As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• BlueteamOps
  Super Charging Bulk DFIR triage with Node-RED, Google Log2timeline & Google Timesketch
  
  
• Forensafe
  • Investigating UserAssist
  • Investigating Google Chrome Web Browser
  • Investigating Windows Run MRU
    
    
• Forensic-Research
  LNK File Structure Analysis
  
  
• Howard Oakley at ‘The Eclectic Light Company’
  Explainer: Logs
  
  
• Inginformatico
  Forensic challenge losprys I: Presentation, tools and techniques [ENG]
  
  
• Jesse Spangenberger at ‘Cyber Fenix DFIR & Technology’
  CTF01: Cyberdefenders.org
  
  
• Joshua Hickman at ‘The Binary Hick’
  Sharing Locations in iOS Messages
  
  
• Kyle Song
  Blog #29: Understand My Child’s Pattern of Mobile Phone Use [KR]
  
  
• Junhyeong Lee at Plainbit Co., Ltd.
  [TIP#7] FTP Programs
  
  
• Security Onion
  • Quick Malware Analysis: SquirrelWaffle, Qakbot, and Cobalt Strike pcap from 2021-09-24
  • Quick Malware Analysis: SquirrelWaffle, Qakbot, and Cobalt Strike pcap from 2021-09-23
  • Quick Malware Analysis: Hancitor, Ficker Stealer, Cobalt Strike, and NetSupport pcap from 2021-02-02
    

THREAT INTELLIGENCE/HUNTING

• Vitali Kremez & Yelisey Boguslavskiy at Advanced Intelligence
  Backup “Removal” Solutions – From Conti Ransomware With Love
  
  
• Alex Verboon at ‘Anything about IT’
  Detect  Audit Policy Modifications with Microsoft 365 Defender
  
  
• Joe Ariganello at Anomali
  The Need for Savvy Sharing of Threat Intelligence
  
  
• Azure Sentinel
  • Querying WHOIS/Registration Data Access Protocol (RDAP) with Azure Sentinel and Azure Functions
  • Monitoring Azure Sentinel Analytical Rules – Push Health Notifications
  • General Availability of Azure Sentinel Threat Intelligence in Public and Azure Government cloud
    
    
• Brad Duncan at Malware Traffic Analysis
  • 2021-09-23 – Gozi/IFSB/Ursnif with Raccoon Stealer
  • 2021-09-29 – Hancitor with Cobalt Strike
    
    
• Check Point Research
  27th September – Threat Intelligence Report
  
  
• Vitor Ventura and Arnaud Zobec at Cisco’s Talos
  A wolf in sheep’s clothing: Actors spread malware by leveraging trust in Amnesty International and fear of Pegasus
  
  
• Clong
  Quick And Dirty Linux Forensics
  
  
• David Barroso at CounterCraft
  Malicious Docker Images Still Used for Mining Purposes
  
  
• Tim Helming at DomainTools
  Stop That Phish!
  
  
• Eclypsium
  FinSpy UEFI and MBR BootKit
  
  
• Henri Hambartsumyan at Falcon Force
  FalconFriday — Stealing and detecting Azure PRT cookies — 0xFF18
  
  
• Inversecos
  Attacks on Azure AD and M365: Pawning the cloud, PTA Skeleton Keys and more – PART II
  
  
• Kris Oosthoek
  • Cyber Threat Intelligence: A Product Without A Process?
  • Actionable Intelligence
    
    
• Lacework
  Mirai goes Stealth – TLS & IoT Malware
  
  
• Michael Koczwara
  • THM: Windows Server Attack Analysis: Part One
  • HTB: Intro to Blue Team: Lure
  • HTB: Intro to Blue Team: Intel
  • HTB: Intro to Blue Team: Chase
    
    
• Microsoft Security
  • How nation-state attackers like NOBELIUM are changing cybersecurity
  • FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor
  • A guide to combatting human-operated ransomware: Part 2
    
    
• Moath Maharmeh at C99.sh
  Hunting ngrok Activity
  
  
• Brady Stout at Palo Alto Networks
  Credential Harvesting at Scale Without Malware
  
  
• Jimmy Chang at Praetorian
  How to Detect and Dump Credentials from the Windows Registry
  
  
• Proofpoint
  TA544 Targets Italian Organizations with Ursnif Malware
  
  
• Recorded Future
  • The Business of Fraud: Laundering Funds in the Criminal Underground
  • 4 Chinese APT Groups Identified Targeting Mail Server of Afghan Telecommunications Firm Roshan
    
