As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Bart Butler at ProtonMail
  A breakdown of a DKIM replay attack
  
  
• James Merritt at CCL Solutions
  Relativity Processing vs. Nuix Workstation
  
  
• Roman Ferdigg at Certitude
  Ransomware Actor May Have Leaked Their Previous Victims
  
  
• Craig Ball at ‘Ball in your Court’
  Electronic Evidence Workbook 2022
  
  
• Paul Pratley and Mark Goudie at CrowdStrike
  CrowdStrike Services Offers Incident Response Tracker for the DFIR Community
  
  
• Cyber Social Hub
  Rooting Microsoft Surface Duo
  
  
• Joshua I. James at DFIRScience
  Bitcoin forensics – visualizing blockchain transactions with Maltego
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Say No to Screenshots
  
  
• Oleg Afonin at Elcomsoft
  Agent-based full file system and keychain extraction: now up to iOS 14.8 (incl.)
  
  
• Forensafe
  • Investigating Windows Wireless Networks
  • Investigating USB Devices
    
    
• Hal Pomeranz at ‘Righteous IT’
  XFS Part 6 – B+Tree Directories
  
  
• Herbie Zimmerman at “Lost in Security”
  2022-01-09 First Round with Brim Using December’s Malware Traffic Exercise
  
  
• InfoSec Write-ups
  • EscapeRoom — PCAP Analysis with Wireshark
  • CyberDefenders | L’espion
    
    
• Md. Abdullah Al Mamun at Intarna
  Initial Steps For Investigating Compromised Website
  
  
• Jordan Klepser
  DetectionHistory Parser
  
  
• Kevin Pagano at Stark 4N6
  Shutdown Checkpoints in Android 12
  
  
• LetsDefend
  Phishing Email Analysis
  
  
• Maxim Suhanov
  macOS & FAT directories
  
  
• Megi Pramesti at MII Cyber Security
  HAYABUSA — Windows Event Log Fast Forensics Timeline Generator and Threat Hunting Tool
  
  
• The Incidental Chew Toy
  Decrypting ‘WeVault’
  
  
• Chris Camejo at TrustedSec
  • Real or Fake? How to Spoof Email
  • Real or Fake? Spoof-Proofing Email With SPF, DKIM, and DMARC
    
    
• Yönetici
  Analysis of Registry Files (Registry Forensic)
  

THREAT INTELLIGENCE/HUNTING

• Log4shell
  • CVE-2021-44228 Log4Shell: Preparing a Virtual Environment using VirtualBox
  • CVE-2021-44228 Log4jShell: Setting Up Virtual Machines for the Attacker and Victim
  • CVE-2021-44228: Exploiting Log4j Vulnerabilities using Rogue JNDI
  • APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit
  • Log4j vulnerability, supply chain attacks and SBOMs
  • Investigate Log4Shell exploits with Elastic Security and Observability
  • Log4j Exploitation Walkthrough(CVE-2021–44228) — INE Labs
  • Log4J/Log4Shell Video Glossary
  • Log4j One Month On | Crimeware and Exploitation Roundup
    
    
• Suqitian at 360 Netlab
  用DTA照亮DNS威胁分析之路 (2)
  
  
• Adam at Hexacorn
  Beyond good ol’ Run key, Part 135
  
  
• Yelisey Boguslavskiy at Advanced Intelligence
  Storm in “Safe Haven”: Takeaways from Russian Authorities Takedown of REvil
  
  
• ASEC
  ASEC Weekly Malware Statistics (January 3rd, 2022 – January, 9th 2022)
  
  
• Jan Vojtěšek at Avast Threat Labs
  Exploit Kits vs. Google Chrome
  
  
• Josue Ledesma at Bitdefender
  What is an APT?
  
