As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Cado Security
  New ESG Research Reveals 89% of Companies Negatively Impacted by Cloud Cyber-Attacks Prior to Full Investigation
  
• Chris Sistrunk, Ken Proska, Glen Chason, and Daniel Kapellmann at Mandiant
  Introducing Mandiant’s Digital Forensics and Incident Response Framework for Embedded OT Systems
  
• Digital Forensics Myanmar
  • eCDFP (Data Representation & File Examination) (Part-3)
  • eCDFP (Data Representation & File Examination) (Part-4)
  • eCDFP (Data Representation & File Examination) (Part-5)
  • eCDFP  (Disk Drives)
    
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  That’s not spam
  
• Jess Garcia at DS4N6
  [BLOG]  ODSC West 2021 – “Data Science for Digital Forensics & Incident Response (DFIR)” – Wrap-Up & Community Resources Announced, by  Jess Garcia
  
• Elcomsoft
  • iPhone Acquisition Methods Compared
  • checkm8, checkra1n and USB hubs
  • Forensically Sound Extraction for iPhone 5s, 6, 6s and SE
  • How to Use iOS Forensic Toolkit 8.0 b2 to Perform Forensically Sound Extraction of iPhone 5s, 6, 6s and SE
  • Real-Time Surveillance via Apple iCloud
    
• Forensafe
  • Investigating 7-Zip
  • Investigating Installed Programs
    
• Huntress
  Investigating Unauthorized Access: Huntress QA Environment Incident
  
• Inginformatico
  Forensic Analysis to Anydesk: Forensic Artifacts and Log Analysis [ENG]
  
• iNPUT-ACE
  Can Pinch to Zoom Alter Video Evidence?
  
• Magnet Forensics
  • Deploying Digital Forensics Solutions in the Cloud
  • Anatomy of an eDiscovery Investigation
  • Connect to GrayKey: AXIOM Integration for Android
  • Keychain Pre-Processing and Easier Data Decryption for iOS in Magnet AXIOM
    
• Oxygen Forensics
  Traceless data extraction from MEGA cloud
  
• Security Onion
  • Quick Malware Analysis: TA551 SHATHAK BAZARLOADER with Cobalt Strike and DarkVNC pcap from 2021-11-05
  • Quick Malware Analysis: Emotet Epoch 2 with Trickbot GTAG MOR9 pcap from 2021-01-04
  • Quick Malware Analysis: Emotet Epoch 4 pcap from 2021-11-18
    
• Sky Blueteam
  Recovering registry hives encrypted by LockBit 2.0
  
• The DFIR Report
  Exchange Exploit Leads to Domain Wide Ransomware
  
• Threat Lab Indonesia
  • Network Analysis Packet Injection
  • Network Analysis Command And Control
    

THREAT INTELLIGENCE/HUNTING

• Yelisey Boguslavskiy & Vitali Kremez at Advanced Intelligence
  Corporate Loader “Emotet”: History of “X” Project Return for Ransomware
  
  
• Avast Threat Labs
  Avast Q3’21 Threat Report
  
  
• Blackberry
  All Your Beacon Are Belong to Us: New BlackBerry Book Cracks Code of Cobalt Strike Threat Actors
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2021-11-15 – Emotet email and malware samples for ISC diary
  • 2021-11-15 – Matanbuchus –> Qakbot obama128b –> Cobalt Strike
    
    
• BushidoToken
  • Analysis of the latest PayPal phishing attacks
  • Leveraging Legitimate Services for Malware and Phishing
    
    
• CERT-AGID
  Dopo due mesi, nuova campagna malware sLoad veicolata via PEC
  
  
• Check Point Research
  • Uncovering MosesStaff techniques: Ideology over Money
  • 15th November – Threat Intelligence Report
    
    
• Cisco’s Talos
  • Attackers use domain fronting technique to target Myanmar with Cobalt Strike
  • Threat Source Newsletter (Nov. 18, 2021)
  • Threat Roundup for November 12 to November 19
    
    
• Cobalt Strike Research and Development
  Nanodump: A Red Team Approach to Minidumps
  
  
• Mikel Gastesi at Countercraft
  CVE-2021-41773 Actively Exploited by H2Miner
  
  
• CrowdStrike
  • Credentials, Authentications and Hygiene: Supercharging Incident Response with Falcon Identity Threat Detection
  • Ransomware (R)evolution Plagues Organizations, But CrowdStrike Protection Never Wavers
    
    
• Dave Klein at Cymulate
  Surviving Ransomware – The Secret? Being Proactive!
  