    
• Katie Nickels at Red Canary
  So you’re thinking about starting a cyber threat intelligence team…
  
  
• S2W Lab
  [SoY] 2021 | EN | Story of the first half of the year: Ransomware on the Darkweb
  
  
• SANS Internet Storm Center
  • TLS 1.3 and SSL – the current state of affairs, (Tue, Sep 28th)
  • New Tool to Add to Your LOLBAS List: cvtres.exe , (Fri, Oct 1st)
    
    
• Security Investigation
  • Threat Hunting Using Windows Event ID 5143
  • Threat Hunting Using Windows EventID 4648 – Logon/Logoff
  • Threat Hunting Using Windows Security Log
  • Types of SPLUNK Deployments and Configuration
  • Latest Ransomware CVEs – Vulnerabilities Abused by Ransomware Actors
    
    
• SentinelOne
  • Ransom Payments and Victim Notice Requirements Come under Federal Scrutiny
  • Why Defense-in-Depth is Key to Defeating Ransomware
    
    
• Steve Ragan
  Kit Hunter 2.0 – Known Detections in WordPress
  
  
• Akshay Dubey at Walmart
  Pumped-up logging with Fluent Bit and Splunk
  
  
• Roman Kovac at WeLiveSecurity
  ESET Threat Report T2 2021
  

UPCOMING EVENTS

• Belkasoft
  [WEBINAR] Android phones investigation: data extraction and analysis with Belkasoft X
  
  
• Cellebrite
  • Best Practices for Gathering and Analyzing Key Messaging Data
  • How to Utilize Advanced Collection and Remote Collection Capabilities to Enhance Investigations
    
    
• Elan at DFIR Diva
  DFIR Related Events for Beginners – October 2021
  
  
• Lily Teplow at Huntress
  Learn to Think Like a Hacker at hack_it 2021.2
  
  
• Hoyt Harness at Magnet Forensics
  GNU/Linux Examinations with AXIOM & AXIOM Cyber
  

PRESENTATIONS/PODCASTS

• Jessica Hyde at Magnet Forensics
  Demystifying the Cloud: Exploring the Data Available from Google Takeout
  
  
• Archan Choudhury at BlackPerl
  Incident Response Training, Analysis of Phishing Incident, Day 12
  
  
• Belkasoft
  Remote RAM Acquisition—6th episode of BelkaTalk on DFIR
  
  
• Black Hills Information Security
  • Webcast: Shellcode Execution with GoLang
  • Talkin’ About Infosec News – 9/29/2021
    
    
• Breaking Badness
  98. Spill the IoT
  
  
• Cellebrite
  New Cellebrite Guardian – Evidence and Workflow Management Redefined
  
  
• Cisco’s Talos
  Talos Takes Ep. #70: Let’s put a positive spin on this whole working from home thing for once
  
  
• Didier Stevens
  Strings Analysis: VBA & Excel4 Maldoc
  
  
• Digital Forensic Survival Podcast
  DFSP # 293 – Case Study: Ransomware
  
  
• Doug Metz at Baker Street Forensics
  HTCIA International Conference
  
  
• Dr Ali Hadi
  • 29- Working with 010 Templates – PE File (Part #1)
  • 30- Working with 010 Templates – PE File (Part #2)
  • 31-Working with 010 Templates – PE File (Part #3)
  • 32-Working with 010 Templates – PE File (Part #4)
  • 33-Working with 010 Templates – PE File (Part #5)
  • 34-Working with 010 Templates – PE File (Part #6)
  • 35-Working with 010 Templates – PE File (Part #7)
  • 36-Working with 010 Templates – PE File (Part #8)
  • 37-Working with 010 Templates – PE File (Part #9)
    
    
• Gerald Auger at Simply Cyber
  • Let’s Land Your First Cybersecurity Job
  • 5 Must Know Truths About Writing a Book
  • VetSecCon Event Preview and Exploration
  • How Important is Programming for Cybersecurity?
  • The Complete Cybersecurity Job Interview Prep Video (Know How To Crush It)
  • You Have NO IT Background and Want to Get Into Cybersecurity!
  • I’m Transitioning Military and Want to Get A Cybersecurity Job
    
    
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 27 – Creating Email Reports
  
