As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Angry-Bender’s blog house
  DFIR – Final result 1 – Powershell telemetry by Windows
  
  
• AT&T Cybersecurity
  Stories from the SOC – Powershell, Proxyshell, Conti TTPs OH MY!
  
  
• Benjamin Bruppacher at Compass Security
  Docker Forensics
  
  
• Digital Forensics Myanmar
  • eCDFP (Data Representation & File Examination) (Part-1)
  • eCDFP (Data Representation & File Examination) (Part-2)
    
    
• Robert Graham at Errata Security
  Example: forensicating the Mesa County system image
  
  
• Forensafe
  • Investigating TeamViewer
  • Investigating MUICache
    
    
• Heather Mahalik at Cellebrite
  • Part 3: Walk-Through of Answers to the 2021 CTF – Marsha’s iPhone (FFS and Backup)
  • Part 4: Walk-Through of Answers to the 2021 CTF – Beth’s iPhone
    
    
• Ian Whiffin at DoubleBlak
  The case of the Phantom Device Usage
  
  
• Changalamaadan at InfoSec Write-ups
  Cyber Defenders Phishy Walkthrough
  
  
• Koen Van Impe
  Parsing the O365 Unified Audit Log with Python
  
  
• Alexander Jäger at Open Source DFIR
  Use EVTX files on VirusTotal with Timesketch and Sigma (Part 2)
  
  
• Oxygen Forensics
  Wickr Me via OxyAgent
  
  
• Security Onion
  • Quick Malware Analysis: Trickbot GTAG ROB13 pcap from 2/17/2021!
  • Quick Malware Analysis: TA551 SHATHAK BAZARLOADER CobaltStrike pcap from 2021-11-03
  • Quick Malware Analysis: Traffic Analysis Exercise pcap from 2021-02-08
  • Quick Malware Analysis: TA551 SHATHAK TRICKBOT GTAG ZEV1 Cobalt Strike pcap from 2021-07-15
  • Quick Malware Analysis: TR QAKBOT QBOT Cobalt Strike pcap from 2021-11-04
    
    
• Aazim Yaswant at Zimperium
  PhoneSpy: The App-Based Cyberattack Snooping South Korean Citizens
  

THREAT INTELLIGENCE/HUNTING

• 3CORESec
  Mal Cl
  
  
• Andreas Klopsch at ‘Malware and Stuff’
  The DLL Search Order And Hijacking It
  
  
• Anomali
  Anomali Cyber Watch: GitLab Vulnerability Exploited In The Wild, Mekotio Banking Trojan Returns, Microsoft Exchange Vulnerabilities Exploited Again and More
  
  
• Bitsadmin’s blog
  Windows Security Updates for Hackers
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2021-11-03 – TA551 (Shathak) BazarLoader with Cobalt Strike
  • 2021-11-05 – TA551 (Shathak) BazarLoader with Cobalt Strike and DarkVNC
  • 2021-11-04 – TR distribution Qakbot (Qbot) with Cobalt Strike
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 06 – 12 novembre 2021
  
  
• Check Point Research
  • 8th November – Threat Intelligence Report
  • October 2021’s Most Wanted Malware: Trickbot Takes Top Spot for Fifth Time
  • Number of Malicious Shopping Websites Jumps 178% ahead of November e-Shopping Holidays, Breaking Records
    
    
• Chris Doman at Cado Security
  Cloud Malware Proliferation?
  
  
• Cisco’s Talos
  • North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets
  • Threat Source newsletter (Nov. 11, 2021)
  • Threat Roundup for November 5 to November 12
    
    
• Vivek Ganti and Omer Yoachimik at Cloudflare
  A Brief History of the Meris Botnet
  
  
• Dan Brown and Fabio Fratucello at CrowdStrike
  Why the Detection Funnel Hits Diminishing Returns
  
  
• Curated Intelligence
  • IronTiger APT campaign: New HyperBro and SysUpdate samples
  • Trends Among Iranian Espionage Threat Actors
  • TeamTNT added to the Mitre ATT&CK framework
    
    
• Cybereason
  • When Your EDR Vendor Attacks!
  • THREAT ANALYSIS REPORT: From Shatak Emails to the Conti Ransomware
  • The Ransom Disclosure Act and Defending Against Complex RansomOps
    
