As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• ThinkDFIR
  Tracking screenshots with LNK files
  
  
• Adam at Hexacorn
  Analysing NSRL data set for fun and because… curious, Part 2
  
  
• Awake Security
  Forensic Investigation of the MEGAcmd Client
  
  
• Cellebrite
  • Crime and Terrorism Have Changed: Today’s Investigators Rely on Digital Evidence
  • How Digital Analysts Manage the Impact of Malware
    
    
• Nandeesha B at NII Consulting
  Threat actor groups are targeting VMware Horizon servers running versions affected by Log4Shell vulnerabilities
  
  
• Cyber Social Hub
  Working with Virtual Machines
  
  
• DFIRScience
  • A more efficient NSRL for digital forensics
  • Starting a New Digital Forensic Investigation Case in Autopsy
  • DFIR Community Hardware Fund
    
    
• Didier Stevens
  Windows Explorer: Improper Exif Data Removal
  
  
• Digital Forensics Myanmar
  Digital Forensics Acquisition Process With FTK Imager  (PDF)
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  • Meta Changes at Facebook
  • Ten Years of FotoForensics and Colors
    
    
• Elcomsoft
  • IoT Forensics: Analyzing Apple Watch 3 File System
  • checkm8 Extraction of Apple Watch Series 3
  • Apple Mobile Devices and iOS Acquisition Methods
    
    
• Forensafe
  Investigating Windows 10 Timeline
  
  
• The Incidental Chewtoy
  Decrypting ‘LOCKED Secret Calculator Vault’
  
  
• Marco Fontani at Amped
  The Full Workflow of Speed Estimation 2d in Amped FIVE
  
  
• Maxim Suhanov
  exFAT: orphan file name entries
  
  
• NixIntel
  How To Find Timestamps For Verification
  
  
• Amber Schroader at Paraben Corporation
  EMI Shielding & Why You Need It
  
  
• PWC
  Conti cyber attack on HSE
  
  
• Brian Maloney on the SANS DFIR blog
  Recreating OneDrive’s folder structure from .dat
  
  
• The DFIR Report
  Qbot Likes to Move It, Move It
  

THREAT INTELLIGENCE/HUNTING

• Anomali
  Anomali Cyber Watch: Conti Ransomware Attack, Iran-Sponsored APTs, New Android RAT, Russia-Sponsored Gamaredon, and More
  
  
• Anton Chuvakin
  Who Does What In Cloud Threat Detection?
  
  
• Pablo Martínez and Kurosh Dabbagh at BlackArrow
  AD CS: from ManageCA to RCE
  
  
• Blackberry
  Threat Thursday: BHunt Scavenger Harvests Victims’ Crypto Wallets
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2022-02-07 – BazarLoader infection with Cobalt Strike
  • 2022-02-08 – Files for an ISC diary (Emotet with Cobalt Strike)
  • 2022-01-27 – Customized Atera installer –> ZLoader –> Raccoon Stealer
  • 2022-02-10 – Emotet epoch 5 infection with Cobalt Strike
    
    
• BushidoToken
  CTI Project: Android Banking Trojan Nexus
  
  
• Check Point Research
  7th February– Threat Intelligence Report
  
  
• Hazel Burton at Cisco
  Defending Against Critical Threats: Analyzing Key Trends, Part 2
  
  
• Cisco’s Talos
  Threat Roundup for February 4 to February 11
  
  
• Cofense
  Six-Year Reflection – What is Business Email Compromise Today
  
  
• CrowdStrike
  • Falcon XDR: Extending Detection and Response – The Right Way
  • Falcon XDR: Why You Must Start With EDR to Get XDR
    
    
• Csaba Fitzl at ‘Theevilbit’
  • Beyond the good ol’ LaunchAgents – 26 – Finder Sync Plugins
  • Beyond the good ol’ LaunchAgents – 27 – Dock shortcuts
  • Beyond the good ol’ LaunchAgents – 28 – Authorization Plugins
    
    
• Cybereason
  • Cybereason vs. Lorenz Ransomware
  • THREAT ANALYSIS REPORT: All Paths Lead to Cobalt Strike – IcedID, Emotet and QBot
    
    
• Daniel Pascual at VirusTotal
  MISP and VT Collections
  
  
• Daniel Roberson at DMFR Security
  • 100 Days of YARA – Day 50: libprocesshider
  • 100 Days of YARA – Day 51: bdvl
  • 100 Days of YARA – Day 52: Golang ssh package
  • 100 Days of YARA – Day 53: AutoIt 3
  • 100 Days of YARA – Day 54: Golang protobufs
  • 100 Days of YARA – Day 55: BlisterLoader
    
    
• Darktrace
  • The future of cyber security: Ransomware groups aim for maximum disruption
  • How Conti ransomware took down Operational Technology
    
    
• David Burkett at Signalblur
  Leveling up your Linux Security Monitoring
  
  
• David Okeyode
  Understanding and Protecting local authentication for Azure services — Part 1
  
  
• Timothy Chen at DomainTools
  Iris Detect: A New Way to Discover and Monitor Hostile Domains
  
  
• Anna Skelton at Dragos
  Dragos ICS/OT Ransomware Analysis: Q4 2021
  
  
• EclecticIQ
  The Analyst Prompt #02: Threat Intel for Cryptocurrency, NSO Group Rebranding, and a Distillation of Pwnkit Intel.
  