  
• OALabs
  Live Coding A Squirrelwaffle Malware Config Extractor
  
  
• Richard Davis at 13Cubed
  User Access Logging (UAL) Forensics
  
  
• SANS Institute
  • Windows Command Line & Intro to PowerShell
  • Job Role Spotlight: Incident Detection & Response
  • How Did I Get Here?
  • Panel: Hack Your Growth – #LevelUP
  • SANS Introduces #SecureTheFamily with Heather Mahalik
  • The Nuts & Bolts of Cryptography & Everyday Cybersecurity
    
    
• SecurityNinja
  Cyber Defenders – Obfuscated
  
  
• Watson Infosec
  • How To Elastic Security XDR Live Build!
    • How To malware Analyst LAB Part Three
      

MALWARE

• Hui Wang, Alex Turing, and Yang Xu at 360 Netlab
  Mirai_ptea_Rimasuta variant is exploiting a new RUIJIE router 0 day to spread
  
  
• Ann Fam
  • SquirrelWaffel Cobalt Strike Payload Quick Analysis (Part 2)
  • SquirrelWaffle (not exactly a waffle) Analysis Part 1
    
    
• Aparna at Any.Run
  Malware Analysis Explained: Types, Stages, Use Cases
  
  
• Erik Pistelli at Cerbero
  A Fun CTF-Like Malware
  
  
• Israel Wernik and Bohdan Melnykov at Check Point Research
  PixStealer: a new wave of  Android banking Trojans abusing Accessibility Services
  
  
• Chuong Dong at 0ffset
  SQUIRRELWAFFLE – Analysing the Custom Packer
  
  
• Cyber Geeks
  How to defeat the Russian Dukes: A step-by-step analysis of MiniDuke used by APT29/Cozy Bear
  
  
• Cybereason
  Threat Analysis Report: Inside the Destructive PYSA Ransomware
  
  
• Flashpoint
  • REvil’s “Cryptobackdoor” Con: Ransomware Group’s Tactics Roil Affiliates, Sparking a Fallout
  • Russian hacker Q&A: An Interview With REvil-Affiliated Ransomware Contractor
    
    
• Fortinet
  • Fortinet Ransomware Survey Shows Many Organizations Unprepared
  • Ranion Ransomware – Quiet and Persistent RaaS
    
    
• Karsten Hahn at G Data Security
  An overview of malware hashing algorithms
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week: Season 01
  
  
• Dmitry Melikov at InQuest
  • Rechnung_91741485
  • Rechnung Financial Malspam
    
    
• Intezer
  Essential Security Tools for GCP
  
  
• Karlo Licudine at AccidentalRebel
  IOLI Crackme 0x04
  
  
• Kaspersky Lab
  • Most used LOLBins | Kaspersky official blog
  • The BloodyStealer virus and gamer accounts on the dark web | Kaspersky official blog
  • Tomiris backdoor likely linked to DarkHalo | Kaspersky official blog
    
    
• Radu Emanuel Chiscariu at Keysight
  Conti Ransomware: Behavior and Techniques
  
  
• LIFARS Cybersecurity
  A brief analysis of the last version of Conti ransomware
  
  
• Mahmoud Morsy
  Phishing Attacks 27_9_2021
  
  
• Carol Hildebrand at Netscout
  Six Months of Threat Actor Innovation….
  
  
• Nikhil Rathor at 0xthreatintel
  Unpacking APT29’s Polyglot Duke
  
  
• Pete Cowman at Hatching
  Detection Updates for BazarLoader, ERMAC, Jupyter and Vidar
  
  
• Brenton Morris at ProferoSec
  RansomEXX, Fixing Corrupted Ransom
  
  
• Ryan Campbell at ‘Security Soup’
  DoppelDridex Delivered via Slack and Discord
  
  
• Ryan Cornateanu
  Deobfuscating PowerShell Malware Droppers
  
  
• Securelist
  • FinSpy: unseen findings
  • BloodyStealer and gaming assets for sale
  • DarkHalo after SolarWinds: the Tomiris connection
  • GhostEmperor: From ProxyLogon to kernel mode
    
    
• Amitai Ben Shushan Ehrlich at SentinelOne
  New Version Of Apostle Ransomware Reemerges In Targeted Attack On Higher Education
  
  
• Telsy
  Google Drive abused in document exfiltration operation against Afghanistan
  
  
• Trend Micro
  • Fake Installers Drop Malware and Open Doors for Opportunistic Attackers
  • FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal
  • Mac Users Targeted by Trojanized iTerm2 App
    
    
• Avinash Kumar and Brett Stone-Gross at ZScaler
  Squirrelwaffle: New Loader Delivering Cobalt Strike
  

