As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Proving it now
  
  
• Robert Graham at Errata Security
  Fact check: that “forensics” of the Mesa image is crazy
  
  
• Forensafe
  • Investigating Typed Paths
  • Solving HireMe Challenge with ArtiFast Windows
  • Investigating Typed URLs
    
    
• İbrahim Baloğlu
  Dosya Tarih Manipülasyonu ve Tespiti (Anti -Forensics & Forensics)
  
  
• Kevin Pagano at Stark 4N6
  Samsung Power Off Reset Logs
  
  
• Pablo Espada at Perito Informático
  WhatsApp multidispositivo: ¿Cómo afectan los cambios al análisis forense? – Parte 4
  
  
• Security Onion
  • Quick Malware Analysis: Qakbot obama111 and Cobalt Strike pcap from 2021-10-07
  • Quick Malware Analysis: TA551/SHATHAK and BAZARLOADER pcap from 2021-09-20
  • Quick Malware Analysis: PURPLEFOX and NUGGETPHANTOM pcap from 2021-01-05
  • Quick EVTX Analysis: Meterpreter
    
    
• Andrew Case at Volatility Labs
  Memory Forensics R&D Illustrated: Detecting Mimikatz’s Skeleton Key Attack
  
  
• 博客园_Pieces0310
  Windows InstallDate could be changed via Windows Update – Pieces0310
  

THREAT INTELLIGENCE/HUNTING

• Anomali
  • Selecting a Threat Intelligence Platform (TIP)
  • Anomali Cyber Watch: Aerospace and Telecoms Targeted by Iranian MalKamak Group, Cozy Bear Refocuses on Cyberespionage, Wicked Panda is Traced by Malleable C2 Profiles, and More
  • Climbing the Threat Intelligence Maturity Curve
    
    
• Azure Sentinel
  • Analyzing Endpoints Forensics – Azure Sentinel Connector
  • A Quick Guide on Using Sysmon for Linux  in Azure Sentinel
  • Automating the deployment of Sysmon for Linux 🐧 and Azure Sentinel in a lab environment 🧪
    
    
• BI.Zone
  A tale of Business Email Compromise
  
  
• Blackberry
  BlackBerry Shines Spotlight on Evolving Cobalt Strike Threat in New Book
  
  
• Check Point Research
  11th October – Threat Intelligence Report
  
  
• Cisco’s Talos
  Threat Roundup for October 8 to October 15
  
  
• CrowdStrike
  ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
  
  
• Csaba Fitzl at ‘Theevilbit’
  Beyond the good ol’ LaunchAgents – 21 – Re-opened Applications
  
  
• William Thomas at Cyjax
  A persistent AgentTesla campaign is targeting the UAE
  
  
• Oakley Cox at Darktrace
  How AI uncovered Outlaw’s secret crypto-mining operation
  
  
• Joe St Sauver at Farsight Security
  Going From An IP Address to A Fully Qualified Domain Name (FQDN) In DNSDB
  
  
• Ajax Bash at Google Threat Analysis Group
  Countering threats from Iran
  
  
• HP Wolf Security
  HP Wolf Security Threat Insights Report Q3 2021
  
  
• Pratinav Chandra at InfoSec Write-ups
  Windows Threat Hunting : Processes of Interest (Part 2)
  
  
• Mehmet Ergene
  Reducing Alert Fatigue by Lightning Fast Alert Prioritization with Microsoft Defender for Endpoint
  
  
• Microsoft Security
  Iran-linked DEV-0343 targeting defense, GIS, and maritime sectors
  
  
• NCC Group Research
  SnapMC skips ransomware, steals data
  
  
• Olaf Hartong
  Sysmon vs Microsoft Defender for Endpoint, MDE Internals 0x01
  
  
• Palo Alto Networks
  • Ransomware as a Service: Criminal “Entrepreneurs” Evolve Ransomware
  • The Anatomy of an Attack Against a Cloud Supply Pipeline
    
    
• Jessica Ellis at PhishLabs
  BazaLoader Leads Payloads as Families Fluctuate, Players Broaden
  
  
• Alon Arvatz at Rapid7
  4 Simple Steps for an Effective Threat Intelligence Program
  
  
• SANS Internet Storm Center
  • Wireshark 3.4.9 Released, (Sun, Oct 10th)
  • Things that go “Bump” in the Night: Non HTTP Requests Hitting Web Servers, (Mon, Oct 11th)
  • Port-Forwarding with Windows for the Win, (Thu, Oct 14th)
  • Please fix your E-Mail Brute forcing tool!, (Wed, Oct 13th)
  • Warranty Repairs and Non-Removable Storage Risks, (Fri, Oct 15th)
  • Apache is Actively Scan for CVE-2021-41773 & CVE-2021-42013, (Sat, Oct 16th)
    
