As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Baki Onur Okutucu at 4sysops
  Manage Activity Logs in Azure using PowerShell
  
  
• Cyber Social Hub
  Android Viber Forensics
  
  
• Digital Forensics Myanmar
  • eCDFP  (Disk Drives) – Part (2)
  • eCDFP  (Disk Drives) – Lab
  • SSD Forensics Challenges  (Part-2)
  • SSD Forensics Challenges  (Part-2)
  • SSD Forensics Challenges (Part-2)
    
    
• Forensafe
  • Investigating Evernote
  • Investigating Printers Information
    
    
• Ian Whiffin at DoubleBlak
  Researching iOS Using ArtEx
  
  
• John Hammond
  COBALT STRIKE Forensics: PCAP & Memdump – “Strike Back” HackTheBox University CTF 2021
  
  
• Jumpsec Labs
  No Logs? No Problem! Incident Response without Windows Event Logs
  
  
• N00b_H@ck3r
  Try Hack Me: Carnage
  
  
• Scott Koenig at ‘The Forensic Scooter’
  Photos.Sqlite Queries
  
  
• Security Onion
  • Quick Malware Analysis: MATANBUCHUS QAKBOT OBAMA128B Cobalt Strike pcap from 2021-11-15
  • Quick Malware Analysis: Contact Forms Campaign, Bazarloader, and Cobalt Strike pcap from 2021-11-22
    
    
• Securizame
  ¡NUEVO CURSO ONLINE ++! Detección avanzada de intrusos con Wazuh y Sysmon
  
  
• Simi Ruprai
  Conducting a Manual Acquisition of an iOS Device Using Windows: A Workaround
  
  
• Arnaud Pilon, Jean-Christophe Delaunay, and Rémi Jullian at Synacktiv
  Yet Another BEC Investigation On M365
  

THREAT INTELLIGENCE/HUNTING

• Rugang Chen at 360 Netlab
  公有云网络安全威胁情报（202110）：趋势及典型案例分析
  
  
• Sean Fernandez at Binary Defense
  Threat Hunting AWS CloudTrail with Sentinel: Part 1
  
  
• Check Point Research
  22nd November – Threat Intelligence Report
  
  
• Cisco’s Talos
  • Back from the dead: Emotet re-emerges, begins rebuilding to wrap up 2021
  • Attackers exploiting zero-day vulnerability in Windows Installer — Here’s what you need to know and Talos’ coverage
    
    
• Austin Jones at Cofense
  Credential Phishing: The Key to Your Company’s Vulnerabilities
  
  
• Colin Hardy
  Was it Really North Korea? Tools and Techniques to Attribute Malware Campaigns to Nation States
  
  
• Csaba Fitzl at ‘Theevilbit’
  Beyond the good ol’ LaunchAgents – 23 – emond, The Event Monitor Daemon
  
  
• CyberArk
  How to Use the MITRE ATT&CK Framework to Fight Ransomware Attacks
  
  
• Anthony M. Freed at Cybereason
  Which Data Do Ransomware Attackers Target for Double Extortion?
  
  
• Camille Stauffer at Dragos
  Assessing Ransomware Risk in IT and OT Environments
  
  
• Derek Manky and Aamir Lakhani at Fortinet
  Threat Landscape Evolution – Following the Attack Trends
  
  
• Inversecos
  How to Detect Azure Active Directory Backdoors: Identity Federation
  
  
• Hido Cohen & Arnold Osipov at Morphisec
  The BABADEDA Crypter – an Emerging Crypter targeting the Crypto, NFT, and DeFi communities
  
  
• Jos van der Peet at Falcon Force
  Falcon Friday — Detecting code execution through Microsoft SQL Server and Oracle Database
  
  
• Pepe Berba
  • Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, and Webshells
  • Hunting for Persistence in Linux (Part 2): Account Creation and Manipulation
    
    
• Brenton Morris at ProferoSec
  From the Trenches: Common-Sense Measures to Prevent Cloud Incidents
  
  
• SANS Internet Storm Center
  • Backdooring PAM, (Sun, Nov 21st)
  • Simple YARA Rules for Office Maldocs, (Mon, Nov 22nd)
  • YARA’s Private Strings, (Thu, Nov 25th)
  • Searching for Exposed ASUS Routers Vulnerable to CVE-2021-20090, (Fri, Nov 26th)
  • Video: SANS Holiday Hack Challenge 2021 Q&A with Ed Skoudis, (Sat, Nov 27th)
  • Video: YARA Rules for Office Maldocs, (Sun, Nov 28th)
    
