Lee has opened up nominations for the 2022 Forensic 4Cast Awards. This means that people can start nominating folks this year!
2022 Forensic 4:cast Awards – Nominations are Open!

---

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Bob Rudis
  Acoustic: Solving a CyberDefenders PCAP SIP/RTP Challenge with R, Zeek, tshark (& friends)
  
  
• DFIR Review
  Missing SQLite Records Analysis
  
  
• Forensafe
  • Investigating Brave Web Browser
  • Investigating OpenSaveMRU
    
    
• InfoSec Write-ups
  Wireshark 101 Walkthrough (Tryhackme)
  
  
• Joshua Hickman at ‘The Binary Hick’
  Today, Widgets, & Ignored Apps in iOS
  
  
• Magnet Forensics
  • Investigating a Ransomware Attack Using Magnet AXIOM Cyber
  • Examining Twitter Warrant Returns with AXIOM
  • Why Only Working with Logical Images Isn’t Always Logical
    
    
• Marco Fontani at Amped
  How Do I Fix the Aspect Ratio of a Video and Avoid Objects Being Stretched?
  
  
• Khris Tolbert at MaverisLabs
  Decrypting SMB3 Traffic with just a PCAP? Absolutely (maybe.)
  
  
• Mike at ØSecurity
  Super Timeline Quick Reference
  
  
• Sumuri
  RECON ITR plus RECON LAB
  
  

THREAT INTELLIGENCE/HUNTING

• 360 Threat Intelligence Center
  Summary of Kimsuky’s secret stealing activities in the first half of 2021
  
  
• Anomali
  Anomali Cyber Watch: APT31 Targeting French Home Routers, Multiple Microsoft Vulnerabilities, StrongPity Deploys Android Malware, and More
  
  
• Anton Chuvakin
  How to Make Threat Detection Better?
  
  
• Antonio Piazza
  Acting Red — Seeing Blue
  
  
• Atomic Matryoshka
  Process Injection: Malware Lurking in the Shadows of Legitimate Programs (Part 2)
  
  
• Azure Sentinel
  • Integrating SIEM + XDR:  Azure Sentinel and Azure Defender bi-directional incident sync
  • Microsoft Threat Intelligence Matching Analytics
  • Software Defined Monitoring – Using Automated Notebooks and Azure Sentinel to Improve Sec Ops
    
    
• Ben Martin at Sucuri
  Stylish Magento Card Stealer loads Without Script Tags
  
  
• Matthew Warner at Blumira
  NTLM Relay Attack PetitPotam Targets AD Certificate Services
  
  
• Check Point Research
  26th July – Threat Intelligence Report
  
  
• Cisco’s Talos
  • Threat Source newsletter (July 29, 2021)
  • Threat Roundup for July 23 to July 30
    
    
• Cyberint
  Agent Tesla Delivers Oski Stealer
  
  
• Max Heinemeyer at Darktrace
  Crypto-botnets moving laterally
  
  
• Dirk-jan Mollema
  NTLM relaying to AD CS – On certificates, printers and a little hippo
  
  
• DomainTools
  • Finding AnchorDNS C2s With Iris Investigate
  • Tools To Quickly Extract Indicators of Compromise
    
    
• Dragos
  The Challenges of Vulnerability Management in OT Environments
  
  
• EclecticIQ
  Recent Articles Highlight Threat Actors’ Propensity for Focused Targeting of Different Victim Groups
  
  
• Eclypsium
  July Firmware Threat Report
  
  
• Elastic
  • Collecting and operationalizing threat data from the Mozi botnet
  • Detecting unusual network activity with Elastic Security and machine learning
    
    
• Esentire
  Tactical Experts Driving Success for Ransomware Gangs
  
  
• Britton Manahan at Expel
  Well that escalated quickly: How a red team went from domain user to kernel memory
  
  
• Flashpoint
  Chatter Indicates BlackMatter as REvil Successor
  
  
• Jenny Heino at Forcepoint
  Forcepoint NGFW MITRE ATT&CK simulation
  
  
• Joe Slowik at Gigamon
  Ghosts on the Wire: Expanding Conceptions of Network Anomalies
  
  
• Dmitry Volkov at Group-IB
  Under the hood.  Group-IB Threat Intelligence & Attribution
  
  
• HP Wolf Security
  • HP Wolf Security Threat Insights Report 1H 2021
  • Detecting TA551 domains
    
    
• Huntress
  A Recap of Events and Lessons Learned During the Kaseya VSA Supply Chain Attack
  
