Last week to get your votes in for the Forensic 4Cast Awards! If you haven’t voted yet, you can votes here: don’t delay!

While I would love to win an award again, getting nominated as a top resource for the community is definitely something to be proud of (this will be my fifth year getting nominated). The nomination and every vote is very much appreciated 🙂

---

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Ali Hadi
  Linux Forensics
  
  
• Data Forensics
  • Instigate SQL Log Forensics Investigation Via SQL Server Log Analyzer
  • How to View Transaction Logs in SQL Server? All the Details
  • SQL Server Forensics To Carve Evidence From SQL Server MDF Database
    
    
• Forensafe
  • Investigating Windows Recycle Bin
  • Solving Injector Challenge with ArtiFast Windows
    
    
• InfoSec Write-ups
  PacketMaze Pcap Analysis Walkthrough
  
  
• Jonathan Greig at Open Source DFIR
  Windows Container Forensics
  
  
• Alex Ionescu at Praetorian
  Email Security (SPF, DKIM, and DMARC)
  
  
• Seif Shalaby at 0xSh3rl0ck
  Africa DFIR CTF Week 1
  
  

THREAT INTELLIGENCE/HUNTING

• Yelisey Boguslavskiy & AdvIntel Security & Development Team
  REvil Vanishes From Underground – Infrastructure Down
  
  
• Chris Sestito at Agari
  Catching Lookalike Domains with Image-Based Analysis
  
  
• Anomali
  • Anomali Cyber Watch: Global Phishing Campaign, Magecart Data Theft, New APT Group, and More
  • Cyber Threat Intelligence Combined with MITRE ATT&CK Provides Strategic Advantage over Cyber Threats
    
    
• Atomic Matryoshka
  Process Injection: Malware Lurking in the Shadows of Legitimate Programs (Part 1)
  
  
• Austin Songer
  How to send Wazuh Alerts to JIRA
  
  
• Gary Golomb at Awake Security
  Kaseya Supply Chain Breach – Threat Detection and Investigation with the Awake Security Platform
  
  
• Julian Gonzalez at Azure Sentinel
  Watchlist is now Generally Available
  
  
• Black Lantern Security
  Threat Matrices
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2021-07-12 – Trickbot gtag rob106
  • 2021-07-15 – TA551 (Shathak) Trickbot gtag zev1 with Cobalt Strike
    
    
• Cado Security
  • Triage analysis of Serv-U FTP user backdoor deployed by CVE-2021-35211
  • Resources for Investigating Cloud and Container Penetration Testing Tools
    
    
• Derek Abdine at Censys
  CVE-2021-35211: SolarWinds Serv-U  Active Exploitation
  
  
• Check Point Research
  • 12th July – Threat Intelligence Report
  • June 2021’s Most Wanted Malware: Trickbot Remains on Top
    
    
• Cisco’s Talos
  • Following the Money: Comparing cryptocurrency value to illicit mining activity
  • Threat Roundup for July 9 to July 16
  • Threat Source newsletter (July 15, 2021)
    
    
• CrowdStrike
  • Microsoft’s Incomplete Patch: Ongoing PrintNightmare for CVE-2021-1675, CVE-2021-34527
  • July 2021 Patch Tuesday: Greatest Number of Updates for Ongoing Zero-Day Vulnerabilities Year-to-Date
    
    
• Cyberint
  SonicWall SMA/SRA Ransomware Infection Vector
  
  
• Daniel Wyleczuk-Stern
  Azure Flow Log Analysis
  
  
• Justin Fier at Darktrace
  Egregor ransomware: Gone but not forgotten
  
  
• Tom at DefaultCredentials
  PowerShell for Rapid Incident Response – Process Enumeration (Part One)
  
  
• Sergio Caltagirone at Dragos
  2021 MITRE ATT&CK for ICS Evaluation Results Coming Soon
  