  
• Brian Laskowski at Blumira
  SIEM Alerts To Expect During a Pentest
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2022-01-11 – Emotet activity
  • 2022-01-07 – Traffic analysis exericse – Spoonwatch
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 08 – 14 gennaio 2022
  
  
• Check Point Research
  • 10th January– Threat Intelligence Report
  • December 2021’s Most Wanted Malware: Trickbot, Emotet and the Log4j plague
    
    
• Christophe Tafani-Dereeper
  Implementing a Vulnerable AWS DevOps Environment as a CloudGoat Scenario
  
  
• Cisco’s Talos
  • Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure
  • Threat Source Newsletter (Jan. 13, 2022)
  • Threat Roundup for January 7 to January 14
    
    
• Cluster25
  2021 Ransomware Bulletin: Recent, Past and Near Future of Cyber Extortion
  
  
• Jason Trost
  10 Short links on Cybersquatting domain detection
  
  
• CrowdStrike
  • noPac Exploit: Latest Microsoft AD Flaw May Lead to Total Domain Compromise in Seconds
  • Linux-Targeted Malware Increases by 35% in 2021: XorDDoS, Mirai and Mozi Most Prevalent
    
    
• Curated Intelligence
  • OSINT on REvil
  • BlackVue dashcam privacy leaks disclosed
  • Reversing Rook Ransomware
    
    
• Niv Yona, Ofir Ozer, Chen Erlich, Omri Refaeli, and Daichi Shimabukuro at Cybereason
  Threat Analysis Report: DatopLoader Exploits ProxyShell to Deliver QBOT and Cobalt Strike
  
  
• Brian P. Mohr at CyberMohr
  Ensure Critical Log Collection in Microsoft Sentinel
  
  
• Tristan De Souza at Cyjax
  Geopolitical and Cybersecurity Weekly Brief – 10 January 2022
  
  
• Daniel Roberson at DMFR Security
  • 100 Days of YARA – Day 21: DCRat
  • 100 Days of YARA – Day 22: Parent Process ID Spoofing
  • 100 Days of YARA – Day 23: socat
  • 100 Days of YARA – Day 24: Run Keys
  • 100 Days of YARA – Day 25: Hive Ransomware Obfuscated Strings
  • 100 Days of YARA – Day 26: Merlin C2
  • 100 Days of YARA – Day 27: LOKI2
  • 100 Days of YARA – Day 28: pyinstaller
    
    
• Eclypsium
  The iLOBleed Implant: Lights Out Management Like You Wouldn’t Believe
  
  
• Elastic
  • Linux malware protection in Elastic Security
  • Identifying beaconing malware using Elastic
    
    
• Shunichi Imano and Fred Gutierrez at Fortinet
  COVID Omicron Variant Lure Used to Distribute RedLine Stealer
  
  
• Huntress
  • Ransomware Canaries: A 2022 Update
  • Threat Advisory: VMware Horizon Servers Actively Being Hit With Cobalt Strike
    
    
• Huseyin Rencber
  Yara Kural Yapısı ve Kullanımı
  
  
• Koen Van Impe
  Visualising MISP galaxies and clusters
  
  
• Mandiant
  • What’s Better Than Free Threat Intelligence?
  • Proactive Preparation and Hardening to Protect Against Destructive Attacks
    
    
• Microsoft Security
  Destructive malware targeting Ukrainian organizations
  
  
• Roy Golombick at Minerva Labs
  Windows Defender Vulnerability allows anyone to read AV exclusions
  
  
• Michael Gorelik at Morphisec
  How to Stop Ransomware: Breach Prevention vs. Cobalt Strike Backdoor
  
  
• Olaf Hartong at Falcon Force
  FalconFriday — Suspicious named pipe events — 0xFF1B
  
  
• Cecilia Hu, Tao Yan, Taojie Wang and Jin Chen at Palo Alto Networks
  The Year in Web Threats: Web Skimmers Take Advantage of Cloud Hosting and More
  
