As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Joshua I. James at DFIRScience
  iPhone forensics with Linux command line and bplister
  
  
• Forensafe
  • Investigating Windows 10 Maps
  • Investigating Computer Name
    
    
• Forensic-Research
  Digital Forensic Challenge 2020 [104]
  
  
• Jaron Bradley at The Mitten Mac
  What does APT Activity Look Like on MacOS?
  
  
• Kyle Song
  • Blog #32: Building a Forensic Environment with WSL & Chocolatey part 2. [EN]
  • Blog #32: Building a Forensic Environment with WSL & Chocolatey part 2. [KR]
    
    
• Amber Schroader at Paraben Corporation
  Investigating and Capturing Google Data
  
  
• SalvationData
  What is Database Forensics?
  
  
• SANS
  Windows Third-Party Apps Forensics Reference Guide Poster
  
  
• Harisuthan at Security Investigation
  PECmd – Windows Prefetch Analysis For Incident Responders
  
  
• Shaquib Izhar
  An Intro to Pagefile Forensic
  
  
• Paolo Dal Checco at Studio d’Informatica Forense
  Forensic Acquisition of Websites and Webpages – OSDFCON 2021
  
  
• The DFIR Report
  CONTInuing the Bazar Ransomware Story
  
  
• We are OSINTCurio.us
  Staying Up to Date with OSINT Content
  

THREAT INTELLIGENCE/HUNTING

• Brad Duncan at Malware Traffic Analysis
  • 2021-11-29 – Emotet epoch 5 infection sent from email on Friday 2021-11-26
  • 2021-11-24 – Gigi campaign pushes BazarLoader, leads to IcedID
    
    
• Peter Wagner at Certitude
  Unpatched Exchange servers are attacked to distribute phishing links (squirrelwaffle)
  
  
• Shmuel Cohen at Check Point Research
  Smishing Botnets Going Viral in Iran
  
  
• Cisco’s Talos
  • Threat Source Newsletter (Dec. 2, 2021)
  • Magnat campaigns use malvertising to deliver information stealer, backdoor and malicious Chrome extension
  • Threat Roundup for November 26 to December 3
    
    
• Ben Solomon at Cloudflare
  The Grinch Bot is Stealing Christmas!
  
  
• Cobalt Strike Research and Development
  • Create a proxy DLL with artifact kit
  • Nanodump: A Red Team Approach to Minidumps
    
    
• CrowdStrike
  Nowhere to Hide: Detecting SILENT CHOLLIMA’s Custom Tooling
  
  
• Csaba Fitzl at ‘Theevilbit’
  Beyond the good ol’ LaunchAgents – 24 – Folder Actions
  
  
• Cybersecurity Action Team
  Threat Horizons – Cloud Threat Intelligence November 2021 Issue 1
  
  
• Cyjax
  Ransomware Review – November 2021
  
  
• EclecticIQ
  The Analyst Prompt #40 Ransomware TA505 Iranian Nation State
  
  
• Gabriel Landau at Elastic
  Detecting and blocking unknown KnownDlls
  
  
• Nikolaos Pantazopoulos and Michael Sandee at Fox-IT
  Tracking a P2P network related to TA505
  
  
• Christopher Peacock at Scythe
  SCYTHE Presents: Threat Thursday – Red Canary October Detection Opportunities
  
  
• Malwarebytes Labs
  • Have you downloaded that Android malware from the Play Store lately?
  • Emotet being spread via malicious Windows App Installer packages
  • SideCopy APT: Connecting lures to victims, payloads to infrastructure
  • Emotet’s back and it isn’t wasting any time
    
    
• Tyler Mclellan and Brandan Schondorfer at Mandiant
  Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
  
  
• Microsoft 365 Security
  Lateral Movement with Managed Identities of Azure Virtual Machines
  
  
• Microsoft Security
  • Behind the unprecedented effort to protect customers against the NOBELIUM nation-state attack
  • Structured threat hunting: One way Microsoft Threat Experts prioritizes customer defense
    
    
• Margit Hazenbroek at NCC Group
  Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm
  
  
• Nikhil Rathor at 0xthreatintel
  APT37 targets Journalists & Security Researchers
  
  
• Didier Stevens at NVISO Labs
  Cobalt Strike: Decrypting DNS Traffic – Part 5
  
  
• Robert Falcone and Peter Renals at Palo Alto Networks
  APT Expands Attack on ManageEngine With Active Campaign Against ServiceDesk Plus
  
