As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• eCrimeLabs
  “Analysis of competing hypotheses” to the rescue in incident response cases
  
  
• Erik Hjelmvik at Netresec
  Carving Packets from Memory
  
  
• Forensafe
  • Investigating Facebook Messenger Windows Application
  • Investigating Logon Banner
    
    
• Andrea Canepa at Zena Forensics
  McAFuse – open source McAfee FDE decryption
  
  
• Mike Cohen at Velocidex
  Event Tracing For Windows
  
  
• Oxygen Forensics
  GeoData
  
  
• Security Onion
  • Quick Malware Analysis: malware-traffic-analysis.net BazaCall-BazaLoader pcap from 2021-04-16
  • Quick Malware Analysis: malware-traffic-analysis.net TA551-Shathak-Bazarloader pcap from 2021-08-30
  • Quick Malware Analysis: malware-traffic-analysis.net STRRAT pcap from 2021-08-30
  • Quick Malware Analysis: malware-traffic-analysis.net TA551-Shathak-Ursnif-Gozi-ISFB pcap from 2021-04-16
    
    
• The DFIR Report
  Cobalt Strike, a Defender’s Guide
  
  

THREAT INTELLIGENCE/HUNTING

• Anomali
  Anomali Cyber Watch: Ransomware Group Activity, Credential Phishing with Trusted Redirects, F5 BIG-IP Bugs, and More
  
  
• Vladimir Martyanov at Avast Threat Labs
  Research shows over 10% of sampled Firebase instances open
  
  
• Awake Security
  Exploiting CVE-2018-13379 – A Case Study of Threat Actors Exploiting Years Old CVEs
  
  
• Azure Sentinel
  • Ingestion Cost Spike detection Playbook
  • Alert enrichment “how to reduce incident triage and investigation times using dynamic alert details”
  • Introducing: Azure Sentinel Data Exploration Toolset (ASDET)
    
    
• Ben Martin at Sucuri
  Analysis of a Phishing Kit (that targets Chase Bank)
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2021-08-30 – Quick post: TA551 (Shathak) BazarLoader
  • 2021-08-30 – Pcap and malware for ISC diary (STRRAT)
  • 2021-09-03 – GuLoader for possible Recmos RAT
  • 2021-09-02 – Hancitor with Cobalt Strike
  • 2021-09-01 – TA551 (Shathak) BazarLoader to Trickbot gtag zev4
  • 2021-08-31 – Astaroth/Guildma infection from Brazil malspam
    
    
• BushidoToken
  How Do You Run A Cybercrime Gang?
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 21 – 27 agosto 2021
  
  
• Check Point Research
  30th August – Threat Intelligence Report
  
  
• Cisco’s Talos
  • Attracting flies with Honey(gain): Adversarial abuse of proxyware
  • Translated: Talos’ insights from the recently leaked Conti ransomware playbook
  • Threat Roundup for August 27 to September 3
    
    
• Cyberint
  • Masslogger Stealer
  • Atlassian Confluence Server OGNL Injection (CVE-2021-26084)
    
    
• Chad Anderson at DomainTools
  Hunting Down Late Night Security Snacks – Raiding The Domain Fridge
  
  
• Esentire
  The Insurance Sector: Another Ripe Target for Ransomware Attacks
  
  
• Ashwin Ramesh at Expel
  Swimming past 2FA, part 2: How to investigate Okta compromise
  
  
• Fire Eye Threat Research
  • Too Log; Didn’t Read — Unknown Actor Using CLFS Log Files for Stealth
  • PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers
    
    
• Pete Cowman at Hatching
  GeoIP Mapping, Non-English VMs and Modify Analysis Duration
  
  
• Hurricane Labs
  Security Advisory Regarding ProxyToken
  
  
• Inversecos
  Backdoor Office 365 and Active Directory – Golden SAML
  
  
• Scythe
  • SCYTHE Presents: SCYTHE’s Virtual File System
  • SCYTHE Presents: Threat Thursday – Hive Ransomware
    
    
• LIFARS Cybersecurity
  MacOS Faces Threats From Rewritten Malware
  
  
• Pieter Arntz at Malwarebytes Labs
  ProxyToken: Another nail-biter from Microsoft Exchange
  
