As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• 4Discovery
  The Forged PDF
  
  
• ADEO Cyber Security Services
  Chupacabra Digital Forensic Training Set 2022 by ADEO DFIR Team
  
  
• Angry-Bender’s blog house
  • Cobalt Strike Decoding
  • Handy DFIR Excel Formulas
    
    
• Yulia Samoteykina at Atola
  RAID imaging made easy with Atola TaskForce 
  
  
• Cellebrite
  The Small Agency Guide to Modernizing Investigations
  
  
• Dan Maunz at Cisco
  Cisco StarOS Forensic Guide Published
  
  
• Forensafe
  Investigating Timezone Information
  
  
• Kevin Pagano at Stark 4N6
  Check Marks the Spot – Google Tasks from Takeout
  
  
• Kyle Song
  Blog #34: How to Decrypt Spycam Full Disk Encryption
  
  
• Magnet Forensics
  Collecting Google Drive Activity in Magnet AXIOM Cyber
  
  
• Lauren Podber and Stef Rand at Red Canary
  Raspberry Robin gets the worm early
  

THREAT INTELLIGENCE/HUNTING

• Ahmed Musaad
  Stream Okta Logs To Your Log Collector
  
  
• Francis Guibernau and Jackson Wells at AttackIQ
  Attack Graph Response to UNC1151 Continued Targeting of Ukraine
  
  
• Avast Threat Labs
  Avast Q1/2022 Threat Report
  
  
• Marshall Jones at AWS Security
  How to use new Amazon GuardDuty EKS Protection findings
  
  
• Blackberry
  • Threat Thursday: ZingoStealer – The Cost of “Free”
  • Black Basta: Rebrand of Conti or Something New?
    
    
• BleepingComputer
  • REvil ransomware returns: New malware sample confirms gang is back
  • Open source ‘Package Analysis’ tool finds malicious npm, PyPI packages
  • Conti, REvil, LockBit ransomware bugs exploited to block encryption
    
    
• Brad Duncan at Malware Traffic Analysis
  2022-05-03 – Contact Forms campaign –> Bumblebee –> Cobalt Strike
  
  
• BushidoToken
  Gamer Cheater Hacker Spy
  
  
• CERT Ukraine
  • Масове розповсюдження шкідливої програми JesterStealer з використанням тематики хімічної атаки (CERT-UA#4625)
  • Cyberattack by the APT28 group using CredoMap_v2 malware (CERT-UA#4622)
  • Кібератака групи APT28 із застосуванням шкідливої програми CredoMap_v2 (CERT-UA#4622)
  • Mass distribution of JesterStealer malware exploiting the topic of chemical attack (CERT-UA#4625)
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 30 aprile – 06 maggio 2022
  
  
• Check Point Research
  2nd May – Threat Intelligence Report
  
  
• Cisco
  Detecting Targeted Attacks on Public Cloud Services with Cisco Secure Cloud Analytics
  
  
• Cisco’s Talos
  • Conti and Hive ransomware operations: What we learned from these groups’ victim chats
  • Mustang Panda deploys a new wave of malware targeting Europe
  • Threat Source newsletter (May 5, 2022) — Emotet is using up all of its nine lives
  • Threat Roundup for April 29 to May 6
    
    
• Cofense
  • Energy/Infrastructure Enterprises Targeted by HTML Phishing Campaign
  • BEC: CEO Gift Card Scams
  • Cofense Annual Phishing Report Highlights 10 Point Increase in Credential Phishing
    
    
• Sven Defatsch at Compass Security
  BloodHound Inner Workings & Limitations – Part 1: User Rights Enumeration Through SAMR & GPOLocalGroup
  
  
• Richard Bejtlich at Corelight
  Network evidence for defensible disclosure
  
  
• Coveware
  Ransomware Threat Actors Pivot from Big Game to Big Shame Hunting
  
  
• CrowdStrike
  • Compromised Docker Honeypots Used for Pro-Ukrainian DoS Attack
  • How Falcon OverWatch Spots Destructive Threats in MITRE Adversary Emulation
  • macOS Malware Is More Reality Than Myth: Popular Threats and Challenges in Analysis
    
    
• Cybereason
  • Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation
  • Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques
  • Operation CuckooBees: A Winnti Malware Arsenal Deep-Dive
  • The Global Impact of Operation CuckooBees
    
    
• Cyberknow
  Update 13. 2022 Russia-Ukraine war — Cyber group tracker. May 1.
  
