Thanks to everyone that voted for this site for “Resource of the Year”. Congratulations to all of the winners!
2021 Forensic 4:cast Awards – Results

---

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Alexis Brignoni at ‘Initialization Vectors’
  vLEAPP – Vehicle Logs Events And Properties Parser
  
  
• Howie Shia at Amnesty International
  Forensic Methodology Report: How to catch NSO Group’s Pegasus
  
  
• Bill Marczak, John Scott-Railton, Siena Anstis, and Ron Deibert at The Citizen Lab
  Independent Peer Review of Amnesty International’s Forensic Methods for Identifying Pegasus Spyware
  
  
• Hal Pomeranz
  Intro to SELinux
  
  
• Bob Rudis
  Packet Maze: Solving a CyberDefenders PCAP Puzzle with R, Zeek, and tshark
  
  
• The DFIR Report
  IcedID and Cobalt Strike vs Antivirus
  
  
• Wietze Beukema
  Windows Command-Line Obfuscation
  
  

THREAT INTELLIGENCE/HUNTING

• HiveNightmare
  • SAM Database Accessible To Non-Admins In Windows 10
  • HiveNightmare / SeriousSAM (CVE-2021-36934)
  • Security Advisory Regarding HiveNightmare
  • #HiveNightmare aka #SeriousSAM — anybody can read the registry in Windows 10
  • HiveNightmare zero-day lets anyone be SYSTEM on Windows 10 and 11
  • Microsoft SAM File Readability CVE-2021-36934: What You Need to Know
  • HiveNightmare aka SeriousSAM vulnerability : what to do
  • HiveNightmare a.k.a. SeriousSam Local Privilege Escalation in Windows
    
    
• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  How to check Pegasus Spyware on your iPhone
  
  
• Anomali
  Anomali Cyber Watch: China Blamed for Microsoft Exchange Attacks, Israeli Cyber Surveillance Companies Help Oppressive Governments, and More
  
  
• Austin Songer
  • Elastic Detection CLI — Docker Image
  • How to send Wazuh Alerts to JIRA
    
    
• Ben Martin at Sucuri
  Vulnerable Plugin Exploited in Spam Redirect Campaign
  
  
• Brad Duncan at Malware Traffic Analysis
  2021-07-21 – TA551 (Shathak) BazarLoader with  Cobalt Strike
  
  
• CERT-AGID
  • Sintesi riepilogativa delle campagne malevole nella settimana del 10 – 16 luglio 2021
  • Sintesi riepilogativa delle campagne malevole nella settimana del 17 – 23 luglio 2021
    
    
• CERT-FR
  CERTFR-2021-IOC-003 : 🇫🇷/🇬🇧  Campagne d’attaque du mode opératoire APT31 ciblant la France (21 juillet 2021)
  
  
• Check Point Research
  • 19th July – Threat Intelligence Report
  • Top prevalent malware with a thousand campaigns migrates to macOS
    
    
• Cisco’s Talos
  • Threat Source newsletter (July 22, 2021)
  • Security implications of misconfigurations
  • Threat Roundup for July 16 to July 23
    
    
• Shimon Noam Oren at Deep Instinct
  2021 Mid-Year Cyber Threat Landscape Report
  
  
• Dragos
  • MITRE Engenuity ATT&CK Evaluations for ICS – Results Released
  • How to Interpret the Results of the MITRE Engenuity ATT&CK® Evaluations for ICS
    
    
• Elliptic
  REvil Revealed – Tracking a Ransomware Negotiation and Payment
  
  
• Kyle Pellett, Ryan Gott, Tyler Fornes and Evan Reichard at Expel
  Incident report: Spotting SocGholish WordPress injection
  
  
• Gijs Hollestelle ​at Falcon Force
  FalconFriday — Direct system calls and Cobalt Strike BOFs — 0xFF14
  
  
• Roberto Martinez and Anton Ushakov at Group-IB
  The Fraud Family
  
  
• Ryan Robinson and Nicole Fishbein at Intezer
  New Attacks on Kubernetes via Misconfigured Argo Workflows
  