  
• Paolo
  Network visibility in docker environment
  
  
• Shanna Daly at ParaFlare
  Uncovering a watering hole attack
  
  
• Pete Cowman at Hatching
  Advanced Submit Screen and Emotet Powershell Parsing
  
  
• Proofpoint
  • Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors 
  • High Volume German Phishing Campaign Aims to Steal Banking Credentials
    
    
• Pascal Geenens at Radware
  • Ransomware & Ransom DoS, Why They Are Similar But Different
  • DDOS Attacks Targeting Payment Services of Global Financial Institutions
    
    
• Glenn Thorpe at Rapid7
  Ongoing Exploitation of Windows Installer CVE-2021-41379
  
  
• Red Canary
  • ProxyShell exploitation leads to BlackByte ransomware
  • KMSPico and Cryptbot: A spicy combo
    
    
• SANS Internet Storm Center
  • Wireshark 3.6.0 Released, (Mon, Nov 29th)
  • Hunting for PHPUnit Installed via Composer, (Tue, Nov 30th)
  • TA551 (Shathak) pushes IcedID (Bokbot), (Thu, Dec 2nd)
  • Info-Stealer Using webhook.site to Exfiltrate Data, (Wed, Dec 1st)
  • The UPX Packer Will Never Die!, (Fri, Dec 3rd)
  • A Review of Year 2021, (Sat, Dec 4th)
    
    
• Sansec
  NginRAT parasite targets Nginx
  
  
• Sean Fernandez at Binary Defense
  Threat Hunting AWS CloudTrail with Sentinel: Part 2
  
  
• Security Intelligence
  • Understanding the Adversary: How Ransomware Attacks Happen
  • Roundup: Ransomware, the Future of the Cloud and Cyber Careers
  • Treasury Crypto Security Sanction Blocks Exchange Favored by Ransomware Actors
  • How to Cut Down on Data Breach Stress and Fatigue
  • X-Force Threat Intelligence: Monthly Malware Roundup
    
    
• Infosec Coproscribe
  The Water Bear that Wasn’t: Tardigrade
  
  
• Sucuri
  • What We’ve Learned About SSH Brute Force Attacks
  • WordPress Admin Creator – A Simple, But Effective Attack
  • Is My Site Hacked? 4 Gut Checks
    
    
• Symantec Enterprise
  Yanluowang: Further Insights on New Ransomware Threat
  
  
• ThreatFabric
  Deceive the Heavens to Cross the sea
  
  
• Trend Micro
  • Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites
  • Analyzing How TeamTNT Used Compromised Docker Hub Accounts
  • Vulnerabilities Exploited for Monero Mining Malware Delivered via GitHub, Netlify
    
    
• VirusTotal
  • Insights on ransomware attacks
  • Introducing VirusTotal Collections
    
    
• Vishal Thakur
  RansomExx
  
  
• Alexis Dorais-Joncas and Facundo Muñoz at WeLiveSecurity
  Jumping the air gap: 15 years of nation‑state effort
  

UPCOMING EVENTS

• Yulia Samoteykina at Atola
  Top digital forensics conferences in 2022
  
  
• Cado and SentinelOne
  Automation Flips the Script: Augmenting Real-Time Detection with Modern DFIR
  
  
• Cybereason
  Join Us for DefenderCon 2021!
  
  
• DFRWS
  DFRWS EU 2022 CFP
  
  
• Elan at DFIR Diva
  DFIR Related Events for Beginners – December, 2021
  
  
• Gerald Auger at Simply Cyber
  • First Things First – Cybersecurity Threat Briefing | DEC 6 2021
  • First Things First – Cybersecurity Threat Briefing
    
    
• Magnet Forensics
  Dig Deeper: Cloud Investigations with AXIOM Cyber
  
  
• Brittany Roberts at ADF
  Top 5 Law Enforcement Webinars
  

PRESENTATIONS/PODCASTS

• Archan Choudhury at BlackPerl
  Incident Response Training Course, Malware Incident Triage, How to Install Cuckoo, Day 16
  
  
• ArcPoint Forensics
  • Unallocated Space Presented by ArcPoint Forensics
  • UNALLOCATED SPACE S1: EP01: JESSICA HYDE
    
