As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• ArcPoint Forensics
  macOS Forensic Artifacts
  
  
• Belkasoft
  Signal decryption with Belkasoft X
  
  
• Cado Security
  Your Questions Answered: Cloud & Kubernetes Memory Forensics
  
  
• Forensafe
  • Investigating Shellbags
  • Investigating Opera Web Browser
    
    
• Shusei Tomonaga at JPCERT/CC
  How to Use Volatility 3 Offline
  
  
• Magnet Forensics
  Anatomy of A Ransomware Investigation
  
  
• Rory Wagner
  Part 1: Memory and Volatility
  
  
• Security Onion
  • Quick Malware Analysis: malware-traffic-analysis.net data exfiltration exercise from 2021-07-14
  • Quick Malware Analysis: malware-traffic-analysis.net ASTAROTH/GUILDMA pcap from 2021-08-31
  • Quick Malware Analysis: malware-traffic-analysis.net TA551-SHATHAK-BAZARLOADER-TRICKBOT-GTAG-ZEV4 pcap from 2021-09-01
  • Quick Malware Analysis: malware-traffic-analysis.net HANCITOR-COBALT-STRIKE pcap from 2021-09-02
  • Quick Malware Analysis: malware-traffic-analysis.net GULOADER-POSSIBLE-REMCOS-RAT pcap from 2021-09-03
    
    

THREAT INTELLIGENCE/HUNTING

• CVE-2021-40444
  • MSHTML RCE Exploited CVE-2021-40444
  • Microsoft MSHTML Remote Code Execution Vulnerability Exploited in the Wild (CVE-2021-40444)
  • Cybersecurity Advisory: Hackers Are Exploiting CVE-2021-40444
  • CVE-2021-40444 zero-day vulnerability in Microsoft Office
  • Windows MSHTML zero-day actively exploited, mitigations required
  • Kusto hunting query for CVE-2021-40444
  • Microsoft Offers Workaround for 0-Day Office Vulnerability (CVE-2021-40444), (Wed, Sep 8th)
    
    
• Yelisey Boguslavskiy & Anastasia Sentsova at Advanced Intelligence
  Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings
  
  
• AlienVault Labs
  TeamTNT with new campaign aka “Chimaera”
  
  
• Anomali
  Anomali Cyber Watch: FIN7 Using Windows 11 To Spread JavaScript Backdoor, Babuk Source Code Leaked, Feds Warn Of Ransomware Attacks Ahead Of Labor Day and More
  
  
• Azure Sentinel
  • What’s New: Azure Sentinel – SOC Process Framework 8 Part Video Series!
  • Check the health of your exported Azure Sentinel logs in your ADX cluster
    
    
• Cisco’s Talos
  • Threat Roundup for September 3 to September 10
  • Talos release protection against zero-day vulnerability in Microsoft MSHTML
    
    
• Aleksandar Milenkoski at Cybereason
  THREAT ALERT: Microsoft MSHTML Remote Code Execution Vulnerability
  
  
• Brianna Leddy at Darktrace
  The early signs of ransomware: A blitz game
  
  
• Tim Helming at DomainTools
  Developing DNS-Based Intel Requirements
  
  
• Dragos
  New Knowledge Pack Released (KP-2021-007-E)
  
  
• EclecticIQ
  A Look into Banking Trojan IcedID’s Installation Process
  
  
• Expel
  The top phishing keywords in the last 10k+ malicious emails we investigated
  
  
• Ryan Serabian and Lee Foster at Fire Eye Threat Research
  Pro-PRC Influence Campaign Expands to Dozens of Social Media Platforms,
  Websites, and Forums in at Least Seven Languages, Attempted to
  Physically Mobilize Protesters in the U.S.
  
  
• Flashpoint
  REvil Is Back on Exploit and Trying to Restore Its Reputation [Updated]
  
  
• Joe Slowik at Gigamon
  Rendering Threats: A Network Perspective
  
  
• Henri Hambartsumyan at Falcon Force
  FalconFriday — Detecting ASR Bypasses — 0xFF17
  
  
• Joe at Stranded on Pylos
  A Spectrum of State Ransomware Responsibility
  
  
• Scythe
  • SCYTHE Presents: T1030- Testing Data Transfer Limit Sizes
  • SCYTHE Presents: ThreatThursday – Phobos Ransomware
    
    
• Lacework
  • Muhstik Takes Aim at Confluence CVE 2021-26084
  • PYSA Ransomware Gang adds Linux Support
    
    
• Malwarebytes Labs
  500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords
  
  
• Mark Mo
  • Changing file properties to lower virus total detection
  • Dynamic passwords, process hollowing and packers test
    