  
• EclecticIQ
  • Kaseya-MSP clients remain at very high risk of further targeted attacks
  • It’s Official: STIX & TAXII 2.1 Are Here!
  • Ransom Demands Hit a New Monetary Milestone
    
    
• Boris Taratine at Farsight Security
  Hunting for synthetic substances using DNSDB Search
  
  
• Flashpoint
  REvil Is Down, Not Out
  
  
• Maddie Stone and Clement Lecigne at Google Threat Analysis Group
  How we protect users from 0-day attacks
  
  
• Huntress
  Experts Weigh in on the State of Email-Based Threats
  
  
• Avigayil Mechtinger at Intezer
  Targeted Phishing Attack against Ukrainian Government Expands to Georgia
  
  
• Jan Geisbauer at Empty Datacenter
  hunting phish
  
  
• Scythe
  • SCYTHE Presents: Exfiltration Over Alternative Protocol
  • SCYTHE Presents: SCYTHE provides new insights on Vulnerability Assessments  in TAG Cybers New Report
    
    
• George Karantzas and Constantinos Patsakis at ‘Journal of Cybersecurity and Privacy’
  An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors
  
  
• Yuma Masubuchi at JPCERT/CC
  Attack Exploiting XSS Vulnerability in E-commerce Websites
  
  
• Krishna Sai Marella
  Splunk and using to set up a detection lab
  
  
• Malwarebytes Labs
  • SonicWall warns users of “imminent ransomware campaign”
  • Ransomware’s Russia problem
    
    
• MDSec
  Investigating a Suspicious Service
  
  
• Microsoft 365 Security
  What I’ve learned from doing a year of Cloud Forensics in Azure AD?
  
  
• Microsoft Security
  • Microsoft to acquire RiskIQ to strengthen cybersecurity of digital transformation and hybrid work
  • Microsoft discovers threat actor targeting SolarWinds Serv-U software with 0-day exploit
  • Microsoft delivers comprehensive solution to battle rise in consent phishing emails
    
    
• Matthew Green and Mike Cohen at Velocidex
  Velociraptor vs. PrintNightmare
  
  
• Frank Duff at MITRE-Engenuity
  Making Sense of ATT&CK Evaluations Data: Who Really Won and How to Avoid Common Pitfalls
  
  
• NCC Group Research
  • NCC Group Research at Black Hat USA 2021 and DEF CON 29
  • Detecting and Hunting for the Malicious NetFilter Driver
  • CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1
    
    
• James Robinson and Nathan Smolenski at Netskope
  How to Build Your Cyber Crystal Ball Using Step-by-Step, Systematically Modeled Threats
  
  
• Nicolas Bareil at ‘Just Another Geek’
  Detecting Golden Ticket attacks
  
  
• Palo Alto Networks
  • Diagnosing the Ransomware Deployment Protocol (RDP)
  • Mespinoza Ransomware Gang Calls Victims “Partners,” Attacks with Gasket, “MagicSocks” Tools
  • Threat Brief: Windows Print Spooler RCE Vulnerability (CVE-2021-34527 AKA PrintNightmare)
    
    
• Proofpoint
  Operation SpoofedScholars: A Conversation with TA453
  
  
• Brian Donohue at Red Canary
  Atomic Red Team adds tests for cloud and containers
  
  
• RiskIQ
  Taking a Closer Look at a Malicious Infrastructure Mogul
  
  
• Hyunmin Suh at S2W Lab
  W3 July | EN | Story of the week: Ransomware on the Darkweb
  
  
• SANS Internet Storm Center
  • One way to fail at malspam – give recipients the wrong password for an encrypted attachment , (Wed, Jul 14th)
  • USPS Phishing Using Telegram to Collect Data, (Tue, Jul 13th)
  • Multiple BaseXX  Obfuscations, (Fri, Jul 16th)
  • BASE85 Decoding With base64dump.py, (Sat, Jul 17th)
  • Video: CyberChef BASE85 Decoding, (Sun, Jul 18th)
    
