Starting off by mentioning a fantastic initiative by Chris Sanders. Contributing to Rural Tech Fund and a foodbank of your choosing will help people and you may just win a significant prize in return.
Win My Golden Ticket!

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Sal Aziz at Magnet Forensics
  Anatomy of a Business Email Compromise Investigation
  
  
• Andrea Garavaglia
  Orochi meets YARA
  
  
• Chris Sanders
  A Cognitive Skills Assessment of Digital Forensic Analysts – My Doctoral Dissertation
  
  
• Amber Schroader at Cyber Social Hub
  Investigating and Capturing Google Data
  
  
• Elliptic
  Google Killed a Criminal Botnet. Did a Bitcoin Transaction Resurrect It?
  
  
• Ex Umbra in Solem
  التحقيق الجنائي الرقمي
  
  
• Forensafe
  • Investigating Vivaldi Web Browser
  • Investigating Jump Lists
    
    
• iNPUT-ACE
  How To Calculate Vehicle Speed from Video with the VFR Lightboard
  
  
• Nicole Fishbein at Intezer
  Save Incident Response Time with Intezer Analyze
  
  
• James Smith at DFIR Madness
  Case 002 – Tyler Hudak’s Honeypot
  
  
• Mary Ellen Kennel at ‘What’s A Mennonite Doing In Manhattan?!’
  IR A-Z
  
  
• Maxim Suhanov
  Things you probably didn’t know about FAT
  
  
• Rifqi Ardia Ramadhan at MII Cyber Security
  Why is there a lot of Windows Logon Success with Logon Type 3? -A quick look-
  
  
• Security Onion
  • Quick Malware Analysis: Emotet Epoch4 and Appinstaller pcap from 2021-11-30
  • Quick Malware Analysis: Obama141 Malspam with Qakbot and Matanbuchus pcap from 2021-12-07
    
    
• Vikas Singh
  Join PowerShell Script from Event Logs
  

THREAT INTELLIGENCE/HUNTING

• • Log4Shell
    • Check out @GossiTheDog’s tweet
    • Threat Alert: Log4j Vulnerability Has Been adopted by two Linux Botnets
    • Urgent｜Apache log4j-2.15.0-rc1 version has a bypass risk, please upgrade to log4j-2.15.0-rc2 as soon as possible!
    • Zero-Day RCE Vulnerability CVE-2021-44228 aka Log4Shell Affects Java
    • Protecting against CVE-2021-44228 (Apache Log4j2 versions 2.14.1)
    • Threat Advisory: Critical Apache Log4j vulnerability being exploited in the wild
    • CVE-2021-44228 – Log4j RCE 0-day mitigation
    • How Cloudflare security responded to log4j2 vulnerability
    • Actual CVE-2021-44228 payloads captured in the wild
    • Inside the log4j2 vulnerability (CVE-2021-44228)
    • Log4j2 Vulnerability “Log4Shell” (CVE-2021-44228)
    • Cybereason Solutions Are Not Impacted by Apache Log4j Vulnerability (CVE-2021-44228)
    • Cybereason Releases Vaccine to Prevent Exploitation of Apache Log4Shell Vulnerability (CVE-2021-44228)
    • Detecting Exploitation of CVE-2021-44228 (log4j2) with Elastic Security
    • Critical RCE Vulnerability: log4j – CVE-2021-44228
    • Security Advisory Regarding Log4Shell
    • CVE-2021-44228 – Log4j – MINECRAFT VULNERABLE! (and SO MUCH MORE)
    • Log4Shell: critical vulnerability in Apache Log4j | Kaspersky official blog
    • RCE 0-day exploit found in log4j, a popular Java logging package
    • Log4j zero-day “Log4Shell” arrives just in time to ruin your weekend
    • Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation
    • Microsoft’s Response to CVE-2021-44228 Apache Log4j 2
    • Log4j / Log4Shell / CVE-2021-44228
    • CVE-2021-44228-Log4Shell-Hashes
    • Another Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228)