    
• Michael Koczwara
  • Cobalt Strike C2 Hunting with Shodan
  • Active Directory & Pentesting Lab Part 1 (Recon & Attacking Web Servers)
    
    
• Mike Cohen at Velocidex
  ETW Part 2: Process Parent Spoofing
  
  
• Nik Alleyne at ‘Security Nik’
  • Continuing Web Shell – Weevely
  • Beginning Web Shell – The basics and some detection – Hack and Detect
  • Beginning Server Side Request Forgery (SSRF) – WebGoat
  • TShark: Working with statistics
    
    
• Palo Alto Networks
  • Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances 
  • PhishingJS: A Deep Learning Model for JavaScript-Based Phishing Detection
    
    
• Recorded Future
  Dark Covenant: Connections Between the Russian State and Criminal Actors
  
  
• RiskIQ
  Flowspec Bulletproof Services Enable Cybercrime Worldwide
  
  
• S2W Lab
  • Groove’s thoughts on Blackmatter , Babuk, and interruption in the supply of cheese in the…
  • Groove x RAMP : The relation between Groove, Babuk, RAMP, and BlackMatter
  • Case Analysis of Suncrypt Ransomware Negotiation and Bitcoin Transaction
    
    
• SANS Internet Storm Center
  • Why I Gave Up on IPv6. And no, it is not because of security issues., (Tue, Sep 7th)
  • “Stolen Images Evidence” Campaign Continues Pushing BazarLoader Malware, (Wed, Sep 8th)
  • Shipping to Elasticsearch Microsoft DNS Logs, (Sat, Sep 11th)
    
    
• Securelist
  Threat landscape for industrial automation systems in H1 2021
  
  
• Megan Roddie at Security Intelligence
  LockBit 2.0: Ransomware Attacks Surge After Successful Affiliate Recruitment
  
  
• Security Investigation
  • Cooking Malicious Documents with Cyberchef – Detect & Respond
  • Malware Analysis Use Cases with ANY.RUN Sandbox
  • Splunk Architecture: Forwarder, Indexer, And Search Head
  • Cooking Malicious Powershell Obfuscated Commands with CyberChef
  • Google Rapid Response Tool for Remote Live Forensics
    
    
• Segurança Informática
  • Bypassing security products via DNS data exfiltration
  • The new maxtrilha trojan is being disseminated and targeting several banks
    
    
• Symantec Enterprise
  Grayfly: Chinese Threat Actor Uses Newly-discovered Sidewalk Malware
  
  
• Teri Radichel
  • The Network Logs You Might Not Need (GASP!)
  • The Network Logs You Need
    
    
• Andy Gill at ZeroSec
  ADExplorer Exporting Quick Tip
  
  
• Sudeep Singh and Sahil Antil at ZScaler
  CloudFall Targets Researchers and Scientists Invited to International Military Conferences in Central Asia and Eastern Europe
  
  

UPCOMING EVENTS

• Cybereason
  Cybereason’s Lodrina Cherne Joins Panel on Building a More Inclusive Future in Cybersecurity
  
  
• Cellebrite
  • Part 1: Disclosure of Evidence in Prosecution Briefs
  • Part 2: Telecommunication Data in Evidence: Use and Admissibility
  • Part 3: Cloud Access – What’s it all About?
  • Part 4: Digital Evidence & Investigative Management
  • eDiscovery Investigations in the Age of Remote Work
    
    
• Europol
  Forensic Experts Forum 2021 Conference
  
  
• Exterro
  Masters of Digital Forensics Course # 5: Reporting—Bringing it all together
  
  
• Magnet Forensics
  • Digital Forensics and the Enterprise Cloud: A Panel Discussion
  • Best Practices for Digital Forensics Workflow Orchestration & Automation
  • Tips & Tricks // In-Depth Look at Timeline in AXIOM
    
    
• SANS
  Cyber Solutions Fest: Diversify and Conquer Keynote
  
  

PRESENTATIONS/PODCASTS

• AGDC Services
  How To Defeat Qbot AntiDebug Checks And Extract Payload
  
  
• Black Hills Information Security
  • BHIS | Talkin’ Bout [infosec] News 2021-09-07
  • BHIS | Getting Started in Blockchain Security and Smart Contract Auditing | Beau Bullock
  • Talkin’ About Infosec News – 9/9/2021
    
    
• Cellebrite
  • Watch Lists are a great way to add lists of keywords into Cellebrite Physical Analyzer
  • Learn all the methods and tricks for Keyword searching in Cellebrite Physical Analyzer.
  • Tabs in Cellebrite Physical Analyzer make navigating views easy.
    