    
• Mark Lechtik, Paul Rascagneres, and Aseel Kayal at Securelist
  LuminousMoth APT: Sweeping attacks for the chosen few
  
  
• Secureworks
  • Incident Response preparation phase in cybersecurity
  • Threat Hunting Principles
    
    
• Security Investigation
  • Threat Hunting using Sysmon – Advanced Log Analysis for Windows
  • Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes
  • Malware Hiding Techniques in Windows Operating System
  • APT-Hunter – Threat Hunting Tool For Windows Event Logs
  • Timeline Explorer – Tool For Incident Responders and Malware Analyst
    
    
• SentinelOne
  • How to Defeat Adversaries With Real-Time Cyber Threat Intelligence
  • PrintNightmare | Latest Patch Almost Puts Microsoft Vulnerability to Bed
    
    
• Thomas Roccia
  Security Highlight #4
  
  
• Jon Clay at Trend Micro
  Survey: Phishing & Ransomware Attacks are Top Concerns
  
  
• Alexander Andersson at Truesec
  How the Kaseya VSA Zero Day Exploit Worked
  
  
• ZecOps
  Threat Actors are Working Together. Defenders Should Collaborate Too!
  
  
• Deepen Desai at ZScaler
  ThreatLabZ June 2021 Report: Deconstructing Kaseya Supply-Chain Attack and the Minebridge RAT Campaign
  
  

UPCOMING EVENTS

• Cybereason
  CISO Roundtable: Ransomware Attacks and the True Cost to Business
  
  
• Magnet Forensics
  July 22 11:00AM ET // Tips & Tricks // Get Your OSINT with Public Social Media Data
  
  
• NinjaRMM
  Jurassic SOC
  
  
• PhishLabs
  Webinar: Q2 2021 Threat Trends & Intelligence
  
  
• VetSec
  VetSec, Inc. Announces VetSecCon 2021!
  
  

PRESENTATIONS/PODCASTS

• Me! (Apologies for the audio quality)
  Getting started in DFIR: Testing 1,2,3
  
  
• Archan Choudhury at BlackPerl
  • Incident Response Automation using The Fastest & Most Complete Enterprise Forensics Suite- Binalyze
  • DFIR Talk Show- Join the Bridge & Talk to me | Day- 1
    
    
• Black Hills Information Security
  • Talkin’ About Infosec News – 7/6/2021
  • The Birth of PreShowBanterCon-A-Thon 2021!™
  • Webcast: How to Build a Phishing Engagement – Coding TTP’s
  • BHIS | [Post]Show Banter™ — Job Hunting with Jason Blanchard
  • BHIS | No SPAN Port? No Tap? No Problem! – John Strand
  • Talkin’ About Infosec News – 7/12/2021
  • BHIS | PreShow Banter™ — Chopped Banter
    
    
• Breaking Badness
  91. When Security Hits a Rough Patch
  
  
• Bret Witt
  • DFIR – HTTP Basic Auth.
  • DFIR – Disclose The Agent
  • DFIR – Shellshock Attack
  • DFIR – Port Scan Activity
    
    
• Check Point Research
  Cyber Academy – Viruses, Worms and Trojans Iframe
  
  
• Cisco’s Talos
  Talos Takes Ep: #61: SideCopy sounds so familiar, but I just can’t put my finger on it…
  
  
• Cyber Threat Intelligence Training Center
  BorderlessCyber Conference Session
  
  
• Didier Stevens
  Adding BASE85 To basedump64.py
  
  
• Digital Forensic Survival Podcast
  DFSP # 282 – Lateral MM Fast Triage
  
  
• Dump-Guy Trickster
  • Fast API resolving of REvil Ransomware related to Kaseya attack
  • Dancing with COM – Deep dive into understanding Component Object Model
    
    
• Griffeye
  Webinar: A walkthrough of the new interface and features in Analyze 21.1
  