  
• Chad Anderson at DomainTools
  Seeing Red
  
  
• Elliptic
  Conti Ransomware Nets at Least $25.5 Million in Four Months
  
  
• Flashpoint
  RAMP Ransomware’s Apparent Overture to Chinese Threat Actors
  
  
• GuidePoint Security
  • ‘GoldDust’ operation shuts down REvil
  • Phishing news roundup: One Font BEC campaign, BazarBackdoor malware, and HTML smuggling
  • Law enforcement deals blow to REvil/Sodinokibi operations and more ransomware and phishing news
    
    
• LIFARS Cybersecurity
  • Spread of Ransomware Through SEO Poisoning
  • New but Odd BlackByte Ransomware Reusing Crypto Keys and Worms into Networks
  • Emotet is Back on the Main Stage Thanks to Trickbot
  • Cyber Attackers Using Google Chrome to Steal User Data and Credentials 
    
    
• Mandiant
  • UNC1151 Assessed with High Confidence to have Links to Belarus, Ghostwriter Campaign Aligned with Belarusian Government Interests
  • ProxyNoShell: A Change in Tactics Exploiting ProxyShell Vulnerabilities
    
    
• Microsoft Security
  • Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021
  • Iranian targeting of IT sector on the rise
    
    
• Microsoft Security Response Center
  Guidance for Azure Active Directory (AD) keyCredential property Information Disclosure in Application and Service Principal APIs
  
  
• Morphisec
  The Notorious Emotet Is Back: What Organizations Need to Know
  
  
• Netskope
  What’s New for 2022: Long Shots and Safe Bet Predictions
  
  
• NVISO Labs
  • Detecting DCSync and DCShadow Network Traffic
  • Kernel Karnage – Part 3 (Challenge Accepted)
  • Cobalt Strike: Decrypting Obfuscated Traffic – Part 4
  • Kernel Karnage – Part 4 (Inter(ceptor)mezzo)
    
    
• Jessica Ellis at PhishLabs
  Initial Access Brokers: Selling Entry into Your Network
  
  
• PhishLabs
  Vishing Hybrid, Response-Based Attacks on the Rise
  
  
• Prodraft
  [Conti] Ransomware Group In-Depth Analysis
  
  
• Darien Huss and Selena Larson at Proofpoint
  Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, September 2021
  
  
• Red Canary
  Intelligence Insights: November 2021
  
  
• RiskIQ
  • The Vagabon Kit Highlights ‘Frankenstein’ Trend in Phishing
  • New Aggah Campaign Hijacks Clipboards to Replace Cryptocurrency Addresses
  • New E-Commerce Cybersecurity Guide Helps Brands be Proactive This Holiday Shopping Season
    
    
• Dean Parsons at SANS
  Consequence-Driven ICS Risk Management
  
  
• SANS Internet Storm Center
  • Changing your AD Password Using the Clipboard – Not as Easy as You’d Think!, (Mon, Nov 15th)
  • External Email System FBI Compromised: Sending Out Fake Warnings, (Sun, Nov 14th)
  • Video: Obfuscated Maldoc: Reversed BASE64, (Sun, Nov 14th)
  • Emotet Returns, (Tue, Nov 16th)
  • JavaScript Downloader Delivers Agent Tesla Trojan, (Thu, Nov 18th)
  • Downloader Disguised as Excel Add-In (XLL), (Fri, Nov 19th)
  • Hikvision Security Cameras Potentially Exposed to Remote Code Execution, (Sat, Nov 20th)
    
    
• Sansec
  • Linux malware agent hits eCommerce sites
  • Case study: how eCommerce hackers silently steal credit card data
    
    
• Securelist
  Advanced threat predictions for 2022
  
  
• Stacy Leidwinger at Secureworks
  Top 5 Actionable Cyber Threat Intelligence Insights
  
  
• Security Art Work
  • Steal ’em all! Token impersonation
  • Evadiendo el antivirus mediante Early Bird y Syscalls
    
    
• Koen Van Impe at Security Intelligence
  How Attackers Exploit the Remote Desktop Protocol
  
  
• Mike Elgan at Security Intelligence
  Top Cybersecurity Threats Around the Globe
  
  
• Anusthika Jeyashankar at Security Investigation
  Detecting Office365 Azure AD Environment Backdoors
  
  
• Sean Gallagher at Sophos
  New ransomware actor uses password-protected archives to bypass encryption protection
  
  
• Justin Kohler at SpecterOps
  Active Directory Attack Paths — “Is everyone this bad?”
  