    
• Cisco’s Talos
  Talos Takes Ep. #67: What a leaked playbook tells us about the Conti ransomware group
  
  
• Cloud Security Podcast by Google
  EP30 Malware Hunting with VirusTotal
  
  
• Day Cyberwox
  4 Reasons Why Cybersecurity Might Not Be Right For You!
  
  
• DEF CON 29 Blue Team Village
  • DEF CON 29 Blue Team Village – Logjamming Tales of innovation, intrigue, & shenanigans
  • DEF CON 29 Blue Team Village – Sebastian Provost – Yeet the leet with Osquery
  • DEF CON 29 Blue Team Village – Igal Flegmann –   I know who has access to my cloud, do you
  • DEF CON 29 Blue Team Village  – Henry – How do you ALL THE CLOUDS
  • DEF CON 29 Blue Team Village – John Bambenek – Adventures in Pro Bono Digital Forensics Work
  • DEF CON 29 Blue Team Village – Renzon Cruz – Forensicating Endpoint Artifacts in Cloud Storage Svcs
  • DEF CON 29 Blue Team Village – Drimacus – Leveraging NGFWs for Threat Hunting
  • DEF CON 29 Blue Team Village – Gert-Jan Bruggink – This is what we thought would happen in 2021
  • DEF CON 29 Blue Team Village – Ch33r10, Jorge Orchilles – BTV Presents Threat Report Roulette
  • DEF CON 29 Blue Team Village – muteki –  Year of Mentoring BTV’s Meet a Mentor Turns One
  • DEF CON 29 Blue Team Village – Wendy Edwards – What Machine Learning Can and Can’t Do for Security
  • DEF CON 29 Blue Team Village – Karl Lovink,  – Use DNS to detect domains abused for phishing
  • DEF CON 29 Blue Team Village – Mark Morowczynski – Modern Authentication for the Security Admin
  • DEF CON 29 Blue Team Village – Mike Cohen – Velociraptor   Dig Deeper
  • DEF CON 29 Blue Team Village  – Meisam Eslahi – Scope X Hunt in the Ocean
    
    
• DEF CON 29 Cloud Village
  DEF CON 29 Cloud Village – Rod Soto – Detection Challenges in Cloud Connected Credential  Attacks
  
  
• Detection: Challenging Paradigms
  S2 – Episode 2: Anton Chuvakin
  
  
• DFIR.Science
  • Is ProtonMail Broken?
  • Use GitHub to get started in the DFIR community
  • What is an AD1 file? FTK Imager Tutorial
  • What did the digital investigator order at the bar?
    
    
• Digital Forensic Survival Podcast
  DFSP # 290 – Mac Training with SUMURI
  
  
• Dr Ali Hadi
  • IOCs and Yara – Part #1
  • Writing Yara Rules – Part #2
  • More Yara Rules – Part #3
  • 25- Inspector (Interpreting Data)
  • 26- Inspector (Interpreter Part 2)
  • 27- Templates (Part 1)
  • 28- Templates (Part 2) and File Signatures
  • Tracing Windows APIs using Tiny_Tracer
    
    
• Gerald Auger at Simply Cyber
  • Cybersecurity Threat Hunting Utility
  • Unconventional Paths Into Cybersecurity
    
    
• InfoSec_Bret
  • IR BETA – SOC149 EventID:96 – IR BETA
  • IR BETA – SOC128 EventID:97 – IR BETA
    
    
• John Hammond
  • KOVTER Malware Analysis – Fileless Persistence in Registry
  • REvil Ransomware Leak Site RETURNS
  • VOD – TryHackMe! Game Zone – Recreating a Metasploit Exploit in Python
  • VOD – TryHackMe! Alfred with Empire
    
    
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 25 – Duplicate Files
  
  
• Nextron Systems
  • YARA Session 2 20210907 FIN7 Maldoc
  • YARA Rule Processing Session #1 2021-09-07
  • YARA Rule Processing Session #3 2021-09-08 Khepri Beacons
  • YARA Rule Processing Session #4 CVE-2021-40444 Rule
  • THOR Lite Introduction and Demo
    
    
• Radware
  Radware Threat Researchers Live: Ep.13
  
  
• SANS
  • OCR’ing the Bitmap Cache Puzzle | Drew Luckenbaugh
  • Where Have UAL Been? | Brian Moran & Kevin Stokes
  • Stringlifier: An Open Source Tool for Random String Classification
  • Forensic Analysis of Xiaomi IoT Ecosystem
  • SANS Cyber Solutions Fest Keynote | Diversify and Conquer: Building & Managing Successful CyberTeams
  • Crossing the Threshold: Analysis of the Facebook Portal Mini
  • Reporting for Digital Forensics | Jason Wilkins
  • UFOs (Unidentified Forensic Objects) | Ian Whiffin
  • SANS Institute | Level Up | How Do You Start In Cyber Security
    