  
• FBI Cyber
  Indicators of Compromise Associated with LockBit 2.0 Ransomware
  
  
• Ilya Pomerantsev at Group-IB
  Cleaning the atmosphere
  
  
• Patrick Schläpfer at HP Wolf Security
  Attackers Disguise RedLine Stealer as a Windows 11 Upgrade
  
  
• Roger Kay at INKY
  Fresh Phish: Phishers Cast COVID Lures Drawing Victims to Freemail Traps
  
  
• Jan Geisbauer at Empty Datacenter
  Gundog 2
  
  
• Korstiaan Stam at ‘Invictus Incident Response’
  Responding to macOS attacks — Part II
  
  
• Kevin Robins at MaverisLabs
  Gaining Ground
  
  
• Darren Mayes at Microsoft Security
  Detect active network reconnaissance with Microsoft Defender for Endpoint
  
  
• Gijs Hollestelle at Falcon Force
  FalconFriday — Detecting realistic AWS cloud-attacks using Azure Sentinel — 0xFF1C
  
  
• Osama Elnaggar
  Threat Hunting with Elastic Stack – In-depth Book Review
  
  
• Penetration Testing Lab
  Shadow Credentials
  
  
• Pepe Berba
  Hunting for Persistence in Linux (Part 5): Systemd Generators
  
  
• Pete Cowman at Hatching
  New versions and new families
  
  
• Konstantin Klinger, Joshua Miller, and Georgi Mladenov at Proofpoint
  Ugg Boots 4 Sale: A Tale of Palestinian-Aligned Espionage
  
  
• Sam Langrock at Recorded Future
  How Ransomware Gangs Use Automation, and How You Can Beat It
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, December 2021
  
  
• RiskIQ
  RiskIQ Threat Intelligence Roundup: QBot, Magecart, Agent Tesla Headline Hijacked Infrastructure  
  
  
• SANS Internet Storm Center
  • web3 phishing via self-customizing landing pages, (Mon, Feb 7th)
  • Example of Cobalt Strike from Emotet infection, (Wed, Feb 9th)
  • CinaRAT Delivered Through HTML ID Attributes, (Fri, Feb 11th)
  • Zyxel Network Storage Devices Hunted By Mirai Variant, (Thu, Feb 10th)
    
    
• Sansec
  NaturalFreshMall: a mass store hack
  
  
• Security Investigation
  • Most Common Antivirus Evasion and Bypass Techniques
  • CVE-2021-4034 – Polkit Vulnerability Exploit Detection
    
    
• Tom Hegel at SentinelOne
  ModifiedElephant APT and a Decade of Fabricating Evidence
  
  
• Tareq Alkhatib
  What Does Deprecating WMIC Mean to the Blue Team?
  
  
• Teri Radichel
  Abstraction and MITRE ATT&CK
  
  
• Joe Helle
  Windows Persistence Using WSL2
  
  
• Adam Chester at TrustedSec
  Object Overloading
  
  
• Uptycs
  Attackers Increasingly Adopting Regsvr32 Utility Execution Via Office Documents
  
  
• Ed Lin at Varonis
  Identify and Investigate Business Email Compromise Scams | Varonis
  
  
• WeLiveSecurity
  ESET Threat Report T3 2021
  

UPCOMING EVENTS

• Israel Barak, Tim Amey, and JJ Cranford at Cybereason
  Webinar February 24th 2022: Live Attack Simulation – Ransomware Threat Hunter Series
  
  
• Cyborg Security
  Thinking like a threat actor: Hunting the ghost in the machine
  
  
• Trey Amick and Drew Roberts at Magnet Forensics
  Introducing Magnet AUTOMATE Enterprise
  
  
• Scythe
  UniCon 2022
  
  
• Vicente Díaz at VirusTotal
  Build a Champion SOC with VirusTotal and Palo Alto Networks Cortex XSOAR
  

PRESENTATIONS/PODCASTS

• Alexander Adamov at ‘Malware Research Academy’
  Analysis of WhisperGate destroyers (PROMIS Webinar)
  
  
• Black Hills Information Security
  • The Azure Sandbox – Purple Edition 
  • Talkin’ About Infosec News – 2/11/2022
    
