As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Cado Security
  The Ultimate Guide to Docker & Kubernetes Forensics
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  With Strings Attached
  
  
• Oleg Afonin at Elcomsoft
  Forensic Implications of Sleep, Hybrid Sleep, Hibernation, and Fast Startup in Windows 10
  
  
• Forensafe
  • Investigating AmCache
  • Investigating Foxit Reader
    
    
• Inginformatico
  Reto forense losprys I — Presentación, herramientas y técnicas
  
  
• Junhyeong Lee at Plainbit
  • [TIP#1] Microsoft defender
  • [TIP#2] Chromium based Browser
  • [TIP#3] WSL (Windows Subsystem for Linux)
  • [TIP#4] Delete
  • [TIP#5] RID Hijacking
    
    
• Security Investigation
  • Cooking Malicious Phishing Email Headers with CyberChef
  • Email Header Analysis – Use Cases Including SPF, DKIM & DMARC
  • How DKIM SPF & DMARC Work to Prevent Email Spoofing and Phishing
    
    
• Security Onion
  • Quick Malware Analysis: malware-traffic-analysis.net BAZACALL-BAZARCALL-BAZALOADER-BAZARLOADER pcap from 2021-04-15
  • Quick Malware Analysis: Cobalt Strike, AgentTesla, and Ficker pcap from 2021-06-16
  • Quick Malware Analysis: Cobalt Strike and Hancitor pcap from 2021-09-14
  • Quick Malware Analysis: Qakbot, C2, and spambot pcap from 2021-05-05
  • Quick Malware Analysis: BazaLoader, Cobalt Strike, and Anchor pcap from 2021-03-29
  • Quick Malware Analysis: Squirrelwaffle and Cobalt Strike pcap from 2021-09-17
    
    
• Bill Marczak, John Scott-Railton, Bahr Abdul Razzak, Noura Al-Jizawi, Siena Anstis, Kristin Berdan, and Ron Deibert at The Citizen Lab
  FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild
  
  
• The DFIR Report
  BazarLoader to Conti Ransomware in 32 Hours
  
  

THREAT INTELLIGENCE/HUNTING

• Anomali
  Anomali Cyber Watch: Azurescape Cloud Threat, MSHTML 0-Day in The Wild, Confluence Cloud Hacked to Mine Monero, and More
  
  
• Sumit Patel at AWS Security
  How to automate incident response to security events with AWS Systems Manager Incident Manager
  
  
• Azure Sentinel
  • Azure Sentinel Notebooks Ninja Part 2: Getting Started with Azure Sentinel Notebooks
  • Azure Sentinel Notebooks – Azure cloud support, new visualizations
  • Unusual MIRAI variant looks for mining infrastructure
  • Hunting for OMI Vulnerability Exploitation with Azure Sentinel
    
    
• Brad Duncan at Malware Traffic Analysis
  • 2021-09-10 – Traffic analysis exercise – Angry Poutine
  • 2021-09-14 – Pcap and malware for an ISC diary (Hancitor with Cobalt Strike)
  • 2021-09-17 – Squirrelwaffle Loader with Cobalt Strike
    
    
• Cado Security
  • TeamTNT Employs New Techniques to Grab AWS Credentials
  • Azure OMI Vulnerability OMIGOD (CVE-2021-38647) Now Under Exploitation
    
    
• CERT-AGID
  Campagna malware Lokibot in atto in ambito universitario
  
  
• Check Point Research
  13th September – Threat Intelligence Report
  
  
• Cisco’s Talos
  • Operation Layover: How we tracked an attack on the aviation industry to five years of compromise
  • Threat Roundup for September 10 to September 17
    
    
• Cobalt Strike Research and Development
  How to Extend Your Reach with Cobalt Strike 
  
  
• Jurgen at Correlated Security
  The 80/20 of Cyber Threat Intelligence Domain Knowledge
  
  
• CrowdStrike
  • Shining a Light on DarkOxide
  • Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
    
    
• Cybereason
  • What is Driving the Surge of Ransomware Attacks?
  • Three Pillars of Infosec: Confidentiality, Integrity and Availability
  • Grief Gang’s New Quadruple Extortion Scheme Doesn’t Change the Game
    