    
• Basis Technology
  • Velociraptor: Dig Deeper with Mike Cohen [OSDFCon 2021]
  • A Golden Ticket to the Cloud with Nader Zaveri [OSDFCon 2021]
  • Leaving No Stone Unturned with Jamie Levy [OSDFCon 2021]
  • ARTHIR: ATT&CK Remote Threat Hunting Incident Response Windows Tool by Michael Gough [OSDFCon 2021]
  • Windows Event Log Trick-Shots in Rust! with Matthew Seyer [OSDFCon 2021]
  • Forensic Acquisition of Websites, Webpages and Online Services with Open Source Tools [OSDFCon 2021]
  • Incident Recorder with Kenneth Ray [OSDFcon 2021]
  • Autopsy Update at OSDFCon 2021 with Brian Carrier
  • I know what your AD did last summer…! Yossi Sassi talks about Active Directory at OSDFCon 2021
  • Autopsy Scoring: Finding the Relevant Data with Analysis Results [OSDFCon 2021]
  • Where Have UAL Been? with Brian Moran and Kevin Stokes [OSDFCon 2021]
    
    
• Belkasoft
  How to extract and decode internet browser passwords—14th episode of BelkaTalk on DFIR
  
  
• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2021-11-29
  
  
• Cellebrite
  • Cellebrite UFED: Top 7 Tip Tuesdays with Heather Mahalik
  • Episode 15: iBeg to DFIR – Location Data on iOS and Android Devices
    
    
• Cloud Security Podcast by Google
  EP45 VirusTotal Insights on Ransomware Business and Technology
  
  
• DFIRScience
  iPhone forensics with Linux command line and bplister
  
  
• Digital Forensic Survival Podcast
  DFSP # 302 – Lateral MM Fast Triage 4
  
  
• Dump-Guy Trickster
  So you Really think you Know What Powershell Is ???
  
  
• Gerald Auger at Simply Cyber
  The TRUTH About A Cybersecurity Threat and Vulnerability Program (2.0)
  
  
• Hasherezade
  PE-sieve demos (for Pentester Academy ToolBox)
  
  
• InfoSec_Bret
  SANS ISC – May 2021 Contest: Forensic Challenge
  
  
• John Hammond
  • TryHackMe! Advent of Cyber – 2021 KICKOFF: 25 Days of Learning CYBERSECURITY
  • ZipSlip w/ TAR & Server-Side Template Injection – HackTheBox University CTF – “Slippy”
  • 2022 OSCP EXAM CHANGES – Goodbye Buffer Overflow, Hello Active Directory
    
    
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 31 – Regular Expression Searching (Ikea Breach)
  
  
• LetsDefend
  How to become Incident Responder?
  
  
• Magnet Forensics
  Make the Move to AXIOM Cyber
  
  
• MSAB
  The New Report Builder in XAMN
  
  
• Nextron Systems
  ASGARD Management Center v2 – Installation
  
  
• SANS
  Wrap Up Panel
  
  
• SecurityNinja
  TryHackMe – Carnage
  
  
• The Digital Forensics Files Podcast
  Stephen Cordon, Digital Forensics Expert and Automation Process Enthusiast Joins Tyler Hatch
  
  
• Zeek in Action
  Zeek in Action, Video 10, Radius Protocol Analyzer with Spicy
  

MALWARE

• Alex Turing and Hui Wang at 360 Netlab
  EwDoor Botnet Is Attacking AT&T Customers
  
  
• Jan Rubín and Jakub Kaloč at Avast Threat Labs
  Toss a Coin to your Helper (Part 2 of 2)
  
  
• Michael Zandi at Blackberry
  Reverse Engineering Ebpfkit Rootkit With BlackBerry’s Enhanced IDA Processor Tool
  
  
• Cisco’s Talos
  Talos Takes Ep. #79: Emotet’s back with the worst type of holiday present
  
  
• Cleafy
  Mobile banking fraud: BRATA strikes again
  
  
• Cyber Geeks
  Just another analysis of the njRAT malware – A step-by-step approach
  
  
• Ron Ben Yizhak at Deep Instinct
  The Re-Emergence of Emotet
  
  
• Esentire
  Dridex Excel Spam Feature
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #67: Decompiler helpers
  
  
• Dr. Joakim Kennedy at Intezer
  All Your Go Binaries are Belong to Us
  
  
• Mahmoud Morsy
  • Phishing Attacks 1_12_2021
  • Phishing Attacks 4_12_2021
    
    
• Nik Alleyne at ‘Security Nik’
  Beginning malloc – C Programming
  
  
• Securelist
  • WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019
  • ScarCruft surveilling North Korean defectors and human rights activists
    
