As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Brendan Bone at AccessData
  How to run FTK Imager from a flash drive (Imager Lite)
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Up to your knees in alterations
  
  
• Forensafe
  • Investigating UC Web Browser
  • Investigating Windows OneDrive
    
    
• Kevin Pagano at Stark 4N6
  Turbo Pt. 3 – Device Health Services Application Usage
  
  
• Maxim Suhanov
  Shadow copies become less visible
  
  
• Not a kween
  • Network Forensics – Wireshark
  • iPad Forensics – Fruit Pad
  • Windows Forensics
  • Mac Forensics – Fruit Book
  • CyberDefenders: African Falls
    
    
• Amber Schroader at Paraben Corporation
  iOS Backup vs iCloud–How can you compare?
  
  
• pat_h/to/file
  Windows 11 and ETW Quick Look
  
  
• The DFIR Report
  Hancitor Continues to Push Cobalt Strike
  
  
• John Patzakis at X1
  Relativity and X1 Publish Joint Legal Whitepaper on ESI Collection Best Practices
  
  

THREAT INTELLIGENCE/HUNTING

• Bill Stearns at Active Countermeasures
  Filtering Netflow/IPFix
  
  
• Advanced Intelligence
  Ransomware-&-CVE: Industry Insights Into Exclusive High-Value Target Adversarial Datasets
  
  
• Anomali
  Anomali Cyber Watch: Microsoft Signs Malicious Netfilter Rootkit, Ransomware Attackers Using VMs, Fertility Clinic Hit With Data Breach and More
  
  
• Azure Sentinel
  What’s new: ASIM Authentication, Process, Registry and enhanced Network schemas
  
  
• Black Lantern Security
  Detecting LDAP Reconnaissance
  
  
• Brian Laskowski at Blumira
  PrintNightmare (CVE-2021-1675) PoC Exploit Code Released
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2021-06-30 – TA551 (Shathak) pushes Trickbot with DarkVNC and Cobalt Strike
  • 2021-07-02 – Astaroth/Guildma from Brazil malspam
    
    
• Cado Security
  • Resources for DFIR Professionals Responding to the REvil Ransomware Kaseya Supply Chain Attack
  • Ransomware Incident Response and Forensics – Before the Ransom
    
    
• Censys
  CVE-2018-18472: Western Digital My Book Live Mass Exploitation
  
  
• Check Point Research
  • 28th June – Threat Intelligence Report
  • IndigoZebra APT continues to attack Central Asia with evolving tools
    
    
• Cisco’s Talos
  • Threat Source newsletter (July 1, 2021)
  • REvil ransomware actors attack Kaseya in supply chain attack
  • Threat Roundup for  June 25 to July 2
    
    
• Cofense
  • Power Splunk with Cofense Triage Phishing Indicators
  • Miming, Mimecast? The latest attempt at exploiting SEGs
  • Covid-19 Variant Malware Evades Multiple SEGs
    
    
• CrowdStrike
  • New Ransomware Variant Uses Golang Packer
  • Stop Cloud Breaches With Threat Graph Cloud-Powered Analytics: Intelligent, Automated, Accurate
  • How to Use Scheduled Reports with Falcon Spotlight
    
    
• Csaba Fitzl at ‘Theevilbit’
  • Beyond the good ol’ LaunchAgents – 18 – X11 and XQuartz
  • GateKeeper – Not a Bypass (Again)
    
    
• Justyna Kucharczak at CyberArk
  Cryptomining Cloud Attack: Compromise Sensitive Console Access
  
  
• Cyberint
  MSPs Targeted in Ransomware  Attack
  
  
• Chad Anderson at DomainTools
  The Most Prolific Ransomware Families: A Defenders Guide
  
  
• Dragos
  June 2021 Knowledge Pack Released
  
  
• EclecticIQ
  EclecticIQ Intelligence Center 2.10 adds more STIX 2.1 support, built-in MITRE ATT&CK, Knowledge Packs
  
  
• Elastic
  • How the Elastic InfoSec team uses Elastic Security
  • Ingesting threat data with the Threat Intel Filebeat module
    
    
• Emanuele De Lucia
  Revil / Sodinokibi ransomware delivered through Kaseya VSA supply-chain attack
  
  
• Group-IB
  • REvil Twins
  • The Brothers Grim
    
    
• John Hammond at Huntress
  • Critical Vulnerability: PrintNightmare Exposes Windows Servers to Remote Code Execution
  • Rapid Response: Mass MSP Ransomware Incident
    