  
• Patrick Wardle at ‘Objective-See’
  SysJoker
  
  
• Penetration Testing Lab
  Domain Escalation – sAMAccountName Spoofing
  
  
• Recorded Future
  • Combating Human Trafficking With Threat Intelligence — Prevention
  • How to Make the Attack Lifecycle Actionable with Intelligence
  • FIN7 Uses Flash Drives to Spread Remote Access Trojan
    
    
• Jimmy Astle and Matt Graeber at Red Canary
  Better know a data source: Antimalware Scan Interface
  
  
• Robert M. Lee
  Structuring Cyber Threat Intelligence Assessments: Musings and Recommendations
  
  
• SANS Internet Storm Center
  • Extracting Cobalt Strike Beacons from MSBuild Scripts, (Sun, Jan 9th)
  • A Quick CVE-2022-21907 FAQ (work in progress), (Wed, Jan 12th)
  • Use of Alternate Data Streams in Research Scans for index.jsp., (Fri, Jan 14th)
    
    
• Seongsu Park and Vitaly Kamluk at Securelist
  The BlueNoroff cryptocurrency hunt is still on
  
  
• Anusthika Jeyashankar at Security Investigation
  How DNS Tunneling works – Detection & Response
  
  
• Dave Getman at SentinelOne
  Rapid Response with XDR One-Click Remediations
  
  
• Amitai Ben Shushan Ehrlich at SentinelOne
  Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor
  
  
• Tareq Alkhatib
  How To Use ATT&CK’s Application Datasource
  
  
• That Intel Blog
  Post #1 Intelligence Requirements
  
  
• The Citizen Lab
  • Proyecto Torogoz: Hackeo extensivo de los medios de comunicación y la sociedad civil en El Salvador con el programa espía Pegasus
  • Project Torogoz: Extensive Hacking of Media & Civil Society in El Salvador with Pegasus Spyware
    
    
• Siddharth Sharma at Uptycs
  Cryptominer Campaign Targeting Vmware vsphere Services for Coin Mining
  
  
• US Cyber Command
  Iranian intel cyber suite of malware uses open source tools
  
  
• Jason Reaves and Joshua Platt at Walmart
  Signed DLL campaigns as a service
  
  
• Xorhex
  • ImHex Pattern and YARA Functionality
  • Day 6 of 100 Discontiguous Days of YARA
  • Day 7 of 100 Discontiguous Days of YARA
    

UPCOMING EVENTS

• Basis Technology
  Log Parser as a Forensic Tool
  
  
• Cellebrite
  Hello 2022: Annual Update of Cellebrite Digital Intelligence Solutions
  
  
• Kristian Lars Larsen at Data Narro
  Your 2022 Guide to eDiscovery Conferences (U.S.-based)
  
  
• Magnet Forensics
  • The Basics of Forensic Video Recovery with DVR Examiner
  • PowerShell Tools for IR Forensics Collection
    
    
• Pavel Yosifovich
  Planned Upcoming Classes
  
  
• SANS
  ICS Security Summit 2022: What to Expect
  

PRESENTATIONS/PODCASTS

• Archan Choudhury at BlackPerl
  Incident Response Training, Persistence Techniques- Day 17
  
  
• Black Hills Information Security
  Talkin’ About Infosec News – 1/14/2021
  
  
• BlueMonkey 4n6
  How to disable automount in Windows – tutorial
  
  
• Brakeing Down Security Podcast
  OSS sustainability, log4j fallout, developer damages own code-p1
  
  
• Cellebrite
  Top 10 Tip Tuesdays for Cellebrite Physical Analyzer
  
  
• Cisco’s Talos
  • Beers with Talos, Ep. #114: And then there were two…
  • Talos Takes Ep. #82: Log4j followed us in 2022
    
    
• Countercraft
  Cobalt Strike Explained—What it is and How to Detect it | Founder Chat
  