  
• John Hammond
  • JScript Deobfuscation – More WSHRAT (Malware Analysis)
  • Discussion: Technical Assessment of AV/EDR Effectiveness
    
    
• Scythe
  SCYTHE Presents: Attack, Detect, and Respond a UniChat with Ed Amoroso and Bryson Bort
  
  
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 18 – Creating Indexed File Reports
  
  
• Lee Reiber’s Forensic Happy Hour
  Oxygen Forensics Episode 210
  
  
• Magnet Forensics
  • Magnet AUTOMATE 2.12: Streamline Your Mobile Workflows with Watch Folders Merge
  • Magnet ATLAS: Advanced Integration with Magnet AUTOMATE and Magnet REVIEW
    
    
• MSAB
  XAMN Investigates: Part Three
  
  
• SANS Institute
  • SANS Cyber Solutions Fest – Level SOC & SOAR
  • Transition to Cyber Security From a Non-Cyber Role: Creative Ways to Land Your Dream Cyber Role
    
    
• SecurityNinja
  SOC109 – Emotet Malware Detected
  
  
• StealthBay
  Podcast Episode 1 – Starting Your Cyber Security Career
  
  
• WolfCast
  WolfCast – Episode 04 – Recruitment – Quest for Knowledge
  
  

MALWARE

• Ryan Blevins at Any.Run
  Introduction to Malware Analysis
  
  
• Kryptos Logic
  Adjusting the Anchor
  
  
• Cofense
  • Nested Archives Help to Evade SEGs and Deliver BazarBackdoor
  • Hat Trick: Office Macros, VBS and CVEs highlight TrickBot’s June Debut
    
    
• Cryptax
  • Investigating Android malware with Pithus
  • A basic / test locker for Android
    
    
• Cybereason
  Cybereason vs. Prometheus Ransomware
  
  
• Raul Alvarez at Fortinet
  DLL Side-Loading Technique Used in the Recent Kaseya Ransomware Attack
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #48: Searching in IDA
  
  
• Karlo Licudine at AccidentalRebel
  Making a RAT
  
  
• Krishna Sai Marella
  Ransomware but as a PowerShell script- Analysing Fileless malware
  
  
• Mahmoud Morsy
  • Phishing Attacks 11_7_2021
  • IOCs 11_7_2021
    
    
• Marcus Edmonson at ‘Data Analytics & Security’
  To Catch a Hacker in My Home Lab
  
  
• Varadharajan Krishnasamy, Karthickkumar, and Sakshi Jaiswal at McAfee Labs
  REvil Ransomware Uses DLL Sideloading
  
  
• McHugh Security
  Building CCCS’ AssemblyLine for Static Analysis
  
  
• Microsoft Security
  Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware
  
  
• Nikhil Rathor at 0xthreatintel
  Analyzing SilentMoon — Turla Trojan!
  
  
• nullteilerfrei
  Install Ghidra 10.0.1 on Ubuntu 20
  
  
• Robert Simmons at ReversingLabs
  Data Exfiltrator
  
  
• Jaeki Kim at S2W Lab
  Matryoshka : Variant of ROKRAT, APT37 (Scarcruft)
  
  
• Sally Adam at Sophos
  The State of Ransomware in Education 2021
  
  
• Avinash Kumar at ZScaler
  Targeted Attack on Government Organizations Delivers Netwire RAT
  
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 7/15/2021
  
  
• Vitaliy Mokosiy
  How we built DiskSense 2 for Atola Insight Forensic
  
  
• Amina Zilic at Binalyze
  The Fourth Step to Forensic Readiness: Secure Evidence Collection
  
  
• Cellebrite
  • 2021 Digital Intelligence Benchmark Report
  • 2021 Digital Intelligence Benchmark Report: Despite Lockdown Drop in Crime, Investigations Still Slowed by Digital Evidence
  • Cellebrite’s Been Nominated for 11 Forensic 4:Cast Awards
    
    
• Didier Stevens
  sysmon’s DNS QueryStatus Field
  
  
• Elastic
  • Free training fundamentals courses from Elastic Enterprise Search
  • How does search solve data problems?
    