    
• BlueMonkey 4n6
  CAINE – 14 – Ophcrack – Windows password cracker
  
  
• CactusCon
  CactusCon 2022
  
  
• Heather Mahalik at Cellebrite
  • ALeapp for Android Devices: Parsing Even More Data
  • Images and Export Options in Cellebrite Physical Analyzer
  • Network Usage   Cellebrite Physical Analyzer
  • ProtonMail Built-in Parser in Cellebrite Physical Analyzer
  • Investigative Workflow Pain Points – Cellebrite Guardian
  • How to Find Location Artifacts from Weather Data in Cellebrite Physical Analyzer
  • iOS 15 Cloud Extractions in Cellebrite UFED
  • How to Use Guidance Mode and SOPs in Cellebrite UFED
    
    
• Cisco’s Talos
  Beers with Talos, Ep. #116: Let’s wade into the MuddyWater filled with Vipers
  
  
• Day Cyberwox
  Career Paths for Cybersecurity Analysts
  
  
• DFIRHub
  05 Windows DFIR – EventLogs | Digital Forensics & Incident Response [Arabic]
  
  
• Digital Forensic Survival Podcast
  • DFSP # 311 – Data Spoliation Fast Triage
  • DFSP # 312 – Cloud Network Security Services
    
    
• InfoSec_Bret
  • End User Submission – Reddit0
  • IR – SOC152-100 – Encrypted Files Detected
    
    
• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Theory – Overview to Malware Vaccines
  
  
• LetsDefend
  Being a Content Creator in InfoSec
  
  
• Magnet Forensics
  • Multiple Request Submission in ATLAS 3.0
  • Using the new Task Manager in ATLAS 3.0
  • DVR Examiner Integration in AUTOMATE 3.0
  • Device Platform Autodetection in AUTOMATE 3.0
  • Coming Soon in Magnet REVIEW 4.0: Primary/Secondary Artifact Classification and Multi-Artifact View
  • Magnet AXIOM Cyber to support eDiscovery
  • Magnet AXIOM Cyber for Incident Response Investigations
  • Magnet AXIOM Cyber for Employee Misconduct Investigations
  • Leveraging the Cloud to Get More Data in Your Mobile Investigations
  • Rapid Ransomware Response: A Survival Guide
  • Tips & Tricks // Deep Dive into DVR Examiner
    
    
• MRE Conference
  Threat Intelligence Webinar
  
  
• OALabs
  Quick Tips For Learning Assembly and Reverse Engineering at The Same Time
  
  
• Richard Frawley at ADF
  Solving Financial Crimes: Preparing for a Financial Crime Investigation
  
  
• SANS
  • You Get What You Ask For: Building Intelligent Teams for CTI Success – CTI Summit 2022
  • Visions, Priorities and Strategy – Oh My!
    
    
• X-Force
  Analyzing PowerShell Payloads – Part 7
  
  
• Zeek in Action
  Zeek in Action, Video 13, Running Brim Inside Windows Sandbox
  

MALWARE

• ASEC
  • Phishing Script Files Being Distributed by Impersonating Various Groupware
  • ASEC Weekly Malware Statistics (January 17th, 2022 – January 23rd, 2022)
  • Distribution of Kimsuky Group’s xRAT (Quasar RAT) Confirmed
  • Emotet Being Distributed in Korea via Excel Files
  • Phishing Email Disguised as a Well-Known Korean Web Portal
  • ASEC Weekly Malware Statistics (January 31st, 2022 – February 6th, 2022)
    
    
• Atomic Matryoshka
  Basic PDF Analysis – Formbook Malware
  
  
• Avast Threat Labs
  Decrypted: TargetCompany Ransomware
  
  
• Blake’s R&D
  How would you analyse 200,000 executables?
  
  
• CERT-AGID
  È in corso una nuova campagna malware sLoad veicolata tramite PEC
  
  
• Alexey Bukhteyev at Check Point Research
  Invisible Sandbox Evasion
  
  
• Vanja Svajcer and Vitor Ventura at Cisco’s Talos
  What’s with the shared VBA code between Transparent Tribe and other threat actors?
  
