As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Marco Fontani at Amped
  How Can I Find Which Are CCTV Video Files on a USB Drive?
  
  
• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  dfir_ntfs: a forensic parser for NTFS filesystems
  
  
• DS4N6
  [NEWS]  DAISY documentation updated, including Demo version precooked content and RAM configurations
  
  
• Elcomsoft
  • Password Crackers’ Gold Mine: Browser Passwords
  • Breaking VeraCrypt: Obtaining and Extracting On-The-Fly Encryption Keys
    
    
• Erik Hjelmvik at Netresec
  Detecting Cobalt Strike and Hancitor traffic in PCAP
  
  
• Forensafe
  • Investigating Torch Web Browser
  • Solving Hunter Challenge with ArtiFast Windows
  • Investigating Windows Photos
    
    
• Rishi Dhamija at InfoSec Write-ups
  Getting Started With WireShark Part-2|Begginers Tutorial for wireShark|Filters and Protocol…
  
  
• John Lukach at Cloud 4n6ir
  Amazon Linux Metadata Repository
  
  
• Korstiaan Stam at Cloud Response
  CyberDefenders – Series (Malware Traffic Analysis 2 – Packet Analysis)
  
  
• LIFARS Cybersecurity
  Acquisition of Digital Evidence for Forensic Investigation
  
  
• Magnet Forensics
  CUPS Artifact Support for macOS
  
  
• Meisam Eslahi at ‘Cyber Security Hub’
  Blue Team-System Live Analysis [Part 10]- Windows: User Account Forensics- In-use and Locked Files…
  
  
• Alexander Jäger at Open Source DFIR
  Let’s talk about time
  
  
• Oxygen Forensics
  Similar Image Analysis Finds What Hashes Can’t
  
  
• Pieces0310
  Manually APK Downgrade for split apks – Pieces0310
  
  
• Roman Dedenok at Securelist
  Email spoofing: how attackers impersonate legitimate senders
  
  
• The DFIR Report
  WebLogic RCE Leads to XMRig
  
  
• ThinkDFIR
  You want me to deal with how many VMDKs!?
  
  

THREAT INTELLIGENCE/HUNTING

• Vignesh Mudliar at 4sysops
  Understanding the Microsoft 365 Threat protection status report
  
  
• Hannah Cartier at Active Countermeasures
  Malware of the Day – Malware Techniques: Data Exfiltration or Forcing a Host to Play Thunderstruck As Loud As Possible
  
  
• Anomali
  Anomali Cyber Watch: Attacks Against Israeli Targets, MacOS Zero-Days, Conti Ransomware Targeting US Healthcare and More
  
  
• Azure Sentinel
  • What’s new: customize entity page timeline!
  • What’s new: Detect credential leaks using built-in Azure Sentinel notebooks!
    
    
• Ben Bornholm at HoldMyBeer
  Part 3: Intro to threat hunting – Hunting the imposter among us with the Elastic stack and Sysmon
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2021-05-27 – IcedID (Bokbot) from Stolen Images Evidence.zip
  • 2021-06-01 – Hancitor infection with Cobalt Strike and netping tool activity
  • 2021-05-26 – Pcap only: Trickbot infection with Cobalt Strike
  • 2021-06-02 – TA551 (Shathak) Word docs push IcedID (Bokbot)
  • 2021-06-04 – Quick post: Qakbot (Qbot) with Cobalt Strike and spambot activity
  • 2021-06-03 – Quick post: BazarCall website to BazarLoader infection with Cobalt Strike
    
    
• Zakir Durumeric at Censys
  Censys Search 2.0 Official Launch Announcement
  
  
• Check Point Research
  • 31st May – Threat Intelligence Report
  • SharpPanda: Chinese APT Group Targets Southeast Asian Government With Previously Unknown Backdoor
  • Chinese APT group targets Southeast Asian government with previously unknown backdoor
    
    
• CISA
  CISA Releases Best Practices for Mapping to MITRE ATT&CK®
  
  
• Cisco’s Talos
  Threat Roundup for May 28 to June 4
  
  
• Jurgen at Correlated Security
  There is no single Cyber Threat Intelligence Vendor that does everything.
  
  
• Jason Trost at Covert.io
  Four Short Links on Malicious Lateral Movement Detection
  
  
• Hanno Heinrichs, Lukas Kupczyk, and Max Julian Hofmann at Crowdstrike
  Adversary Quest Walkthrough, Part 3: Four PROTECTIVE PENGUIN Challenges
  
  
• Csaba Fitzl at ‘Theevilbit’
  • Beyond the good ol’ LaunchAgents – 16 – Screen Saver
  • Beyond the good ol’ LaunchAgents – 17 – Color Pickers
    
    
• Cybereason
  Cybereason vs. REvil Ransomware
  
  
• EclecticIQ
  Rapid TTP Development and Syndicate Adoption Ignite Q2 Ransomware Explosion
  
  
• Esentire
  • IcedID Malware
  • Qakbot and Cobalt Strike
    
    
• Flashpoint
  Where Do Cybercriminals Stand on Ransomware Now?
  