  
• John Hammond
  • HackTheBox “Business CTF” – Time – Command Injection
  • HackTheBox “Business CTF” – discordvm – Node.js Sandbox Escape
  • GraphQL Introspection – HackTheBox “Business CTF” – NoteQL
  • JSON Web Keys (JWK & JWT) – “Emergency” – HackTheBox Business CTF
  • Laravel CVE / PHP Deserialization – “Larablog” HTB Business CTF
    
    
• Roman Dedenok at Kaspersky Lab
  Use of Google Apps Script in phishing | Kaspersky official blog
  
  
• Keysight
  • Koadic C3 : Command & Control Decoded
  • Network Flow Monitoring: The ABCs of Network Visibility
    
    
• Lawrence Abrams at Bleeping Computer
  LockBit ransomware now encrypts Windows domains using group policies
  
  
• Malwarebytes Labs
  Microsoft provides more mitigation instructions for the PetitPotam attack
  
  
• Thibault Seret at McAfee Labs
  Babuk: Biting off More than they Could Chew by Aiming to Encrypt VM and *nix Systems?
  
  
• Mehmet Ergene
  Detecting PetitPotam and other Domain Controller Account Takeovers
  
  
• Microsoft Security
  • Combing through the fuzz: Using fuzzy hashing and deep learning to counter malware detection evasion techniques
  • BazaCall: Phony call centers lead to exfiltration and ransomware
  • When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks
    
    
• Nikhil Rathor at 0xthreatintel
  Tempering with practicing of information warfare !
  
  
• Joshua Miller, Michael Raggi, and Crista Giering at Proofpoint
  I Knew You Were Trouble: TA456 Targets Defense Contractor with Alluring Social Media Persona
  
  
• ReaQta
  Understanding PrintNightmare: The importance of having visibility over new attack vectors
  
  
• Recorded Future
  • BlackMatter Ransomware Emerges As Successor to DarkSide, REvil
  • China’s Digital Colonialism: Espionage and Repression Along the Digital Silk Road
  • “Beijing One Pass” Employee Benefits Software Exhibits Spyware Characteristics
    
    
• Red Alert
  • SectorB31 uses compromised routers to targeted attack to entities in France
  • Domains for fake websites related to Tokyo Olympic
  • Monthly Threat Actor Group Intelligence Report, June 2021
  • SectorJ01 Word malware disguised as a Windows 11 Alpha document to deploy the JSSLoader
    
    
• Thomas Gardner and Matt Graeber at Red Canary
  The adversary’s gift: When one technique opens a Pandora’s box
  
  
• RiskIQ
  • New Analysis Shows XAMPP Serving Agent Tesla and Formbook Malware
  • Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers
    
    
• Ryan Hausknecht
  Cobalt Strike and Tradecraft
  
  
• S2W Lab
  • Campaign Rifle: Andariel, The Maiden of Anguish
  • [SoW] W5 July | KO | Story of the week: Ransomware on the Darkweb
    
    
• Sandor Tokesi at Forensics Exchange
  Parameterized Alerts in Azure Sentinel
  
  
• SANS Internet Storm Center
  • Wireshark 3.4.7 Released, (Sun, Jul 25th)
  • Failed Malspam: Recovering The Password, (Mon, Jul 26th)
  • Malicious Content Delivered Through archive.org, (Thu, Jul 29th)
  • A sextortion e-mail from…IT support?!, (Wed, Jul 28th)
  • Infected With a .reg File, (Fri, Jul 30th)
    
    
• Scythe
  • SCYTHE Presents: Adaptive Adversary Emulation (Part 1):  Execution Details
  • SCYTHE Presents: Threat Intelligence Sharing: Democratizing Risk Information
    
    
• Securelist
  APT trends report Q2 2021
  
  
• Security Investigation
  • Exploiting the HIVE-Nightmare [CVE-2021-36934] – Detection & Prevention
  • How Attackers are Using LNK Files to Spread Malware
  • Directory Listing Vulnerability – Detection & Prevention
  • Lateral Movement Detection with Windows Event Logs
    
    
• Ahmed Khlief at Shells.Systems
  NinjaC2 V2.1 :  New webshell agent , more features and updated AV bypass
  
  
• Andy Robbins at SpecterOps
  Introducing BloodHound Enterprise: Attack Path Management for Everyone
  
  
• Splunk
  Detecting SeriousSAM CVE-2021-36934 With Splunk
  
  
• Alfredo Oliveira and David Fiser at Trend Micro
  Threat Actors Exploit Misconfigured Apache Hadoop YARN
  
  
• Zach Stanford
  Guide to Named Pipes and Hunting for Cobalt Strike Pipes
  
  

UPCOMING EVENTS

• Elan at DFIR Diva
  DFIR Related Events for Beginners – August, 2021
  
  
• Magnet Forensics
  August 4 11:00AM ET // Introduction to Magnet AXIOM
  
  

PRESENTATIONS/PODCASTS

• AhmedS Kasmani
  Analysis of Malware from Kaseya/Revil Supply Chain attack.
  