MISCELLANEOUS

• A. Boukar
  A Quick Guide To Regular Expressions
  
  
• ArcPoint Forensics
  ArcPoint Newsletter, September 2021
  
  
• AWS Security
  • Validate IAM policies in CloudFormation templates using IAM Access Analyzer
  • Introducing the Ransomware Risk Management on AWS Whitepaper
    
    
• Cellebrite
  • Overview of the 2021 Cellebrite Capture the Flag Event
  • Introducing the Cellebrite Design Partner Program
  • Cellebrite Pioneers Industry-First Remote Mobile Device Data Collection Solution
  • Streamline Your Corporate eDiscovery Process Today With This New Innovative Solution From Cellebrite
    
    
• Craig Ball at ‘Ball in your Court’
  • Then his head exploded!
  • Did You Miss Tom’s Checklist Manifesto?
    
    
• Dragos
  • The MITRE Engenuity ATT&CK Evaluations for ICS Explained
  • Taking the Dragos Platform into the Smart Factory
    
    
• Evotec
  Configuring Office 365 settings using PowerShell – The non-supported way
  
  
• Joe St Sauver at Farsight Security
  Going From A Domain Name to IP Address in DNSDB: Some “Pro Tips” To Keep In Mind
  
  
• Forensic Focus
  • Short Papers from DFRWS APAC 2021: Deepfakes, Protest, & Apple Health Data Forensics
  • Logicube’s Todd Bellows on Challenges and Opportunities for Forensic Imaging
  • The AFF4 Evidence Container: Why and What’s Next
  • Customizing Password Attacks in Oxygen Forensic Detective
  • XRY Generic Profiles Explained
  • Comprehensive Statistical Analysis on the Crackability of Real-World Passwords
    
    
• İbrahim Baloğlu
  Windows Forensics Challange
  
  
• Neil Tansley at IntaForensics
  The Anatomy of a Ransomware Attack: Ten Steps to Defending Your Company Against Cybercrime
  
  
• LimaCharlie
  • Get to Market Quicker with LimaCharlie
  • September Developer Roll Up
    
    
• Karen Sprenger at LMG Security
  Our Top 3 Incident Response Tabletop Exercise Scenarios & Why These Should Be Part of Your Cybersecurity Plan
  
  
• Magnet Forensics
  • Introducing the New Agent Status Dashboard
  • Examining Vehicle Data with Magnet AXIOM
  • Anatomy of A Data Breach Investigation
    
    
• Marco Fontani at Amped
  How Can I Magnify or Spotlight a Detail of the Video With Amped Replay?
  
  
• Michael Karsyan at Event Log Explorer
  Case study – A new way to get regular reports about the problems.
  
  
• Oxygen Forensics
  Customizing Password Attacks
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — September 26 to October 2
  
  
• SANS
  • STAR livestream with Katie Nickels: September 24, 2021 Episode NOTES
  • NEW FOR710: Reverse-Engineering Malware: Advanced Code Analysis – Beta opening at the Cyber Defense Initiative Event in December
  • Cybersecurity Podcast Roundup
  • Introduction to ICS Security Part 3
    
    
• Roberto Amado at Security Art Work
  TrustedInstaller, parando Windows Defender
  
  
• Symantec Enterprise
  The Ransomware Threat in 2021
  

SOFTWARE UPDATES

• Capa
  v3.0.2
  
  
• Cellebrite
  Now Available: Cellebrite Endpoint Inspector 1.2
  
  
• Costas K
  MFTBrowser.exe (x64)
  
  
• DFIRTrack
  2.2.0
  
  
• Didier Stevens
  • Update: base64dump.py Version 0.0.17
  • New Tool: onion-connect-service-detection.py
    
    
• Eric Zimmerman
  ChangeLog
  
  
• ExifTool
  ExifTool 12.32
  
  
• Magnet Forensics
  • Magnet REVIEW 3.7: Review Evidence from Physical Analyzer, Single Sign-On Support, and More!
  • New in Magnet AXIOM 5.5: Support for Vehicle Data and Third-Party Map Servers
    
    
• Metaspike
  Forensic Email Collector (FEC) Changelog – v3.62.2.0
  
  
• Mihari
  v3.9.1
  
  
• Security Onion
  Security Onion 2.3.80 now available!
  
  
• Ulf Frisk
  MemProcFS Version 4.3
  
  
• Xways
  X-Ways Forensics 20.3 SR-5
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!