As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Andrew Rathbun
  DFIRMindMaps
  
  
• Andrew Rathbun and Josh Mitchell at Kroll
  • Diving Deeper into EventTranscript.db
  • Enabling EventTranscript.db: Windows Settings
  • EventTranscript.db and Security Events
  • Diagnostic Data Viewer Overview
  • Navigating EventTranscript.db With Diagnostic Data Viewer
  • Forensic Quick Wins With EventTranscript.DB: Microsoft.Windows.ClipboardHistory.Service
    
    
• Tony Knutson at AboutDFIR
  SOF-ELK and Integration with KAPE
  
  
• Atomic Matryoshka
  Pesky Persistence: How “Turning It Off and On Again” May Not Solve Your Problem
  
  
• Matt Duda at AWS Security
  How to automate forensic disk collection in AWS
  
  
• Elcomsoft
  • iOS 15 Forensic Implications: Temporary iCloud Backups
  • Instant Messengers: Authentication Methods and Instant Password Extraction
  • The iPhone Upgrade: How to Back Up and Restore iOS Devices Without Losing Data
    
    
• Forensafe
  • Investigating ThumbCache
  • Investigating Firefox
    
    
• Keshav Khanna at InfoSec Write-ups
  Handling queries on SPLUNK
  
  
• Joshua Hickman at ‘The Binary Hick’
  Wipeout!  Detecting Android Factory Resets
  
  
• Nasreddine Bencherchali
  Finding Detection and Forensic Goodness In ETW Providers
  
  
• Oxygen Forensics
  Master the Timeline
  
  
• Sandor Tokesi at Forensics Exchange
  Per-Table retention in Sentinel
  
  
• Security Onion
  • Pivoting from PCAP to CyberChef in Security Onion 2.3.70
  • Quick Malware Analysis: malware-traffic-analysis.net Hancitor pcap from 2021-05-13
  • Quick Malware Analysis: malware-traffic-analysis.net TA551/SHATHAK + ICEDID/BOKBOT pcap from 2021-04-29
  • Quick Malware Analysis: malware-traffic-analysis.net TA551/SHATHAK + URSNIF/GOZI/ISFB pcap from 2021-04-28
  • Quick Malware Analysis: malware-traffic-analysis.net ICEDID/BOKBOT pcap from 2021-04-23
  • Quick Malware Analysis: malware-traffic-analysis.net pcap from 2021-08-19
    
    
• Teri Radichel
  How to Inspect Network Traffic
  
  
• Bill Marczak, Ali Abdulemam, Noura Al-Jizawi, Siena Anstis, Kristin Berdan, John Scott-Railton, and Ron Deibert at The Citizen Lab
  From Pearl to Pegasus: Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits
  
  
• Zach Burnham & John Melvin at RSM
  Identifying Credit Card Skimmers Using Linux’s “strace” Command
  
  

THREAT INTELLIGENCE/HUNTING

• 0xdf hacks stuff
  Pivoting off Phishing Domain
  
  
• Anastasia Sentsova at Advanced Intelligence
  From Russia With… LockBit Ransomware: Inside Look & Preventive Solutions
  
  
• Alex Verboon at ‘Anything about IT’
  Use advanced hunting to Identify Defender clients with outdated definitions
  
  
• Azure Sentinel
  • Ingestion Cost Spike detection App
  • Becoming an Azure Sentinel Notebooks ninja – the series!
    
    
• Check Point Research
  23rd August – Threat Intelligence Report
  
  
• Nilesh Bhamare at Checkmate
  Revealing REvil
  
  
• Cisco’s Talos
  Threat Roundup for August 20 to August 27
  
  
• Cyber Threat Intelligence Training Center
  JSON Abstract Data Notation Finalized
  
  
• Lior Rochberger at Cybereason
  Cybereason vs. LockBit2.0 Ransomware
  
  
• EclecticIQ
  • Recent Events Highlight Threat Actors’ Complex Relationships Alongside New Risks at the Fore of the Financial Industry
  • Service Providers: Let’s Talk About Improving Your EDR Toolset
    
    
• Elastic
  Detection and response for the actively exploited ProxyShell vulnerabilities
  
  
• Hanno Heinrichs at CrowdStrike
  Shut the Door: Guarding Against SonicWall GMS Remote Code Execution (CVE-2021-20020)
  
  
• Rachel Bishop at Huntress
  ProxyShell vs. ProxyLogon: What’s the Difference?
  