    
• Kit Clelford at Cyjax
  Ransomware Review – October 2021
  
  
• Andrew Lawrence at Darktrace
  GitLab vulnerability exploit detected by AI
  
  
• Digital Forensics Corp
  What is Ransomware
  
  
• Dragos
  New Knowledge Pack Released (KP-2021-008-M)
  
  
• EclecticIQ
  The Analyst Prompt #39 Ransomware, Falsified Covid Certificates, US Blacklists NSO Group
  
  
• Jeff Birnbaum at Forcepoint
  Security News: REvil Group Taken Offline by Feds, Attacker Activities and a VPN Company Exposes Data
  
  
• Harshit Rajpal at Hacking Articles
  Windows Privilege Escaslation: HiveNightmare
  
  
• Tony Robinson at Hurricane Labs
  Malware Analysis Part 3: The phases and roles of incident response
  
  
• Intezer
  Implement these MITRE D3FEND™ Techniques with Intezer Protect
  
  
• Invictus Incident Response
  Responding to macOS attacks
  
  
• Hossein Jazi at Malwarebytes Labs
  A multi-stage PowerShell based attack targets Kazakhstan
  
  
• Kiran Raj at McAfee Labs
  The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc.
  
  
• Mehmet Ergene
  Detecting NTLM Relay Attacks
  
  
• Microsoft Security
  • Threat actor DEV-0322 exploiting ZOHO ManageEngine ADSelfService Plus
  • The hunt for NOBELIUM, the most sophisticated nation-state attack in history
  • HTML smuggling surges: Highly evasive loader technique increasingly used in banking malware, targeted attacks
    
    
• NCC Group Research
  • TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
  • Vaccine Misinformation Part 1: Misinformation Attacks as a Cyber Kill Chain
  • Detection Engineering for Kubernetes clusters
  • “We wait, because we know you.” Inside the ransomware negotiation economics.
    
    
• Nicolas Bareil at ‘Just Another Geek’
  What if we used Jupyter as a SOAR?
  
  
• Robert Falcone, Jeff White and Peter Renals at Palo Alto Networks
  Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer
  
  
• Pete Cowman at Hatching
  SSO Support and Family Signatures
  
  
• PhishLabs
  Research Finds Alarming Jump in Phishing Attacks
  
  
• Daniel Smith at Radware
  Are Offensive Cyber Campaigns Gaining Traction?
  
  
• Recorded Future
  • FIN7 Group Lures Cyber Pros With Fake Jobs
  • The Business of Fraud: Botnet Malware Dissemination
    
    
• SANS Internet Storm Center
  • (Ab)Using Security Tools & Controls for the Bad, (Mon, Nov 8th)
  • Shadow IT Makes People More Vulnerable to Phishing, (Wed, Nov 10th)
  • Microsoft November 2021 Patch Tuesday, (Tue, Nov 9th)
  • In Memory of Alan Paller, (Thu, Nov 11th)
  • Obfuscated Maldoc: Reversed BASE64, (Sat, Nov 13th)
    
    
• Security Investigation
  • Hunting for Suspicious Windows Services – Mind Map
  • APT-Hunter V2.0 – Threat Hunting Tool For Windows Event Logs
  • Densityscout – Entropy Analyzer for Threat Hunting and Incident Response
    
    
• Pedro Tavares at Segurança Informática
  Threat Report Portugal: Q3 2021
  
  
• SentinelOne
  • Revolutionize Incident Response and Endpoint Management with Remote Script Orchestration
  • Is SquirrelWaffle the New Emotet? How to Detect the Latest MalSpam Loader 
    
    
• Sophos
  • Sophos XDR: Detections dashboard now available
  • Winners and losers in the ransomware turf wars
  • Sophos releases the 2022 Threat Report
    
    
• Michael Barclay at SpecterOps
  Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications
  
  
• Velocidex
  • Cobalt Strike Payload Discovery And Data Manipulation In VQL
  • EQL To VQL
    
    
• VinCSS
  [EX008] The exploit chain allows to take control of Zalo user accounts
  

UPCOMING EVENTS

• ArcPoint Forensics podcast featuring Jessica Hyde
  Check out @Get_ArcPoint’s Tweet
  
  
• Ryan Parthemore at Cellebrite
  Seminar on Guardian
  
  
• Stephanie Calabrese at Microsoft Security Response Center
  BlueHat is Back!
  