    
• SentinelOne
  Introducing the Cyber Chat Podcast with Thom Langford
  
  

MALWARE

• 0day in {REA_TEAM}
  Quick analysis CobaltStrike loader and shellcode
  
  
• CERT-AGID
  BRATA malware per dispositivi Android spacciato per AntiSPAM
  
  
• Xiaopeng Zhang at Fortinet
  New Dridex Variant Being Spread By Crafted Excel Document
  
  
• John Ferrell at Huntress
  Malware Deep Dive: Investigating a Foothold and Uncovering the Payload
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #56: String literals in pseudocode
  
  
• Jason Reaves at Walmart
  Decoding SmartAssembly strings, a Haron ransomware case study
  
  
• Gustavo Palazolo at Netskope
  Hive Ransomware: Actively Targeting Hospitals
  
  
• Tony Lambert
  Smarter, Not Harder: Getting Malware to Help You Analyze It
  
  
• Lukas Stefanko at WeLiveSecurity
  BladeHawk group: Android espionage against Kurdish ethnic group
  
  

MISCELLANEOUS

• Amped
  • How Can I Add Shapes, Arrows, and Text to a Video With Amped Replay?
  • Introducing New Tutorial Videos on Annotations and Video Redaction
    
    
• Bob Rudis at Rapid7
  The Rise of Disruptive Ransomware Attacks: A Call To Action
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Content Update 9/11/2021
  
  
• Cybereason
  Busted: Taking Down Ransomware Attackers
  
  
• Forensic Focus
  • Binalyze AIR Release 1.8.0 Feature Highlights
  • Register For Webinar: Casting A Wider Net—Analysis Phase, Part II
  • ChunkedHCs Algorithm For Authorship Verification Problems: Reddit Case Study
  • Register For Webinar: Reporting — Bringing It All Together
  • The Internet Of Things Is Ubiquitous, But Analysis Of IoT Data Is Not… Yet
  • Abdeslam Afras, Executive Vice President of Investigations, Nuix
  • Atola Releases TaskForce 2021.8 Firmware Qith XFS, RAID 10, Imaging Enhancements
  • Another Brick In The Wall: An Exploratory Analysis Of Digital Forensics Programs In The United States
    
    
• Grayshift
  Grayshift Expands Global Presence with New Asia-Pacific Office in Japan
  
  
• Howard Oakley at ‘The Eclectic Light Company’
  Explainer: macOS scheduled background activities
  
  
• Karlo Licudine at AccidentalRebel
  Building my Virtual Cybersecurity Home Lab
  
  
• Kim Zetter at ‘Zero Day’
  • Hacking Team Customer in Turkey Was Arrested for Spying on Police Colleagues [or: The Spy Story That Spun a Tangled Web]
  • Timeline for Hacking Team Story
    
    
• LockBoxx
  Testimonials on the Benifits of Offensive Security Tools
  
  
• Michael Kavka at Silicon Shecky
  Device vs. User
  
  
• Oxygen Forensics
  Top 5 Challenges Digital Forensic Investigators Will Face
  
  
• Ryan Campbell at ‘Security Soup’
  • Weekly News Roundup — August 29 to September 4
  • Weekly News Roundup — September 5 to September 11
    
    
• SANS
  A Visual Summary of SANS Blue Team Summit 2021
  
  
• TrustedSec
  • Obsidian, Taming a Collective Consciousness
  • Update: The Defensive Security Strategy
    
    
• John Patzakis at X1
  eDiscovery Services Are Undergoing a Major Transformation
  
  

SOFTWARE UPDATES

• Bill Budington at EFF
  Introducing “apkeep,” EFF Threat Lab’s new APK Downloader
  
  
• Brett Fitzpatrick
  pyMalleableProfileParser
  
  
• Cellebrite
  Now Available: Cellebrite Physical Analyzer, Cellebrite Logical Analyzer, Cellebrite Reader, and UFED Cloud v7.48
  
  
• Elcomsoft
  Elcomsoft iOS Forensic Toolkit 7.03 simplifies agent sideloading in macOS, improves support for legacy devices
  
  
• Eric Zimmerman
  ChangeLog
  
  
• MFT_Browser
  MFTBrowser.exe (x64) v.0.0.24.0
  
  
• Mike Cohen at Velocidex
  Velociraptor 0.6.1 Release
  
  
• OSForensics
  V9.0 build 1002 8th September 2021
  
  
• Yulia Samoteykina at Atola
  XFS, RAID 10 and new imaging features. TaskForce 2021.8 is here!
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!