As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Kroll
  - Forensically Unpacking EventTranscript.db: An Investigative Series
  - EventTranscript.db Research
  - Parsing Diagnostic Data With Powershell and Enhanced Logging
  - Parsing EventTranscript.db With KAPE and SQLECmd
  - Forensic Quick Wins With EventTranscript.DB: Win32kTraceLogging
  - EventTranscript.db vs .rbs Files and Their Relation to DiagTrack
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  - Some thoughts about Stuxnet
- B. Krishna Sai Nihith
- Erik Hjelmvik at Netresec
  - Walkthrough of DFIR Madness PCAP
- Forensafe
- John Lukach at Cloud 4n6ir
  - Volatility3 Profiles for Amazon Linux
- Meisam Eslahi at ‘Cyber Security Hub’
  - Blue Team-System Live Analysis [Part 11] - Windows: User Account Forensics - NTUSER.DAT
- Mohamed Hassan
  - DFIR Cheat Sheet
- Kevin Breen at TechAnarchy
  - Analysing an O.MG cable
THREAT INTELLIGENCE/HUNTING
- PrintNightmare
  - Playing with PrintNightmare
  - PrintNightmare: Using Network Detection and Response to Uncover CVE-2021-1675 and CVE-2021-34527 Exploitation Activity
  - PrintNightmare: Here’s what you need to know and Talos’ coverage
  - Why is PrintNightmare hard to detect?
  - CVE-2021-34527 PrintNightmare
  - What You Need to Know About PrintNightmare Vulnerability (CVE-2021-34527)?
  - Stopping PrintNightmare
  - Businesses Warned of a PrintNightmare
  - PRINTNIGHTMARE NETWORK ANALYSIS
  - PrintNightmare (CVE-2021-34527) allows domain controller capture
  - Quick look at CVE-2021-1675 & CVE-2021-34527 (aka PrintNightmare)
  - I Pity the Spool: Detecting PrintNightmare CVE-2021-34527
  - CVE-2021-34527: Microsoft Releases Out-of-Band Patch for PrintNightmare Vulnerability in Windows Print Spooler
- REvil/Kaseya
  - Lessons Learned From REvil’s Ransomware Attack On Kaseya
  - It was a LONG weekend — Here’s the vital info on REvil and Kaseya VSA
  - Kaseya Ransomware Attack – 5 Key Insights into this Malware campaign
  - How CrowdStrike Falcon Stops REvil Ransomware Used in the Kaseya Attack
  - In Kaseya Supply Chain Ransomware Attack History Repeats Itself
  - Cybereason vs. REvil Ransomware: The Kaseya Chronicles
  - REvil Ransomware Attacks: Implications for Kaseya, MSPs and Businesses
  - REvil/Kaseya Incident Update
  - Deconstructing the REvil Ransomware Attack on Kaseya VSA
  - Elastic Security prevents 100% of REvil ransomware samples
  - Kaseya supply chain attack: What you need to know
  - With Kaseya Ransomware Attack, REvil Dismisses Mounting Global Scrutiny with More Large-Scale Targets
  - Genetic Analysis and Lessons Learned from REvil Attack
  - Kaseya CEO: “The impact of this incredibly sophisticated attack is very minimal”
  - Malspam banks on Kaseya ransomware attack
  - REvil Ransomware used in Kaseya
  - Netskope Threat Coverage: REvil
  - Understanding REvil: The Ransomware Gang Behind the Kaseya Attack
  - The rising danger of ransomware: the Kaseya case, how it happened, and how to defend yourself
  - REvil’s Grand Coup | Abusing Kaseya Managed Services Software for Massive Profits
  - Kaseya, Sera. What REvil Shall Encrypt, Shall Encrypt
  - Kaseya: Before and After
  - Origin of the Kaseya Breach
  - Diving Deeper Into the Kaseya VSA Attack: REvil Returns and Other Hackers Are Riding Their Coattails
  - Kaseya supply-chain attack: What we know so far
  - Kaseya Supply Chain Ransomware Attack – Technical Analysis of the REvil Payload
  - Stop the Next Kaseya Attack
- Hannah Cartier at Active Countermeasures
  - Malware of the Day – Attack Vectors: Google Apps Script
- Cado Security
