofense
  • Phishing Victims’ Initiative Exploited by BazarBackdoor Campaigns in Attempts to Avoid Detection
  • OneDrive’s Cloud Service Abused to Slip Malicious Links Past SEG
    
    
• Dylan Barker
  Malware Analysis Techniques: Tricks for the triage of adversarial software
  
  
• GoggleHeadedHacker
  Sodinokibi Ransomware Analysis
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #38: Hex view
  
  
• Mahmoud Morsy
  • Phishing Attacks 3_5_2021
  • Phishing Attacks 5_5_2021
  • NanoCore Malware
  • Phishing Attacks 6_5_2021
  • Phishing Attacks 7_5_2021
  • Phishing Attacks 8_5_2021
    
    
• Marco Ramilli
  MuddyWater: Binder Project (Part 2)
  
  
• Nadav Lorber at Morphisec
  Revealing the ‘Snip3’ Crypter, a Highly Evasive RAT Loader
  
  
• NCC Group Research
  RM3 – Curiosities of the wildest banking malware
  
  
• Nikhil Rathor at 0xthreatintel
  Unit180 (Lazarus) targets Japan!
  
  
• Omri Segev Moyal at ProferoSec
  Cuba Ransomware Group on a Roll
  
  
• Proofpoint
  New Variant of Buer Loader Written in Rust
  
  
• Chris Hoff at ReversingLabs
  It only takes one line of code to ruin your day
  
  
• SANS Internet Storm Center
  • PuTTY And FileZilla Use The Same Fingerprint Registry Keys, (Sun, May 2nd)
  • May 2021 Forensic Contest, (Wed, May 5th)
  • Quick and dirty Python: masscan, (Tue, May 4th)
  • Alternative Ways To Perform Basic Tasks, (Thu, May 6th)
  • Exposed Azure Storage Containers, (Fri, May 7th)
    
    
• Mark Lechtik and Giampaolo Dedola at Securelist
  Operation TunnelSnake: formerly unknown rootkit used to secretly control networks of regional organizations
  
  
• David Bisson at Security Intelligence
  What is Ghimob Malware?
  
  
• Monte de Jesus, Fyodor Yarochkin, and Paul Pajares at Trend Micro
  New Panda Stealer Targets Cryptocurrency Wallets
  
  
• Lloyd Macrohon and Rodel Mendrez at Trustwave SpiderLabs
  Pingback: Backdoor At The End Of The ICMP Tunnel
  
  
• Joshua Platt and Jason Reaves at Walmart
  BuerLoader Updates
  
  
• Jon Paterson at Zimperium
  Flubot vs. Zimperium
  
  
• Aniruddha Dolas, Mohd Sadique, and Manohar Ghule at ZScaler
  Catching RATs Over Custom Protocols
  
  

MISCELLANEOUS

• Andreas Sfakianakis at ‘Tilting at windmills’
  ENISA’s Ad-Hoc Working Group on Cyber Threat Landscapes
  
  
• Berla
  iVe 3.2 Feature Spotlight: Enhanced Tag Reports
  
  
• Cyberwox Academy
  • Splunk 7.x Fundamentals Part 1
  • Blue Team Junior Analyst Course Review
    
    
• David Stenhouse at Data Mutz
  Running a One-Person Business – 5 Things I Have Learned
  
  
• Df challenge
  Digital Forensics Challenge 2021
  
  
• Jess Garcia at DS4N6
  [BLOG]  DS4N6 – The Road So Far – Part I, by  Jess Garcia
  
  
• Olga Koksharova at Elcomsoft
  Our Guidelines For The World Password Day
  
  
• Esentire
  Five Common Mistakes to Avoid in Digital Forensics and Incident Response (IR)
  
  
• Forensic Focus
  • Farid Emrani, President & CEO, Logicube
  • How To Improve Videos And Images Using MD-VIDEO
  • Register For Webinar: Enterprise Forensics – An Introduction To Binalyze AIR And DRONE
  • What The Tech? Using FTK Imager
    
    
• LockBoxx
  NCCDC 2021 Red Team Review
  
  
• Magnet Forensics
  • Linux Support and Other Great Improvements in Magnet AXIOM Cyber 5.0
  • Run Magnet AXIOM Cyber in Microsoft Azure
  • The All-New Media Explorer in Magnet AXIOM 5.0
  • Search for Keywords Post-Processing in Magnet AXIOM
  • Process Evidence up to 50% Faster* with AXIOM and AXIOM Cyber 5.0
  • 6 New Linux Artifacts and Why They Matter
    
    
• Mary Ellen Kennel at ‘What’s A Mennonite Doing In Manhattan?!’
  InfoSec101 CheatSheet
  
  
• Reddit
  Arbitrary code execution found in ExifTool. Make sure to update to 12.24+
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — April 25 to May 1
  
  
• SANS
  • List of Resource Links from SANS New to Cyber Summit 2021
  • SANS ICS Hot Take: Cloud Security Transcript
  • SANS DFIR Stay Sharp Courses – Same quality, less time, targeted skill training
    
    

SOFTWARE UPDATES

• Andrew Oliveau
  BeaconHunter
  
  
• Berla
  iVe Software v3.2 Release
  
  
• Binalyze
  IREC Version 2.6.2
  
  
• Brian Maloney
  SEPparser Released
  
  
• Cellebrite
  Cellebrite Pathfinder v8.6 delivers significant progress towards enterprise readiness, scalability, and process performance improvements.
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Intaforensics
  Lima V2.9: The Birth, Evolution & Futureproofing Of Forensic Case Management
  
  
• JPCERT
  LogonTracer v1.5.3
  
  
• mac_apt
  20210506
  
  
• Magnet Forensics
  Magnet AXIOM 5.0: Our Most Comprehensive and Flexible Version of AXIOM Ever
  
  
• Metaspike
  Forensic Email Collector (FEC) Changelog
  
  
• Mihari
  v2.3.1
  
  
• MSAB
  XRY 9.4.2
  
  
• OpenText
  Tableau Firmware Update Revision History for 21.2
  
  
• Xways
  X-Ways Forensics 20.3 Preview 3
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!