As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  iLEAPP: an iOS logs, events, and plists parser
  
  
• Angry-Bender’s blog house
  Negative Decimal DWORD to Human Format
  
  
• Belkasoft
  Belkasoft CTF May 2021: Write-up
  
  
• Elcomsoft
  • A Tale of One iPhone Backup Password
  • The File System Dirty Bit
  • Guide: Forensically Sound Extraction of iPhone 5s, 6, 6s and SE with checkm8 Exploit
  • Forensically Sound checkm8 Based Extraction of iPhone 5s, 6, 6s and SE
    
    
• Forensafe
  • Investigating Microsoft Edge Web Browser and Application
  • Investigating Edge Chromium Web Browser
  • Investigating Prefetch
    
    
• Joshua Hickman at ‘The Binary Hick’
  The State of Android Health Data (Part 1) – Garmin
  
  
• Journal of Cyber Forensics and Advanced Threat Investigations
  Vol 2, No 1 (2021)
  
  
• Magnet Forensics
  How Are You Preparing Your Lab for Chromebook Acquisition and Analysis?
  
  
• Mattia Epifani at Zena Forensics
  Oh no! I have a wiped iPhone, now what?
  
  
• Peter Stewart
  Protected: Hack The Box – emo (Forensics Challenge)
  
  
• SANS
  Six Steps to Mobile Validation – Working Together for the Common Good
  
  

THREAT INTELLIGENCE/HUNTING

• 360 Total Security
  DarkSide’s Targeted Ransomware Analysis Report for Critical U.S. Infrastructure
  
  
• Vignesh Mudliar at 4sysops
  • Microsoft 365 Threat Explorer: Finding malicious emails
  • Taking action in Microsoft 365 Threat Explorer
    
    
• Adam at Hexacorn
  BYOT – Bring Your Own Telemetry
  
  
• Crane Hassold at Agari
  Cyber Threat Intelligence: How to Stay Ahead of Threats
  
  
• Anomali
  Anomali Cyber Watch: Microsoft Azure Vulnerability Discovered, MSBuild Used to Deliver Malware, Esclation of Avaddon Ransomware and More
  
  
• Mihai Neagu, Stefan Octavian Trifescu, George Mihali, and Aron Radu at Bitdefender Labs
  New WastedLoader Campaign Delivered Through RIG Exploit Kit
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2021-05-20 – Hancitor with Ficker Stealer, Cobalt Strike, and netping tool
  • 2021-05-21 – Racoon Stealer
  • 2021-05-21 – Qakbot (Qbot) infection with Cobalt Strike
  • 2021-05-18 – Quick post: Qakbot (Qbot) infection with Cobalt Strike
    
    
• Cado Security
  AWS and Azure: What’s the Security Difference?
  
  
• Check Point Research
  17th May – Threat Intelligence Report
  
  
• Cisco’s Talos
  • Case Study: Incident Response is a relationship-driven business
  • Threat Roundup for May 14 to May 21
    
    
• Corelight
  • Introducing the C2 Collection and RDP inferences
  • C2 detections, RDP insights and NDR at 100G
  • Introducing RDP Inferences
    
    
• CrowdStrike
  • CrowdStrike Falcon Detects Kernel Attacks Exploiting Vulnerable Dell Driver (CVE-2021-21551)
  • Modernize Log Monitoring to Accelerate Digital Transformation
  • Response When Minutes Matter: When Good Tools Are Used for (R)Evil
  • What Is Detection Engineering? Understanding the Detection Engineering Life Cycle
  • Where Is the Cyber Insurance Market Going?
    
    
• Eric Sun at Cyberason
  Evaluating XDR Against EDR, SIEM and SOAR Solutions
  
  
• Cyberint
  • Raccoon Stealer
  • Avaddon Ransomware Attack Hits AXA Philippines, Malaysia, Thailand and Hong Kong
    
    
• Daniel Miessler
  Analysis of the 2021 Verizon Data Breach Report (DBIR)
  
  
• Brianna Leddy at Darktrace
  Double extortion ransomware
  
  
• Bernard Brode at DomainTools
  COVID-19 Has Changed DNS Attacks. Here’s How.
  