    
• Evgeny Goncharov at Securelist
  Threats to ICS and industrial enterprises in 2022
  
  
• Javier Bachiller at Security Art Work
  Purple Team: ¿pero esto qué es? (III). Vectr.io
  
  
• Security Investigation
  • Advance Mitre Threat Mapping – Attack Navigator & TRAM Tools
  • Autoruns v14.06 – Malware Autostart locations for Incident Responders
  • Proxyshell Vulnerability – Large Exploitation of Microsoft Exchange Servers
    
    
• Ian Kenefick at Trend Micro
  BazarLoader Adds Compromised Installers, ISO to Arrival and Delivery Vectors
  

UPCOMING EVENTS

• Monica Harris and Dr. Joe T. Sylve at Cellebrite
  Best practices for Collecting from macOS 12 including the M1 chip
  
  
• LetsDefend
  Which skills make a great Incident Responder?
  
  
• Magnet Forensics
  • How much can we automate in a digital investigation?
  • Make the Move to AXIOM Cyber
  • Tips & Tricks // Acquiring Data from the Cloud
    
    
• Scott Poley and Eric Sigman at Cyborg Security
  Threat Hunting Fireside Chat
  

PRESENTATIONS/PODCASTS

• Andrew Rathbun at 13Cubed
  EventTranscript.db Deep Dive – New Windows Forensic Artifact!
  
  
• Archan Choudhury at BlackPerl
  Black Friday, Cyber Monday 2021- GiveAways, Win Incident Response Training Course
  
  
• Belkasoft
  • Belkasoft Certified Training for Partners
  • Can You Recover Passwords from a Memory Dump—13th episode of BelkaTalk on DFIR
    
    
• Black Hills Information Security
  Talkin’ About Infosec News – 11/26/2021
  
  
• Breaking Badness
  104. The Old Bait and Glitch
  
  
• Cellebrite
  • Part 2 – SQLite Joins: Different Types of Joins in Cellebrite Physical Analyzer
  • Part 5: And That’s a Wrap for the 2021 Capture the Flag (CTF)
  • Introducing Cellebrite Physical Analyzer Ultra
    
    
• Chris Sienko at the Cyber Work podcast
  How to disrupt ransomware and cybercrime groups | Cyber Work Podcast
  
  
• Cisco’s Talos
  Talos Takes Ep. #78: Attackers would love to buy you a non-existent PS5 this holiday season
  
  
• Cloud Security Podcast by Google
  EP44 Evolving a SIEM for the Future While Learning from the Past
  
  
• Cybereason
  Malicious Life Podcast: Inside Operation Flyhook Part 2
  
  
• Day Cyberwox
  Deep Work (For Cybersecurity)
  
  
• Joshua I. James at DFIRScience
  • Fast iPhone forensic analysis with iLEAPP
  • Fast Software Prototyping – Python iLEAPP module example
    
    
• Didier Stevens
  YARA Rules for Office Maldocs
  
  
• Digital Forensic Survival Podcast
  DFSP # 301 – OSDFCON 2021
  
  
• Down the Security Rabbithole Podcast
  DtSR Episode 475 – Community Sourced Threat Instructions
  
  
• Dump-Guy Trickster
  • Powershell and DnSpy tricks in .NET reversing – AgentTesla [Part1]
  • Powershell and DnSpy tricks in .NET reversing – AgentTesla [Part2]
    
    
• Gerald Auger at Simply Cyber
  Everything ICS / OT Cybersecurity with Clint Bodungen
  
  
• InfoSec_Bret
  • IR BETA – SOC157-107 – Suspicious WAR File
  • LetsDefend IR Training
    
    
• Magnet Forensics
  • Collect and Analyze Data from Off-Network Endpoints with AXIOM Cyber
  • Modernizing Digital Investigations with Microsoft Azure and the Magnet Digital Investigation Suite
    
    
• MSAB
  File Selection with XRY
  
  
• OALabs
  Introduction To Binlex A Binary Trait Lexer Library and Utility – Machine Learning First Steps…
  
