As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Kroll
  • Forensically Unpacking EventTranscript.db: An Investigative Series
  • EventTranscript.db Research
  • Parsing Diagnostic Data With Powershell and Enhanced Logging
  • Parsing EventTranscript.db With KAPE and SQLECmd
  • Forensic Quick Wins With EventTranscript.DB: Win32kTraceLogging
  • EventTranscript.db vs .rbs Files and Their Relation to DiagTrack
    
    
• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  Some thoughts about Stuxnet
  
  
• B. Krishna Sai Nihith
  • Week 9 – Magnet Weekly CTF
  • KarDi Bee X – Securinets Quals 2021
  • Google Keep – Notes and Lists: Mobile Artifacts
  • Little Tricks – StarCTF 2021
    
    
• Erik Hjelmvik at Netresec
  Walkthrough of DFIR Madness PCAP
  
  
• Forensafe
  • Investigating Windows 10 Notifications
  • Investigating PowerShell
    
    
• John Lukach at Cloud 4n6ir
  Volatility3 Profiles for Amazon Linux
  
  
• Meisam Eslahi at ‘Cyber Security Hub’
  Blue Team-System Live Analysis [Part 11]- Windows: User Account Forensics- NTUSER.DAT
  
  
• Mohamed Hassan
  DFIR Cheat Sheet
  
  
• Kevin Breen at TechAnarchy
  Analysing an O.MG cable
  
  

THREAT INTELLIGENCE/HUNTING

• Printnightmare
  • Playing with PrintNightmare
  • PrintNightmare: Using Network Detection and Response to Uncover CVE-2021-1675 and CVE-2021-34527 Exploitation Activity
  • PrintNightmare: Here’s what you need to know and Talos’ coverage
  • Why is PrintNightmare hard to detect?
  • CVE-2021-34527 PrintNightmare
  • What You Need to Know About PrintNightmare Vulnerability (CVE-2021-34527)?
  • Stopping PrintNightmare
  • Businesses Warned of a PrintNightmare
  • PRINTNIGHTMARE NETWORK ANALYSIS
  • PrintNightmare (CVE-2021-34527) allows domain controller capture
  • Quick look at CVE-2021-1675 & CVE-2021-34527 (aka PrintNightmare)
  • I Pity the Spool: Detecting PrintNightmare CVE-2021-34527
  • CVE-2021-34527: Microsoft Releases Out-of-Band Patch for PrintNightmare Vulnerability in Windows Print Spooler
    
    
• Revil/Kaseya
  • Lessons Learned From REvil’s Ransomware Attack On Kaseya
  • It was a LONG weekend — Here’s the vital info on REvil and Kaseya VSA
  • Kaseya Ransomware Attack – 5 Key Insights into this Malware campaign
  • How CrowdStrike Falcon Stops REvil Ransomware Used in the Kaseya Attack
  • In Kaseya Supply Chain Ransomware Attack History Repeats Itself
  • Cybereason vs. REvil Ransomware: The Kaseya Chronicles
  • REvil Ransomware Attacks: Implications for Kaseya, MSPs and Businesses
  • REvil/Kaseya Incident Update
  • Deconstructing the REvil Ransomware Attack on Kaseya VSA
  • Elastic Security prevents 100% of REvil ransomware samples
  • Kaseya supply chain attack: What you need to know
  • With Kaseya Ransomware Attack, REvil Dismisses Mounting Global Scrutiny with More Large-Scale Targets
  • Genetic Analysis and Lessons Learned from REvil Attack
  • Kaseya CEO: “The impact of this incredibly sophisticated attack is very minimal”
  • Malspam banks on Kaseya ransomware attack
  • Revil Ransomware used in Kaseya
  • Netskope Threat Coverage: REvil
  • Understanding REvil: The Ransomware Gang Behind the Kaseya Attack
  • The rising danger of ransomware: the Kaseya case, how it happened, and how to defend yourself
  • REvil’s Grand Coup | Abusing Kaseya Managed Services Software for Massive Profits
  • Kaseya, Sera. What REvil Shall Encrypt, Shall Encrypt
  • Kaseya: Before and After
  • Origin of the Kaseya Breach
  • Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails
  • Kaseya supply‑chain attack: What we know so far
  • Kaseya Supply Chain Ransomware Attack – Technical Analysis of the REvil Payload
  • Stop the Next Kaseya Attack
    