  
• Jonathan Johnson
  Dataset Prioritization
  
  
• Scythe
  • SCYTHE Presents: Beachhead Access in Industrial Control Systems
  • SCYTHE Presents: Gravwell Integration with SCYTHE
  • SCYTHE Presents: You can’t detect 0-day exploits but… you can detect what happens next
  • SCYTHE Presents: Malicious Uses of Blockchains
    
    
• Chris Hall at Lacework
  Threat Research with Snowflake & VirusTotal
  
  
• Malwarebytes Labs
  • StopRansomware.gov brings together information on stopping and surviving ransomware attacks
  • Pegasus spyware has been here for years. We must stop ignoring it
  • The life and death of the ZeuS Trojan
    
    
• Mehmet Ergene
  Implementing RITA using KQL
  
  
• Michael Haag
  Suricata…. for Windows
  
  
• Michael Koczwara
  Cobalt Strike Hunting — simple PCAP and Beacon Analysis
  
  
• Microsoft 365 Security
  Everything about Service Principals, Applications, and API Permissions
  
  
• Microsoft Security
  When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure
  
  
• MITRE-Engenuity
  • ATT&CK Evaluations for ICS — Round 1 TRITON Results
  • The evolution of a matrix: How ATT&CK for Containers was built
    
    
• National Security Agency
  NSA,  CISA, and FBI detail Chinese State-Sponsored Actions, Mitigations
  
  
• Nocte Defensor
  Sysmon  Detection Rules, Playbooks, and Alerts
  
  
• PhishLabs
  • Threat Evasion Techniques: Restricting by Location
  • Qbot Leads Payload Volume in Q2
    
    
• Ekaterina Kilyusheva at Positive Technologies
  How to detect a cyberattack and prevent money theft
  
  
• Matt Lombana at Praetorian
  Threat Intelligence: Tools for Making Your Blue Team Smarter
  
  
• Proofpoint
  New Threat Actor Uses Spanish Language Lures to Distribute Seldom Observed Bandook Malware
  
  
• Daniel Smith at Radware
  Why Understanding Cyber Criminals Behavior and Tools is Vital
  
  
• Red Alert
  Domains for fake websites related to Tokyo Olympic
  
  
• Rory Wagner
  Threat Intelligence & Intrusion Analysis
  
  
• SANS Internet Storm Center
  • Summer of SAM – incorrect permissions on Windows 10/11 hives, (Tue, Jul 20th)
  • New Windows Print Spooler Vulnerability – CVE-2021-34481, (Mon, Jul 19th)
  • Lost in the Cloud: Akamai DNS Outage, (Thu, Jul 22nd)
  • Uncovering Shenanigans in an IP Address Block via Hurricane Electric’s BGP Toolkit (II), (Fri, Jul 23rd)
  • Agent.Tesla Dropped via a .daa Image and Talking to Telegram, (Sat, Jul 24th)
  • Active Directory Certificate Services (ADCS – PKI) domain admin vulnerability, (Sat, Jul 24th)
    
    
• Secureworks
  Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran
  
  
• Security Investigation
  • Magecart Attack – Incident Investigation and The Key Takeaways
  • How to Detect Privilege Escalation Attacks and UAC Bypass on Windows
  • Google Cloud Scale Threat Detection using Chronicle
  • Credential Stuffing Attack Prevention and Detections
    
    
• Travis Green
  Behavorial xbits with Suricata
  
  
• Trend Micro
  TeamTNT Campaigns Emphasize Importance of Addressing Cloud Security Gaps
  
  
• Vishal Thakur
  Malware Tracker — 2nd Edn July 21
  
  
• Lukas Stefanko at WeLiveSecurity
  Some URL shortener services distribute Android malware, including banking or SMS trojans
  
  

UPCOMING EVENTS

• Black Hills Information Security
  DevOps for Hackers with Hands-On Labs w/ Ralph May (4-Hour Workshop)
  
  
• Matt “Rudy” Benton at MaverisLabs
  Digital Marathon (An Olympics OSINT CTF)
  
  
• SANS Institute
  • SANS Cyber Solutions Fest – Level MITRE ATT&ACK®
  • SANS Threat Analysis Rundown – Kaseya VSA attack
    
    

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  • Vehicle Digital Forensics – How to access logical files in a QNX partition
  • vLEAPP usage run.
    