    
• EclecticIQ
  The Analysis Prompt #35 – Ragnarok Phorpiex US Cryptocurrency Heists
  
  
• Group-IB
  • Scamdemic outbreak
  • RUNLIR – phishing campaign targeting Netherlands
    
    
• Josh Neubecker at Hurricane Labs
  How to Detect Anomalies in Splunk Using Streamstats
  
  
• Inversecos
  Office365 Attacks: Bypassing MFA, Achieving Persistence and More
  
  
• Jérôme Segura at Malwarebytes
  The many tentacles of Magecart Group 8
  
  
• Koen Van Impe
  • Cobalt Strike Hunting – Key items to look for
  • Identify malicious servers / Cobalt Strike servers with JARM
  • Use Mobile Verification Tool to check if your iPhone is affected by Pegasus spyware
    
    
• Samuel Hassine at Luatix
  Robustness, intelligence and collaboration with OpenCTI 5.0
  
  
• MDSec
  NSA Meeting Proposal for ProxyShell
  
  
• Michael Koczwara
  • Mapping and Pivoting from Cobalt Strike C2 Infrastructure Attributed to CVE-2021-40444
  • Hunting “Legit” Red Teams C2 Infrastructure
    
    
• Penetration Testing Lab
  Account Persistence – Certificates
  
  
• Pete Cowman at Hatching
  New and Improved Family Detections
  
  
• Recorded Future
  • How to Detect Cobalt Strike: An Inside Look at the Popular Commercial Post-Exploitation Tool
  • How Many Words is a Picture Actually Worth? What Images Mean in Intelligence Analysis
  • How Agencies Can Refine Threat Intelligence Through Automation
    
    
• Sam Straka at Red Canary
  Microsoft Identity: An intro to Windows Active Directory
  
  
• RiskIQ
  Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER’s Ransomware Infrastructure and a Windows Zero-Day Exploit
  
  
• SANS Internet Storm Center
  • Hancitor campaign abusing Microsoft’s OneDrive, (Wed, Sep 15th)
  • Malicious Calendar Subscriptions Are Back?, (Fri, Sep 17th)
  • Phishing 101: why depend on one suspicious message subject when you can use many?, (Thu, Sep 16th)
  • Simple Analysis Of A CVE-2021-40444 .docx Document, (Sat, Sep 18th)
    
    
• Securelist
  • Incident response analyst report 2020
  • Exploitation of the CVE-2021-40444 vulnerability in MSHTML
    
    
• Sergiu Gatlan at Bleeping Computer
  Researchers compile list of vulnerabilities abused by ransomware gangs
  
  
• Joe at Stranded on Pylos
  Unpacking Vexing Vulnerabilities
  
  
• Thomas Barabosch at Telekom
  Flubot’s Smishing Campaigns under the Microscope
  
  
• Justin Vaicaro at TrustedSec
  Why your threat hunting program building shouldn’t stop once the engagement is over
  
  
• Vicente Díaz at VirusTotal
  Introducing VT Alerts
  
  

UPCOMING EVENTS

• Analyst1
  Nation-State Ransomware Report: A Webinar Briefing
  
  
• Belkasoft
  Locked iPhones investigation: What can you do to acquire data?
  
  
• CactusCon 2022
  CactusCon CFP
  
  
• Ashley Hernandez and Derrick Donnelly at Cellebrite
  eDiscovery Investigations in the Age of Remote Work
  
  
• Cyborg Security
  Do you even threat hunt, bro? III
  
  
• Leslie Corbo at Dragos
  New This Year! Dragos Capture the Flag (CTF) at DISC 2021
  
  
• Lares
  Upcoming Ransomware Webinar Series
  
  
• Magnet Forensics
  Demystifying the Cloud: Exploring the Data Available from Google Takeout
  
  
• Virtual OSDFCon
  OSDFCon 2021
  
  

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  Decrypt ProtonMail emails in iOS
  
  
• Alex Desmond
  SANS & GIAC in review with ICS515
  
  
• Archan Choudhury at BlackPerl
  Incident Response Training, Live Forensics of Compromised Website
  
  
• Belkasoft
  What is the difference between remote forensics and triage?
  