PRESENTATIONS/PODCASTS

• AGDC Services
  Automate Qbot Malware String Decryption With Ghidra Script
  
  
• Archan Choudhury at BlackPerl
  • Windows Forensics Analysis- Part2, Identify Recon- Delivery- Persistence
  • Incident Response Training Course, Malware Alert Investigation, Day 14
    
    
• Belkasoft
  Writeblocking mobile devices—11th episode of BelkaTalk on DFIR
  
  
• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2021-11-08
  • How to Not Get Scammed on Discord
  • BHIS | Admin’s Nightmare: Combining HiveNightmare/SeriousSAM and AD CS Attack Path’s for Profit
  • Talkin’ About Infosec News – 11/12/2021
    
    
• Breaking Badness
  102. Tales of Justice, Cash, and Shrootlessness
  
  
• Cisco’s Talos
  Talos Takes Ep. #76: What is Kimsuky phishing around for?
  
  
• Cyber Secrets
  CSI Linux Video Capture Tool
  
  
• Cybereason
  Malicious Life Podcast: Inside Operation Flyhook Part 1
  
  
• DFIRScience
  • How to add artifacts to ALEAPP
  • 7 Million Records Lost in Robinhood Security Breach
    
    
• Didier Stevens
  Decrypting Cobalt Strike Metadata Without and With Malleable C2 Instructions
  
  
• Gerald Auger at Simply Cyber
  • How to Setup TryHackMe  (Get Practical Cybersecurity Skills)
  • Threat-Informed Cybersecurity Insurance Roundtable
    
    
• Hasherezade
  Installing TinyTracer on Windows 10
  
  
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 29 – Working with Bitlocker
  
  
• LetsDefend
  Hands-On Windows Incident Response
  
  
• MalGamy
  • Unpacking FLAWEDAMMY Malware
  • Unpacking Neutrino Malware
    
    
• Nextron Systems
  • Aurora – Sigma-Based EDR Agent – Preview
  • Nextron Aurora – Free Sigma-based EDR Agent Preview
    
    
• OALabs
  • Identify Unknown Malware Using Four Free Threat Intelligence Services
  • RedTeam Tricks Exposed – Reversing Engineering Syscalls To Evade Detection
    
    
• Paraben Corporation
  • Searching using the Skip List in E3
  • Using a Skip List to Refine Data in E3
  • Using E3 Forensic Platform Data with other tools
    
    
• SANS
  • Mining The Shadows with ZoidbergStrike: A Scanner for Cobalt Strike
  • Hunting Malicious Office Macros
  • Full Circle Detection: From Hunting to Actionable Detection
  • CISSP Test-Taking Tactics: Successfully Navigating Adaptive Exams
  • Building on the Foundations of OSINT with SEC587: Advanced Open-Source Intelligence
  • SANS Cybersecurity Standards Scorecard (2021 Edition)
  • SANS Holiday Hack Challenge 2021 Q&A with Ed Skoudis
  • Live at SANS Pen Test HackFest 2021
    
    
• Uriel Kosayev
  Windows Defender Antivirus Bypass PoC
  

MALWARE

• Alex Turing, Hui Wang, and Yang Xu at 360 Netlab
  • Abcbot, an evolving botnet
  • Malware uses namesilo Parking pages and Google’s custom pages to spread
    
    
• AlienVault Labs
  AT&T Alien Labs finds new Golang malware (BotenaGo) targeting millions of routers and IoT devices with more than 30 exploits
  
  
• Blackberry
  Threat Thursday: SquirrelWaffle Takes a Bite Out of Victim’s Bank Accounts
  
  
• CrowdStrike
  • Scheming with URLs: One-Click Attack Surface in Linux Desktop Environments
  • Ploutus ATM Malware Case Study: Automated Deobfuscation of a Strongly Obfuscated .NET Binary
  • Golang Malware Is More than a Fad: Financial Motivation Drives Adoption
    
