As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  iOS Forensics: how to perform a logical acquisition with libimobiledevice
  
  
• Ashley Pearson
  Volatility 3 Cheatsheet
  
  
• Doug Metz at Baker Street Forensics
  Collecting from Microsoft Teams using PowerShell
  
  
• Jess Garcia at DS4N6
  [BLOG]  DS4N6 – The Road So Far – Part II, by  Jess Garcia
  
  
• Forensafe
  • Windows Wireless Networks
  • Investigating Clubhouse
  • Investigating iCloud
    
    
• The DFIR Report
  Conti Ransomware
  
  
• Vignesh Mudliar at 4sysops
  Tracing emails in Microsoft 365 with PowerShell
  
  

THREAT INTELLIGENCE/HUNTING

• Advanced Intelligence
  From Dawn to “Silent Night”: “DarkSide Ransomware” Initial Attack Vector Evolution
  
  
• Anomali
  • Rise of the Chief Intelligence Officer (CINO)
  • Anomali Cyber Watch: Cozy Bear TTPs, Darkside Ransomware Shuts Down US Pipeline, Operation TunnelSnake Uses New Moriya Rootkit, and More
  • Threat Actors Use MSBuild to Deliver RATs Filelessly
    
    
• Anton Chuvakin
  SOC Trends ISACA Webinar Q&A
  
  
• Awake Security
  Catching the White Stork in Flight
  
  
• Azure Sentinel
  • What’s New: Azure Sentinel – SOC Process Framework Workbook
  • What’s new: Incident Team – collaborate in Microsoft Teams
  • What’s new: Hunting dashboard refresh
  • What’s New: Fusion Advanced Multistage Attack Detection Scenarios with Scheduled Analytics Rules
  • What’s new: IP entity page
    
    
• BI.Zone
  From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s…
  
  
• Pablo Ambite at BlackArrow
  Leveraging Microsoft Teams to persist and cover up Cobalt Strike traffic
  
  
• Blue Team Blog
  DarkSide Ransomware Operations – Preventions and Detections.
  
  
• Mike Behrmann at Blumira
  Incident Response Guide For Ransomware Attacks
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2021-05-14 – Email attachment from 10 days prior still pushing Urnsif (Gozi/ISFB)
  • 2021-04-29 – TA551 (Shathak) pushes IcedID (Bokbot)
  • 2021-04-28 – TA551 (Shathak) pushes Ursnif (Gozi/ISFB)
  • 2021-05-13 – Hancitor infection with Ficker Stealer and Cobalt Strike
    
    
• Censys
  Censys Search 2.0 Beta Announcement
  
  
• Check Point Research
  • 10th May – Threat Intelligence Report
  • The New Ransomware Threat: Triple Extortion
  • April 2021’s Most Wanted Malware: Dridex Remains in Top Position Amidst Global Surge in Ransomware Attacks
    
    
• CISA
  Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise
  
  
• Cisco’s Talos
  • Transparent Tribe APT expands its Windows malware arsenal
  • Threat Roundup for May 7 to May 14
    
    
• Cofense
  • Pipeline Phishing
  • HTML Phishing Email Opens the Door for Threat Actors
  • DARKSIDE Ransomware Operations Abuse Trusted Platforms
    
    
• CrowdStrike
  Response When Minutes Matter: Rising Up Against Ransomware
  
  
• Csaba Fitzl at ‘Theevilbit’
  Beyond the good ol’ LaunchAgents – 15 – xsanctl
  
  
• Dr. Brian Carrier at Cyber Triage
  Cyber Triage 2.14.4 – Detect Exchange WebShells
  
  
• Cybereason
  • Inside the DarkSide Ransomware Attack on Colonial Pipeline
  • Defining XDR from an MSSP Perspective
  • Ransomware Attacks are Evolving – Is Your SOC Ready?
  • Solving the Ransomware Crisis
    
    
• Cyberint
  Colonial Pipeline Incident
  
  
• TIm Helmin and John Conwell at DomainTools
  Domain Blooms: Identifying Domain Name Themes Targeted By Threat Actors
  
  
• Mike Hoffman and Dr. Tom Winston at Dragos
  Recommendations Following the Colonial Pipeline Cyber Attack
  
  
• EclecticIQ
  Phishing Emails Impersonate Maritime Industry in Likely BEC Campaign
  