    
• Kevin Beaumont at DoublePulsar
  • Zero day for every supported Windows OS version in the wild — PrintNightmare
  • Kaseya supply chain attack delivers mass ransomware event to US companies
    
    
• Andy Gill at Lares
  Detection and Mitigation Advice for PrintNightmare
  
  
• Malwarebytes Labs
  • Lil’ skimmer, the Magecart impersonator
  • Babuk ransomware builder leaked following muddled “retirement”
  • Shutdown Kaseya VSA servers now amidst cascading REvil attack against MSPs, clients
  • Beware password-spraying fancy bears
    
    
• Microsoft Security
  • MITRE ATT&CK® mappings released for built-in Azure security controls
  • Microsoft finds new NETGEAR firmware vulnerabilities that could lead to identity theft and full system compromise
    
    
• Nicholas Amon and Jon Baker at MITRE-Engenuity
  Security Control Mappings: A Starting Point for Threat-Informed Defense
  
  
• Nabil Adouani at StrangeBee
  Introducing TheHive Cloud Platform
  
  
• Nasreddine Bencherchali
  Understanding & Detecting C2 Frameworks — DarkFinger-C2
  
  
• Palo Alto Networks
  Threat Brief: Kaseya VSA Ransomware Attacks
  
  
• Proofpoint
  • Cobalt Strike: Favorite Tool from APT to Crimeware
  • Malware Masquerades as Privacy Tool
    
    
• Red Alert
  Monthly Threat Actor Group Intelligence Report, May 2021
  
  
• RiskIQ
  Media Land: Bulletproof Hosting Provider is a Playground for Threat Actors
  
  
• Rootdevsec
  Securing Domain Controller Environments From The Ground Up — Print Spooler Edition
  
  
• SANS Internet Storm Center
  • DIY CD/DVD Destruction, (Sun, Jun 27th)
  • Diving into a Google Sweepstakes Phishing E-mail, (Tue, Jun 29th)
  • CFBF Files Strings Analysis, (Mon, Jun 28th)
  • June 2021 Forensic Contest: Answers and Analysis, (Wed, Jun 30th)
  • CVE-2021-1675: Incomplete Patch and Leaked RCE Exploit, (Wed, Jun 30th)
  • “inception.py”… Multiple Base64 Encodings, (Fri, Jul 2nd)
  • Kaseya VSA Users Hit by Ransomware, (Fri, Jul 2nd)
  • Finding Strings With oledump.py, (Sat, Jul 3rd)
    
    
• Secureworks
  Customer Advisory: Kaseya VSA Software Under Active Attack
  
  
• Security Intelligence
  • A Fly on ShellBot’s Wall: The Risk of Publicly Available Cryptocurrency Miners
  • Hunting for Windows “Features” with Frida: DLL Sideloading
    
    
• Sophos
  • MTR in Real Time: Hand-to-hand combat with REvil ransomware chasing a $2.5 million pay day
  • What to expect when you’ve been hit with REvil ransomware
  • Kaseya VSA supply chain ransomware attack
    
    
• Claire Tills at Tenable
  CVE-2021-1675: Proof-of-Concept Leaked for Critical Windows Print Spooler Vulnerability
  
  
• Trend Micro
  • Nefilim Ransomware Attack Through a MITRE Att&ck Lens
  • Top Countries With ICS Endpoint Malware Detections
  • PurpleFox Using WPAD to Target Indonesian Users
  • IT Management Platform Kaseya Hit With Sodinokibi/REvil Ransomware Attack
    
    
• Adam Todd at TrustedSec
  BITS Persistence for Script Kiddies
  
  
• Siddartha Sharma and Adhokshaj Mishra at Uptycs
  Evasive Techniques Used By Malicious Linux Shell Scripts
  
  
• Yoroi
  The “WayBack” Campaign: a Large Scale Operation Hiding in Plain Sight
  
  

UPCOMING EVENTS

• Belkasoft
  [Webinar] Viber Forensics with Belkasoft
  
  
• Cellebrite
  Introducing Cellebrite Premium ES
  
  
• Elan at DFIR Diva
  DFIR Related Events for Beginners – July 2021
  
  

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.57 – Julie Lewis
  
  
• Archan Choudhury at BlackPerl
  Cyber Security Incident Response – How SOC Responds, See LIVE
  
  
• Black Hat
  From Ransomware to RansomOps: Evolution of A Threat
  
  
• Black Hills Information Security
  • Talkin’ About Infosec News – 6/28/2021
  • 2021-07-01 – Attack Tactics 8 – Poison the Well – Jordan Drysdale & David Fletcher – 1 Hour
    
    
• Bret Witt
  • Malware Analysis – Excel 4.0 Macros
  • SOC147 EventID: 94 (SSH Scan Activity) [June 13, 2021, 4:23 p.m.]
    