  
• Cyble
  Water and Wastewater treatment facilities vulnerable to Cyber Attacks
  
  
• Cyborg Security
  Cyber Threat Hunting – What Is It, Really?
  
  
• Ivan Righi at Digital Shadows
  ALPHV: The First Rust-Based Ransomware
  
  
• DomainTools
  A Sticky Situation Part 1: The Pervasive Nature of Credit Card Skimmers
  
  
• Dosxuz
  Poor Man’s Threat Hunting
  
  
• Abdulrahman H. Alamri at Dragos
  Dragos ICS/OT Ransomware Analysis: Q1 2022
  
  
• EclecticIQ
  The Analyst Prompt #08: EclecticIQ Data Show Emotet Gained Momentum in Recent Months
  
  
• Esentire
  AsyncRAT Activity
  
  
• F-secure
  Scheduled Task Tampering
  
  
• Formobile
  Mobile Forensics – The File Format Handbook
  
  
• Axelle Apvrille at Fortinet
  Warning: GRIM and Magnus Android Botnets are Underground
  
  
• Gemini Advisory
  Russian Invasion of Ukraine and Sanctions Portend Rise in Card Fraud
  
  
• Billy Leonard at Google Threat Analysis Group
  Update on cyber activity in Eastern Europe
  
  
• Hardik Manocha at Fourcore
  The Curious Case Of Mavinject.Exe
  
  
• Dray Agha at Huntress
  What Is Defense Evasion?
  
  
• InfoSec Write-ups
  The ABCs of Kerberoasting
  
  
• Intel471
  Cybercrime loves company: Conti cooperated with other ransomware gangs
  
  
• Jeffrey Appel
  Detect and block Credential Dumps with Defender for Endpoint & Attack Surface Reduction
  
  
• Kevin Beaumont at DoublePulsar
  BPFDoor — an active Chinese global surveillance tool
  
  
• Malwarebytes Labs
  • Nigerian Tesla: 419 scammer gone malware distributor unmasked
  • Ransomware: April 2022 review
    
    
• Mandiant
  • UNC3524: Eye Spy on Your Email
  • Old Services, New Tricks: Cloud Metadata Abuse by UNC2903
    
    
• Michael Matthews and Nikolaos Pantazopoulos at NCC Group
  North Korea’s Lazarus: their initial access trade-craft using social media and social engineering
  
  
• Paolo Passeri at Netskope
  Cloud Threats Memo: What We Can Learn From the Top 15 Routinely Exploited Threats of 2021
  
  
• Daniel Russell at ParaFlare
  BlackCat Detection Development, file exclusion of *.exe in Microsoft Defender Endpoint
  
  
• Phil Keeble at Nettitude Labs
  • Introducing MalSCCM
  • Introducing SharpWSUS
    
    
• PhishLabs
  Why BitB Attacks are Concerning
  
  
• Nathan Sportsman at Praetorian
  Computer Account Relaying Vulnerabilities Part 2
  
  
• Kelsey Merriman And Pim Trouerbach at Proofpoint
  This isn’t Optimus Prime’s Bumblebee but it’s Still Transforming
  
  
• Swapnil Ahirrao at Qualys
  Ransomware Insights from the FBI’s 2021 Internet Crime Report
  
  
• Recorded Future
  • SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
  • Session Hijacking and MFA Bypass
    
    
• Red Alert
  Monthly Threat Actor Group Intelligence Report, March 2022 (KOR)
  
  
• RiskIQ
  RiskIQ Threat Intelligence Roundup: Phishing, Botnets, and Hijacked Infrastructure  
  
  
• Ryan Hausknecht
  Azure Virtual Machine Execution Techniques
  
  
• Sandfly Security
  Security Monitoring for Threats on Embedded Linux
  
  
• SANS Internet Storm Center
  • Detecting VSTO Office Files With ExifTool, (Mon, May 2nd)
  • Some Honeypot Updates, (Tue, May 3rd)
  • Finding the Real “Last Patched” Day (Interim Version), (Tue, May 3rd)
  • Password-protected Excel spreadsheet pushes Remcos RAT, (Thu, May 5th)
  • What is the simplest malware in the world?, (Fri, May 6th)
  • Phishing PDF Received in my ISC Mailbox, (Sat, May 7th)
    