  
• Archan Choudhury at BlackPerl
  Threat Hunt – MOST Powerful Platform for Hunters – It’s FREE
  
  
• Black Hills Information Security
  • BHIS | Talkin’ Bout [infosec] News 2021-07-26
  • Talkin’ About Infosec News – 7/28/2021
  • How to Phish for User Passwords with PowerShell
  • What To Know About Microsoft’s Registry Hive Flaw: #SeriousSAM
    
    
• Breaking Badness
  92. The Game is Afoot
  
  
• Bret Witt
  DFIR – IcedID Malware Family
  
  
• Cellebrite
  DFIR Mentorship – What does it mean?
  
  
• Chewing the FAT
  Episode 3
  
  
• Chris Sienko at the Cyber Work podcast
  Tips on entering blue teaming, red teaming or purple teaming | Cyber Work Live
  
  
• Day Cyberwox
  CompTIA Security+ VS CompTIA CySA+ | Do You Need Both?
  
  
• Digital Forensic Survival Podcast
  DFSP # 284 – Fast Triage case study: non-Windows core processes
  
  
• Gerald Auger at Simply Cyber
  • Fast Hackthebox Setup For Windows Users (Cybersecurity Starters)
  • Redefining How You Find Cybersecurity Jobs
  • Cyber Supply Drop Is On A Mission To Boost Your Cybersecurity Career [LIVESTREAM]
    
    
• John Hammond
  Reverse Engineering Loops – “Syncopation” HackTheBox Business CTF
  
  
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 20 – Upcoming Webinars!
  
  
• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Theory – Trojan Horse is not a Malware Type
  
  
• LIFARS Cybersecurity
  Hackbits Podcast Episode 1 – Avanan – SOC Burnout
  
  
• Magnet Forensics
  • Tips & Tricks // Get Your OSINT with Public Social Media Data
  • Make the Move to AXIOM Cyber
    
    
• OALabs
  Python3 Tips For Reverse Engineers
  
  
• Passware
  Passware Kit Mobile Demo Video
  
  
• Positivity Blue Team
  Behavioral Engineering
  
  
• Recorded Future
  You’re Not Really Ready for Ransomware
  
  
• Richard Bejtlich at TaoSecurity
  Zeek in Action Videos
  
  
• SANS Institute
  What Your Privacy Officer Is Trying To Tell You…If only you would listen.
  
  
• SecurityNinja
  Blue Team Labs Online Walk Through – Memory Analysis Ransomware
  
  
• We are OSINTCurio.us
  Companion Post to the 2021 SANS Live Stream “Tips for Conducting OSINT Investigations in the EU with GDPR”
  
  
• WolfCast
  WolfCast – Episode 05 – Security In Japan
  
  

MALWARE

• 0day in {REA_TEAM}
  Reversing With Ida From Scratch (P36)
  
  
• 360 Total Security
  “Netfilter Rootkit II ” Continues to Hold WHQL Signatures
  
  
• CERT-AGID
  In atto campagna di phishing con invito ad aggiornare WebMail Pro
  
  
• Alexey Bukhteyev and Raman Ladutska at Check Point Research
  Time-proven tricks in a new environment: the macOS evolution of Formbook
  
  
• Andrew Windsor and Chris Neal at Cisco’s Talos
  Threat Spotlight: Solarmarker
  
  
• Ido Kringel at Deep Instinct
  PDF as a Weapon of Choice on the Cybersecurity Battlefield
  
  
• Shunichi Imano and Fred Gutierrez at Fortinet
  Wiper Malware Riding the 2021 Tokyo Olympic Games
  
  
• Howard Oakley at ‘The Eclectic Light Company’
  A Short History of Malware Protection in macOS
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #50: Execution flow arrows
  
  
• Dmitry Melikov at InQuest
  Espionage Utilizing Mobile Devices
  
  
• Jan Vojtěšek at Avast Threat Labs
  Magnitude Exploit Kit: Still Alive and Kicking
  
  
• Mahmoud Morsy
  • IOCs 29_7_2021
  • Phishing Attacks 29_7_2021
  • Phishing Attacks 30_7_2021
    
    
• Malwarebytes Labs
  • OSX.XLoader hides little except its main purpose: What we learned in the installation process
  • BlackMatter, a new ransomware group, claims link to DarkSide, REvil
  • Crimea “manifesto” deploys VBA Rat using double attack vectors
    
