As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Belkasoft
  How to acquire data from an Android device using APK downgrade method
  
  
• Forensafe
  Investigating Signal with ArtiFast Signal
  
  
• Kevin Pagano at Stark 4N6
  May I Ask Who’s Calling – Google Call Screen
  
  
• Matt Lombana at Praetorian
  How to improve your Incident Response (IR) with Live Response
  
  
• Security Onion
  • Quick Malware Analysis: malware-traffic-analysis.net pcap from 2021-05-26
  • Quick Malware Analysis: malware-traffic-analysis.net pcap from 2021-08-05
  • Quick Malware Analysis: malware-traffic-analysis.net pcap from 2021-05-24
  • Quick Malware Analysis: malware-traffic-analysis.net pcap from 2021-08-10
  • Quick Malware Analysis: malware-traffic-analysis.net pcap from 2021-05-24 IcedID
  • Quick Malware Analysis: malware-traffic-analysis.net pcap from 2021-05-21 Qakbot
    
    
• Seif Shalaby at 0xSh3rl0ck
  Africa DFIR CTF Week 2
  
  
• Syed Hasan
  Forensic Analysis of an LNK File
  
  

THREAT INTELLIGENCE/HUNTING

• Hannah Cartier at Active Countermeasures
  Malware of the Day – Malware Techniques: Discovery and Information Gathering
  
  
• Adam Svoboda
  Sleeping with a Mask On (Cobalt Strike)
  
  
• Alex Teixeira
  The role of ‘Novelty’ and ‘Behaviour’ in Computer Forensics & Detection Engineering
  
  
• Anomali
  Anomali Cyber Watch: GIGABYTE Hit By RansomEXX Ransomware, Seniors’ Data Exposed, FatalRat Analysis, and More
  
  
• Brian Kerns and Vedran Tomljanovic at AT&T Cybersecurity
  Stories from the SOC – Sodinokibi Ransomware (REvil / BlueCrab)
  
  
• Azure Sentinel
  • Azure Sentinel SQL Solution Query Deep-Dive
  • What’s new: Fusion Detection for Ransomware
  • What’s new: Incident advanced search is now public!
    
    
• David Kennedy at Binary Defense
  Commodity vs Behavioral Detections
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2021-08-10 – Pcap and malware for ISC diary (TA551 -> BazarLoader -> Cobalt Strike)
  • 2021-08-12 Stolen Images Evidence.zip  -> BazarLoader -> Cobalt Strike
    
    
• Bryan Murphy at CyberArk
  Living Off the Land Ransomware Attacks: A Step-By-Step Plan for Playing Defense
  
  
• BushidoToken
  The Lazarus Heist: Where Are They Now?
  
  
• Joseph Barsness at Censys
  It’s Raining Buckets: The Importance of Cloud Storage Configurations
  
  
• CERT NZ
  How ransomware happens and how to stop it
  
  
• Check Point Research
  • 09th August – Threat Intelligence Report
  • Stealth is never enough, or Revealing Formbook successor’s C&C infrastructure
  • Indra — Hackers Behind Recent Attacks on Iran
  • July 2021’s Most Wanted Malware: Snake Keylogger Enters Top 10 for First Time
    
    
• Ben Nahorney at Cisco
  Threat Protection: The REvil Ransomware
  
  
• Cisco’s Talos
  • Talos Incident Response quarterly threat report — The top malware families and TTPs used in Q2 2021
  • Signed MSI files, Raccoon and Amadey are used for installing ServHelper RAT
  • Threat Roundup for August 6 to August 13
    
    
• Cobalt Strike Research and Development
  • Cobalt Strike 4.4: The One with the Reconnect Button
  • Cobalt Strike DoS Vulnerability (CVE-2021-36798)
  • Introducing Cobalt Strike Community Kit
  • TeamServer.prop
    
    
• Cyberint
  • PetitPotam – NTLM Relay Attack
  • IOC’s identified to hunt Conti Ransomware
  • LockBit Ransomware hits again
    