  - Ransomware Incident Response and Forensics – Post Breach
- Check Point Research
  - 5th July – Threat Intelligence Report
- Cisco’s Talos
- Adam Meyers at CrowdStrike
  - The Evolution of PINCHY SPIDER from GandCrab to REvil
- Tim Helming at DomainTools
  - We Know How To Prevent Ransomware
- Jacob Benjamin at Dragos
  - Correcting Prevention Bias in Your OT Cyber Incident Response
- Gijs Hollestelle at Falcon Force
  - FalconFriday — Privilege Escalations to SYSTEM — 0xFF13
- Jack Cable
  - Ransomwhere
- Jorge Orchilles and Tim Schulz at Scythe
  - SCYTHE Presents: Threat Thursday – Exfiltration Over Web Service: Exfiltration to Cloud Storage
- Dray Agha at Jumpsec Labs
  - Securing against new offensive techniques abusing Active Directory Certificate Services
- Anda Ioana Enescu Buyruk at Keysight
  - Keysight Connect #7 – When documents attack
- Michael Koczwara
  - Cobalt Strike Beacons & Servers June 2021
- Jonah Kowall at Logz.io
  - Correlate CrowdStrike Data with Logz.io Cloud SIEM
- McAfee Labs
- Mehmet Ergene
  - Hunting for Phishing Links Using Sysmon and KQL
- Microsoft 365 Security
  - Why are Windows Defender AV logs so important and how to monitor them with Azure Sentinel?
- pat_h/to/file
  - Detecting Kernel Hooking using eBPF
- Rapid7
- Recorded Future
  - Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling
- SANS Internet Storm Center
  - DIY CD/DVD Destruction – Follow Up, (Sun, Jul 4th)
  - Python DLL Injection Check, (Tue, Jul 6th)
  - Microsoft Releases Patches for CVE-2021-34527, (Wed, Jul 7th)
  - Using Sudo with Python For More Security Controls, (Thu, Jul 8th)
  - Hancitor tries XLL as initial malware file, (Fri, Jul 9th)
  - Scanning for Microsoft Secure Socket Tunneling Protocol, (Sat, Jul 10th)
- Clément Notin at Tenable
  - Don’t make your SOC blind to Active Directory attacks: 5 surprising behaviors of Windows audit…
- Trend Micro
- Ashwin Vamshi at Uptycs
  - macOS: Bashed Apples of Shlayer and Bundlore
- Vicente Díaz at VirusTotal
  - Having the right tool for the job
UPCOMING WEBINARS/CONFERENCES
- HTCIA
  - Challenges in Modern Phone Forensics
- Magnet Forensics
  - July 15 11:30AM SGT // Tips & Tricks // Get to Evidence Faster with Media Explorer
PRESENTATIONS/PODCASTS
- AhmedS Kasmani
  - Analysis of AppleJeus Malware by Lazarus Group
- Anastasios Pingios
  - BSides Athens 2021: .GR TLD hijacking
- Black Hat
  - Fast Chat with Austin Murphy, CrowdStrike’s VP & GM, Falcon Complete
- Black Hills Information Security
- BSides Amman 2021
  - BSides Amman 2021
- Cisco’s Talos
  - Talos Takes Ep. #60: Everything you need to know about the Kaseya situation
- Digital Forensic Survival Podcast
  - DFSP # 281 – Fast Triage case study: persistence
- Dump-Guy Trickster
- Gerald Auger at Simply Cyber
  - Exactly How I Get Things Done (My Secret to Crushing Life)
- Iron Geek
  - OISF 2021 Videos
- Justin Tolman at AccessData
  - FTK Feature Focus – Episode 17 – New Features in FTK
- Magnet Forensics
- MalwareAficionado
  - Malware Analysis Fundamentals: Process Monitoring
- SANS
  - Q&A From the Executives and Ransomware: Stop, Collaborate, and Listen! Webcast
  - Why take FOR585: Smartphone Forensic Analysis In-Depth
  - Why take FOR585: Smartphone Forensic Analysis In-Depth OnDemand
  - FOR585: Smartphone Forensic Analysis In-Depth
  - STAR Webcast: Dissecting BadBlood: an Iranian APT Campaign
  - DFIR Summit 2021
  - What are the different roles in cybersecurity & how do you start? – FAQ w/ James Lyne, SANS Institute
  - Do you need to know programming to get into Cybersecurity? – FAQ w/ James Lyne, SANS Institute