  
• CodeColorist
  Photographers WannCry (2017)
  
  
• Doug Burks at Security Onion
  • Quick Malware Analysis: Bazarloader and Cobalt Strike pcap from 2022-02-04
  • Quick Malware Analysis: Bazarloader and Cobalt Strike pcap from 2022-02-07
  • Quick Malware Analysis: Atera ZLoader and Raccoon Stealer pcap from 2022-01-27
    
    
• hasherezade’s 1001 nights
  Ida tips: how to use a custom structure
  
  
• Hex Rays
  • Introducing the IDAClang Tutorial
  • Introducing the ‘Patching’ plugin
  • Igor’s tip of the week #76: Quick rename
    
    
• Joakim Kennedy at Intezer
  Radare Plugin is Here for Intezer Community
  
  
• Malwarebytes Labs
  • “We absolutely do not care about you”: Sugar ransomware targets individuals
  • Ransomware author releases decryption keys, says goodbye forever
    
    
• Muhammad Hasan Ali
  Full Hancitor malware analysis
  
  
• S2W Lab
  Post Mortem of KlaySwap Incident through BGP Hijacking
  
  
• Secjuice
  Threat Intelligence: Intelligence Requirement
  
  
• Suguru Ishimaru at Securelist
  Roaming Mantis reaches Europe
  
  
• Pedro Tavares at Segurança Informática
  HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
  
  
• Tony Lambert
  • AgentTesla From RTF Exploitation to .NET Tradecraft
  • XLoader/Formbook Distributed by Encrypted VelvetSweatshop Spreadsheets
    
    
• Sunil Bharti and Nitesh Surana at Trend Micro
  Detecting PwnKit (CVE-2021-4034) Using Trend Micro™ Vision One™ and Cloud One™
  

MISCELLANEOUS

• Michelle Coan at Amped
  Launching the Amped FIVE Training Modules
  
  
• Olga Milishenko at Atola
  Image. Anything. Fast.  What makes TaskForce the ultimate forensic imager
  
  
• Belkasoft
  Magic wand or scientific approach? Myths and realities about digital forensic software
  
  
• Brett Shavers
  I lived a double life.
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Update 2/12/22
  
  
• Forensic Focus
  • Mason Toups and Emre Tinaztepe on Efficient Incident Response Through Collaboration
  • Chip Chop: Smashing the Mobile Phone Security Chip for Fun and Digital Forensics
  • Exterro Law Enforcement Grant Program Announces 2021 Recipients
  • Discover How GrayKey Provides Critical Evidence in Sexual Assault and Robbery Case
  • Cellebrite Pioneers Industry-First Remote Mobile Device Data Collection Solution
  • Magnet Forensics Introduces Magnet AUTOMATE Enterprise
  • Robust Malware Detection Models: Learning From Adversarial Attacks and Defenses
  • The Latest Guide to Discover Meaningful Data from Samsung Secure Folder
  • New Release From MSAB: Recover Even More Digital Evidence From Apps With XRY 10.0.1
    
    
• Leonardo M. Falcon
  How is an Incident Response Retainer Essential For Your Success?
  
  
• Magnet Forensics
  • Coming Soon in Magnet REVIEW 4.0: New Device Dashboard, Customizable Artifact Views, Chat Thread Previews, and More
  • Custom Fields: New Feature in DVR Examiner
    
    
• MobilEdit
  Apple Watch Connection Kit
  
  
• Laura Brosnan and Stuart Smith at Red Canary
  Cyber insurance in the age of ransomware
  
  
• SANS
  SANS DFIR Course Roadmap and Job Role Matrix
  
  
• Doug Burks at Security Onion
  Security Onion Documentation printed book now updated for Security Onion 2.3.100!
  
  
• Mail Xaminer
  • Working With Keywords Using The Mailxaminer Tool
  • Working With Advanced Filters – Mailxaminer Tool

SOFTWARE UPDATES

• Alexis Brignoni
  iLEAPP v1.17.0
  
• AbdulRhman Alfaifi
  Fennec v0.1.0
  
• Apache
  Apache Tika – Release 1.28.1 – 2/8/2022
  
• Brian Maloney
  OneDriveExplorer v2022.02.11
  
• Cyber Triage
  Cyber Triage 3.1.0 Update is Live
  
• Didier Stevens
  Update: jpegdump.py Version 0.0.9
  
• Elcomsoft
  Elcomsoft iOS Forensic Toolkit 8.0 beta 5: forensically sound checkm8 extraction of Apple Watch 3
  
• Eric Zimmerman
  ChangeLog
  
• ExifTool
  ExifTool 12.40
  
• Exterro
  FTK Imager 4.7
  
• Foxton Forensics
  BrowseHound
  
• Magnet Forensics
  • New in Magnet AUTOMATE 3.0: DVR Examiner Integration, Warrant Return Processing, Device Platform Autodetection, and more
  • New in Magnet ATLAS 3.0: Improved Task Manager, File Attachment Upload API, and More
  • See What’s New in the Magnet Digital Investigation Suite
    
• Metaspike
  Forensic Email Intelligence 1.4.8077
  
• Mihari
  v4.1.2
  
• MSAB
  Released today: Recover even more digital evidence from apps with XRY 10.0.1
  
• Polito Inc.
  X-Ways-HashExporter-Extension
  
• Xways
  X-Ways Forensics 20.5 Preview 4
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!