    
• Robert Graham at Errata Security
  Ransomware: Quis custodiet ipsos custodes
  
  
• Tegan Parsons at First Response
  CaseNotes – An Interview with John Douglas
  
  
• Forensic Focus
  • Register For Webinar: Selecting The Best Hardware-Based Forensic Imager To Streamline The Evidence Collection Process
  • 2021 2Q MD-Series Release Note Highlights
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  Explainer: Property lists and preferences
  
  
• IntaForensics
  Everything you need to know about Payment Card Forensic Investigations (PFI)
  
  
• Keysight
  • Looking Into QUIC Packets in your Network
  • Road To QUIC
    
    
• Magnet Forensics
  See What’s New in the Magnet Digital Investigation Suite
  
  
• Marco Fontani at Amped
  How Do I Correct a Jaggy (Interlaced) Video?
  
  
• Maxim Suhanov
  Playing with case-insensitive file names
  
  
• Nik Alleyne at ‘Security Nik’
  • Continuing Linux Kernel Development – Learning about processes information
  • Continuing Linux Kernel Development – My second Linux Kernel Module (LKM) – Adding parameters
  • Beginning Linux Kernel Development – My First Linux Kernel Module (LKM) – Hello World
  • Beginning Function Calls Hooking via LD_PRELOAD Environment Variable
    
    
• Oxygen Forensics
  Work Smarter with New Smart Filters in Oxygen Forensic® Detective
  
  
• Passware
  New Articles on the Passware Knowledge Base
  
  
• Patrick J. Siewert at ‘Pro Digital Forensic Consulting’
  Three Myths About Digital Forensics as a Practice
  
  
• Kathy Collins at Professionally Evil Insights
  A New Consultant’s 1st Con – Wild West Hackin Fest – Way West 2021
  
  
• Jean Maes at Red Team Tips
  The importance of personal branding and networking
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — July 11 to July 17
  
  
• SANS
  • Instructor Spotlight: Jason Fossen for SEC505 PowerShell
  • Why You Need Automation to Achieve Compliance in the Cloud – Part 1
  • Introduction to ICS Security Part 2
  • To the Moon! Skyrocket Your Cyber Career with Continuous Education
    
    
• SentinelOne
  Top 50 Subreddits for Cybersecurity and Infosec
  
  
• John Patzakis at X1
  Pre-Collection Keyword Searches: Where Angels May Fear to Tread but Not Attorneys with the Right eDiscovery Software
  
  
• Yulia Samoteykina at Atola
  The Story of Atola Insight hardware
  
  

SOFTWARE UPDATES

• Arsenal
  Sdba Parser
  
  
• Didier Stevens
  • Update: FileScanner Version 0.0.0.7
  • New Tool: dnsresolver.py
  • Update: base64dump.py Version 0.0.16
    
    
• Elcomsoft
  • Elcomsoft Phone Viewer 5.31 update previews OneDrive deleted files metadata
  • Updated Elcomsoft iOS Forensic Toolkit Simplifies macOS Installs, Fixes Corrupted File System Extraction
  • iOS Forensic Toolkit 7.02 simplifies macOS installations, fixes corrupted file system extraction
    
    
• Eric Zimmerman
  ChangeLog
  
  
• Event Log Explorer
  Check out @eventlogxp’s tweet
  
  
• Yogesh Khatri
  20210717
  
  
• Costas K
  MFTBrowser.exe (x64) v.0.0.19.0
  
  
• Mihari
  v3.1.0
  
  
• PassiveDNS
  PassiveDNS
  
  
• Security Onion
  Security Onion 2.3.60 Filebeat Pipeline Hotfix
  
  
• Xways
  X-Ways Forensics 20.3 Beta 4
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!