  
• Esentire
  • DLTMiner campaign targeting on-premise Microsoft Exchange servers using common IOCs
  • DOUBLEDROP Global Phishing Campaign
  • The Dark Side of the
    
    
• Callum Roxan and Sami Ruohonen at F-secure
  Prelude to Ransomware: SystemBC
  
  
• Jordan Nuce, Jeremy Kennelly, Kimberly Goody, Andrew Moore, Alyssa Rahman, Matt Williams, Brendan McKeague, and Jared Wilson at Fire Eye Threat Research
  Shining a Light on DARKSIDE Ransomware Operations
  
  
• Flashpoint
  • DarkSide Ransomware Links to REvil Group Difficult to Dismiss
  • DarkSide Ransomware Group Faces XSS Ban, Servers Seized
    
    
• Fortinet
  • Protecting Critical Infrastructure: Colonial Pipeline, DarkSide, and Ransomware
  • Offensive Defense: Using Deception Against Ransomware Attacks
    
    
• Drew Schmitt at GuidePoint Security
  From ZLoader to DarkSide: A Ransomware Story
  
  
• HP Wolf Security
  Announcing HP Wolf Security, and a New Report Assessing Remote Working Cyber Risks
  
  
• InfoSec Write-ups
  SPYSE — Not Your Regular Internet Search Engine
  
  
• InQuest
  Dive Into Cobalt Strike
  
  
• Intezer
  7 Most Important AWS Security Tools
  
  
• Intrusion Truth
  Who is Mr. Zhao?
  
  
• Jason Trost at Covert.io
  Seven Short Links of Dictionary DGA Detection
  
  
• Scythe
  • SCYTHE Presents: Backdoors and Breaches Expansion Deck
  • SCYTHE Presents: The Difference Between Cybersecurity Simulation vs Cybersecurity Emulation
  • SCYTHE Presents: #ThreatThursday – DarkSide Ransomware
  • SCYTHE Presents: Why assume breach?
    
    
• Devon Ackerman, Josh Mitchell, and Mario Ciccarelli at Kroll
  EPHEMERAL LOCKPICKER: Malware Leveraged for Novel Intrusion Lifecycle and LuckyDay Ransomware Delivery
  
  
• Raj Samani and Christiaan Beek at McAfee Labs
  DarkSide Ransomware Victims Sold Short
  
  
• McHugh Security
  • Using the Course of Action Taxonomies in MISP
  • Using the Data Classification Taxonomies in MISP
  • Using the Estimative Language Taxonomy in MISP
    
    
• Mehmet Ergene
  Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised Machine Learning and…
  
  
• Microsoft 365 Security
  • Analyzing Active Directory configuration with Azure Data Explorer
  • Using Microsoft Defender for Endpoint during investigation
  • How to roll out Microsoft LAPS via GPO and use the rid-500 account?
    
    
• Arnold Osipov at Morphisec
  AHK RAT Loader Used in Unique Delivery Campaigns
  
  
• Ramarcus Baylor at Palo Alto Networks
  DarkSide Ransomware Gang: An Overview
  
  
• Pat H at pat_h/to/file
  Gaining Threat-Intelligence the dodgy way
  
  
• PC’s Xcetra Support
  More on Yara And Building Rules
  
  
• Pukhraj Singh
  The SolarWinds hack pokes holes in Defend Forward – Observer Research Foundation
  
  
• ReaQta
  MITRE ATT&CK Carbanak+FIN7 Evaluation: ReaQta-Hive Achieves 100% Detection Coverage across the Cyber Kill Chain Autonomously and in Real-Time
  
  
• Rory Wagner
  • You’ve been hit, popped or breached?
  • PowerShell History
    
    
• Dmitry Galov, Leonid Bezvershenko, and Ivan Kwiatkowski at Securelist
  Ransomware world in 2021: who, how and why
  
  
• Secureworks
  Ransomware Groups Use Tor-Based Backdoor for Persistent Access
  
  
• Cisco
  • Threat Explainer: Supply Chain Attacks
  • New Firepower Forensic Guides Announced
    
    
• Limor Kessem at Security Intelligence
  Shedding Light on the DarkSide Ransomware Attack
  
  
• SentinelOne
  Meet DarkSide and Their Ransomware – SentinelOne Customers Protected
  
  
• Sophos
  • A defender’s view inside a DarkSide ransomware attack
  • IPs that Are Malicious Together, Stay Together
    
    
• Stefan Grimminck
  The implications of neglecting IPv6 on your internet facing services
  