    
• Hannah Cartier at Active Countermeasures
  Malware of the Day – Attack Vectors: Google Apps Script
  
  
• Cado Security
  Ransomware Incident Response and Forensics – Post Breach
  
  
• Check Point Research
  5th July – Threat Intelligence Report
  
  
• Cisco’s Talos
  • InSideCopy: How this APT continues to evolve its arsenal
  • Threat Source newsletter (July 8, 2021)
  • Threat Roundup for July 2 to July 9
    
    
• Adam Meyers at CrowdStrike
  The Evolution of PINCHY SPIDER from GandCrab to REvil
  
  
• Tim Helming at DomainTools
  We Know How To Prevent Ransomware
  
  
• Jacob Benjamin at Dragos
  Correcting Prevention Bias in Your OT Cyber Incident Response
  
  
• Gijs Hollestelle ​at Falcon Forc
  FalconFriday — Privilege Escalations to SYSTEM  — 0xFF13
  
  
• Jack Cable
  Ransomwhere
  
  
• Jorge Orchilles and Tim Schulz at Scythe
  SCYTHE Presents: Threat Thursday – Exfiltration Over Web Service: Exfiltration to Cloud Storage
  
  
• Dray Agha at Jumpsec Labs
  Securing against new offensive techniques abusing active directory certificate service
  
  
• Anda Ioana Enescu Buyruk at Keysight
  Keysight Connect #7 – When documents attack
  
  
• Michael Koczwara
  Cobalt Strike Beacons & Servers June 2021
  
  
• Jonah Kowall at Logz.io
  Correlate CrowdStrike Data with Logz.io Cloud SIEM
  
  
• McAfee Labs
  • New Ryuk Ransomware Sample Targets Webservers
  • Hancitor Making Use of Cookies to Prevent URL Scraping
    
    
• Mehmet Ergene
  Hunting for Phishing Links Using Sysmon and KQL
  
  
• Microsoft 365 Security
  Why are Windows Defender AV logs so important and how to monitor them with Azure Sentinel?
  
  
• pat_h/to/file
  Detecting Kernel Hooking using eBPF
  
  
• Rapid7
  • Introducing the Manual Regex Editor in IDR’s Parsing Tool: Part 1
  • Introducing the Manual Regex Editor in IDR’s Parsing Tool: Part 2
    
    
• Recorded Future
  Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
  
  
• SANS Internet Storm Center
  • DIY CD/DVD Destruction – Follow Up, (Sun, Jul 4th)
  • Python DLL Injection Check, (Tue, Jul 6th)
  • Microsoft Releases Patches for CVE-2021-34527, (Wed, Jul 7th)
  • Using Sudo with Python For More Security Controls, (Thu, Jul 8th)
  • Hancitor tries XLL as initial malware file, (Fri, Jul 9th)
  • Scanning for Microsoft Secure Socket Tunneling Protocol, (Sat, Jul 10th)
    
    
• Clément Notin at Tenable
  Don’t make your SOC blind to Active Directory attacks: 5 surprising behaviors of Windows audit…
  
  
• Trend Micro
  • Tracking Cobalt Strike: A Trend Micro Vision One Investigation
  • Threats Ride on the Covid-19 Vaccination Wave
    
    
• Ashwin Vamshi at Uptycs
  macOS: Bashed Apples of Shlayer and Bundlore
  
  
• Vicente Díaz at VirusTotal
  Having the right tool for the job
  
  

UPCOMING WEBINARS/CONFERENCES

• HTCIA
  Challenges in Modern Phone Forensics
  
  
• Magnet Forensics
  July 15 11:30AM SGT // Tips & Tricks // Get to Evidence Faster with Media Explorer
  
  