  
• Sucuri
  • What is a Website Backdoor?
  • An Overview of Website Reinfection Vectors
    
    
• Trend Micro
  • Groups Target Alibaba ECS Instances for Cryptojacking
  • Analyzing ProxyShell-related Incidents via Trend Micro Managed XDR
  • A Guide to Ransomware: Prevention and Response
  • Squirrelwaffle Exploits ProxyShell and ProxyLogon to Hijack Email Chains
  • Ransomware as a Service 101
    
    
• Fabio Viggiani at Truesec
  ProxyShell, QBot, and Conti Ransomware Combined in a Series of Cyberattacks
  
  
• Vicente Díaz at VirusTotal
  Uncovering brandjacking with VirusTotal
  
  
• Matthieu Faou at WeLiveSecurity
  Strategic web compromises in the Middle East with a pinch of Candiru
  
  
• ZScaler
  Return of Emotet malware
  

UPCOMING EVENTS

• Belkasoft
  [WEBINAR] Countering Anti-Forensic Efforts
  
  
• Cellebrite
  Episode 17: I Beg to DFIR – Was it actually there? Location education on iOS and Android
  
  
• Magnet Forensics
  • Collect and Analyze Data from Off-Network Endpoints with AXIOM Cyber
  • Modernizing Digital Investigations with Microsoft Azure and the Magnet Digital Investigation Suite
  • Tips & Tricks // Get Your OSINT with Public Social Media Data
    
    
• Microsoft Security
  Join us at InfoSec Jupyterthon 2021
  
  
• Scott Poley and Eric Sigman at Cyborg Security
  Threat Hunting Fireside Chat
  

PRESENTATIONS/PODCASTS

• Archan Choudhury at BlackPerl
  Incident Response Training Course, Malicious Document Analysis, Day 15
  
  
• Belkasoft
  • Belkasoft Evidence Reader Tutorial
  • What Artifacts can be Analyzed from a Windows System—12th Episode of BelkaTalk on DFIR
    
    
• Black Hills Information Security
  • DNS Over HTTPS for Cobalt Strike
  • Talkin’ About Infosec News – 11/17/2021
  • BHIS | Looking for Needles in Needlestacks w/ Threat Hunting Toolkit | Derek Banks & Ethan Robish
    
    
• Breaking Badness
  103. Malware and Tear
  
  
• Cellebrite
  • How to Use the Timeline Graph in Cellebrite Physical Analyzer
  • Episode 5: Carved From Unallocated Episode – Imposter Syndrome
  • How to Create Connections Between Multiple Files with SQLite Joins in Cellebrite Physical Analyzer
    
    
• Chewing the FAT
  Episode 7
  
  
• Chris Sienko at the Cyber Work podcast
  How to become a cyber threat researcher | Cyber Work Podcast
  
  
• Cisco’s Talos
  Talos Takes Ep. #77: How to connect to (and safely use) public WiFi
  
  
• Day Cyberwox
  Life Update: WGU Progress, Job Promotion, Quitting Social Media, Starting Blue Team Level 1 (BTL1)
  
  
• Detection: Challenging Paradigms
  S2 – Episode 6: Tweet Extravaganza
  
  
• DFIRScience
  Fast iPhone forensic analysis with iLEAPP
  
  
• Didier Stevens
  Obfuscated Maldoc: Reversed BASE64
  
  
• Digital Forensic Survival Podcast
  • DFSP # 299 – Malicious Powershell with Blumira
  • DFSP # 300 – Case Study Ocean Lotus
    
    
• Down the Security Rabbithole Podcast
  DtSR Episode 474 – Unraveling Mountains of Evidence
  
  
• InfoSec_Bret
  • SANS ISC – October 2021 Contest: Forensic Challenge
  • InfoSec Tools – ANY.RUN (Interactive Sandbox)
    
    
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 31 – AI Object Recognition in Video Files
  