  
• Group-IB
  FontPack: A dangerous update
  
  
• Craig Bowser at GuidePoint Security
  Examining the EO Mandate on Logging
  
  
• Mike Flouton at Barracuda
  Threat Spotlight: Post-delivery email threats
  
  
• Amr Thabet at MalTrak
  COM Objects P.2: Your Stealthy Fileless Attack
  
  
• Malwarebytes Labs
  • Cobalt Strike, a penetration testing tool abused by criminals
  • Kimsuky APT continues to target South Korean government using AppleSeed backdoor
  • JBS says it is recovering quickly from a ransomware attack
  • Ransomware to be investigated like terrorism
    
    
• Matt Fuller
  AWS Accounts as Security Boundaries — 97+Ways Data Can be Shared Across Accounts
  
  
• Mehmet Ergene
  • Detecting Initial Access: HTML Smuggling and ISO Images — Part 1
  • Detecting Initial Access: HTML Smuggling and ISO Images — Part 2
    
    
• Nasreddine Bencherchali
  Understanding & Detecting C2 Frameworks — HARS
  
  
• Carol Hildebrand at Netscout
  Egypt Under Attack
  
  
• Palo Alto Networks
  • Cortex XSOAR for Nobelium Spear Phishing Attacks Rapid Response
  • TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations
    
    
• Taha Karim at ‘Objective-See’
  OSX/Hydromac
  
  
• Sam Scholten and Crista Giering at Proofpoint
  BEC Taxonomy: Extortion 
  
  
• Recorded Future
  Threats to Asian Communities in North America, Europe, and Oceania
  
  
• Red Alert
  SectorD Group’s Threat Landscape in 2020
  
  
• Michael Haag and Shane Welcher at Red Canary
  What is normal? Profiling System32 binaries to detect DLL Search Order Hijacking
  
  
• SANS Internet Storm Center
  • Video: Cobalt Strike & DNS – Part 1, (Sun, May 30th)
  • Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update, (Sun, May 30th)
  • Quick and dirty Python: nmap, (Mon, May 31st)
  • Guildma is now using Finger and Signed Binary Proxy Execution to evade defenses, (Mon, May 31st)
  • Wireshark 3.4.6 (and 3.2.14) released, (Wed, Jun 2nd)
  • DShield Data Analysis: Taking a Look at Port 45740 Activity, (Thu, Jun 3rd)
  • Russian Dolls VBS Obfuscation, (Fri, Jun 4th)
  • Strange goings on with port 37, (Thu, Jun 3rd)
    
    
• Secureworks
  • Prevent the 3 Most Common Ransomware Attack Vectors
  • Making MITRE Matter: Stopping Ransomware
    
    
• Ben Potter at Securing The Cloud
  Protecting Amazon S3 Data from Ransomware
  
  
• Juan Andrés Guerrero-saade at SentinelLabs
  NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks
  
  
• Sean Gallagher at Sophos
  AMSI bypasses remain tricks of the malware trade
  
  
• Jonathan Johnson at SpecterOps
  Evadere Classifications
  
  
• Chris Camejo at TrustedSec
  Real or Fake? When Your Fraud Notice Looks Like a Phish
  
  
• WeLiveSecurity
  • ESET Threat Report T1 2021
  • Zero‑day in popular WordPress plugin exploited to take over websites
    
    

UPCOMING EVENTS

• Amped
  Register Today to Our Free Webinar “Getting Started With Video Evidence”
  
  
• Magnet Forensics
  • June 9 // 11:00AM ET: GNU/Linux Examinations with AXIOM
  • June 10 // 11:00AM ET: Tips & Tricks // Getting Tactical: Search for Keywords After Processing an Image
    
    
• NCC Group
  Conference Talks – June 2021
  
  
• The 5th International Workshop on Big Data Analytic for Cyber Crime Investigation and Prevention
  The 5th International Workshop on Big Data Analytic for Cyber Crime Investigation and Prevention
  
  

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.53 – Kevin Pagano
  
  
• Belkasoft
  BelkaCTF #2 (Drugdealer case): Solutions
  
  
• Black Hills Information Security
  • BHIS | Talkin’ Bout News 2021-06-01
  • Webcast: Getting Started in Pentesting The Cloud: Azure
  • Talkin’ About Infosec News – 6/1/2021
    
    
• Bret Witt
  • SOC117 EventID: 50 (Suspicious .reg File) [Feb. 6, 2021, 1:58 p.m.]
  • SOC121 EventID: 53 (Proxy – Malicious Executable File Detected) [Feb. 7, 2021, 12:19 p.m.]
  • SOC108 EventID: 54 (Malicious Remote Access Software Detected) [Feb. 7, 2021, 1:21 p.m.]
  • SOC122 EventID: 55 (Android Banker Malware Detected) [Feb. 7, 2021, 6:21 p.m.]
    