PRESENTATIONS/PODCASTS

• AhmedS Kasmani
  Analysis of AppleJeus Malware by Lazarus Group
  
  
• Anastasios Pingios
  BSides Athens 2021: .GR TLD hijacking
  
  
• Black Hat
  Fast Chat with Austin Murphy, CrowdStrike’s VP & GM, Falcon Complete
  
  
• Black Hills Information Security
  • BHIS | Talkin’ Bout News 2021-07-06
  • BHIS | PreShow Banter™ — Intro Sec Con & The Birth of PreShowBanterCon-A-Thon 2021!™
  • BHIS | How to Build a Phishing Engagement – Coding TTP’s – Ralph May
  • Pushing Your Way In
    
    
• BSides Amman 2021
  BSides Amman 2021
  
  
• Cisco’s Talos
  Talos Takes Ep. #60: Everything you need to know about the Kaseya situation
  
  
• Digital Forensic Survival Podcast
  DFSP # 281 – Fast Triage case study: persistence
  
  
• Dump-Guy Trickster
  • [1] Lokibot analyzing – defeating GuLoader with Windbg (Kernel debugging) and Live C2
  • [2] Lokibot analyzing – spoofing GULoader and LokiBot C2 [part1] – Own implementation in Python
    
    
• Gerald Auger at Simply Cyber
  Exactly How I Get Things Done (My Secret to Crushing Life)
  
  
• Iron Geek
  OISF 2021 Videos
  
  
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 17 – New Features in FTK
  
  
• Magnet Forensics
  • Malware Analysis Fundamentals: Process Monitoring
  • Malware Analysis Fundamentals: Process Monitoring
    
    
• MalwareAficionado
  Malware Analysis Fundamentals: Process Monitoring
  
  
• SANS
  • Q&A From the Executives and Ransomware: Stop, Collaborate, and Listen! Webcast
  • Why take FOR585: Smartphone Forensic Analysis In-Depth
  • Why take FOR585: Smartphone Forensic Analysis In-Depth OnDemand
  • FOR585: Smartphone Forensic Analysis In-Depth
  • STAR Webcast: Dissecting BadBlood: an Iranian APT Campaign
  • DFIR Summit 2021
  • What are the different roles in cybersecurity & how do you start? – FAQ w James Lyne, SANS Institute
  • Do you need to know programming to get into Cybersecurity – FAQ w. James Lyne, SANS Institute
  • Why Being a Destructive Architect is the Way Forward for Black in Tech
  • Ransomware and Healthcare: A Deadly Combination
    
    
• Sileniia
  Introduction to Browser Forensics
  
  
• Watson Infosec
  • WatsonInfoSec Network Rebuild
  • Watsoninfosec VMware ESXI Rebuild
  • WatsonInfoSec LAB Build Part Three
    
    

MALWARE

• 0verfl0w_ at 0ffset
  New TA402/MOLERATS Malware – Decrypting .NET Reactor Strings
  
  
• Avast Threat Labs
  Decoding Cobalt Strike: Understanding Payloads
  
  
• Ben Martin at Sucuri
  Magecart Swiper Uses Unorthodox Concatenation
  
  
• CISA
  MAR-10337802-1.v1: DarkSide Ransomware
  
  
• Zachary Bailey at Cofense
  Extracting Pesky Chanitor DLLs
  
  
• Fernando Martinez at AlienVault Labs
  Lazarus campaign TTPs and evolution
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #47: Hints in IDA
  
  
• Intezer
  • Global Phishing Campaign Targets Energy Sector and its Suppliers
  • Covering the Infection Chain: Analyze Documents and Scripts with Intezer Analyze
    
    
• Lab52
  Quick review of Babuk ransomware builder
  
  
• Mahmoud Morsy
  • Phishing Attacks 7_7_2021
  • Phishing Attacks 6_7_2021
  • Phishing Attacks 8_7_2021
  • IOCs 8_7_2021
  • Phishing Attacks 8_7_2021
  • IOCs 9_7_2021
    
    
• Marco Ramilli
  Babuk Ransomware: The Builder
  
  
• Kiran Raj & Kishan N at McAfee Labs
  Zloader With a New Infection Technique
  
  
• S2W Lab
  • Analysis of Lazarus malware abusing Non-ActiveX Module in South Korea
  • Deep analysis of KPOT Stealer
    