  
• Day Cyberwox
  • Cloud Detection Project in Azure with CharlesQ (@Cyberwox Academy Co-Founder)
  • I’m Taking Fewer Certifications in 2022…Here’s Why
  • TOP 2 False Positive Alerts Triaged by Cybersecurity Analysts
  • Blue Team Level 1 (BTL1) Final Study Session
    
    
• Digital Forensic Survival Podcast
  • DFSP # 306 – Lateral MM Fast Triage 5
  • DFSP # 307 – Career Strategy Checkup
  • DFSP # 308 – Cloud Access Controls
    
    
• InfoSec_Bret
  IR – SOC151-99 – Unauthorized Root Access
  
  
• John Hubbard at SecHubb
  A Brief Discussion on Cyber Attack Metrics: Are Cyber Attacks Growing in 2022? By How Much?
  
  
• Mac Admins podcast
  Episode 247: Cat Part Deux
  
  
• Magnet Forensics
  • Tips & Tricks // Acquiring WhatsApp Data: There’s More Than One Way to Get the Data
  • Security Incidents WILL Happen
  • Tips & Tricks // Magnet AXIOM Cyber Remote Agent
  • DFIRL Episode 03: Murder of Laramie Cline
    
    
• Mike Cohen
  Linux Conf Au 2022
  
  
• Nicolas Brulez at Hexorcist
  Reverse Engineering Tutorial for Beginners: Retro Crackme 2
  
  
• Nuix
  Responding to the Log4Shell Vulnerability using Nuix Adaptive Security (overview)
  
  
• SANS Institute
  • SOC 2 TSCs
  • 2021 SANS+HBCU Year in Review
  • Do This 1 Thing | Leadership Water Cooler
    
    
• Sumuri
  Using Templates in RECON ITR
  
  
• X-Force
  • Analyzing PowerShell Payloads – Part 1
  • Analyzing PowerShell Payloads – Part 2
  • Analyzing PowerShell Payloads – Part 3
    

MALWARE

• Alexandre Borges at ‘Exploit Reversing’
  Malicious Document Analysis: Example 2
  
  
• ASEC
  • Infostealer Disguised as Well-Known Korean Web Portal File
  • Magniber Ransomware Being Distributed via Edge and Chrome
    
    
• Atomic Matryoshka
  • Malware Headliners: Dridex
  • Malware Headliners: Qakbot
    
    
• Blackberry
  Threat Thursday: Jupyter Infostealer is a Master of Disguise
  
  
• Matt Muir at Cado Security
  Abcbot – An Evolution of Xanthe
  
  
• CERT-AGID
  • Nuova campagna malware sLoad veicolata via PEC
  • In atto campagna massiva Gozi/Urnsif veicolata come una comunicazione della Agenzia delle Entrate
    
    
• Anmol Maurya at CrowdStrike
  TellYouThePass Ransomware Analysis Reveals a Modern Reinterpretation Using Golang
  
  
• Cryptax
  Multidex trick to unpack Android/BianLian
  
  
• Patrick Schläpfer at HP Wolf Security
  How Attackers Use XLL Malware to Infect Systems
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #72: More string literals
  
  
• Intezer
  • New SysJoker Backdoor Targets Windows, Linux, and macOS
  • How to Analyze Malicious Microsoft Office Files
  • Detection Rules for Sysjoker (and How to Make Them With Osquery)
    
    
• John Hammond
  Async RAT – Batch Obfuscation
  
  
• Lab52
  • TokyoX: DLL side-loading an unknown artifact
  • TokyoX: DLL side-loading an unknown artifact (Part 2)
    
    
• Netskope
  • Netskope Threat Coverage: Night Sky
  • Abusing Microsoft Office Using Malicious Web Archive Files
    
    
• Pete Cowman at Hatching
  New Year, New Family Updates
  
  
• Security Onion
  • Quick Malware Analysis: TA551 / SHATHAK / IcedID / BOKBOT with Cobalt Strike pcap from 2022-01-05
  • Quick Malware Analysis: TA551 / SHATHAK / IcedID / BOKBOT pcap from 2022-01-06
    