    
• Cellebrite
  • A Cellebrite Master Class Series – Tapping into the Mind of a Digital Investigator
  • Steganography: How Data is Hidden Then Revealed Using Digital Forensics
  • Internship Experience at Cellebrite – Learning How to Clear Digital Forensics Backlogs
  • Static and Dynamic Analysis of Android APKs – From Start to Finish
    
    
• Cyber Secrets
  CSI Linux Geolocation V1.0 Demo
  
  
• CyberDefenders
  Volatility 2 Setup Walkthrough
  
  
• Daniel Lunghi at SSTIC
  Taking Advantage of PE Metadata, or How To Complete your Favorite Threat Actor’s Sample Collection
  
  
• Day Cyberwox
  Cybersecurity Homelab: Configuring pfsense Interface & Rules
  
  
• Didier Stevens
  Cobalt Strike & DNS – Part 1
  
  
• Digital Forensic Survival Podcast
  DFSP # 276 – CVSS Fast Analysis
  
  
• DuMp-GuY TrIcKsTeR
  Real-Time Solving CyberDefenders “DumpMe” MemoryForensics Challenge in 1 hour
  
  
• FIRST
  • FIRST SIG Updates: May 6-June 3, 2021
  • FIRSTCON21 | Virtual Edition 2.0 – Live Sessions
  • FIRSTCON21 | Virtual Edition 2.0 – PRECON Sessions
  • FIRSTCON21 | Virtual Edition 2.0 – Sponsor Sessions
    
    
• Gerald Auger at Simply Cyber
  Top 25 OSINT Tools (Whats Hot🔥! Whats Not!)
  
  
• John Hubbard
  • Mark Morowczynski & Thomas Detzner: Microsoft Incident Response Playbooks
  • NEW SOC Analyst Certification for 2021! Announcing the GIAC GSOC Security Operations Certification!
    
    
• Koen Van Impe
  MISP and Threat Intelligence
  
  
• Magnet Forensics
  • New in AXIOM Cyber 5.1: Get More Data from the Cloud, Email, and Chromebooks
  • Magnet AXIOM 5.1: Collect More from the Cloud and Filter Out Irrelevant Media with Magnet.AI
  • Investigate Media More Efficiently with Smarter Tools: From Magnet.AI to OCR
  • Acquiring Publicly Available Facebook Information
    
    
• Nuix
  • Improve Digital Forensic Capabilities with Nuix
  • Bitmindz – Custom Hardware for Maximum Forensics Performance
    
    
• SANS
  • Ransoming Critical Infrastructure: Emergency Webcast Transcript
  • Ransomware – Do You Pay It Or Not? – Experts debate the costs ethics around paying ransomware – SANS
    
    
• This Month In 4n6
  This Month In 4n6 – May – 2021
  
  

MALWARE

• Theresa Lanowitz at AT&T Cybersecurity
  Ransomware and energy and utilities
  
  
• Oana Asoltanei, Alin Mihai Barbatei, and Silviu Stahie at Bitdefender Labs
  Threat Actors Use Mockups of Popular Apps to Spread Teabot and Flubot Malware on Android
  
  
• Rolf Rolles at Möbius Strip Reverse Engineering
  Hex-Rays, GetProcAddress, and Malware Analysis
  
  
• Erica Mixon at Blumira
  Ransomware vs. Malware: What’s the Difference?
  
  
• Vanja Svajcer, Caitlin Huey, and Kendall McKay at Cisco’s Talos
  Necro Python bot adds new exploits and Tezos mining to its bag of tricks
  
  
• Colin Hardy
  Clubhouse Malware – Analysis of an Agent Tesla Infection Campaign
  
  
• Cyble
  • Nucleus Software Becomes Victim of the BlackCocaine Ransomware
  • Kimsuky APT Group Distributes Fake Security App Disguised as KISA Security Program
  • Prometheus: An Emerging APT Group Using Thanos Ransomware to Target Organizations
    
    
• Bar Block at Deep Instinct
  The Ransomware Conundrum – A Look into DarkSide
  
  
• Xiaopeng Zhang at Fortinet
  Phishing Malware Hijacks Bitcoin Addresses and Delivers New Agent Tesla Variant
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #42: Renaming and retyping in the decompiler
  