  CVE-2021-44228 – Log4j 2 Vulnerability Analysis

  • Widespread Exploitation of Critical Remote Code Execution in Apache Log4j
  • RCE in log4j, Log4Shell, or how things can get bad quickly, (Fri, Dec 10th)
  • Log4j / Log4Shell Followup: What we see and how to defend (and how to access our data), (Sat, Dec 11th)
  • Update on Apache Log4j Zero-Day Vulnerability
  • CVE-2021-44228: Staying Secure – Apache Log4j Vulnerability
  • Apache Log4j Zero-Day Being Exploited in the Wild
  • Log4Shell log4j vulnerability (CVE-2021-44228) – cheat-sheet reference guide
  • CVE-2021-44228: Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (Log4Shell)
  • Emergency Update for CVE-2021-44228 (log4j / Log4Shell)
    
    
  • 360 Netlab
    • 解析服务提供商对非授权域名解析情况的评估
    • An assessment of Non-Authorized Domain Name Resolution provided by DNS Resolution Service Provider
    • 公有云网络安全威胁情报（202111）：云上多个资源对外发起攻击
      
      
  • Accenture
    Karakurt rises from its lair
    
    
  • Anomali
    Anomali Cyber Watch: Nginx Trojans, BlackByte Ransomware, Android Malware Campaigns, and More
    
    
  • Anton Chuvakin
    SOC Technology Failures — Do They Matter?
    
    
  • Sean Fernandez at Binary Defense
    Threat Hunting AWS CloudTrail with Sentinel: Part 3
    
    
  • Blackberry
    Threat Thursday: Babuk Ransomware Shifts Attack Methods to Double Extortion
    
    
  • Thu Pham at Blumira
    How To Detect Signs of Cuba Ransomware
    
    
  • Brad Duncan at Malware Traffic Analysis
    • 2021-12-08 – Pcap for an ISC diary (December 2021 Forensic Challenge)
    • 2021-11-30 – Emotet epoch 4 uses appinstaller for infection
    • 2021-12-07 – obama141 malspam pushes both Qakbot and Matanbuchus
    • 2021-12-10 – TA551 (Shathak) IcedID with Cobalt Strike and DarkVNC
      
      
  • Adam Hillel and Katerina Tiddy at Cado Security
    How to add Forensics to your SIEM and Start Automating Investigations
    
    
  • CERT-FR
    CERTFR-2021-CTI-011 : 🇬🇧 Phishing campaigns by the Nobelium intrusion set (06 décembre 2021)
    
    
  • Check Point Research
    • 6th December – Threat Intelligence Report
    • Trickbot Rebirths Emotet: 140,000 Victims in 149 Countries in 10 Months
      
      
  • Cisco’s Talos
    • Threat Source Newsletter (Dec. 9, 2021)
    • Threat Roundup for December 3 to December 10
      
      
  • Cofense
    • New COVID Variant Can Lead to New Phish Themes
    • German Users Targeted in Digital Bank-Heist Phishing Campaigns
      
      
  • CrowdStrike
    • Trust Erodes Amid Ransomware Growth: 2021 CrowdStrike Global Security Attitude Survey
    • Critical Hit: How DoppelPaymer Hunts and Kills Windows Processes
      
      
  • Cybereason
    • Ransomware by the Numbers – An Impact Overview
    • THREAT ALERT: The Return of Emotet
      
      
  • Brian P. Mohr at CyberMohr
    Microsoft Sentinel Azure AD Connector Log Breakdown
    
    
  • Justin Fier at Darktrace
    The double extortion business: Conti Ransomware Gang finds new avenues of negotiation
    
    
  • Mike Hoffman and Gloria Cedillo at Dragos
    Detecting PLC Switch Position Changes Through the Network
    
    
  • Mark Huijnen at EclecticIQ
    Discover What’s New in EclecticIQ Intelligence Center 2.11
    
    
  • Nate Magee and Vicente J. Jiménez Miras at Falco
    Blog: Discover how GitLab uses Falco to detect abnormal behaviour in code dependencies
    
    
  • Google Threat Analysis Group
    • Disrupting the Glupteba operation
    • New action to combat cyber crime
      
      
  • Dmitry Shestakov and Andrey Zhdanov at Group-IB
    Inside the Hive
    
    
  • GuidePoint Security
    • An unholy threat: ransomware gang dubbed ‘Sabbath’ targeting critical US infrastructure
    • Warnings about ransomware strain called Yanluowang
      
      
  • InfoSec Write-ups
    • DLL Injection & DLLInjector
    • Remote Code Execution via Exif Data .
      