  
• Teri Radichel
  Colonial Pipeline Hack
  
  
• Trend Micro
  What We Know About Darkside Ransomware and the US Pipeline Attack
  
  
• Drew Kirkpatrick at TrustedSec
  Simple Data Exfiltration Through XSS
  
  
• VirusTotal
  • Context is king (part I) – Crowdsourced Sigma rules
  • Compliant, easy and actionable integration of VirusTotal in 3rd-party products – Welcome VT Augment
    
    
• We are OSINTCurio.us
  Searching with Shodan
  
  
• ZScaler
  • ThreatLabZ Ransomware Review: The Advent of Double Extortion
  • Magecart Attacks in 2021
    
    

UPCOMING EVENTS

• Association of Corporate Investigators
  How a Digital Detective Approach can enhance your Investigation
  
  
• Cellebrite
  • Part 1: On-The-Scene Computer Triage Simplified: Helping You Effectively Tackle Cases
  • Part 2: Leverage Key Capabilities to Surface Digital Intelligence From Windows PC Artifacts
  • Part 3: Advanced macOS artifacts – Understand and Analyze Unified Logs and KnowledgeC with Inspector
    
    
• Israel Barak and Jason Forcht at Cybereason
  Webinar: Cybereason vs. DarkSide Ransomware
  
  
• Austin Jackson and Eric Sigman at Cyborg Security
  Thinking Like a Threat Actor, Pt. 2
  
  
• Jeff McJunkin
  Top Active Directory Attacks: Understand, then Prevent and Detect
  
  

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.50 – Special 50th Episode
  
  
• A Conference for Defense
  3 2 A Novel SIEM Solution That Doesn’t Cost an Arm and a Leg
  
  
• Archan Choudhury at BlackPerl
  Best Tools for Forensic Data Acquisition | MagnetRam, FTK Imager, Dumpit | Windows Forensics
  
  
• Black Hat
  • Faking a Factory: Creating and Operating a Realistic Honeypot
  • What the Log?! So Many Events, so Little Time…
    
    
• Black Hills Information Security
  • BHIS | Talkin’ Bout News 2021-05-10
  • BHIS | EMERGENCY WEBCAST: OK, let’s talk about ransomware… With John Strand | 1-Hour
  • Webcast: Ok, Let’s Talk About Ransomware
  • BHIS | Your Free and Open Source EDR Options! | John Strand | 1 Hour
  • Talkin’ About Infosec News – 5/10/2021
    
    
• Breaking Badness podcast
  85. Vulnerabilities Are An Endless Cycle
  
  
• Bret Witt
  • SOC133 EventID: 69 (Suspicious Request to New Registered Domain) [Feb. 28, 2021, 7:57 p.m.]
  • SOC125 EventID: 58 (Suspicious Rundll32 Activity) [Feb. 14, 2021, 12:13 p.m.]
  • SOC127 EventID: 60 (SQL Injection Detected) [Feb. 14, 2021, 1:05 p.m.]
    
    
• Digital Forensic Survival Podcast
  DFSP # 273 – CSA Cloud Threats 3
  
  
• Gerald Auger at Simply Cyber
  Cybersecurity Thought Leader (John Strand dropping knowledge)
  
  
• John Hubbard at ‘The Blueprint podcast’
  Josh Johnson: PowerShell for the Blue Team
  
  
• Kovar & Associates
  Understanding CUAS
  
  
• Positivity Blue Team
  Mythical Malware Analysis
  
  
• Recorded Future
  Malware Party Tricks and Cybersecurity Trends
  
  
• SANS Institute
  • Ransoming Critical Infrastructure: Ransomware Attack on Colonial Pipeline  – SANS Emergency Webcast
  • Ransoming Critical Infrastructure: Colonial Pipeline – Snippet from SANS Emergency Webcast
    
    
• The Digital Forensics Files Podcast
  Jessica Hyde of Magnet Forensics Joins Tyler Hatch of DFI Forensics
  
  

MALWARE

• 0day in {REA_TEAM}
  Quick analysis note about DealPly (Adware)
  
  
• 4rchib4ld Victory Road
  Tomorrow night ? Honeymoon on Ice(loader) ?
  