    
• Gustavo Palazolo at Netskope
  Netskope Threat Coverage: 2020 Tokyo Olympics Wiper Malware
  
  
• Palo Alto Networks
  • THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group
  • Ransomware Families: 2021 Data to Supplement the Unit 42 Ransomware Threat Report
    
    
• PC’s Xcetra Support
  A deeper look at Office documents flat style
  
  
• ReversingLabs
  • Third-party code comes with some baggage
  • Groundhog day: NPM package caught stealing browser passwords
    
    
• Security Onion
  • Quick Malware Analysis: malware-traffic-analysis.net pcap from 2021-06-18
  • Quick Malware Analysis: malware-traffic-analysis.net pcaps from 2021-06-16
  • Quick Malware Analysis: malware-traffic-analysis.net pcap from 2021-06-17
  • Quick Malware Analysis: malware-traffic-analysis.net pcaps from 2021-06-15
  • Quick Malware Analysis: malware-traffic-analysis.net pcaps from 2021-06-04
    
    
• SentinelOne
  • Detecting XLoader | A macOS ‘Malware-as-a-Service’ Info Stealer and Keylogger
  • MeteorExpress | Mysterious Wiper Paralyzes Iranian Trains with Epic Troll
    
    
• Jason Reaves at Walmart
  Decrypting BazarLoader strings with a Unicorn
  
  
• Brett Stone-Gross at ZScaler
  DoppelPaymer Continues to Cause Grief Through Rebranding
  
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 7/26/2021
  
  
• Blaine Davison at Amped
  Three Reasons Why You Should Keep Your SMS Plan Up to Date
  
  
• Belkasoft
  Belkasoft DFIR Survey 2021: Your Personal Advisor
  
  
• Amina Zilic at Binalyze
  The Fifth Step to Forensic Readiness: Secure Evidence Repositories & Handling
  
  
• Joseph Muniz at Cisco
  The Modern Security Operation Center
  
  
• Yacin Nadji at Corelight
  Telegram Zeek, you’re my main notice
  
  
• Oleg Afonin at Elcomsoft
  iOS Privacy Protection Tools: Encrypted DNS, iOS 15 Private Relay, Proxy, VPN and TOR
  
  
• Forensic Focus
  • Recognize And Capture The Character Using Timestamp/Channel OCR Feature In MD-VIDEO
  • How To Protect Your Acquired Evidence From Ransomware Attacks
  • Amped Replay Now With Smart Processing, Detailed Reporting And Improved Format Support
  • XRY 9.4.3 From MSAB
    
    
• IntaForensics
  Ten Steps to Effectively Managing Cases and Investigations within Lima v2.9
  
  
• Magnet Forensics
  Another Set of Amazing Wins at the 2021 Forensic 4:cast Awards!
  
  
• Matt Suiche at Comae
  Announcing Comae platform V2.0 Closed Beta
  
  
• McHugh Security
  Deploying MISP on DigitalOcean of Vultr Cloud Hosting
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — July 25 to July 31
  
  

SOFTWARE UPDATES

• AccessData
  Forensic Toolkit (FTK) International version 7.4.2
  
  
• Autopsy
  autopsy-4.19.0
  
  
• Cellebrite
  Now available: Cellebrite Physical Analyzer and Cellebrite UFED Cloud v7.47
  
  
• CyberChef
  v9.29.2
  
  
• DFIRTrack
  v2.0.0
  
  
• DME Forensics
  DVR Examiner 3.0.5 is now available!
  
  
• Eric Zimmerman
  ChangeLog
  
  
• IntelOwl
  Dehashed.com search analyzer and other improvements
  
  
• Magnet Forensics
  • Magnet AXIOM 5.3: Introducing Twitter Warrant Return Support
  • New in AXIOM Cyber 5.3: Faster and Better Email Support
    
    
• MISP
  MISP 2.4.147 released (improvements and bug fixes release)
  
  
• MobilEdit
  MOBILedit Forensic Express 7.4.1 released
  
  
• OpenText
  Tableau Firmware Update Revision History for 21.3
  
  
• Oxygen Forensics
  Oxygen Forensic® Detective v.13.7
  
  
• Paraben Corporation
  E3 Forensic Platform 3.0 Released
  
  
• Security Onion
  • Security Onion 2.3.61 Hotfix for STENO and CSP Now Available!
  • Security Onion 2.3.61 MSEARCH Hotfix Now Available!
    
    
• Xways
  • X-Ways Forensics 20.2 SR-6
  • X-Ways Forensics 20.3 SR-1
    
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!