  
• Magnet Forensics
  • Investigate Malware & Ransomware with Speed and Efficiency
  • Rapid Triage for Mac with Magnet OUTRIDER
  • Tips & Tricks // Remote Agents and the Agent Status Dashboard
    
    
• Metaspike
  Forensic Email Intelligence Launch Event
  
  
• Rasta Mouse
  External C2 over Discord
  
  
• SANS
  • Fundamentos de Lógicas de Detección Basadas en Data
  • Stay ahead of the game: automate your threat hunting workflows
  • Practical Threat Hunting With Machine Learning
  • Building Better Hunt Data
  • Live at SANS Pen Test HackFest 2021
  • Live at SANS Pen Test HackFest 2021 | Mon 12:30pm ET
  • Live at SANS Pen Test HackFest 2021 | 10a
  • SANS Live at Pen Test HackFest | Tuesday 10am ET
  • What Keeps You Up At Night?
    
    
• SecurityNinja
  • TryHackMe – Squid Game 오징어 게임
  • TryHackMe – REvil Corp
    
    
• Sumuri
  Time to give back | November 25, 2021
  

MALWARE

• Hui Wang, Alex Turing, Litao3rd, and Yang Xu at 360 Netlab
  The Pitfall of Threat Intelligence Whitelisting: Specter Botnet is ‘taking over’ Top Legit DNS Domains By Using ClouDNS Service
  
  
• Any.Run
  How to Get Free Malware Samples and Reports
  
  
• Ben Martin at Sucuri
  Fake Ransomware Infection Spooks Website Owners
  
  
• Blackberry
  Threat Thursday: DanaBot’s Evolution from Bank Fraud to DDos Attacks
  
  
• Cobi Aloia at Cofense
  Phishing Campaign Utilizes DocuSign to Counter Security Controls
  
  
• Luca Ebach at cyber.wtf
  Guess who’s back
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #65: stack frame view
  
  
• Intezer
  • New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk
  • The State of Malware Analysis
    
    
• Jake
  Check out @JCyberSec_’s Tweet
  
  
• Andrey Polkovnychenko and Shachar Menashe at JFrog
  Python Malware Imitates Signed PyPI Traffic in Novel Exfiltration Technique
  
  
• Malwarebytes Labs
  • Evasive maneuvers: HTML smuggling explained
  • TrickBot helps Emotet come back from the dead
  • SoNot SoSafe: Android malware disguises itself as secure messaging app
  • SharkBot Android banking Trojan cleans users out
  • Bogus JS libraries become sustained ransomware threat for Roblox gamers
  • Phishers target TikTok influencers with verification promises and copyright threats
  • Malwarebytes CrackMe – contest summary
    
    
• N00b_H@ck3r
  Try Hack Me: Squid Game
  
  
• Netskope
  • Netskope Threat Coverage: The Return of Emotet
  • Malicious Office Documents: Multiple Ways to Deliver Payloads
    
    
• PC’s Xcetra Support
  Excel 4 macro code obfuscation
  
  
• Pete Cowman at Hatching
  Emotet Updates and BazarLoader Emulation
  
  
• Ryan Campbell at ‘Security Soup’
  Quick Post — Emotet: The Mummy Returns (Again)
  
  
• Shahar Tavor at Security Intelligence
  BrazKing Android Malware Upgraded and Targeting Brazilian Banks
  
  
• Pedro Tavares at Segurança Informática
  MalLocker Android ransomware analysis
  
  
• Phil Stokes at SentinelOne
  • Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma
  • Backdoor macOS.Macma Spies On Activists But Can’t Hide From Behavioral Detection
    
    
• Splunk
  Detecting Remcos Tool Used by FIN7 with Splunk
  
  
• Alan Chang at ‘Trail of Bits’
  MUI: Visualizing symbolic execution with Manticore and Binary Ninja
  
  
• Xavier Mertens at /dev/random
  Portable Malware Analyzis Lab
  
  
• Yoroi
  Office Documents: May the XLL technique change the threat Landscape in 2022?
  