  - Why Being a Destructive Architect is the Way Forward for Black in Tech
  - Ransomware and Healthcare: A Deadly Combination
- Sileniia
  - Introduction to Browser Forensics
- Watson Infosec
MALWARE
- 0verfl0w_ at 0ffset
  - New TA402/MOLERATS Malware – Decrypting .NET Reactor Strings
- Avast Threat Labs
  - Decoding Cobalt Strike: Understanding Payloads
- Ben Martin at Sucuri
  - Magecart Swiper Uses Unorthodox Concatenation
- CISA
  - MAR-10337802-1.v1: DarkSide Ransomware
- Zachary Bailey at Cofense
  - Extracting Pesky Chanitor DLLs
- Fernando Martinez at AlienVault Labs
  - Lazarus campaign TTPs and evolution
- Igor Skochinsky at Hex-Rays
  - Igor’s tip of the week #47: Hints in IDA
- Intezer
- Lab52
  - Quick review of Babuk ransomware builder
- Mahmoud Morsy
- Marco Ramilli
  - Babuk Ransomware: The Builder
- Kiran Raj & Kishan N at McAfee Labs
  - Zloader With a New Infection Technique
- S2W Lab
- Idan Weizman & Antonio Pirozzi at SentinelLabs
  - Conti Unpacked | Understanding Ransomware Development As a Response to Detection
- Joseph C Chen, Kenney Lu, Jaromir Horejsi, and Gloria Chen at Trend Micro
  - BIOPASS RAT: New Malware Sniffs Victims via Live Streaming
- Walmart
- Fernando Tavella and Matías Porolli at WeLiveSecurity
  - Bandidos at large: A spying campaign in Latin America
MISCELLANEOUS
- 4n6lady
  - Cybersecurity: The Path to Your Beginning (THM)
- Adam at Hexacorn
  - Wine tasting, again
- Marco Fontani at Amped
  - How Do I Play a Video Frame-by-Frame and Comment Relevant Stills?
- Belkasoft
  - Belkasoft Digital Forensics Survey 2021
- Binalyze
  - June 2021 Binalyze Product Updates
- Forensic Focus
- Anthony Giandomenico at Fortinet
  - 6 Important Best Practices for Preparing for Data Breaches and Security Incidents
- IntaForensics
  - How Lima v2.9 can improve productivity as well as profitability
- Lee Holmes at Precision Computing
  - PowerShell Cookbook 4th Edition Now Available!
- Magnet Forensics
  - New in AXIOM Cyber 5.2: Find Files and Folders During Remote Collection Faster Than Ever
  - Magnet AXIOM 5.2: Beta Available for Cross-Case Searches and More Facebook Public Data Acquisition
  - Cross-Case Searching for Tagged Identifiers in Project Prague Beta
  - Index Searching Endpoints for Targeted Collections
- MSAB
  - MSAB sales engineer awarded for his digital forensic work
- RiskIQ
  - Here’s How Much Threat Activity is in Each Internet Minute
- Barnaby Page at SentinelOne
  - Cyber Insurance: Navigating A Tough New World In the Age of Ransomware
- Tony Anscombe at WeLiveSecurity
  - Ransomware: To pay or not to pay? Legal or illegal? These are the questions …
- Yulia Samoteykina at Atola
SOFTWARE UPDATES
- AccessData
  - Forensic Tools 7.4.2 Service Pack 1
- AceLab
  - The New PC-3000 Mobile Software Update Ver. 1.4.5 is Available!
- Amped
  - Amped Replay Update 21282: Smart Processing, Detailed Reporting and Improved Format Support
- Apache Tika
  - Release 1.27 – 06/30/2021
- Atola
  - Atola Insight Forensic 5.0
- Binalyze
  - Release the DRONE!: Meet your 24/7 Available DFIR expert
- Cellebrite
  - Now Available: Cellebrite Digital Collector v3.2
- Didier Stevens
  - New Tool: texteditor.py
- EclecticIQ
  - Introducing EclecticIQ Endpoint Response 3.0
- Eric Zimmerman
  - ChangeLog
- ExifTool
  - ExifTool 12.29
- Foxton Forensics
  - Browser History Examiner — Version History – Version 1.16.3
- MISP
  - MISP 2.4.145 and 2.4.146 released (Improved warning-lists)
- radare2
  - 5.4.0
- Security Onion
  - Security Onion 2.3.60 Heavy Node Hotfix
- Yarp
  - 1.0.32
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!