  
• Hurricane Labs
  Security Advisory Regarding ProxyShell
  
  
• Pieter Arntz at Malwarebytes Labs
  Microsoft warns about phishing campaign using open redirects
  
  
• Mehmet Ergene
  An Alternative Way of Using MITRE ATT&CK® for Threat Hunting and Detection
  
  
• Michael Koczwara
  Conti TTP’s using Atomic Red Team and Detection Lab & C2 Infrastructure Hunting
  
  
• Microsoft Security
  Widespread credential phishing campaign abuses open redirector links
  
  
• Jon Baker and Richard Struse at MITRE-Engenuity
  Connecting VERIS and MITRE ATT&CK®
  
  
• Nick Kuligoski at Panther
  Detect Everything, Real-time Alerts As Needed
  
  
• Selena Larson at Proofpoint
  As Delta Variant Spreads, COVID-19 Themes Make Resurgence In Email Threats 
  
  
• RiskIQ
  RiskIQ Analysis Links EITest and Gootloader Campaigns, Once Thought to Be Disparate
  
  
• SANS Internet Storm Center
  • Out of Band Phishing. Using SMS messages to Evade Network Detection, (Thu, Aug 19th)
  • Attackers Hunting For Twilio Credentials, (Tue, Aug 24th)
  • There may be (many) more SPF records than we might expect, (Wed, Aug 25th)
    
    
• Security Investigation
  • CRLF Injection – Attack Explained , Detection & Preventions
  • ICMP Attacks – Types & Codes For Log Analysis , Detection & Defense
  • How to Enable Packet Filtering With Open Source Iptables Firewall/Linux Firewall?
  • Malware Persistence on Boot – Monitor Modified Registry Keys & Possible Windows Event ID
    
    
• SentinelOne
  • Hive Attacks | Analysis of the Human-Operated Ransomware Targeting Healthcare
  • HiveNightmare | Protecting Windows 10 Security Account Manager Against CVE-2021-36934
    
    
• Sophos
  • How PetitPotam hijacks the Windows API, and what you can do about it
  • Hindsight #4: Prevent threat actors getting (and using) your passwords
  • ProxyShell vulnerabilities in Microsoft Exchange: What to do
    
    
• Manfred Chang at Tevora
  PetitPotam: The Full Attack Chain with Windows and Linux
  
  
• Trend Micro
  • Key Takeaways from the Linux Threat Report
  • APT41 Resurfaces as Earth Baku With New Cyberespionage Campaign
    
    
• Damien Cash, Josh Grunzweig, Steven Adair, and Thomas Lancaster at Volexity
  North Korean BLUELIGHT Special: InkySquid Deploys RokRAT
  
  

UPCOMING EVENTS

• Amped
  Free Webinar – For the Record: How to Quickly Process All Your Videos (And Audio) for Release in Amped FIVE
  
  
• Exterro
  Masters of Digital Forensics Course # 3: Capturing the low hanging fruit—analysis phase, Part I
  
  
• Lee Archinal at Cyborg Security
  Do you even threat hunt, bro? II
  
  
• Magnet Forensics
  September 2 11:00AM ET — Tips & Tricks // Pre-Configuring Cloud Accounts for AXIOM Cyber
  
  

PRESENTATIONS/PODCASTS

• AhmedS Kasmani
  • FullHD – Malware Analysis of Hancitor maldoc and initial Dlls
  • Malware Analysis of Hancitor maldoc and initial Dlls
    
    
• Belkasoft
  Belkasoft is introducing a show BelkaTalk on DFIR
  
  
• Black Hills Information Security
  • BHIS | Talkin’ Bout News 2021-08-23
  • Talkin’ About Infosec News – 8/25/2021
    
    
• Breaking Badness
  Voices from Infosec with Adam Levin and Beau Friedlander
  
  
• Heather Mahalik at Cellebrite
  Crypto Talk – Why Should Examiners Care?
  