      
  • Keisuke Shikano at JPCERT/CC
    TSUBAME Report Overflow (Jul-Sep 2021)
    
    
  • Malwarebytes Labs
    Is your web browser vulnerable to data theft? XS-Leak explained
    
    
  • Mandiant
    • FIN13: A Cybercriminal Threat Actor Focused on Mexico
    • Suspected Russian Activity Targeting Government and Business Entities Around the Globe
    • Suspected Russian Activity Targeting Government and Business Entities Around the Globe
      
      
  • Menasec
    Detecting Token Stealing using Sysmon v13.30 and EQL
    
    
  • Microsoft Security
    • NICKEL targeting government organizations across Latin America and Europe
    • A closer look at Qakbot’s latest building blocks (and how to knock them down)
      
      
  • Netflix
    Snaring the Bad Folks
    
    
  • Peng Peng, Fang Liu, Ben Zhang, Stefan Springer and Oleksii Starov at Palo Alto Networks
    Detecting Patient Zero Web Threats in Real Time With Advanced URL Filtering
    
    
  • Melanie Ninovic at ParaFlare
    Attack Lifecycle Detection of an Operational Technology Breach
    
    
  • Proofpoint
    • University Targeted Credential Phishing Campaigns Use COVID-19, Omicron Themes
    • That Holiday Feelin’: TA575 Brings the Warm and Fuzzies with Year-end, Festive Lures
      
      
  • Rawsec
    HTB Cyber Santa CTF 2021 – Write-up
    
    
  • Recorded Future
    • Magecart Groups Abuse Google Tag Manager
    • Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia
    • 6 Ways Intelligence Stops Ransomware
      
      
  • Red Alert
    Monthly Threat Actor Group Intelligence Report, October 2021
    
    
  • Red Canary
    • Better know a data source: Process integrity levels
    • 2021 Gartner® Market Guide for MDR Services: Behind the Research
      
      
  • RiskIQ
    Retailers Using WooCommerce are at Risk of Magecart Attacks
    
    
  • SANS Internet Storm Center
    • The Importance of Out-of-Band Networks, (Mon, Dec 6th)
    • December 2021 Forensic Challenge, (Wed, Dec 8th)
    • Webshells, Webshells everywhere! , (Tue, Dec 7th)
    • Phishing Direct Messages via Discord, (Thu, Dec 9th)
    • Python Shellcode Injection From JSON Data, (Fri, Dec 10th)
      
      
  • Securelist
    The story of the year: ransomware in the headlines
    
    
  • Sucuri
    • WooCommerce Credit Card Swiper Injected Into Random Plugin Files
    • PHP Re-Infectors – The Malware that Keeps On Giving
      
      
  • Trustwave SpiderLabs
    Law Enforcement Collaboration Has Eastern-European Cybercriminals Questioning Whether There Is A Safe Haven Anymore
    
    
  • Volexity
    XE Group – Exposed: 8 Years of Hacking & Card Skimming for Profit
    
    
  • WMC Global
    Microsoft Office 365 Voicemail Phishing Attack
    

UPCOMING EVENTS

• Michelle Coan at Amped
  See the Amped Software Training Calendar for 2022!
  
  
• Belkasoft
  [WEBINAR] WeChat Forensics with Belkasoft X
  
  
• Cellebrite
  Webinar Tecnico: ottimizzare il flusso delle tue investigazioni
  
  
• Magnet Forensics
  • Slacking on insider threats? Investigative and monitoring approaches to use within Slack to locate bad actors
  • Tips & Tricks // Remotely Collect from Off-Network Endpoints Using AWS and AXIOM Cyber
  • Tips & Tricks // Acquiring Data from the Cloud
    
    
• Brittany Roberts at ADF
  Best 2022 Digital Forensic Conferences to Attend | In-Person or Online
  
  
• SANS
  Join us for the FREE Virtual Cyber Threat Intelligence Summit 2022!
  