  
• Mehmet Ergene
  Detecting EDR Bypass: Malicious Drivers(Kernel Callbacks)
  
  
• Microsoft Security
  A deep-dive into the SolarWinds Serv-U SSH vulnerability
  
  
• Nextron Systems
  Silent Scanning – Compromise Assessment with THOR Lite on a Compromised Exchange 2019 Server
  
  
• Zhanhao Chen at Palo Alto Networks
  DNS Rebinding Attack: How Malicious Websites Exploit Private Networks
  
  
• pat_h/to/file
  Hunting Sliver
  
  
• Proofpoint
  BEC Taxonomy: Advance Fee Fraud
  
  
• Recorded Future
  H1 2021: Malware and Vulnerability Trends Report
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, July 2021
  
  
• Red Siege Information Security
  Bypassing Signature-Based AV
  
  
• SANS Internet Storm Center
  • BrakTooth: Impacts, Implications and Next Steps, (Tue, Aug 31st)
  • Filter JSON Data by Value with Linux jq, (Sun, Aug 29th)
  • STRRAT: a Java-based RAT that doesn’t care if you have Java, (Wed, Sep 1st)
  • Attackers Will Always Abuse Major Events in our Lifes, (Thu, Sep 2nd)
    
    
• Security Investigation
  • Clickjacking Attack – How to Detect & Prevent this Attack ?
  • FireEye’s Open-Source Tool – CAPA to Identify Malware Capabilities
  • NetworkMiner Tool – Dynamic Malware Analysis with Minimum Dwell Time
  • Fingerprint all the things! – Protocol Profiling Method for Anomaly Detection
  • Threat Intelligence –  Diamond Model of Intrusion Analysis
    
    
• Sophos
  • Fake pirated software sites serve up malware droppers as a service
  • Conti affiliates use ProxyShell Exchange exploit in ransomware attacks
    
    
• Joe at Stranded on Pylos
  Ransomware’s Unintended Consequences
  
  
• Pritam Salunkhe and Shilpesh Trivedi at Uptycs
  LOLBins Are No Laughing Matter: How Attackers Operate Quietly
  
  
• Simon Zuckerbraun at Zero Day Initiative
  ProxyToken: An Authentication Bypass in Microsoft Exchange Server
  
  
• Andy Gill at ZeroSec
  Understanding Cobalt Strike Profiles
  
  

UPCOMING EVENTS

• Arman Gungor at Metaspike
  Forensic Email Collector Workshop
  
  
• Cellebrite
  Remote Mobile Collections for Corporate Investigations
  
  
• Elan at DFIR Diva
  DFIR Related Events for Beginners – September 2021
  
  
• Exterro
  Masters of Digital Forensics Course # 4: Casting a wider net—analysis phase, Part II
  
  
• Griffeye
  Webinar: Getting started with Analyze DI
  
  
• Tim Moniot at Magnet Forensics
  Finding Evidence of Cloud Data ‘Footprints’ in Existing Evidence
  
  
• Yuri Gubanov at Belkasoft
  [webinar] Sneak Peek Of Belkasoft X V.1.10
  
  

PRESENTATIONS/PODCASTS

• Ali Hadi
  • 1- The 010 Editor, Let us start
  • 25- Inspector (Interpreting Data)
  • 26- Inspector (Interpreter Part 2)
  • 27- Templates (Part 1)
  • 28- Templates (Part 2) and File Signatures
    
    
• Archan Choudhury at BlackPerl
  Incident Response Training, Full Analysis of Sev0 Real Incident, Day 11
  
  
• Black Hat
  Threat Hunting in Active Directory Environment
  
  
• Black Hills Information Security
  • BHIS | Talkin’ Bout News 2021-08-30
  • BHIS | Uncovering Secrets and Simplifying Your Life with CyberChef – BB King
  • Talkin’ About Infosec News – 9/3/2021
    
    
• Breaking Badness
  95. BEC You Later
  
  
• Cellebrite
  • Helpful Resources and Where to Find Them
  • Nothing to See Here – I Beg to DFIR (panel)
  • Pathfinder Capture the Flag (CTF)
    
    
• Cisco’s Talos
  Talos Takes Ep. #66: Dude, where’s my bandwidth?
  