    
• Ole Villadsen and Charlotte Hammond at Security Intelligence
  Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
  
  
• Security Investigation
  • How to Detect Windows Sensitive Privilege Manipulation
  • Threat Hunting Using Powershell and Fileless Malware Attacks
  • Detections of Malware Execution from Unusual Directories
  • Hindsight – Browser Forensic Analyzer for Web Artifacts
  • Detecting and Preventing a Golden Ticket Attack
    
    
• Jagadeesh Chandraiah at Sophos
  CryptoRom fake iOS cryptocurrency apps hit US, European victims for at least $1.4 million
  
  
• Andy Robbins at SpecterOps
  Azure Privilege Escalation via Service Principal Abuse
  
  
• Fernando Merces at Trend Micro
  Ransomware Operators Found Using New “Franchise” Business Model
  
  
• Nyxgeek at TrustedSec
  Creating a Malicious Azure AD OAuth2 Application
  
  
• Radoslaw Zdonczyk at Trustwave SpiderLabs
  A Handshake with MySQL Bots
  

UPCOMING EVENTS

• Magnet Forensics
  • Level Up Your #DFIR Career
  • Moving Digital Forensic Labs to the Cloud
    

PRESENTATIONS/PODCASTS

• Archan Choudhury at BlackPerl
  Most Powerful Threat Intelligence Tools Platform- MISP, Full Demo
  
  
• Belkasoft
  How to know what artifacts to look for in an investigation—8th episode of BelkaTalk on DFIR
  
  
• Black Hat
  Can Your Security Mid Game Stand Up to the IT Ransomware Playbook?
  
  
• Black Hills Information Security
  Talkin’ About Infosec News – 10/13/2021
  
  
• Cellebrite
  How to Use Timestamps in Cellebrite Physical Analyzer
  
  
• Cisco’s Talos
  Talos Takes Ep. #73 (NCSAM edition): Fight the phish from land, sea and air
  
  
• Correlated Security
  SOC Summit 2021 Presentation
  
  
• Detection: Challenging Paradigms
  S2 – Episode 4: Cedric Owens and Justin Bui
  
  
• DFIR Science
  • Mutli-Threading Forensic Applications
  • Using video2ocr / Tesseract-OCR to extract text from video
  • Physical Image and Partition Mounting in Tsurugi Linux
  • Interview: Deidra A. Phyall, IT Specialist (Security), Internal Revenue Service, Dept of Treasury
  • Find and sort files by extension in the Linux command line
    
    
• InfoSec_Bret
  • DFIR – PrintNightmare
  • InfoSec Tools – Non-Interactive Sandboxes
    
    
• John Hammond
  SnykCon CTF – Sauerkraut – Python Pickle Vulnerabilities
  
  
• Marco Ramilli
  Arts in digital defence
  
  
• OALabs
  HashDB – Malware API Hashing Obfuscation Solved Forever (Not Clickbait)
  
  
• Radware
  Radware Threat Researchers Live: Ep.14
  
  
• Caitlin Mattingly at Recorded Future
  Cryptocurrency is a Double-Edged Sword
  
  
• SANS Institute
  • Getting Started: Your First Two Years in Your Cybersecurity Career
  • Your Career in Application Security
  • Heroes in a Bash Shell: The Linux Command Line
  • Why Train with SANS at CDI?
  • SANS Training: What’s In It For You
  • The Best Part about Being a SANS Student
  • How does SANS help you?
  • The SANS Difference
  • Exceeding Expectations and Expanding Capabilities: SANS Training
  • This is Who You Want to Learn From
  • The Right Amount of Lecture and Lab
  • Solving Real-World Problems with SANS
    
    
• Security Unlocked
  Mobile 4N6 101
  
  
• Uriel Kosayev
  DarkSide Ransomware Reverse Engineering
  
  
• Virus Bulletin
  VB2021 localhost is over, but the content is still available to view!
  