  
• Dragos
  • When Intrusions Don’t Align: A New Water Watering Hole and Oldsmar
  • May 2021 Knowledge Pack Released
    
    
• DS4N6
  • [BLOG]  Threat Hunting with ML – Part 1 – Hunting for Anomalies, by  Jess Garcia
  • [BLOG]  Threat Hunting with AI – Multi-part Blog Post Series, by  Jess Garcia
  • [BLOG]  Threat Hunting with AI – Part 2 – Detecting the Solarwinds/Sunburst Campaign, by  Jess Garcia
    
    
• EclecticIQ
  Ransomware Is Everywhere, It Seems
  
  
• Apoorva Joshi, Disha Dasgupta, Craig Chamberlain at Elastic
  ProblemChild: Detecting living-off-the-land attacks using the Elastic Stack
  
  
• David Finger at Fortinet
  FortiEDR Stands Out in MITRE Engenuity’s ATT&CK Evaluations
  
  
• Intrusion Truth
  Epilogue
  
  
• Keysight
  • Using public cloud? Why you need cloud visibility.
  • A Quick Look into Clubhouse’s Network Traffic
  • Playing Russian Roulette with a Russian Keyboard
    
    
• Luis Rocha at ‘Count Upon Security’
  FireEye Endpoint Security (HX) – Supplementary Tools
  
  
• McHugh Security
  Using the workflow taxonomy in MISP
  
  
• Mehmet Ergene
  Enterprise Scale Threat Hunting: Network Beacon Detection with Unsupervised ML and KQL — Part 2
  
  
• Microsoft 365 Security
  • How to deploy Sysmon and MMA Agent to receive logs in Azure Sentinel?
  • How to hunt for LDAP reconnaissance within M365 Defender?
    
    
• Microsoft Security
  • Mitigate OT security threats with these best practices
  • Protecting SAP applications with the new Azure Sentinel SAP threat monitoring solution
  • Phorpiex morphs: How a longstanding botnet persists and thrives in the current threat environment
  • SimuLand: Understand adversary tradecraft and improve detection strategies
    
    
• Neil Fox at Varonis
  YARA Rules Guide: Learning this Malware Research Tool
  
  
• Palo Alto Networks
  • BazarCall: Call Centers Help Spread BazarLoader Malware
  • Breaking Down Ransomware Attacks
    
    
• Penetration Testing Lab
  Persistence – AMSI
  
  
• Sam Scholten and Crista Giering at Proofpoint
  BEC Taxonomy: Payroll Redirects
  
  
• Andrew Cook at Recon InfoSec
  An Encounter With TA551/Shathak
  
  
• Red Alert
  SectorC Group’s Threat Landscape in 2020
  
  
• Matt Graeber at Red Canary
  Tales from decrypt: Differentiating decryptors from ransomware
  
  
• RiskIQ
  DarkSide is Standing Down, But Its Affiliates Live On
  
  
• Security Art Work
  (Ciber) Inteligencia (V): Evaluación y difusión
  
  
• Sophos
  • Splunk integration for Sophos Firewall
  • The Active Adversary Playbook 2021
    
    
• Teymur Kheirkhabarov and Anton Medvedev at Bi.Zone
  Hunting for persistence via Exchange and Outlook capabilities
  
  
• David Fiser and Alfredo Oliveira at Trend Micro
  TeamTNT’s Extended Credential Harvester Targets Cloud Services, Other Software
  
  
• Tyranid’s Lair
  Dumping Stored Credentials with SeTrustedCredmanAccessPrivilege
  
  
• Siddartha Sharma and Ashwin Vamshi at Uptycs
  Discovery of Simps Botnet leads ties to Keksec group
  
  
• Verizon
  Silver Sparrow and the Mysterious Insu File: Findings From Paranoid Telemetry
  
  
• Luigi Martire and Luca Mella at Yoroi
  A Lesson Learned from the Exchange Attack Waves
  
  

UPCOMING EVENTS

• Belkasoft
  [WEBINAR] Extracting and Analyzing Wickr App across Various Computer and Mobile Platforms using Belkasoft X
  
  
• John Sowden at Cellebrite
  Chat Capture: Add Unsupported Chats to Your Investigation
  
  
• Allie Mellen, Israel Barak, and Sam Curry at Cybereason
  Webinar: XDR or EDR: How Should Your SOC Choose?
  
  
• Microsoft and KPMG
  Automating Incident Response in Azure featuring KPMG
  
  
• Objective by the Sea
  Call for Papers
  
  

PRESENTATIONS/PODCASTS

• The Forensic Lunch with Dave Cowen and Matt Seyer
  Forensic Lunch 5/21/21 Magnet User Summit 2021!
  
  
• AhmedS Kasmani
  Malware Analysis: Agent Tesla Part 1/2 Extraction of final payload from dropper.
  