PRESENTATIONS/PODCASTS

• AGDC Services
  How To Extract & Decrypt Qbot Configs Across Variants
  
  
• Basis Technology
  Funny Stories from the Trenches with Harlan Carvey [OSDFCon 2021]
  
  
• Belkasoft
  Learning Process In DFIR, Expert’s Personal Experience —15th Episode of BelkaTalk on DFIR
  
  
• Black Hat
  • Anatomy of Native IIS Malware
  • Symbexcel: Bringing the Power of Symbolic Execution to the Fight Against Malicious Excel 4 Macros
    
    
• Black Hills Information Security
  • BHIS | Intro to Ransomware and Industrial Control Systems (ICS) w/ Ashley Van Hoesen (1-Hour)
  • Talkin’ About Infosec News – 12/09/2021
    
    
• Breaking Badness
  105. The Call Is Coming From Inside the House
  
  
• Heather Mahalik at Cellebrite
  • Digital Intelligence Benchmark Survey Results – Fireside Chat with Mark Gambill and Christian Quinn
  • Top 7 Cellebrite UFED Tip Tuesdays Episodes
  • iOS 15 Cloud Extractions in Cellebrite UFED
  • How to Find Location Artifacts from Weather Data in Cellebrite Physical Analyzer
  • How to Find Location Artifacts from Weather Data in Cellebrite Physical Analyzer
    
    
• Cisco’s Talos
  Talos Takes Ep. #80: I’ll have a blue Christmas without a CTIR retainer
  
  
• DFIRScience
  • Cryptocurrency Investigation – Blockchain basics
  • Win a FREE month of TryHackMe
    
    
• Didier Stevens
  MiTM Cobalt Strike Network Traffic
  
  
• Digital Forensic Survival Podcast
  DFSP # 303 – Mac Artifacts with SUMURI
  
  
• Dump-Guy Trickster
  Full malware analysis Work-Flow of AgentTesla Malware
  
  
• Gerald Auger at Simply Cyber
  • Immediate Threat Purple Teaming with Arien Seghetti
  • Want a Career as a Penetration Tester in Cybersecurity?
  • First Things First – YOUR Cybersecurity Threat Briefing
    
    
• InfoSec_Bret
  SANS ISC – April 2021 Contest: Forensic Challenge
  
  
• John Hammond
  • TryHackMe! Advent of Cyber Day 8 “Santa’s Bag of Toys”
  • NEW DESK SETUP! FlexiSpot Kana Pro Standing Desk EC8
    
    
• Tony Burgess at Barracuda
  Secured.21: Combating the 21 types of OWASP Automated Threats
  
  
• Justin Tolman at AccessData
  Beyond the Button – Episode 2 – exif data structure
  
  
• MSAB
  From crime to court room: Streamline the reporting with XAMN Report Builder
  
  
• OALabs
  IDA Pro Plugins For Malware Reverse Engineering
  
  
• Open Threat Research
  • InfoSec Jupyterthon 2021 – Day 1
  • InfoSec Jupyterthon 2021 – Day 2
    
    
• SANS Institute
  • Oh Crap…Forgot About That One
  • NetWars Tournament of Champions Live Stream | December 16th 6pm ET
  • NetWars Tournament of Champions Live Stream | December 17th 6pm ET
  • Tournament Overview | SANS Core NetWars Tournament of Champions
  • Culture, Collaboration, and Empathy for Cyber Security Leaders
  • Top 10 SANS Summits Talks of 2021
  • SANS Institute Business Case: Softbank
  • Translating Cyber Risk into Business Risk
    
    
• Security Unlocked
  Decoding NOBELIUM
  
  
• This Month in 4n6
  This Month In 4n6 – November – 2021
  
  
• Zeek in Action
  Zeek in Action, Video 11, Examining the Four Types of Network Security Monitoring Data
  

MALWARE

• Alexandre Borges at ‘Exploit Reversing’
  Malware Analysis Series (MAS) – Article 1
  
  
• Hasmik Khachunts at Any.Run
  11 Ways Hackers are Using Automation to Boost Malware Attacks
  
  
• John Requejo at Countercraft
  blueheaven: Command and Control Malware
  
  
• Itay Vanzetti at Deep Instinct
  [Down]loaded by GuLoader Malware
  
  
• Eclypsium
  When Honey Bees Become Murder Hornets
  
  
• Fortinet
  • Mirai-based Botnet – Moobot Targets Hikvision Vulnerability
  • MANGA aka Dark Mirai-based Campaign Targets New TP-Link Router RCE Vulnerability
  • Phishing Campaign Targeting Korean to Deliver Agent Tesla New Variant
    
    
• Patrick Schläpfer at HP Wolf Security
  Emotet’s Return: What’s Different?
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #68: Skippable instructions
  