    
• CyberWatch
  Comparing Chinese APTs in Software Supply Chain Attacks
  
  
• Kelsey LaBelle at DomainTools
  Valuable Datasets to Analyze Network Infrastructure | Part 1
  
  
• EclecticIQ
  REvil and Darkside Successor Launches Operations as United States Establishes Joint Cyber Defense Collaborative
  
  
• Haran Kumar at Elastic
  Establish robust threat intelligence with Elastic Security
  
  
• Fire Eye Threat Research
  UNC215: Spotlight on a Chinese Espionage Campaign in Israel
  
  
• Flashpoint
  REvil Master Key for Kaseya Attack Posted to XSS
  
  
• Val Saengphaibul at Fortinet
  The Affiliate’s Cookbook – A Firsthand Peek into the Operations and Tradecraft of Conti
  
  
• Gianni Castaldi at Kusto King
  Searching and finding data
  
  
• Dmitry Volkov at Group-IB
  Under the hood.  Group-IB Threat Intelligence & Attribution. Part 2
  
  
• Divyanshu Shukla at InfoSec Write-ups
  GCP Inspector | Auditing Publicly Exposed GCP Bucket
  
  
• Jumpsec Labs
  Running Once, Running Twice, Pwned! Windows Registry Run Keys
  
  
• Luis Francisco Monge Martinez
  Hunting threats with Pandas  — $MFT Analysis
  
  
• Michael Koczwara
  Conti Ransomware Group Cobalt Strike C2 Analysis & RDP Persistence
  
  
• Netskope
  New Phishing Attacks Exploiting OAuth Authentication Flows (Part 2)
  
  
• ReaQta
  A New Era of Ransomware and its Affiliates: LockBit 2.0
  
  
• Red Alert
  SectorA05 PDF Malware disguised as a Northeast Asia Economic Association Executive Course
  
  
• Laura Brosnan at Red Canary
  5 ways to reduce SOC analyst burnout
  
  
• SANS Internet Storm Center
  • ProxyShell – how many Exchange servers are affected and where are they?, (Mon, Aug 9th)
  • TA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike, (Wed, Aug 11th)
  • Example of Danabot distributed through malspam, (Fri, Aug 13th)
  • Scanning for Microsoft Exchange eDiscovery, (Fri, Aug 13th)
    
    
• Security Investigation
  • Event ID 4663 -Occurrence , Log fields Explanation & Use cases
  • Threat Hunting using Proxy Logs – Soc Incident Response Procedure
  • What is Crown Jewels Analysis ? Part:01
  • Dot Dot Slash Attack – Prevention & Detection
    
    
• SentinelOne
  What Is A Malware File Signature (And How Does It Work)?
  
  
• Symantec Enterprise
  Affiliates Unlocked: Gangs Switch Between Different Ransomware Families
  
  
• Claire Tills at Tenable
  One Year Later: What Can We Learn from Zerologon?
  
  
• Tyranid’s Lair
  How to secure a Windows RPC Server, and how not to.
  
  
• Vicente Díaz at VirusTotal
  A Sneak Peek into VT Alerts
  
  
• Vitali Kremez at Advanced Intelligence
  Secret “Backdoor” Behind Conti Ransomware Operation: Introducing Atera Agent
  
  

UPCOMING EVENTS

• Acelab
  Meet ACE Lab and the PC-3000 at FT-Day 2021, Germany!
  