  
• SANS
  • Common misconceptions and mistakes made in Threat Hunting
  • Hunting Beacon Activity with Fourier Transforms
  • Open Threat Research – The Hunt for Red Apples: How to threat hunt and emulate Ocean Lotus on macOS
    
    
• SecurityNinja
  Let’s Defend Review – New Features
  
  
• Sumuri
  SUMURI Gives Back 2021
  

MALWARE

• Chuong Dong at 0ffset
  HANCITOR: Analysing The Malicious Document
  
  
• Vito Lucatorto at CERT-AGID
  In crescita il fenomeno delle campagne di phishing adattivo
  
  
• Gameel Ali
  Agent Tesla
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #66: Decompiler annotations
  
  
• imp0rtp3
  A deep dive into SoWaT: The paranoid router implant used by APT 31
  
  
• Enoch Root at Kaspersky Lab
  Trojan Source: Hidden source code implants | Kaspersky official blog
  
  
• Mahmoud Morsy
  • IOCs 28_11_2021
  • Phishing Attacks 27_11_2021
    
    
• Lasq at MalFind
  • From the archive #1: OSTap downloader deobfuscation and analysis
  • From the archive #2: Ursnif dropper deobfuscation
    
    
• Nikhil Rathor at 0xthreatintel
  • Unpacking of APT29 PolyglotDuke
  • Analysis of Stop Ransomware.
  • Static Analysis of Bluelight Malware
    
    
• Sansec
  CronRAT malware hides behind February 31st
  
  
• Pankaj Kohli at Sophos
  Android APT spyware, targeting Middle East victims, enhances evasiveness
  
  
• Squibydoo
  Review: Practical Malware Analysis and Triage (PMAT)
  
  
• Thomas Roccia
  [Reverse Engineering Tips] — Enumerators
  

MISCELLANEOUS

• Forensic Focus
  • Deputy Chief Constable Paul Gibson on Coordinating Countrywide Digital Forensics Standardization
  • Monitoring an Anonymity Network: Toward The Deanonymization of Hidden Services
  • Register For Webinar: AI Helping Good People Make This World Safer
  • How to Automatically Tag Your Assets During an Investigation
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  Explainer: .DS_Store files
  
  
• Kyle Song
  • Blog #31: Building a Forensic Environment with WSL & Chocolatey part 1. [KR]
  • Blog #31: Building a Forensic Environment with WSL & Chocolatey part 1. [EN]
    
    
• Microsoft 365 Security
  Azure IaaS: Managing Azure Virtual Machines
  
  
• MSAB
  Unlock the most challenging Qualcomm chipsets with MSAB
  
  
• OpenText
  • Introducing OpenText Digital Evidence Center
  • Introducing OpenText EnCase Incident Response
    
    
• Oxygen Forensics
  Oxygen Forensic® KeyScout Receives Major Upgrades in Latest Release
  
  
• Dean Parsons at SANS
  SANS Addresses ICS/OT Cyber Defence
  
  
• SentinelOne
  EDR vs Enterprise Antivirus: What’s the Difference?
  

SOFTWARE UPDATES

• Alexis Brignoni
  RLEAPP 1.0.1
  
  
• Acelab
  Sign up for ACE Lab Free Webinar on the Modern Challenges in Data Recovery & Digital Forensics!
  
  
• Cellebrite
  Now Available: Cellebrite UFED and Cellebrite Responder Version 7.50
  
  
• Costas K
  MFTBrowser.exe (x64)
  
  
• Didier Stevens
  • Update: base64dump.py Version 0.0.18
  • Update: cs-decrypt-metadata.py Version 0.0.3
  • New tool: cs-analyze-processdump.py
    
    
• Foxton Forensics
  Browser History Examiner — Version History – Version 1.16.5
  
  
• Griffeye
  Release of Analyze 21.3
  
  
• IntelOwl
  v3.2.2
  
  
• Metaspike
  Forensic Email Collector (FEC) Changelog – v3.62.3.0
  
  
• MISP
  MISP 2.4.151 released (Black friday threat intel rush release)
  
  
• OpenText
  • What’s new in OpenText EnCase Endpoint Investigator
  • What’s new in OpenText EnCase Forensic
    
    
• Security Onion
  • Security Onion 2.3.90 now available!
  • Security Onion 2.3.90 WAZUH Hotfix Now Available!
    
    
• Ulf Frisk
  MemProcFS Version 4.4
  
  
• Xways
  X-Ways Forensics 20.4
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!