  
• Adepts of 0xCC
  A physical graffiti of LSASS: getting credentials from physical memory for fun and learning
  
  
• Malwarebytes Labs
  • Avaddon ransomware campaign prompts warnings from FBI, ACSC
  • Threat spotlight: DarkSide, the ransomware used in the Colonial Pipeline attack
  • Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity
  • Why MITRE ATT&CK matters—Choosing alert quality over quantity
  • iPhone calendar spam attacks on the rise
    
    
• Nikhil Rathor at 0xthreatintel
  In depth analysis of Stop Ransomware
  
  
• Jeroen Beckers at NVISO Labs
  Android overlay attacks on Belgian financial applications
  
  
• SANS Internet Storm Center
  • Who is Probing the Internet for Research Purposes?, (Sat, May 8th)
  • Correctly Validating IP Addresses: Why encoding matters for input validation., (Mon, May 10th)
  • Number of industrial control systems on the internet is lower then in 2020…but still far from zero, (Wed, May 12th)
  • “Open” Access to Industrial Systems Interface is Also Far From Zero, (Fri, May 14th)
    
    
• Shaquib Izhar
  Malware analysis (Part2) — Digital forensic of malicious files
  
  
• Jagadeesh Chandraiah, Pankaj Kohli, Xinran Wu, and Szabolcs Lévai at Sophos
  Fake Android and iOS apps disguise as trading and cryptocurrency apps
  
  
• Verizon
  2021 Data Breach Investigations Report
  
  
• VMRay
  Threat Bulletin: Exploring the Differences and Similarities of Agent Tesla v2 & v3
  
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 5/8/2021
  
  
• Belkasoft
  Belkasoft X review by Pablo Croci
  
  
• Ben Bornholm at HoldMyBeer
  Getting started with Autopsy multi-user cluster
  
  
• Amina Zilic at Binalyze
  Introducing DRONE: A Revolutionary Approach to Remote Forensics and Compromise Assessment.
  
  
• BushidoToken
  CTI-Lexicon
  
  
• Cyber 5W course release
  Cyber 5W
  
  
• Elan at DFIR Diva
  Get Your Start Careers Just Launched!
  
  
• Erik Hjelmvik at Netresec
  Running NetworkMiner in Windows Sandbox
  
  
• Forensic Focus
  • DRONE: A Revolutionary Approach To Remote Forensics And Compromise Assessment
  • The Integrated Future Of Mobile Forensics
  • The GrayKey Difference: Logical vs File System
  • Announcing Binalyze DRONE — Calling All Beta Testers
    
    
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #39: Export Data
  
  
• Joshua James
  Welcome to the Africa Digital Forensics CTF
  
  
• Justin Kohler at SpecterOps
  BloodHound Enterprise vs. BloodHound Open-Source
  
  
• Marco Fontani at Amped
  Wrapping Up Video Evidence Pitfalls: Now You Know What You Didn’t Know
  
  
• SANS
  • SANS ICS Site Visit Plan
  • FOR528: Ransomware for Incident Responders – New DFIR Course Coming Soon
  • Cut Through the Noise: Ransomware – What to Communicate to Your Workforce
  • Ransomware: Leadership Perspective
  • Introduction to ICS Security
    
    
• Sophos
  How the Sophos Managed Threat Response team helped put a dangerous online sextortionist behind bars for 75 years
  
  
• Lesley Carhart
  Reasonable IR Team Expectations
  
  
• Vadim Sedletsky at CyberArk
  Opportunistic vs. Targeted Ransomware Attacks
  
  
• John Patzakis at X1
  X1 Social Discovery Case Law Update
  
  
• Yulia Samoteykina at Atola
  The Story of TaskForce in 11 Acts
  
  

SOFTWARE UPDATES

• Alexis Brignoni at ‘Initialization Vectors’
  CLEAPP it! – ChromeOS Logs Events And Protobuf Parser
  
  
• DME Forensics
  DVR Examiner 3.0.2 is now available!
  
  
• F-Response
  Newest F-Response (CE, CE+C, EE, Univ) release now with Cloud Browsing
  
  
• Forensafe
  ArtiFast Clubhouse Artifact Parser
  
  
• Geoffrey Czokow at Hex Rays
  Announcing version 7.6 for IDA Freeware!
  
  
• iNPUT-ACE
  iNPUT-ACE Version 2.6.2
  
  
• James Duffy
  Delta
  
  
• mac_apt
  20210512
  
  
• Martin Willing
  MemProcFS-Analyzer
  
  
• Medex Forensics
  Medex
  
  
• Mihari
  v2.4.0
  
  
• Velociraptor
  Release 0.5.9
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!