  
• Archan Choudhury at BlackPerl
  Linux Memory Capture and Analysis | Volatility Tutorial  for Linux Memory Forensics
  
  
• Black Hat
  The Hunt for Major League IoT-ICS Threats: A Deep Dive into IoT Threat Terrain
  
  
• Black Hills Information Security
  • BHIS | Talkin’ Bout News 2021-05-17
  • Webcast: Your Free and Open Source EDR Options!
  • BHIS | Backdoors & Breaches LIVE! – 2021-05-19
    
    
• Breaking Badness podcast
  86. A Pain in the Gas
  
  
• Bret Witt
  • SOC101 EventID: 87 (Phishing Mail Detected) [April 4, 2021, 11 p.m.]
  • SOC143 EventID: 90 (Password Stealer Detected) [April 26, 2021, 11:03 p.m.]
  • SOC141 EventID: 88 (Phishing URL Detected) [April 4, 2021, 11:10 p.m.]
    
    
• Cellebrite
  • All the options for iOS extractions in UFED
  • Learn more about .UFD vs .UFDX
  • Control what is parsed from devices with updated Selective App Decoding in Physical Analyzer
    
    
• Cisco’s Talos
  Talos Takes Ep. #54: Incident response is just as much about the relationships as anything else
  
  
• Cyber Secrets
  CSI Linux 2021.2 Beta – Demo for upgrading from 2021.1
  
  
• CyberDefenders
  • Working with AD1 files – FTKImager
  • BrimSecurity Suricata Setup Walkthrough
    
    
• Didier Stevens
  Making Sense Of Encrypted Cobalt Strike Traffic
  
  
• Sharon D. Nelson and John W. Simek at Digital Detectives
  Startling Stats from the BakerHostetler Data Security Incident Response Report
  
  
• Jess Garcia at DS4N6
  [BLOG]  RSA Conference ’21 – “Me, My Adversary & AI” – Wrap-Up & Community Resources Announced, by  Jess Garcia
  
  
• Gerald Auger at Simply Cyber
  Top 5 Mentee/Mentor Power Tips (Identify and Maximize Mentoring)
  
  
• John Hubbard at ‘The Blueprint podcast’
  Jamie Williams: Adversary Emulation
  
  
• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Theory – Process Injection
  
  
• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.51 – Alyssa Miller
  
  
• OALabs
  Reverse Engineering Warzone RAT – Part 1
  
  
• Positivity Blue Team
  Awesome OSINT
  
  
• Radware
  Radware Threat Researchers Live: Episode 10
  
  
• Recorded Future
  Unpacking the Emotet Takedown
  
  
• SANS
  • iOS Third Party Apps Analysis  how to use the new reference guide poster
  • FOR500: Windows Forensic Analysis course: What to expect
  • Why take the FOR500: Windows Forensic Analysis course
  • Why take FOR500: Windows Forensic Analysis course OnDemand
  • I Want to Work in Cybersecurity…Whatever That Means! – SANS New to Cyber Summit 2021
  • How to Become a Cybersecurity Expert: Stories and Lessons from SANS’ Nik Alleyne
    
    
• Velocidex Enterprises
  • A walkthrough of a typical DFIR case with Velociraptor
  • Topic 05 Forensic Analysis Pt 2
  • Topic 06 Interactive triage & Proactive Hunting
  • Topic 07 Extending VQL and API
    
    

MALWARE

• 0day in {REA_TEAM}
  REVERSING WITH IDA FROM SCRATCH (P35)
  
  
• Avast Threat Labs
  Binary Reuse of VB6 P-Code Functions
  
  
• Jarosław Jedynak at CERT Polska
  Karton Gems 3: Malware extraction with malduck
  
  
• Fortinet
  • Newly Discovered Function in DarkSide Ransomware Variant Targets Disk Partitions
  • Analyzing the History of Ransomware Across Industries
    
    
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #40: Decompiler basics
  
  
• Ravishanka Silva at InfoSec Write-ups
  TryHackMe — Basic Malware RE Walkthrough
  
  
• Radu Emanuel Chiscariu at Keysight
  Darkside Ransomware Behavior and Techniques
  
  
• lab52
  Literature lover targeting Colombia with LimeRAT
  
  
• LIFARS Cybersecurity
  • A Rust-based Buer Malware Variant Has Been Spotted in the Wild
  • Should I Pay the Ransom? How to Negotiate with Attackers?
    