    
• Dominik at ‘Living Code’
  AgentTesla dropped via NSIS installer
  
  
• Erye Hernandez at Google Threat Analysis Group
  Analyzing a watering hole campaign using macOS exploits
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #64: Full-screen mode
  
  
• jmp esp
  Malware Analysis: Syscalls
  
  
• Mahmoud Morsy
  • Phishing Attacks 10_11_2021
  • Phishing Attacks 13_11_2021
    
    
• Michael Goodman
  Extracting the config from Blackmatter ESXi ELF Encryptors
  
  
• Nikhil Rathor at 0xthreatintel
  Analysis of Stop Ransomware
  
  
• Andrew Brandt at Sophos
  BazarLoader ‘call me back’ attack abuses Windows 10 Apps mechanism
  
  
• Sucuri
  • WooCommerce Skimmer Spoofs Checkout Page
  • Understanding .htaccess Malware
    
    
• The Citizen Lab
  Devices of Palestinian Human Rights Defenders Hacked with NSO Group’s Pegasus Spyware
  
  
• Trend Micro
  • TeamTNT Upgrades Arsenal, Refines Focus on Kubernetes and GPU Environments
  • Void Balaur and the Rise of the Cybermercenary Industry
  • Compromised Docker Hub Accounts Abused for Cryptomining Linked to TeamTNT
  • Build a Modern Ransomware Protection Strategy
  • A Review and Analysis of 2021 Buer Loader Campaigns
  • QAKBOT Loader Returns With New Techniques and Tools
    

MISCELLANEOUS

• Bill Stearns at Active Countermeasures
  AC-Hunter Whitelisting
  
  
• Anton Guzhevskiy
  Building Enterprise Forensics Capabilities
  
  
• Yulia Samoteykina at Atola
  Q&A about Atola products at Techno Security San Diego 2021
  
  
• Cellebrite
  • Cellebrite Announces Third Quarter 2021 Results
  • OEDI Aids In Protecting Victims of Cybercrime and Partners with Law Enforcement to Convict Offenders by using Digital Intelligence to Drive Investigations
    
    
• Umair Imran at CrowdStrike
  Building a Modern Mentorship in the Cybersecurity Industry
  
  
• Forensic Focus
  • MSAB’s Joel Bollö on the Sweeping Challenges & Opportunities in the Digital Forensics Market
  • Without Access, Mobile Forensics Fails to Deliver
  • How Detego is Helping Banks Protect Customers from the Rising Threat of Fraud
  • Theory and Practice of the Use of Digital Evidence in Polish Criminal Court Proceedings
  • APK Downgrade in Oxygen Forensic Detective
  • Enhanced support for Samsung Galaxy and iOS with XRY 9.6.1 from MSAB
  • How Law Enforcement Access the Truth: GrayKey Stories from the Field | Grayshift 
  • Wickr Me Extraction in Oxygen Forensic Detective
  • Capturing the Low Hanging Fruit: Analysis Phase
  • Forensic Analysis of ReFS Journaling
    
    
• Rachel Bishop at Huntress
  How Ransomware Works and Why It’s a Hacker Favorite
  
  
• Michelle Coan at Amped
  How to Use Variable Motion Deblurring in Amped FIVE
  
  
• Richard Frawley at ADF
  Intro to Digital Evidence Investigator
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — November 7 to November 13
  
  
• SANS
  SANS Experts Offer Advice: How to Make the Most of a Free Device with Your Training
  

SOFTWARE UPDATES

• Adam at Hexacorn
  Dexray v2.31
  
  
• Amped
  Amped DVRConv Update 22526: New Important Formats and Codec Variations
  
  
• Autopsy
  autopsy-4.19.2
  
  
• Costas K
  MFTBrowser.exe (x64)
  
  
• Didier Stevens
  Update: cs-decrypt-metadata.py Version 0.0.2
  
  
• ExifTool
  ExifTool 12.35
  
  
• IntelOwl
  v3.2.1
  
  
• MSAB
  Released today: Enhanced support for Samsung Galaxy and iOS with XRY 9.6.1
  
  
• Nextron Systems
  ASGARD 2.11 Release
  
  
• OSForensics
  V9.1 build 1001 12th November 2021
  
  
• Telekom Security
  Acquire AWS EC2
  
  
• Xways
  X-Ways Forensics 20.4 Beta 6
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!