  
• John Hammond
  PowerPoint Phishing Malware Analysis – HackTheBox Cyber Apocalypse CTF
  
  
• Kota Kino at JPCERT/CC
  PHP Malware Used in Lucky Visitor Scam
  
  
• Taha Karim at Confiant
  OSX/Hydromac: A new macOS malware leaked from a Flashcards app
  
  
• Mahmoud Morsy
  • Phishing Attacks 30_5_2021
  • Phishing Attacks 31_5_2021
  • Phishing Attacks 3_6_2021
  • Phishing Attacks 4_6_2021
  • Phishing Attacks 5_6_2021
    
    
• Hasherezade at Malwarebytes Labs
  Revisiting the NSIS-based crypter
  
  
• Jason Reaves and Joshua Platt at Walmart
  WastedLoader or DridexLoader?
  
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 6/5/2021
  
  
• abuse.ch
  abuse.ch gets a new home at BFH
  
  
• ACE Lab
  PC-3000 Mobile: «Hard Key» method with new features
  
  
• Alexandre Dulaunoy
  Check out @adulau’s tweet
  
  
• Ville Koch at Compass Security
  Security Best Practices for On-Premise Environments
  
  
• Brett Shavers at DFIR Training
  Don’t be led down the DFIR Garden Path
  
  
• Kelsey LaBelle at DomainTools
  DomainTools Reflects on LGBTQ+ Representation in Infosecurity
  
  
• Elan at DFIR Diva
  DFIR Related Events for Beginners – June 2021
  
  
• Expel
  • How to measure SOC quality
  • Someone in your industry got hit with ransomware. What now?
    
    
• Forensic Focus
  • Emre Tınaztepe, Founder & CEO, Binalyze
  • Nuix White Paper: A Different Approach In Every Element Of Digital Forensics In Policing
    
    
• Foxton Forensics
  • Examining internet history in forensic images
  • Recovering deleted internet history from Volume Shadow Copies
    
    
• Jeremy Young at Huntress
  Endpoint Protection: Promises vs. Reality
  
  
• Josh Brunty
  • Starting My Doctorate Journey
  • Thoughts on Atomic Habits (Chapters 1-3)
  • ITEC Module 1 Readings
    
    
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (6/1/2021)
  
  
• LIFARS Cybersecurity
  Importance Of Documenting Incident Response Process
  
  
• Magnet Forensics
  • Investigate Media More Efficiently with Smarter Tools: From Magnet.AI to OCR
  • Acquiring Publicly Available Facebook Information
  • Magnet Virtual Summit 2021 Wrap-Up
    
    
• Malware Musings
  Malwear Musings (my merchandise) Sale
  
  
• Alisha Cales at Paraben Corporation
  Digital Forensic Software and Training for Law Enforcement Grant Awarded for the First Quarter of 2021
  
  
• Ryan McGeehan
  Troubles with quantified risk
  
  
• SANS
  • Build, Hack, and Defend Azure Identity
  • A Visual Summary of SANS CloudSecNext Summit
    
    
• Security Intelligence
  • The Future of Threat Hunting and Zero Trust: 8 Innovations to Watch at RSA
  • Ransomware Attack Response Should Extend Beyond Money to Your Team’s Morale
    
    
• Sophos
  Sophos TechVids: Discover our extensive library of support videos
  
  
• Teri Radichel
  Kevin Mandia on the Solar Winds Hack
  
  

SOFTWARE UPDATES

• AccessData
  Exterro Announces the Launch of FTK Central, a Digital Forensic Platform Designed to Find Evidence Faster, Increase Analysis Speed, Enhance User Collaboration and Reduce Case Backlog
  
  
• ANSSI DFIR-ORC
  v10.0.19
  
  
• Atola
  TaskForce Changelog
  
  
• Didier Stevens
  New Tool: cs-dns-stager.py
  
  
• DS4N6
  [BLOG]  DAISY v0.5.1 released with minor fixes and improvements
  
  
• Elcomsoft
  Forensic Disk Decryptor 2.18 extracts VeraCrypt on-the-fly encryption keys
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Hancom
  New Release highlight of MD-NEXT v1.90.1
  
  
• Lares
  Introducing Sysmon Config Pusher
  
  
• Magnet Forensics
  • Magnet AXIOM 5.1: Collect More from the Cloud and Filter Out Irrelevant Media with Magnet.AI
  • New in AXIOM Cyber 5.1: Get More Data from the Cloud, Email, and Chromebooks
    
    
• Oxygen Forensics
  Oxygen Forensic® Detective v.13.6
  
  
• radare2
  5.3.0 – Root Powder Goety
  
  
• Xways
  Viewer Component
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!