    
• Mahmoud Morsy
  Phishing Attacks 17_5_2021
  
  
• Malwarebytes Labs
  • 4 things you should know about testing AV software with VirusTotal’s free online multiscanner
  • Bizarro: a banking Trojan full of nasty tricks
  • Royal Mail phish deploys evasion tricks to avoid analysis
    
    
• Craig Schmugar at McAfee Labs
  Scammers Impersonating Windows Defender to Push Malicious Windows Apps
  
  
• Neil Fox
  Zero2auto review, 0x02 initial stagers
  
  
• Robert Giczewski
  • Python stealer distribution via excel maldoc
  • Having fun with a Ursnif VBS dropper
  • Trickbot tricks again [UPDATE]
  • Trickbot tricks again
    
    
• SANS Internet Storm Center
  • Ransomware Defenses, (Mon, May 17th)
  • From RunDLL32 to JavaScript then PowerShell, (Tue, May 18th)
  • May 2021 Forensic Contest: Answers and Analysis, (Wed, May 19th)
  • Locking Kernel32.dll As Anti-Debugging Technique, (Fri, May 21st)
  • New YouTube Video Series: Everything you ever wanted to know about DNS and more!, (Thu, May 20th)
  • And Ransomware Just Got a Bit Meaner (yes… it is possible), (Thu, May 20th)
  • “Serverless” Phishing Campaign, (Sat, May 22nd)
  • Video: Making Sense Of Encrypted Cobalt Strike Traffic, (Sun, May 23rd)
    
    
• Securelist
  Bizarro banking Trojan expands its attacks to Europe
  
  
• Marco Figueroa at SentinelLabs
  Caught in the Cloud | How a Monero Cryptominer Exploits Docker Containers
  
  
• VinCSS
  [RE022] Phần 1: Phân tích nhanh mẫu mã độc giả mạo công văn của Uỷ ban Kiểm tra Trung ương
  
  
• WeLiveSecurity
  • Take action now – FluBot malware may be on its way
  • Android stalkerware threatens victims further and exposes snoopers themselves
    
    
• Sudeep Singh and Sahil Antil at ZScaler
  Threat Actors Distribute Malicious VPN Apps Masquerading as Popular Vendors
  
  

MISCELLANEOUS

• 4n6lady
  To Pay or Not to Pay — That is the Ransomware Question
  
  
• Barry Grundy
  cheatsheets-forensic
  
  
• Bluesmoke4n6
  Keeping Up Your Knowledge in the COVID Era
  
  
• Bobby Balachandran at Exterro
  Fortifying the Forensics Toolkit (FTK) Portfolio with Exterro Infrastructure
  
  
• Cellebrite
  CLBX Specification
  
  
• DME Forensics
  Alpha, Bug-off, Beta – Major Release Testing at DME
  
  
• Forensic Focus
  • The Dos And Don’ts Of Mobile Forensics
  • FTK Feature Focus: Reporting System Summary
  • Digital Forensics Standards In Q1 2021
    
    
• iNPUT-ACE
  Video Literacy: What Every Investigator Needs to Know [Course]
  
  
• Dai Mochinaga at JPCERT/CC
  JPCERT/CC participated in the Locked Shields 2021
  
  
• Oxygen Forensics
  We Enhanced Samsung Support, Again!
  
  
• Richard Frawley at ADF
  macOS Forensics: Live Scan Macs with T2 or M1 chips | ADF Triage Tools
  
  
• SANS
  SANS Technology Institute Research Review Journal
  
  
• SANS
  Now Open | SANS 2021 Threat Hunting Survey
  
  
• VetSec
  What’s the deal? The SANS MSISE Core Comprehensive Exam
  
  

SOFTWARE UPDATES

• Amped
  Amped DVRConv Update 20711: Important New Formats and Codecs
  
  
• Arsenal
  Arsenal Image Mounter v3.4.141
  
  
• Belkasoft
  Belkasoft R is released!
  
  
• Blackberry
  PETree
  
  
• Cellebrite
  Now Available: Cellebrite Physical Analyzer and Cellebrite UFED Cloud v7.45
  
  
• Ciphey
  Fixed major bug
  
  
• CSI Linux
  CSI Linux 2021.1
  
  
• Didier Stevens
  • Update: re-search.py Version 0.0.17
  • Update: 1768.py Version 0.0.6
    
    
• Jess Garcia at DS4N6
  [BLOG]  DAISY: Say Hi to the New DS/AI-for-DFIR Virtual Machine!, by  Jess Garcia, Project Lead.
  
  
• Elcomsoft
  iOS Forensic Toolkit 8.0 beta brings forensically-sound checkm8 extraction for select iPhone & iPad models
  
  
• ExifTool
  ExifTool 12.26 (production release)
  
  
• MISP
  MISP 2.4.143 released (10 year anniversary edition)
  
  
• SANS
  SANS SIFT Update Spring 2021
  
  
• Security Onion
  Security Onion 2.3.51 Now Available!
  
  
• Swisscom
  Forensic helper scripts for KAPE and RegRipper
  
  
• Vound
  Intella 2.4.2 Release Notes
  
  
• Xways
  X-Ways Forensics 20.2 SR-3
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!