  
• Ashley Hernandez at Cellebrite
  Remote Mobile Collections for Corporate Investigations
  
  
• Exterro
  Masters of Digital Forensics Course # 1: Imaging—The Easy Part! Or is it? Mastering Collection & Acquisition
  
  
• Magnet Forensics
  • August 18 11:00AM ET // RAM is King: Analyzing RAM in AXIOM
  • August 19 11:00AM ET// Tips & Tricks // Looking at the Source Data to Support an Artifact
    
    
• Seventh Annual Industrial Control System Security (ICSS) Workshop
  Call for Submissions
  
  

PRESENTATIONS/PODCASTS

• Archan Choudhury at BlackPerl
  Threat Intelligence Tools, Automate Intelligence Gathering, Twitter & Power Automate
  
  
• Black Hills Information Security
  • BHIS | Talkin’ Bout [infosec] News 2021-08-10
  • Center for Internet Security (CIS) v8 – Why You Should Care
  • Talkin’ About Infosec News – 8/13/2021
    
    
• Bret Witt
  DFIR – REvil Ransomware
  
  
• Cisco’s Talos
  Talos Takes Ep. #64: Back 2 Skool edition
  
  
• Didier Stevens
  • dnsresolver.py: Videos For Each Command
  • dnsresolver.py: 8 Options
  • dnsresolver.py: 7 track Command
  • dnsresolver.py: 6 exfiltration Command
    
    
• Digital Forensic Survival Podcast
  DFSP # 286 – Lateral MM Fast Triage 2 [5145]
  
  
• Eric and Mark at ‘Forensics and Beer’
  Imaging a Hard Drive
  
  
• Gerald Auger at Simply Cyber
  • Top 5 Cybersecurity Certifications for Beginners – Massive AMA
  • Cybersecurity Certifications for Beginners (Which and Why!)
    
    
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 22 – Saving Registry Viewer Common Areas
  
  
• LetsDefend
  Simple demo of Incident Responder module
  
  
• Matt Danner at Monolith Forensics
  • Getting Started with Monolith
  • How to track and record case storage for digital forensics
    
    
• OALabs
  Leaked Conti Ransomware Playbook – Red Team Reacts
  
  
• Recorded Future
  Understanding Ransomware
  
  
• Richard Frawley at ADF
  How to Build a Digital Forensic Triage Process that Works Field to Lab
  
  
• SANS Institute
  Why Level Up with SANS SEC401?
  
  
• SecurityNinja
  Blue Team Labs Online Walk Through – Log Analysis Privilege Escalation
  
  
• Trend Micro
  Optimize Your Incident Response Planning with the MITRE Framework
  
  
• Watson Infosec
  Ransomware Threat Hunting
  
  
• WolfCast
  WolfCast – Episode 06 – Recruitment – Jobba The Hunt
  
  

MALWARE

• Martin Chlumecký at Avast Threat Labs
  DirtyMoe: Rootkit Driver
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #52: Special attributes
  
  
• Giancarlo Lezama at Intezer
  Fast Insights for a Microsoft-Signed Netfilter Rootkit
  
  
• Johannes Bader
  A BazarLoader DGA that Breaks Down in the Summer
  
  
• Pieter Arntz
  Phishing campaign goes old school, dusts off Morse code
  
  
• McAfee Labs
  • XLSM Malware with MacroSheets
  • The Rise of Deep Learning for Detection and Classification of Malware
    
    
• Microsoft Security
  Attackers use Morse code, other encryption methods in evasive phishing campaign
  
  
• Palo Alto Networks
  • New eCh0raix Ransomware Variant Targets QNAP and Synology Network-Attached Storage Devices
  • Discovering CAPTCHA Protected Phishing Campaigns
    
    
• Phil Stokes at SentinelLabs
  Massive New AdLoad Campaign Goes Entirely Undetected By Apple’s XProtect
  
  
• Sophos
  • BlackMatter ransomware emerges from the shadow of DarkSide
  • Gootloader’s “mothership” controls malicious content
    
    
• Trend Micro
  • Cinobi Banking Trojan Targets Cryptocurrency Exchange Users via Malvertising
  • Chaos Ransomware: A Proof of Concept With Potentially Dangerous Applications
  • Detecting PrintNightmare Exploit Attempts using Trend Micro Vision One and Cloud One
    
    
• Zuzana Hromcová at WeLiveSecurity
  IISerpent: Malware‑driven SEO fraud as a service
  