    
• Black Hat
  • Incident Response With Wendi Whitmore
  • Understanding the Threat Landscape With Juan Andres Guerrero-Saade of SentinelLabs
  • Diverse Perspectives in Threat Intelligence
    
    
• Black Hills Information Security
  • BHIS | Talkin’ Bout News 2021-07-19
  • Talkin’ About Infosec News – 7/21/2021
  • Webcast: No SPAN Port? No Tap? No Problem!
    
    
• Breaking Badness
  Voices from Infosec with Paul Vixie
  
  
• Bret Witt
  • DFIR – Ransomware Attack
  • ThreatGEN Red vs Blue – Blue 001
    
    
• Cellebrite
  • Learn tricks on how to navigate and search for artifacts of interest in Cellebrite Physical Analyzer
  • Learn more about our latest resource – The Pathfinder Master Class
  • App Categorization can be built into Cellebrite UFED with the proper settings enabled.
  • Learn more about our Cellebrite Certified Mobile Examiner course
  • Leverage the Cross Case analysis in Pathfinder to find the missing link across multiple cases.
    
    
• Check Point Research
  Cyber Academy – Botnets
  
  
• Cisco’s Talos
  Talos Takes Ep: #62: Don’t sleep on business email compromise
  
  
• Cyber Security Interviews
  #122 – Leeann Nicolo: Go For It
  
  
• Day Cyberwox
  • One Year as a Cybersecurity Content Creator on YouTube
  • How I Failed The CompTIA CySA+
    
    
• Didier Stevens
  • dnsresolver.py: 1 Intro
  • dnsresolver.py: 2 wildcard Command
  • dnsresolver.py: 3 rcode Command
  • dnsresolver.py: 4 resolve Command
  • dnsresolver.py: 5 payload Command
    
    
• Digital Forensic Survival Podcast
  DFSP # 283 – CSA Cloud Threats 5
  
  
• Dump-Guy Trickster
  HiveNightmare – Bug in ACLs of Registry Hives
  
  
• FIRST
  Using Yara & Strelka to Identify & Detect Malware
  
  
• Gerald Auger at Simply Cyber
  Making Sure Your First Cybersecurity Job Isn’t A SCAM
  
  
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 19 – Search Result Reports Using Labels
  
  
• OALabs
  Warzone RAT Config Extraction With Python and IDA Pro
  
  
• Phoenix Cast
  Digital Forensics with Jared Luebbert
  
  
• Positivity Blue Team
  Being Compliant
  
  
• The Lost Bots
  [The Lost Bots] Episode 1: External Threat Intelligence
  
  
• Richard Davis at 13Cubed
  Let’s Talk About Shimcache – The Most Misunderstood Artifact
  
  
• The Digital Forensics Files Podcast
  Patrick Eller of Metadata Forensics Joins Tyler Hatch of DFI Forensics
  
  
• Velocidex Enterprises
  Velociraptor Deep Dive Workshop DFRWS
  
  
• Vitaliy Mokosiy
  Our team talks about new Atola Insight Forensic hardware
  
  

MALWARE

• Topotam
  PetitPotam
  
  
• Binary Defense
  Mars-Deimos: From Jupiter to Mars and Back again (Part Two)
  
  
• BushidoToken
  Attack campaign analysis and interdiction: Async RAT
  
  
• CERT-AGID
  Individuato malware FickerStealer veicolato tramite campagna Hancitor
  
  
• CISA Analysis Reports
  • MAR-10338868-1.v1: Pulse Connect Secure
  • MAR-10334057-1.v1: Pulse Secure Connect
  • MAR-10338401-1.v1: Pulse Connect Secure
  • MAR-10336935-1.v1: Pulse Connect Secure
  • MAR-10336161-1.v1: Pulse Connect Secure
  • MAR-10334587-1.v1: Pulse Connect Secure
  • MAR-10335467-1.v1: Pulse Connect Secure
  • MAR-10337580-1.v1: Pulse Connect Secure
  • MAR-10334057-2.v1: Pulse Connect Secure
  • MAR-10334587-2.v1: Pulse Connect Secure
  • MAR-10333243-1.v1: Pulse Connect Secure
    
    
• Elmer Hernandez at Cofense
  HTA Files Distributed as Fake Chrome Patches for CVE-2021-30554
  