MISCELLANEOUS

• Martino Jerian at Amped
  Amped FIVE Does Not Use A.I. And Implements Forensically Safe Algorithms to Enhance Video Evidence
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 11/20/21
  
  
• Heather Mahalik at Cellebrite
  CLBX – A New File Format for Full File System Extractions – Cellebrite UFED
  
  
• Lior Div at Cybereason
  Dear Defenders,
  
  
• Brian P. Mohr at CyberMohr
  Microsoft Sentinel Log Usage
  
  
• Daniel Miessler
  Degrees and Credentials in InfoSec
  
  
• Garry Dukes at DME Forensics
  Feature Focus: New Reporting Features in DVR Examiner
  
  
• Joe St Sauver at Farsight Security
  Passive DNS and SIE File Formats
  
  
• Forensic Focus
  • Jad Saliba, Founder & CTO, Magnet Forensics on the Magnet Idea Lab
  • SafeToNet’s Thomas Farrell on the Spectrum of Online Child Protection
  • Detego secures US Patent for Red-Amber-Green alert technology in its Innovative Triage Solution
  • Teaching the Next Generation of Cyber Sleuths
  • Register for Webinar: Enhancement and Restoration in Amped FIVE: Basic and Advanced Techniques to Improve Video Evidence
  • Android File System Extraction With Oxygen Forensic Detective
  • Revolutionize Your Investigations With the Brand New Binalyze Forensic Investigation Suite
  • What Science Gives Us and What We Give to Science
  • What’s New in XRY 9.6 and XAMN 6.2
  • Your Car Is Recording: Metadata-Driven Dashcam Analysis System
  • Leading Enterprises Turn to Magnet AXIOM Cyber to Investigate Critical Cybersecurity Incidents
  • Lab Management and Novel Methods and Tools in the Forensic Sciences: Research from October
  • MD5 Limited Announces the Launch of VFC Version 6
    
    
• Griffeye
  Griffeye user wellbeing features
  
  
• LockBoxx
  Book Review: Cybersecurity Blue Team Toolkit
  
  
• MalwareTech
  An in-depth look at hacking back, active defense, and cyber letters of marque
  
  
• Laura Brosnan at Red Canary
  Plan ahead with Red Canary’s new Incident Response and Preparedness guide
  
  
• Richard Frawley at ADF
  Preview and Collect Digital Evidence
  
  
• Bob Rudis
  Creating A Custom MaxMind mmdb File For Cloud Provider Ranges
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — November 14 to November 20
  
  
• Ryan McGeehan
  How to estimate legal costs from a data breach.
  
  
• SANS
  • A Visual Summary of SANS Pen Test HackFest Summit 2021
  • SANS and TechVets partner to help veterans find their path in cybersecurity
    
    
• Syed Hasan
  Honest Review of TCM Security’s Practical Malware Analysis and Triage
  
  
• John Patzakis at X1
  Social Media Algorithms Foster Relevant Evidence in Litigation
  

SOFTWARE UPDATES

• iLEAPP
  iLEAPP v1.16.9
  
  
• RLEAPP
  RLEAPP 1.0
  
  
• AccessData
  Forensic Toolkit (FTK) International version 7.5.1
  
  
• Arsenal
  Arsenal Image Mounter v3.6.188
  
  
• Berla
  iVe Software v3.4 Release
  
  
• Brim
  v0.28.0
  
  
• c3rb3ru5
  Initial Release + Bug Fixes
  
  
• Costas K
  MFTBrowser.exe (x64)
  
  
• Didier Stevens
  Update: 1768.py Version 0.0.10
  
  
• DME Forensics
  DVR Examiner 3.1.0 is Now Available
  
  
• Elcomsoft
  iOS Forensic Toolkit 8.0 beta 2 brings forensically-sound checkm8 extraction and iOS 15 support
  
  
• Kroll
  Kape Changelog – 1.1.0.1
  
  
• ExifTool
  ExifTool 12.36
  
  
• Magnet Forensics
  • New in Magnet AXIOM 5.7: Preprocess iOS Keychains and Connect Directly to GrayKey for Android Extractions
  • XFS Parsing Now in Magnet AXIOM Cyber 5.7
    
    
• OSForensics
  V9.1 build 1002 19th November 2021
  
  
• radare2
  5.5.0 – 希
  
  
• Sumuri
  • RECON ITR Version 1.1.4 (A5)
  • RECON LAB Version 1.4.9 (A2)
    
    
• Xways
  • X-Ways Forensics 19.9 SR-16
  • X-Ways Forensics 20.0 SR-14
  • X-Ways Forensics 20.4 Beta 7
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!