  
• Aazim Yaswant at Zimperium
  FlyTrap Android Malware Compromises Thousands of Facebook Accounts
  
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 8/8/2021
  
  
• Binalyze
  • New in Binalyze AIR v1.8.0: Elevate your security with 2FA and Azure AD SSO
  • New in Binalyze AIR v1.8.0: Introducing out-of-the-box Wazuh integration support
  • New in Binalyze AIR v1.8.0: Introducing Network Capture
    
    
• Cellebrite
  • Cellebrite Introduces New Professional Services To Help Public Safety Agencies And Fortune 1000 Companies Transform Investigations With Digital Intelligence
  • Cellebrite Announces Second Quarter 2021 Results
    
    
• Dr. Brian Carrier at Cyber Triage
  Cyber Triage Gives Back to Autopsy
  
  
• Dr. Ali Hadi at ‘Binary Zone’
  Prevent Windows Reboots on Expired VMs
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  One Bad Apple
  
  
• Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  The Apple CSAM Scanning Discussion – Part One
  
  
• Lesley Carhart at Dragos
  5 Costly Mistakes in Cyber Incident Response Preparation
  
  
• Faith Opiyo at CyberSecFaith
  Building my Home Lab part 3: deploying the core infrastructure (hypervisor,firewall and router)
  
  
• Forensic Focus
  • Identifying Crypto API Usages In Android Apps Using A Static Analysis Framework
  • Big Game Hunting From A Forensic Point Of View
  • Amazing Opportunity – USA And Canada Channel Partners – Work With UK Leading Digital Forensics Company
  • Warren Kruse,  Vice President of Cyber Investigations, Consilio
  • A Novel Adversarial Example Detection Method For Malicious PDFs Using Multiple Mutated Classifiers
  • Register For Webinar: Binalyze AIR v1.8.0 Release Highlights
  • Joshua Smith, Training Instructor, Oxygen Forensics
  • Advanced Forensic Recovery And Analysis Of MySQL Data In Deleted State
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  How Apple intends checking images for CSAM
  
  
• Nicole Fishbein at Intezer
  Guide to Digital Forensics Incident Response in the Cloud
  
  
• LockBoxx
  Approaches to Threat Modeling – With The Hunt for Red Apples
  
  
• Magnet Forensics
  Demystifying Cloud Investigations
  
  
• Marco Fontani at Amped
  How Can I Crop a Video or Image in Amped Replay?
  
  
• Microsoft Security Response Center
  Point and Print Default Behavior Change
  
  
• Chuck Dodson at OpenText
  A day in the life of evidence: Part 1
  
  
• Patrick J. Siewert at ‘Pro Digital Forensic Consulting’
  Apple’s New CSAM Detection Policy Analysis
  
  
• Whitney Champion, Kelley Wilds, Eric Capuano, Brian Greunke, and Matt Bromiley at Recon InfoSec
  OpenSOC @ DEF CON 29
  
  
• SANS
  • Why You Need Automation to Achieve Compliance in the Cloud – Part 2
  • What’s New with SANS ICS Security?
    
    
• Kaya Overholtzer at ‘The Leahy Center for Digital Forensics & Cybersecurity’
  The End: DFIR
  
  
• Michael Hale Ligh at Volatility Labs
  The 9th Annual Volatility Plugin Contest!
  
  

SOFTWARE UPDATES

• Cellebrite
  Now Available: Cellebrite UFED and Cellebrite Responder 7.47
  
  
• CyberChef
  v9.31.0
  
  
• Eric Zimmerman
  ChangeLog
  
  
• ExifTool
  ExifTool 12.30 (production release)
  
  
• Mihari
  v3.5.0
  
  
• MISP
  MISP 2.4.148 released (summer time release)
  
  
• Regipy
  Additional registry plugins
  
  
• Sigma
  sigmatools 0.20
  
  
• Xways
  • X-Ways Forensics 20.3 SR-2
  • X-Ways Forensics 20.4 Preview 2
    
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!