    
• Security Onion
  • Quick Malware Analysis: Hancitor and Cobalt Strike pcap from 2021-04-07
  • Quick Malware Analysis: Emotet Epoch 5 pcap from 2021-11-26
  • Quick Malware Analysis: Gigi, Bazarloader, and IcedId pcap from 2021-11-24
  • Quick Malware Analysis: TA551/Shathak and Qakbot/Qbot pcap from 2021-01-26
    
    
• Sean Gallagher at Sophos
  Two flavors of Tor2Mine miner dig deep into networks with PowerShell, VBScript
  

MISCELLANEOUS

• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 12/4/21
  
  
• Martino Jerian at Amped
  Announcing the Amped User Community on Discord
  
  
• Belkasoft
  Why term-based license is NOT good for DFIR market
  
  
• Amanda Berlin at Blumira
  Top 10 SIEM Log Sources To Prioritize
  
  
• Heather Mahalik at Cellebrite
  How to Use Guidance Mode and SOPs in Cellebrite UFED
  
  
• Cybereason
  • A Brief History of Ransomware Evolution
  • Planned Parenthood Ransomware Attack Has Far Reaching Implications
  • Lives at Risk from Planned Parenthood Ransomware Attack
  • Cl0p Ransomware Gang Tries to Topple the House of Cards
    
    
• Joshua I. James at DFIRScience
  November DFIRDev Winners!
  
  
• dr3ad_0X1
  Malice in Kernel land
  
  
• Oleg Afonin at Elcomsoft
  Worthless Security Practices
  
  
• Forensic Focus
  • OpenText’s Chuck Dodson on Digital Evidence Management and Information Sharing
  • Identifying Interception Possibilities for WhatsApp Communication
  • Register for Webinar: Delivering the DFIR Advantage to the Frontlines
  • Putting Evidence on the Map and Bad Guys Behind the Bars With Oxygen Forensic Detective
  • Extract Silent Phone Data in Oxygen Forensic Detective
  • Examining Vehicle Data With Magnet AXIOM
  • Law Enforcement Educational Challenges for Mobile Forensics
    
    
• Stuart Krivis at Hurricane Labs
  Ingesting a CSV file into Splunk
  
  
• Jesse Spangenberger at ‘Cyber Fenix DFIR & Technology’
  Review: CSI Linux + Training
  
  
• Josh Brunty
  My 2022 Forensic 4:Cast Nominations
  
  
• Leo Pitt
  How to Quickly Setup an ELK Stack and Elastic Agent to Monitor macOS Event Data
  
  
• LimaCharlie
  Why Does LimaCharlie Exist?
  
  
• Florian Roth at Nextron Systems
  Reasons Why to Use THOR instead of THOR Lite
  
  
• Oxygen Forensics
  Silent Phone: security lifted
  
  
• Panther
  SIEM vs. Log Management: An Overview
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — November 21 to November 27
  
  
• Ross Moore at Secjuice
  The Tabletop Exercise (TTX)
  
  
• Rebecca Taylor at Secureworks
  Recovering from Ransomware: Cyber Insurance and Incident Response
  
  
• Priyadharshini Balaji at Security Investigation
  MISP – Open Source Threat Intelligence and Sharing Platform
  
  
• Jessica Stanford at Cado Security
  3 Ways to Speed Up Investigations with Modern DFIR
  
  
• John Patzakis at X1
  Case Law Update: Social Media Screenshots Held Inadmissible Under the Best Evidence Rule
  

SOFTWARE UPDATES

• Alexis Brignoni
  RLEAPP 1.0.2
  
  
• Acelab
  The New SAS adapter for PC-3000 Portable III: Available for Order!
  
  
• ANSSI DFIR-ORC
  dfir-orc v10.0.22
  
  
• c3rb3ru5
  binlex v1.1.0
  
  
• Cyber Triage
  Cyber Triage 3.0.2 Update is Live
  
  
• Costas K
  PrefetchBrowser v.0.0.4.0
  
  
• Curated Intelligence
  ATT&CK Lookup for MITRE developed by Curated Intelligence
  
  
• Didier Stevens
  • New Tool: cs-parse-traffic.py
  • Update: cs-extract-key.py Version 0.0.3
    
    
• iNPUT-ACE
  iNPUT-ACE Version 2.7
  
  
• Metaspike
  Forensic Email Intelligence v1.2.8006
  
  
• Passmark Software
  OSForensics V9.1 build 1003 2nd December 2021
  
  
• Security Onion
  Security Onion 2.3.90 AIRGAP Hotfix Now Available!
  
  
• Vound
  Intella 2.5
  
  
• Xways
  X-Ways Forensics 20.4 SR-1
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!