  
• Cisco’s Talos
  Talos Takes Ep: #65: How several RAT campaigns in Latin America are connected
  
  
• Day Cyberwox
  How I got a Cyber Security Engineer Internship Offer at Intel | Landing Internships at F50 companies
  
  
• Detection: Challenging Paradigms
  S2 – Episode 1: Grant Ho and Devdatta Akhawe
  
  
• Digital Forensic Survival Podcast
  DFSP # 288 – Max DFIR Impact
  
  
• Dump-Guy Trickster
  [2] Lokibot analyzing – spoofing GULoader and LokiBot C2 [part2] – INetSim + BurpSuite
  
  
• Eric and Mark at ‘Forensics and Beer’
  Destroying data using … hardware methods
  
  
• Gerald Auger at Simply Cyber
  • Cyber101- Lecture 1 Introduction and Overview of Cybersecurity Terms
  • 🔴 The Need For Skill-Based Training in Cybersecurity
    
    
• Justin Tolman at AccessData
  FTK Feature Focus – Episode24 – Using Python to Create FTK Filters
  
  
• Magnet Forensics
  • RAM is King: Analyzing RAM in AXIOM and AXIOM Cyber
  • Tips & Tricks // Looking at the Source Data to Support an Artifact
  • Digital Forensics and eDiscovery: Where One Stops and the Other Begins
    
    
• OALabs
  RE Tools Spotlight: Binary Refinery – High Octane Malware Triage Analysis
  
  
• Paraben Corporation
  E3 Forensic Platform Processing MS Edge Browser Data
  
  
• Rapid7
  [The Lost Bots] Bonus Episode: Velociraptor Contributor Competition
  
  
• Richard Davis at 13Cubed
  RDP Hashes – Event ID 1029 Explained
  
  
• SANS
  • Keynote: Cobalt Strike Threat Hunting | SANS DFIR Summit 2021 | Chad Tilbury
  • Incident Response 9-Line | SANS DFIR Summit 2021 | Gerard Johansen
  • DFIR 101: Digital Forensics Essentials | SANS DFIR Summit 2021 | Kathryn Hedley
  • IR Playbooks: A New Open Source Resource | Mathieu Saulnier
  • Scoring and Judging Artifacts in Autopsy | Brian Carrier
  • Breaches Be Crazy | Eric Capuano & Whitney Champion
  • SANS Cyber Solutions Fest – Level Cloud Security
    
    
• Security Unlocked
  Turning to the Purple Side
  
  
• Sumuri
  009 – Why You Are Doing Mac Forensics Wrong
  
  
• Uriel Kosayev
  Malware Analysis – Mirai Botnet Huawei Exploit
  
  
• WolfCast
  WolfCast – Episode 07 – Recruitment – Interview 1 of 856
  
  

MALWARE

• Alex.turing, Hui Wang, and Genshen Ye at 360 Netlab
  Mozi已死，余毒犹存
  
  
• AlienVault Labs
  PRISM attacks fly under the radar
  
  
• Noah Rubin at Aon
  Cobalt Strike Configuration Extractor and Parser
  
  
• CISA Analysis Reports
  • MAR-10333243-3.v1: Pulse Secure Connect
  • MAR-10336935-2.v1: Pulse Secure Connect
  • MAR-10334057-3.v1: Pulse Secure Connect
  • MAR-10338401-2.v1: Pulse Secure Connect
  • MAR-10339606-1.v1: Pulse Secure Connect
    
    
• GoggleHeadedHacker
  Reverse Engineering Crypto Functions: RC4 and Salsa20
  
  
• Hannah Cartier at Active Countermeasures
  Malware of the Day – EvilOSX
  
  
• John Hammond at Huntress
  Bullseye: A Story of a Targeted Cyberattack
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #54: Shifted pointers
  
  
• Dmitry Melikov at InQuest
  Kimsuky Espionage Campaign
  
  
• Intezer
  Intezer Analyze Transforms for Maltego
  
  
• John Hammond
  TARGETED Phishing – Fake Outlook Password Harvester
  
  
• Kyle Cucci at SecurityLiterate
  Malware Analysis in 5 Minutes: Identifying Evasion and Guardrail Techniques with CAPA
  
  
• Hossein Jazi at Malwarebytes Labs
  New variant of Konni malware used in campaign targetting Russia
  
  
• Marco Ramilli
  Paradise Ransomware: The Builder
  
  
• Morphisec
  ProxyShell Exchange Exploitation Now Leads To An Increasing Amount Of Cobaltstrike Backdoors
  
  
• Gustavo Palazolo at Netskope
  Netskope Threat Coverage: BlackMatter
  
  
• Nikhil Rathor at 0xthreatintel
  Tempering with practicing of information warfare!
  