    
• Idan Weizman & Antonio Pirozzi at SentinelLabs
  Conti Unpacked | Understanding Ransomware Development As a Response to Detection
  
  
• Joseph C Chen, Kenney Lu, Jaromir Horejsi, and Gloria Chen at Trend Micro
  BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
  
  
• Walmart
  • TA505 adds GoLang crypter for delivering miners and ServHelper
  • Amadey stealer plugin adds Mikrotik and Outlook harvesting
    
    
• Fernando Tavella and Matías Porolli at WeLiveSecurity
  Bandidos at large: A spying campaign in Latin America
  
  

MISCELLANEOUS

• 4n6lady
  Cybersecurity: The Path to Your Beginning (THM)
  
  
• Adam at Hexacorn
  Wine tasting, again
  
  
• Marco Fontani at Amped
  How Do I Play a Video Frame-by-Frame and Comment Relevant Stills?
  
  
• Belkasoft
  Belkasoft Digital Forensics Survey 2021
  
  
• Binalyze
  June 2021 Binalyze Product Updates
  
  
• Forensic Focus
  • Research Roundup: New Tools And Techniques And Ensuring Their Quality
  • Key Benefit Of Binalyze Forensic Features For SIEM Solutions
    
    
• Anthony Giandomenico at Fortinet
  6 Important Best Practices for Preparing for Data Breaches and Security Incidents
  
  
• IntaForensics
  How Lima v2.9 can improve productivity as well as profitability
  
  
• Lee Holmes at Precision Computing
  Powershell Cookbook 4th Edition Now Available!
  
  
• Magnet Forensics
  • New in AXIOM Cyber 5.2: Find Files and Folders During Remote Collection Faster Than Ever
  • Magnet AXIOM 5.2: Beta Available for Cross-Case Searches and More Facebook Public Data Acquisition
  • Cross-Case Searching for Tagged Identifiers in Project Prague Beta
  • Index Searching Endpoints for Targeted Collections
    
    
• MSAB
  MSAB sales engineer awarded for his digital forensic work
  
  
• RiskIQ
  Here’s How Much Threat Activity is in Each Internet Minute
  
  
• Barnaby Page at SentinelOne
  Cyber Insurance: Navigating A Tough New World In the Age of Ransomware
  
  
• Tony Anscombe at WeLiveSecurity
  Ransomware: To pay or not to pay? Legal or illegal? These are the questions …
  
  
• Yulia Samoteykina at Atola
  • Atola Insight Forensic Gets New High-Performance Hardware!
  • Imaging 3 sources with Atola Insight Forensic and its new DiskSense 2 hardware unit
    
    

SOFTWARE UPDATES

• AccessData
  Forensic Tools 7.4.2 Service Pack 1
  
  
• AceLab
  The New PC-3000 Mobile Software Update Ver. 1.4.5 is Available!
  
  
• Amped
  Amped Replay Update 21282: Smart Processing, Detailed Reporting and Improved Format Support
  
  
• Apache Tika
  Release 1.27 – 06/30/2021
  
  
• Atola
  Atola Insight Forensic 5.0
  
  
• Binalyze
  Release the DRONE! : Meet your 24/7 Available DFIR expert
  
  
• Cellebrite
  Now Available: Cellebrite Digital Collector v3.2
  
  
• Didier Stevens
  New Tool: texteditor.py
  
  
• EclecticIQ
  Introducing EclecticIQ Endpoint Response 3.0
  
  
• Eric Zimmerman
  ChangeLog
  
  
• ExifTool
  ExifTool 12.29
  
  
• Foxton Forensics
  Browser History Examiner — Version History – Version 1.16.3
  
  
• MISP
  MISP 2.4.145 and 2.4.146 released (Improved warning-lists)
  
  
• radare2
  5.4.0
  
  
• Security Onion
  Security Onion 2.3.60 Heavy Node Hotfix
  
  
• Yarp
  1.0.32
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!