    
• Cellebrite
  • How To Create a Template for Associated File CDRs – CDR Template Editor Series, Part 2
  • Ask the Expert: Selective File System Extraction in Cellebrite UFED by Heather Mahalik
  • Episode 14: iBeg to DFIR – Cloud Forensics
    
    
• Check Point Research
  The State of Ransomware
  
  
• Cisco’s Talos
  Talos Takes Ep. #59: How to secure the devices that secure your home network
  
  
• Cyber Secrets
  • CSI Linux 2021.2: Case Management & Starting a Case
  • CSI Linux 2021.2: Routing all your traffic through CSI TorVPN
  • CSI Linux 2021.2: Routing CSI Linux through the Whonix Gateway
    
    
• Cyber Security Interviews
  #121 – Shannon Brazil: Teach Business to Tech People
  
  
• Digital Forensic Survival Podcast
  DFSP # 280 – Malware Fast Triage
  
  
• Gerald Auger at Simply Cyber
  Top 5 Mistakes People Breaking Into Cybersecurity Are Making
  
  
• John Hammond
  • Dark Web Documentary 01 Getting Setup with Tails Linux
  • Tor Search Engines – 02 Dark Web Documentary
  • “Hire a Hacker” ??? 03 Dark Web Documentary
    
    
• John Hubbard at SecHubb
  Cyber Threat Intelligence Explained and How Install MISP Threat Intelligence Platform with Docker
  
  
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 16 – Installation of FTK
  
  
• Magnet Forensics
  • An Introduction to Project Prague Beta
  • New in AXIOM Cyber 5.2: Find Files and Folders During Remote Collection Faster Than Ever
  • Magnet AXIOM 5.2: Beta Available for Cross-Case Searches and More Facebook Public Data Acquisition
  • Index Searching Endpoints for Targeted Collections
    
    
• MSAB
  New release: XRY 9.5, XAMN 6.1 and AS & AAL Support for Qualcomm Devices
  
  
• Nishkarsh Agarwal
  HeroCTF: MEMORY FORENSICS!
  
  
• Paraben Corporation
  E3 Forensic Platform Processing TikTok Data
  
  
• Positivity Blue Team
  Getting Noticed in Infosec w/ Dave Kennedy
  
  
• SalvationDataOfficia
  HUAWEI Harmony OS  – Firstly Supported by SPF Pro!
  
  
• SANS Institute
  • SANS Cyber Solutions Fest
  • Will you mentor me?: How to ask for help
    
    
• Security Unlocked
  Simulating the Enemy
  
  
• The Digital Forensics Files Podcast
  Dave McKay, of Blackstone Foreniscs, Talks Video Forensics with Tyler Hatch of DFI Forensics
  
  
• Tom Ueltschi
  “DESKTOP-Group” – Tracking a Persistent Threat Group (using Email Headers)
  
  

MALWARE

• 360 Netlab
  Mirai_ptea Botnet is Exploiting Undisclosed KGUARD DVR Vulnerability
  
  
• AK1001
  Analyzing Cobalt Strike PowerShell Payload
  
  
• Fernando Martinez and Ofer Caspi at AlienVault Labs
  REvil’s new Linux version
  
  
• Luigino Camastra, Igor Morgenstern and Jan Vojtěšek at Avast Threat Labs
  Backdoored Client from Mongolian CA MonPass
  
  
• Kryptos Logic
  TrickBot and Zeus
  
  
• Dmitry Melikov at InQuest
  The Magnificence of Agent Tesla
  
  
• Fortinet
  • Spear Phishing Campaign with New Techniques Aimed at Aviation Companies
  • Diavol – A New Ransomware Used By Wizard Spider?
    