  
• Aspen Lindblom, Joseph Goodwin, and Chris Sheldon at CrowdStrike
  Shlayer Malvertising Campaigns Still Using Flash Update Disguise
  
  
• Fortinet
  • Signed, Sealed, and Delivered – Signed XLL File Delivers Buer Loader
  • Fresh Malware Hunts for Crypto Wallet and Credentials
    
    
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #49: Navigation band
  
  
• Dmitry Melikov at InQuest
  IcedID: 07.07.21
  
  
• Itai Tevet at Intezer
  Reimagining the Malware Analysis Experience
  
  
• Mahmoud Morsy
  • IOCs 21_7_2021
  • Phishing Attacks 21_7_2021
  • IOCs 23_7_2021
  • Phishing Attacks 23_7_2021
    
    
• Malwarebytes Labs
  • Remcos RAT delivered via Visual Basic
  • AvosLocker enters the ransomware scene, asks for partners
    
    
• Mark Lim at Palo Alto Networks
  Evade Sandboxes With a Single Bit – the Trap Flag
  
  
• Talon at S2WLAB
  Quick analysis of Haron Ransomware (feat. Avaddon and Thanos)
  
  
• Sean Gallagher and Andrew Brandt at Sophos
  Malware increasingly targets Discord for abuse
  
  
• Trend Micro
  • StrongPity APT Group Deploys Android Malware for the First Time
  • Updated XCSSET Malware Targets Telegram, Other Apps
    
    
• Viral Gandhi at ZScaler
  Joker Joking in Google Play
  
  

MISCELLANEOUS

• Anton Chuvakin
  New Paper: “Autonomic Security Operations — 10X Transformation of the Security Operations Center”
  
  
• Didier Stevens
  Using SeBackupPrivilege With Python
  
  
• Garry Dukes at DME Forensics
  Feature Focus: Search, Scan, & Filter in DVR Examiner 3
  
  
• Dragos
  • Dragos CEO’s Congressional Testimony on “The Growing Threat of Ransomware”
  • The Dragos Platform – Now With Vulnerability Management
    
    
• Forensic Focus
  • Forensic Focus Legal Update July 2021: Reliability And Credibility Of Digital Evidence
  • How To Use The Updated Oxygen Forensic SQLite Viewer
  • Back On The Beach: Recapping Techno Security Myrtle Beach 2021
    
    
• Kim Zetter at ‘Zero Day’
  The NSO “Surveillance List”: What It Is and Isn’t
  
  
• MacroSEC
  Building A Basic Active Directory Lab
  
  
• Marco Fontani at Amped
  How Can I Correct a Stretched Video That Has Half of the Lines?
  
  
• Red Canary
  Practical recommendations and actionable steps to improve your organization’s security today
  
  
• SANS
  • Transition to Cyber Security From a Non-Cyber Role
  • SANS+HBCU Live Streams
  • ICS Threat Hunting – “They’re Shootin’ at the Lights!” – PART 1
  • DFIR Live Training Special 2021 – SAVE THE DATE
  • 2021 SANS Security Awareness Planning Kit
  • A Visual Summary of SANS DFIR Summit 2021
    
    
• Securizame
  Nuevo curso online++: DFIR y Análisis Forense en Redes
  
  
• Thomas Roccia
  Anatomy of Sigma rule
  
  
• Velociraptor
  2021 Velociraptor Contributor Competition
  
  

SOFTWARE UPDATES

• Apache Tika
  Release 2.0.0 – 07/07/2021
  
  
• Elastic
  Elastic Stack 7.13.4 released
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Fire Eye Threat Research
  capa 2.0: Better, Faster, Stronger
  
  
• Yogesh Khatri
  mac_apt 20210722
  
  
• Megan Roddie
  Google Workspace DFIR Tool
  
  
• Costas K
  MFTBrowser.exe (x64) v.0.0.20.0
  
  
• Mihari
  v3.2.0
  
  
• regipy
  2.0.1: Merge pull request #180 from ravenexp/master
  
  
• Security Onion
  Security Onion 2.3.61 Now Available!
  
  
• Vishal Thakur
  Varg — Payload Decryptor
  
  
• Xways
  X-Ways Forensics 20.3 Release
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!