  
• Black Hills Information Security
  • BHIS | Talkin’ Bout [infosec] News 2021-09-13
  • How to Play Competitive Backdoors & Breaches w/ Jason Blanchard (1-Hour)
  • Webcast: Getting Started in Blockchain Security and Smart Contract Auditing
  • Talkin’ About Infosec News – 9/17/2021
    
    
• Breaking Badness
  96. A Not So Idle Botnet
  
  
• Cisco’s Talos
  Talos Takes Ep. #68: The various pivots and pitfalls in a malware investigation
  
  
• Colin Hardy
  NSO Pegasus Malware – How Governments spy on any phone
  
  
• Day Cyberwox
  WGU BSNOS: C849 – Cloud Foundations & C779 – Web Development Foundations
  
  
• DFIR Science
  • Getting Started with Bento Digital Forensics Toolkit
  • What is an AD1?
  • Is Protonmail Broken?
  • Getting Started with Bento Digital Forensics Toolkit
    
    
• Exterro
  Digital Forensics Masters Series
  
  
• Gerald Auger at Simply Cyber
  Cybersecurity Resume POWER Tutorial (Level Up Your Resume)
  
  
• John Hammond
  • VOD – TryHackMe! Relevant
  • VOD – TryHackMe! Buffer Overflow Prep
  • VOD – TryHackMe! “Intro to Active Directory” Room
  • VOD – TryHackMe! Attacking Kerberos
  • VOD – Proving Grounds – “FunBoxEasy”
    
    
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 26 – Additional Analysis
  
  
• Magnet Forensics
  Best Practices for Digital Forensics Workflow Orchestration & Automation
  
  
• Nextron Systems
  YARA Session CVE 2021 40444 Rule for Obfuscated Samples
  
  
• Rapid7
  [The Lost Bots] Episode 5: Insider Threat
  
  
• Red Siege Information Security
  SiegeCast: Cobalt Strike Basics
  
  
• SANS
  • Panel: Validating Evidence for Courtroom Testimony
  • The Future of Work: Finding Evil Without Losing Your Mind
  • 2021 Forensic 4Cast Awards
  • Exploring Windows Command-Line Obfuscation
  • SANS Law Enforcement Appreciation Programs
  • 2021 SANS DFIR Summit Day 1 Wrap Up Panel
  • 2021 SANS DFIR Summit Day 2 Wrap Up
  • Not in Cyber Security? No Problem! Creative Ways to Gain Experience With No Experience
  • Job Role Spotlight:  Cyber Threat Intelligence
  • What you Need to Know about CVE-2021-30860 aka FORCEDENTRY w/ Chris Crowley
    
    
• Uriel Kosayev
  Malware Analysis – Unpacking PECompact Manually
  
  
• Watson Infosec
  How To Malware Analysis Lab Part Two
  
  

MALWARE

• Hannah Cartier at Active Countermeasures
  Malware of the Day – Mythic – Apollo
  
  
• BlackBerry
  Threat Thursday: NetWire RAT is Coming Down the Line
  
  
• Willi Ballenthin, Moritz Raabe, Mike Hunhoff, and Ana Maria Martinez Gomez at Fire Eye Threat Research
  ELFant in the Room – capa v3
  
  
• John Simmons at Fortinet
  More ProxyShell? Web Shells Lead to ZeroLogon and Application Impersonation Attacks
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #57: Shifted pointers 2
  
  
• Intezer
  • Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike
  • Teaching Capa New Tricks: Analyzing Capabilities in PE and ELF Files
    
    
• Lumen
  No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed As Stealth Windows Loaders
  
  
• Marco Ramilli
  Program Synthesis for Deobfuscation
  
  
• Martin Chlumecký at Avast Threat Labs
  DirtyMoe: Code Signing Certificate
  
  
• Fernando Ruiz at McAfee Labs
  Android malware distributed in Mexico uses Covid-19 to steal financial credentials
  
  
• Microsoft Security
  Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability
  
  
• Ghanashyam Satpathy at Netskope
  Microsoft Office Document Triggering New Zero-Day
  