    
• Patrick Schläpfer at HP Wolf Security
  Snake Keylogger’s Many Skins: Analysing Code Reuse Among Infostealers
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #46: disassembly operand representation
  
  
• Hansindu Maniyangama at InfoSec Write-ups
  Identify Malware Threats: Malware Terminology (Part 2)
  
  
• Mahmoud Morsy
  • Phishing Attacks 28_6_2021
  • IOCs 28_6_2021
  • Phishing Attacks 29_6_2021
  • IOCs 29_6_2021
  • Phishing Attacks 30_6_2021
  • IOCs 30_6_2021
  • IOCs 1_7_2021
  • Phishing Attacks 1_7_2021
  • IOCs 2_7_2021
  • Phishing Attacks 2_7_2021
    
    
• Ghanashyam Satpathy and Jenko Hwong at Netskope
  Not Laughing: Malicious Office Documents using LoLBins
  
  
• Mislav Sever at ReversingLabs
  ReversingLabs SDK for Python
  
  
• VinCSS
  [RE023] Quick analysis and removal tool of a series of new malware variant of Panda group that has recently targeted to Vietnam VGCA
  
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 7/2/2021
  
  
• Alex Verboon at ‘Anything about IT’
  Use Microsoft Endpoint Configuration Manager to stop the Windows Print Spooler Service
  
  
• Amina Zilic at Binalyze
  The Third Step to Forensic Readiness: Evidence Collection Requirements
  
  
• Cellebrite
  • Cellebrite Shines at This Year’s Techno Security and Digital Forensics Conference
  • Six Steps to Mobile Validation
  • Selective File System Extraction in Cellebrite UFED
    
    
• Vladimir Katalov at Elcomsoft
  How to Remove Restrictions from Adobe PDF Files
  
  
• Faith Opiyo at CyberSecFaith
  Building my Home Lab – Architecture
  
  
• Forensic Focus
  • How To Speed Up Your Investigation With Enriched Timeline Capabilities
  • Grayshift Virtual Briefing Room – July 8th
  • FTK Feature Focus: Optimizing Processing Options Part 2
  • Free DRONE Version For Print Nightmare Exploit Scanning & Workaround (CVE-2021-1675)
  • Exterro Participates In Gen CybHER Camp At Dakota State University
  • MSAB Brings Enhanced Physical Support Options For MTK, Exynos, And EDL Devices
  • Automating And Sharing Digital Forensics Knowledge Through Hansken
    
    
• IntaForensics
  The Ethics of Ransomware: Is it Ever Okay to Pay?
  
  
• Josh Brunty
  • Thoughts on Atomic Habits (Chapters 15-17)
  • Thoughts on IR Team Building Exercise
    
    
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (7/1/2021)
  
  
• Ben Kast at LMG Security
  5 Tips for Using Off-Band Encrypted Systems to Bolster Your Incident Response Capabilities
  
  
• Magnet Forensics
  • Index Searching Endpoints for Targeted Collections
  • Cross-Case Searching for Tagged Identifiers in Project Prague Beta
    
    
• Marco Fontani at Amped
  How Do I Adjust the Playback Speed of a Video?
  
  
• Oxygen Forensics
  The Oxygen Forensic Guide to iPhone Support
  
  
• Pavel Yosifovich
  Processes, Threads, and Windows
  
  
• SANS
  • NEW DFIR FOR532: Enterprise Memory Forensics In-Depth Coming Soon
  • Instructor Spotlight: AJ Yawn
  • The Summit for You on Managing Human Risk – SANS 2021 Security Awareness Summit
  • Recommended Sources for Ransomware Information
    
    

SOFTWARE UPDATES

• Alfie Champion
  C3 Relay Rumbler
  
  
• ANSSI DFIR-ORC
  v10.0.20
  
  
• Belkasoft
  What’s new in Belkasoft X v.1.8
  
  
• Binalyze
  Print Nightmare Bug Scanner & Remediator (CVE-2021-1675)
  
  
• CISA
  Ransomware Readiness Assessment CSET v10.3
  
  
• Costas K.
  MFTBrowser.exe (x64)
  
  
• CrowdStrike
  CrowdStrike Services Releases AutoMacTC 1.2.0
  
  
• Didier Stevens
  Update: xmldump.py Version 0.0.7
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Foxton Forensics
  • Browser History Viewer — Version History – Version 1.4.1 – July 01, 2021
  • Browser History Examiner — Version History – Version 1.16.2 – July 01, 2021
    
    
• Magnet Forensics
  • Magnet AXIOM 5.2: Beta Available for Cross-Case Searches and More Facebook Public Data Acquisition
  • New in AXIOM Cyber 5.2: Find Files and Folders During Remote Collection Faster Than Ever
    
    
• MSAB
  Released today: XRY 9.5, XAMN 6.1
  
  
• Nir Sofer
  View TCP connections problems
  
  
• Passware
  Passware Kit 2021 v3 Now Available
  
  
• Security Onion
  Security Onion 2.3.60 now available!
  
  
• Tylabs
  Quicksand Initial release
  
  
• Xways
  • X-Ways Forensics 20.3 Beta 3
  • X-Ways Forensics 20.2 SR-5
    
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!