  
• Watson Infosec
  How To Cybersecurity LAB Build
  

MALWARE

• Alyssa Rahman at Mandiant
  Defining Cobalt Strike Components So You Can BEA-CONfident in Your Analysis
  
  
• Any.Run
  How to Identify Malware Similarities with Fuzzy Hashing
  
  
• Chuong Dong
  AtomSilo Ransomware
  
  
• Bar Block at Deep Instinct
  Do Not Exchange! It has a Shell Inside.
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #60: Type libraries
  
  
• Lacework
  “Spytech Necro” – Keksec’s Latest Python Malware
  
  
• NCC Group Research
  A Look At Some Real-World Obfuscation Techniques
  
  
• Pete Cowman at Hatching
  Configuration Extractors and Family Updates
  
  
• Phil Stokes at SentinelOne
  Techniques for String Decryption in macOS Malware with Radare2
  
  
• Sky Blueteam
  Welcome Yagi, Yet Another Ghidra Integration for IDA
  
  
• Symantec Enterprise
  New Yanluowang ransomware used in targeted attacks
  
  
• Trustwave SpiderLabs
  • BlackByte Ransomware – Pt. 1 In-depth Analysis
  • BlackByte Ransomware – Pt 2. Code Obfuscation Analysis
    
    
• Jason Reaves at Walmart
  Investigation into the state of NIM malware Part 2
  
  
• Rajdeepsinh Dodia at ZScaler
  AtomSilo Ransomware Enters the League of Double Extortion
  

MISCELLANEOUS

• Belkasoft
  Triaging Windows-based PCs with Belkasoft T
  
  
• Cellebrite
  • Cellebrite to Acquire Digital Clues, Strengthening Its Market Leading Position as the End-To-End Investigative Digital Intelligence Platform Provider
  • 5 Reasons Enterprises Need Advanced Collection Capabilities to Solve Internal Crimes Today
    
    
• Eric Dosal at Compuquip Cybersecurity
  Purple Teaming: How Purple Teams Help Protect Your Data
  
  
• Humio
  How to collect Microsoft Office 365 logs with O365beat
  
  
• Dr. Brian Carrier at Cyber Triage
  Cyber Triage on AWS: DFIR in the Cloud
  
  
• Darkdefender
  Cybersecurity Awareness for the Non-Technical
  
  
• Forensic Focus
  • Run Sigma rules on a live machine with DRONE
  • Enhancing Traditional Forensic Investigations Using IoT Traces from Smart Buildings
  • Binalyze’s Emre Tinaztepe and Tom Blumenthal on Enterprise Forensic Readiness
  • A Practical Guide to Virtualizing Your Forensics Workstation
  • Working With Warrant Returns in XRY and XAMN
  • Detego partners with IACIS to deliver industry-leading digital forensics training
  • Release Alert: Acquire 150+ digital evidence types with one click!
  • A Look at FTK’s Biggest Improvements This Year
  • Evaluating Results from Automated Systems in Forensic Science
  • Encouraging Different Perspectives in Digital Forensics: September Research
    
    
• Aamir Lakhani at Fortinet
  The More You Know: Get the Skills to Defeat the Cyber Kill Chain
  
  
• Eddy Willems at G Data Security
  To pay or not to pay?
  
  
• Jaron Bradley at The Mitten Mac
  The ESF Playground
  
  
• Josh Brunty
  Creating an HTML Index Using Python
  
  
• David Ruiz at Malwarebytes Labs
  Ransom Disclosure Act would mandate ransomware payment reporting
  
  
• Pieter Arntz at Malwarebytes Labs
  What is an .exe file? Is it the same as an executable?
  
  
• Marco Fontani at Amped
  How Do I Save the Current Image in Amped Replay?
  
  
• Maxim Suhanov
  The uppercased hell
  
  
• Olaf Hartong
  Sysmon for Linux
  
  
• Oxygen Forensics
  All In One: Merging Extractions in Oxygen Forensic® Detective
  
  
• SANS
  • Cyber Fest Day 1 Keynote U.S. Cybersecurity Executive Order
  • A Visual Summary of SANS Cybersecurity Leadership Summit 2021
  • Top 5 Reasons to Attend Cyber Solutions Fest 2021
    
    
• Secureworks
  • Threat Hunting Wisdom: Planning Makes Perfect
  • Endpoint Attacks, Endpoint Defenses, and Endpoint Time-Sink Avoidance
    
    
• Security Onion
  Security Onion Certification available now!
  
  
• tcdi
  What is an Incident Response Plan (IRP), and Why are they so Important?
  

SOFTWARE UPDATES

• Costas K
  MFTBrowser.exe (x64)
  
  
• Didier Stevens
  Update: 1768.py Version 0.0.8
  
  
• Eric Zimmerman
  ChangeLog
  
  
• ExifTool
  ExifTool 12.33
  
  
• IntelOwl
  v3.1.0
  
  
• MISP
  MISP 2.4.149 released (Autumn care-package – STIX 2.1 support and Cerebrate integration)
  
  
• Velociraptor
  Release 0.6.2 – RC1
  
  
• Xways
  • X-Ways Forensics 20.3 SR-6
  • X-Ways Forensics 20.4 Beta 2
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!