  
• Nick Chalard and Dmitry Melikov at InQuest
  CVE-2021-40444
  
  
• Objective-See
  • Made in China: OSX.ZuRu
  • Analysis of CVE-2021-30860
    
    
• ReaQta
  BlackMatter Ransomware: A New Ransomware-as-a-Service (RaaS)
  
  
• Ret2pwn
  CVE-2021-40444 Analysis/Exploit
  
  
• Ryan Campbell at ‘Security Soup’
  “Squirrelwaffle” Maldoc Analysis
  
  
• Security Investigation
  • Free Automated Malware Analysis Sandboxes for Incident Response
  • Freki – Malware Analysis and Reverse Engineering Tool
    
    
• Antonio Pirozzi and Antonio Cocomazzi at SentinelOne
  Hide and Seek | New Zloader Infection Chain Comes With Improved Stealth and Evasion Mechanisms
  
  
• Squibydoo
  Solarmarker: Registry Key Persistence Walkthrough
  
  
• Trend Micro
  • APT-C-36 Updates Its Spam Campaign Against South American Entities With Commodity RATs
  • Analyzing The ForcedEntry Zero-Click iPhone Exploit Used By Pegasus
    
    
• WeLiveSecurity
  Numando: Count once, code twice
  
  

MISCELLANEOUS

• Marco Fontani at Amped
  How Can I Add an Image or Logo to a Surveillance Video in Amped Replay?
  
  
• Belkasoft
  Digital Forensics Survey 2021: Results
  
  
• Berla
  iVe 3.3 Feature Spotlight: Animating Tracklogs
  
  
• Amina Zilic at Binalyze
  The Eight Step to Forensic Readiness: Incident Response Training & Awareness
  
  
• Carlos Canto at Rapid7
  Welcome To Velociraptor, Carlos
  
  
• Cellebrite
  Cellebrite Announces Formation of Ethics & Integrity Committee
  
  
• Jimmy Schroering & Tyler Schlecht at DME Forensics
  DME Forensics is Now a Part of Magnet Forensics
  
  
• Reid Wightman at Dragos
  Safety Instruments Testing: Spotting and Stopping Process Attacks 
  
  
• Forensic Focus
  • Amazing Opportunity – USA And Canada Channel Partners – Work With UK Leading Digital Forensics Company
  • A Practical Guide To Virtualizing Your Forensics Workstation: Setting Up An Amazon EC2 Instance For AXIOM Cyber
    
    
• Joan Soriano at Security Art Work
  Omnium contra omnes (I): Foucault en la ciberguerra
  
  
• LockBoxx
  The Incident Responder’s Bias
  
  
• MuSecTech
  Collecting Files by Signature
  
  
• Pedro Tavares at Segurança Informática
  Ransomware deletion methods and the canary in the coal mine
  
  
• Rapid7
  SANS 2021 Threat Hunting Survey: How Organizations’ Security Postures Have Evolved in the New Normal
  
  
• Richard Frawley at ADF
  Find Anti-Forensic and Dark Web Traces with ADF Triage Software
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — September 12 to September 18
  
  
• StrangeBee
  • TheHive turns 5 and adopts a model shaped for the future
  • FAQ for TheHive 5’s upcoming distribution model
    
    
• Tami Smith at ‘Pro Digital Forensic Consulting’
  How to Deal with Difficult Clients as a Digital Forensic Examiner
  
  
• Teri Radichel
  Concatenating IP Ranges And Other Firewall Rule Tricks
  
  

SOFTWARE UPDATES

• Berla
  iVe Software v3.3 Release
  
  
• Brim
  v0.25.0
  
  
• Capa
  v3.0.0
  
  
• Cyber Triage
  Cyber Triage 3.0 Is Out!
  
  
• Darkquasar
  AzureHunter 1.5.1
  
  
• IntelOwl
  v3.0.1: Patch release
  
  
• Costas K
  MFTBrowser.exe (x64) v.0.0.25.0
  
  
• Mihari
  v3.8.1
  
  
• Oxygen Forensics
  Oxygen Forensic® Detective v.14.0
  
  
• Xways
  X-Ways Forensics 20.4 Preview 8
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!