  
• Michel Coene at NVISO Labs
  Credential harvesting and automated validation: a case study
  
  
• Doel Santos and Ruchna Nigam at Palo Alto Networks
  Ransomware Groups to Watch: Emerging Threats
  
  
• Red Team Tips
  %appdata% is a mistake – Introducing Invoke-DLLClone
  
  
• Sojun Ryu at S2W Lab
  Anatomy of Chaos Ransomware builder and its origin (feat. Open-source Hidden Tear ransomware)
  
  
• Igor Golovin at Securelist
  Triada Trojan in WhatsApp mod
  
  
• SentinelOne
  What Is A Malware File Signature (And How Does It Work)?
  
  
• Mark Loman at Sophos
  LockFile ransomware’s box of tricks: intermittent encryption and evasion
  
  
• Trend Micro
  • Key Takeaways from the Linux Threat Report
  • New Campaign Sees LokiBot Delivered Via Multiple Methods
    
    
• Thibaut Passilly and Mathieu Tartare at WeLiveSecurity
  The SideWalk may be as dangerous as the CROSSWALK
  
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 8/26/2021
  
  
• ArcPoint Forensics
  August Newsletter
  
  
• Binalyze
  • The Sixth Step to Forensic Readiness: System Monitoring
  • Is it time to change the old DFIR practices?
  • Reducing Digital Investigation Cost With DRONE
    
    
• DFIR_300
  2021 Crack Me If You Can Contest Write-Up
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  PhotoDNA and Limitations
  
  
• Forensic Focus
  • Forensic Considerations For Cloud Data Storage
  • Register For Webinar: Grayshift Quarterly Virtual Update
  • TraceGen: User Activity Emulation For Digital Forensic Test Image Generation
  • Tracing Walking Path Using Smart Lighting System
    
    
• Steve Gemperle at Magnet Forensics
  Don’t Let a Proxy Server Stop Your Remote Collection
  
  
• Marco Fontani at Amped
  How Can I Improve the Details of a Video in Amped Replay?
  
  
• Riley Anne Johns at Paraben Corporation
  The Role of Psychology in Digital Forensics
  
  
• Matt Spohn at Red Canary
  Law & Order: Incident Response Unit
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — August 22 to August 28
  
  
• Security Intelligence
  Red & Blue: United We Stand
  
  
• Segurança Informática
  NIST ransomware recovery guide: What you need to know
  
  
• Ygor Maximo
  Awesome Intelligence Writing
  
  

SOFTWARE UPDATES

• Amped
  Amped DVRConv Update 21854: More New Formats and Codec Variants
  
  
• Any.Run
  Release Notes August 25, 2021
  
  
• Binalyze
  DRONE Release: YARA Scanner & Ransomware Identifier
  
  
• CyberChef
  v9.32.2
  
  
• imp0rtp3
  Yobi
  
  
• mac_apt
  20210824
  
  
• Magnet Forensics
  • New in Magnet AXIOM 5.4: Improved VICS Exporting
  • New in AXIOM Cyber 5.4: Proxy Server Support and More
    
    
• Metaspike
  Remote Authenticator v1.50.2 – Released on 8/24/2021
  
  
• Mihari
  v3.6.1
  
  
• MSAB
  Released today: XRY 9.5.1 with Huawei Kirin and iOS 15 Beta support
  
  
• Security Onion
  • Security Onion 2.3.70 CURATOR Hotfix Now Available!
  • Security Onion 2.3.70 GRAFANA Hotfix Now Available!
    
    
• Xways
  • X-Ways Forensics 20.3 SR-3
  • X-Ways Forensics 20.4 Preview 4
    
    
• YARA
  YARA v4.1.2
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!