  
• Cyberwarcon
  CYBERWARCON 2019 – Keynote – Andy Greenberg’s Reflections on Sandworm
  
  
• Day Cyberwox
  How To Turn Your Internship Into A Full Time Offer/Job
  
  
• Digital Forensic Survival Podcast
  DFSP # 289 – Framing Root Cause
  
  
• Esentire
  Ep. 3:  The Current Threat Environment
  
  
• Gerald Auger at Simply Cyber
  • GI Bill an Entire SANS Education And Get Paid (Fully Explained)
  • Exploring the Dark Arts of “Crypto” Currency with Charles Finfrock
    
    
• InfoSec_Bret
  IR BETA – SOC148 EventID:95 – IR BETA
  
  
• Nextron Systems
  Silent Scanning – THOR- Lite Exchange Server 2019 Scan for ProxyShell ProxyToken Exploitation
  
  
• Rapid7
  [The Lost Bots] Episode 4: Deception Technology
  
  
• SANS
  • A Holistic Approach to Defending Business Email Compromise (BEC) Attacks
  • Greppin’ Logs | Jon Stewart & Noah Rubin
  • To the Moon! The Cyber Kill Chain Meets Blockchain | Jackie Koven
  • EZ Tools/KAPE: How to Contribute to and Benefit from Open Source Contributions
  • Order of Volatility in Modern Smartphone Forensics
  • Automating Google Workspace Incident Response | Megan Roddie
  • SANS Cyber Solutions Fest – Level Threat Hunting and Intelligence
  • FOR509: Cloud Forensics & Incident Response Course Preview
    
    
• Security Onion
  SOARLab = Security Onion + Automation + Response Lab including n8n and Velociraptor
  
  
• Security Unlocked
  Battling BazaCall BuzzKill
  
  
• SecurityNinja
  Cyber Defenders – PacketMaze
  
  
• This Month in 4n6
  This Month In 4n6 – August – 2021
  
  
• Uriel Kosayev
  Malware Analysis – Unpacking UPX Manually
  
  
• Watson Infosec
  Malware LAB Build Part Two
  
  

MALWARE

• 360 Netlab
  The Mostly Dead Mozi and Its’ Lingering Bots
  
  
• Gage Mele, Tara Gould, Rory Gould, and Sean Townsend at Anomali
  Cybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs to Drop Javascript Backdoor
  
  
• Chuong Dong
  BlackMatter Ransomware v2.0
  
  
• Cybereason
  Evolving Ransomware Tactics Include Recruiting Insiders and DDoS Attacks
  
  
• Ahmad Muneeb Khan and Syed Hasan Akhtar at Ebryx
  Exposing Sidewinder’s Arsenal against Windows
  
  
• Flashpoint
  What Does LockBit Want? Decrypting an Interview With the Ransomware Collective
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #55: Using debug symbols
  
  
• Changalamaadan at InfoSec Write-ups
  MalDoc 101 Malware Analysis Walkhthrough
  
  
• Ayan Saha at Keysight
  Posh C2 – Command and Control
  
  
• ChanUng Pak at McAfee Labs
  Phishing Android Malware Targets Taxpayers in India
  
  
• Michael Koczwara
  Cobalt Strike PowerShell payload Analysis
  
  
• Yihua Liao at Netskope
  AI/ML for Malware Detection
  
  
• Rob Bone at Nettitude Labs
  Introducing Process Hiving & RunPE
  
  
• NVISO Labs
  • How malicious applications abuse Android permissions
  • Anatomy and Disruption of Metasploit Shellcode
    
    
• Brock Mammen and Haozhe Zhang at Palo Alto Networks
  New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305)
  
  
• ReaQta
  The resurgence of RansomEXX
  
  
• S2W Lab
  BlackMatter x Babuk : Using the same web server for sharing leaked files
  
  
• Anton Kuzmenko, Oleg Kupreev, and Haim Zigel at Securelist
  QakBot technical analysis
  