  
• Intel471
  How the new Emotet differs from previous versions
  
  
• Andrey Polkovnychenko and Shachar Menashe at JFrog
  Malicious npm Packages Are After Your Discord Tokens – 17 New Packages Disclosed
  
  
• PC’s Xcetra Support
  Peeling away the layers of obfuscation from Excel VBA to dll
  
  
• Pete Cowman at Hatching
  Backend updates and family detection improvements
  
  
• Adam Prescott at PWC
  Chasing Shadows: A deep dive into the latest obfuscation methods being used by ShadowPad
  
  
• S2W Lab
  BlackCat : New Rust based ransomware borrowing BlackMatter’s configuration
  
  
• Pedro Tavares at Segurança Informática
  NetWire malware analysis
  
  
• Thomas Roccia
  [Reverse Engineering Tips] — Extracting MSU file
  
  
• Trend Micro
  • The Evolution of IoT Linux Malware Based on MITRE ATT&CK TTPs
  • New Yanluowang Ransomware Found to be Code-Signed, Terminates Database-Related Processes
    
    
• Virus Bulletin
  New paper: Collector-stealer: a Russian origin credential and information extractor
  
  
• Vishal Thakur
  Revix Linux Ransomware
  

MISCELLANEOUS

• Alex Verboon at ‘Anything about IT’
  Defender for Endpoint – unified solution for Windows Server 2012 R2 and 2016 (Part2)
  
  
• Belkasoft
  Belkasoft Customer Survey 2021
  
  
• Cellebrite
  2021 Digital Intelligence Benchmark Survey Results
  
  
• Tanushree Sharma at Cloudflare
  Store your Cloudflare logs on R2
  
  
• Kate McGeever at DME Forensics
  Customizing Workflow to Fit Your Needs in DVR Examiner
  
  
• Doug Metz at Baker Street Forensics
  VS Code Interactive Notebooks
  
  
• EclecticIQ
  The Analyst Prompt #41 Insurance Costs Rise as Attackers Seek to Cash in on Cyber Insurance Payouts
  
  
• Forensic Focus
  • Jesse Lindmar on Digital Forensics Lab Quality Assurance and Accreditation
  • Use of Automated Systems for Rapid Decisions
  • How to Export Report and Media in MD-VIDEO
  • Merged Extractions in Oxygen Forensic Detective
  • Magnet OUTRIDER 3.0 Triage for macOS
  • IoT Network Traffic Analysis: Opportunities and Challenges for Forensic Investigators
    
    
• Frikkylikeme
  Shuffle’s advent giveaway and revenue sharing initiative!
  
  
• Howard Oakley at ‘The Eclectic Light Company’
  Explainer: Quarantine
  
  
• Sergey Soldatov at Kaspersky Lab
  Five steps to prevent burnout in SOC teams | Kaspersky official blog
  
  
• Kevin Pagano at Stark 4N6
  My 2022 Forensic 4Cast Awards Nominations
  
  
• MantaRay Forensics
  VirusShare Hash Sets Q4 2021
  
  
• Eli Sohl at NCC Group
  Announcing NCC Group’s Cryptopals Guided Tour!
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — November 28 to December 11
  
  
• Jeff Gamet at Security Intelligence
  What to Do When a Ransomware Group Disappears
  
  
• Security Onion
  Security Onion Documentation printed book now updated for Security Onion 2.3.90!
  

SOFTWARE UPDATES

• Amped
  Amped Authenticate Update 22874: Introducing VPF Analysis for Video Double Encoding Detection and Improvements to the Shadows Filter
  
  
• ANSSI DFIR-ORC
  v10.1.0-rc8
  
  
• Costas K
  • PrefetchBrowser
  • MFTBrowser.exe (x64)
    
    
• ExifTool
  ExifTool 12.37
  
  
• Marius Genheimer
  blackCatConf
  
  
• Metaspike
  Forensic Email Intelligence v1.2.8012
  
  
• Mihari
  v3.11.0
  
  
• OSForensics
  V9.1 build 1004 9th December 2021
  
  
• radare2
  5.5.2
  
  
• Security Onion
  Security Onion 2.3.90 20211210 Hotfix Now Available to Mitigate log4j Vulnerability!
  
  
• Smart Projects
  IsoBuster 4.9 Beta released
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!