    
• Security Onion
  Quick Malware Analysis: Emotet pcap from 2022-01-11
  
  
• Tony Lambert
  Inspecting a PowerShell Cobalt Strike Beacon
  
  
• Lloyd Macrohon and Rodel Mendrez at Trustwave SpiderLabs
  Decrypting Qakbot’s Encrypted Registry Keys
  

MISCELLANEOUS

• Adam at Hexacorn
  • Windows Installation animation
  • ms-cxh and ms-cxh-full handlers
    
    
• Anton Chuvakin
  • New Paper: “Future Of The SOC: Process Consistency and Creativity: a Delicate Balance” (Paper 3 of…
  • Left of SIEM? Right of SIEM? Get It Right!
    
    
• Brett Shavers
  There are Only Two things That set you Apart from Another DFIR Practitioner
  
  
• AboutDFIR
  • My Experience: FOR508 & GCFA
  • AboutDFIR Site Content Update 1/15/22
    
    
• Anthony M. Freed at Cybereason
  EDR, MDR and XDR – What Are the Differences?
  
  
• Garry Dukes at DME Forensics
  What is the DVR Password?
  
  
• Bryan Geraldo at Expel
  Threat hunting: Build or buy?
  
  
• Forensic Focus
  • Protected: Video Fraud
  • Magnet Forensics’ Stephen Boyce on Collaboration, Automation, and Developing DFIR Skills
  • Who’s Using Amped Software Products?
  • Empower Your Investigation With On-Site Forensic Tool, MD-LIVE
  • The Potential of Digital Traces in Providing Evidence at Activity Level
  • Passware Kit Mobile – Now with iOS 15.2 Support
  • Be That Trusted Advisor
  • Launching the Binalyze Forensic Investigation Suite
    
    
• Tom Kopchak at Hurricane Labs
  Deploying the Splunk Universal Forwarder on Linux
  
  
• LimaCharlie
  LimCharlie & Velociraptor Enable the Automation of Deep Forensic Capability
  
  
• Magnet Forensics
  Employee Misconduct: the Great Threat – How to Keep Your Business Safe and Productive
  
  
• NCC Group
  NCC Group’s 2021 Annual Research Report
  
  
• James Robinson and Vadon Willis at Netskope
  Building Out SaaS Incident Response Capabilities
  
  
• Nextron Systems
  Product Surveys – Tell us what you think
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — January 9 to January 15
  
  
• SANS
  Instructor Spotlight: Serge Borso
  
  
• Abby Ross at Security Intelligence
  The Best Threat Hunters Are Human
  
  
• Security Onion
  Coming Soon in Security Onion 2.3.100!
  
  
• Shannon Brazil
  Check out @4n6lady’s tweet
  
  
• Alberto Pellitteri at Sysdig
  Malicious modifications to open source projects affecting thousands – Sysdig Secure
  

SOFTWARE UPDATES

• Amped
  Amped FIVE Update 23195: Speed Estimation 2d
  
  
• ANSSI DFIR-ORC
  v10.1.0-rc9
  
  
• Capa
  v3.1.0
  
  
• DFIRTrack
  v2.3.0
  
  
• Elcomsoft
  iOS Forensic Toolkit 7.10 adds low-level extraction for iOS 14.4 through 14.8
  
  
• ExifTool
  ExifTool 12.39
  
  
• Hasherezade
  pe-bear 0.5.5.2
  
  
• Maxim Suhanov
  dfir_ntfs 1.1.3
  
  
• Metaspike
  Forensic Email Intelligence v1.3.8049
  
  
• Volatility Foundation
  Volatility 3 2.0.0
  
  
• Rizin Organisation
  Cutter 2.0.5
  
  
• Xways
  X-Ways Forensics 20.5 Preview 1
  
  
• YARA
  YARA v4.2.0-rc1
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!