  
• Camille Singleton, Andrew Gorecki, and John Dwyer at Security Intelligence
  Dissecting Sodinokibi Ransomware Attacks: Bringing Incident Response and Intelligence Together in the Fight
  
  
• Segurança Informática
  Netwalker ransomware full analysis
  
  
• Phil Stokes at SentinelLabs
  6 Pro Tricks for Rapid macOS Malware Triage with Radare2
  
  
• Tony Lambert
  Getting PE Rich Header Hashes with pefile in Python
  
  
• Mohamad Mokbel at Trend Micro
  Analyzing SSL/TLS Certificates Used by Malware
  
  

MISCELLANEOUS

• Anton Chuvakin
  • Kill SOC Toil, Do SOC Eng
  • Anton and The Great XDR Debate, Part 2
    
    
• Amina Zilic at Binalyze
  The Seventh Step to Forensic Readiness: When a full formal investigation should be launched?
  
  
• Brett Shavers
  When Being Self-Taught Goes Wrong
  
  
• Cassie Doemel at AboutDFIR
  First Time GIAC: Studying for the GCFE
  
  
• Cellebrite
  • Cellebrite Completes Business Combination with TWC Tech Holdings II Corp., Company Will Begin Trading on Nasdaq Under Symbol “CLBT”
  • The ALL NEW Cellebrite Capture the Flag (CTF)
    
    
• Cyberbit
  Building Cyber Resiliency Through SOC Team Readiness
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Don’t Talk to Me
  
  
• Jared Pane at Elastic
  Deterring ransomware for state and local government
  
  
• Forensic Focus
  • 3 Parallel Imaging Sessions On Good Or Bad Drives With Atola Insight Forensic And DiskSense 2
  • Register For Workshop: Learn How To Use Network Capture In A Totally Different Way
  • What is digital forensics?
  • Geneva Police Stay Ahead Of Criminals With OpenText EnCase
    
    
• Ayrat Murtazin at InfoSec Write-ups
  Microsoft Azure & O365 CLI Tool Cheatsheet
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (9/1/2021)
  
  
• Marco Fontani at Amped
  How Do I Resize the Frames of a Video and Zoom with Amped Replay?
  
  
• Suzanne Strobel at Red Canary
  The 2021 Forrester MDR Wave: Behind the research
  
  
• SANS
  • Protect Control Systems and Critical Infrastructure with GRID
  • Promociones de Entrenatiento SANS en Cyberseguridad para Latinoamérica
  • Making ‘AutoMagic’ Happen in the SOC
    
    
• Security Onion
  Security Onion Documentation printed book now updated for Security Onion 2.3.70!
  
  
• VirusTotal
  Applied Yara training – Q&A
  
  
• Rik Van Duijn at Zolder B.V.
  Decrypt passwords from Xerox Workcentre config backups
  
  

SOFTWARE UPDATES

• Belkasoft
  Belkasoft Incident Investigations is released!
  
  
• John Gamble at Corelight
  Smart PCAP and threat detection in the cloud
  
  
• CyberChef
  v9.32.3
  
  
• Eric Zimmerman
  ChangeLog
  
  
• F-Response
  F-Response 8.3.1.8 Released – Manual resuming for device imaging, F-Response Collect gets profiles!
  
  
• F-Secure Countercept
  Chainsaw v1.0.1
  
  
• Grayshift
  Grayshift Announces GrayKey support for LG and MediaTek
  
  
• iNPUT-ACE
  iNPUT-ACE Version 2.6.3
  
  
• mac_apt
  20210904
  
  
• Costas K
  MFTBrowser.exe (x64)
  
  
• Mihari
  v3.7.1
  
  
• Security Onion
  Security Onion 2.3.70 WAZUH Hotfix Now Available!
  
  
• P. Abhiram Kumar
  EventTranscriptParser
  
  
• Xways
  • X-Ways Forensics 20.1 SR-12
  • X-Ways Forensics 20.2 SR-7
  • X-Ways Forensics 20.3 SR-4
  • X-Ways Forensics 20.4 Preview 6
    
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!