    
• Tim Schulz and Christopher Peacock at Scythe
  SCYTHE Presents: Adaptive Emulation (Part 2): Execution Methods
  
  
• Denis Legezo at Securelist
  A new secret stash for “fileless” malware
  
  
• Dominik Sowinski at Security Intelligence
  The Growing Danger of Data Exfiltration by Third-Party Web Scripts
  
  
• Security Investigation
  • Ngrok Threat Hunting: Detect Hackers at the End of the Tunnel
  • Microsoft Cloud App Security Anomaly Detection Policies
    
    
• Rajan Sanhotra at Sophos
  Getting started with threat hunting: five steps to support successful outcomes
  
  
• Splunk
  CI/CD Detection Engineering: Dockerizing for Scale, Part 4
  
  
• Sucuri
  • WooCommerce Credit Card Skimmers Concealed In Fake Images
  • Manually Identifying an X-Cart Credit Card Skimmer
    
    
• Sysdig
  • Compromising Read-Only Containers with Fileless Malware
  • Hunting AWS RDS Security Events with Sysdig
    
    
• Joshua Picolet at Team Cymru
  Sliver Case Study: Assessing Common Offensive Security Tools
  
  
• Trellix
  Trellix Threat Labs Research Report: April 2022
  
  
• Uptycs
  Vulnerable Docker Installations Are A Playhouse for Malware Attacks
  
  
• Rob Sobers at Varonis
  Bad Rabbit Ransomware
  
  
• Roger Park at VMware Security
  Infographic – Exposing Malware in Linux-Based Multi-Cloud Environments
  

UPCOMING EVENTS

• Cybereason
  • Webinar May 12th 2022: Live Attack Simulation – Ransomware Threat Hunter Series
  • Webinar May 19th 2022: Live Attack Simulation – XDR vs. Modern Ransomware
  • Webinar May 25th 2022: Organizations at Risk: Ransomware Attackers Don’t Take Holidays
    
    
• Greynoise
  GreyNoise 101
  
  
• Hacker Valley Blue
  Hacker Valley Studio – Beyond Gold with Simone Biles
  
  
• Magnet Forensics
  • Format Matters: DD Outperform E01s for DVR Hard Drives
  • Magnet Automate Enterprise and How It Can Streamline Workflows for the Corporate World
    
    
• SANS
  • 8 Reasons You Don’t Want to Miss SANS ICS Security Summit & Training 2022
  • Prevent, Detect, Respond: An Intro to Google Workspace Security and Incident Response
  • SANS Threat Analysis Rundown | Katie Nickels
  • Cyber Executive Communications Master Class
    
    
• Doug Burks at Security Onion
  Security Onion Conference 2022 Save the Date and CFP
  

PRESENTATIONS/PODCASTS

• Archan Choudhury at BlackPerl
  Threat Hunting Tutorial- Day 6, APT39 Hunting using Splunk
  
  
• Arman Gungor at Metaspike
  Email Forensics Workshop 2022 CTF Solution
  
  
• BlueMonkey 4n6
  Magnet Virtual Summit Capture The Flag 2022 – Egg Hunt!
  
  
• Brakeing Down Security Podcast
  Mick Douglas on threat intel, customer worries about being hacked, and more
  
  
• Breaking Badness
  119. A Steaming Cup of Malicious Javascript
  
  
• Heather Mahalik at Cellebrite
  • How to View the Keychain Dump in Cellebrite Physical Analyzer
  • Q and A with Shahar Tal – VP of Business Development at Cellebrite
  • Q and A with the Cellebrite Dream Team – Ryan Salmon
  • Modernizing Investigations: Episode 1- Why Closing the Public Safety Gap is of Paramount Importance
    
    
• Check Point Research
  Inside Russia’s Biggest Ransomware Operation
  
  
• Cloud Security Podcast by Google
  EP63 State of Autonomic Security Operations: Are There Sharks in Your SOC with Robert Herjavec
  
  
• Countercraft
  What is MITRE Engage and How to Use It | Founder Chat
  
  
• Cybereason
  Malicious Life Podcast: Operation Sundevil and the Birth of the EFF
  
  
• Day Cyberwox
  • AWS Incident Response using CloudTrail Logs
  • Security Analyst vs Security Engineer
  • AWS Security Labs 6 – Amazon Inspector (Latest Version)
    
    
• Digital Forensic Survival Podcast
  DFSP # 324 – Malware Triage Part 1
  
  
• InfoSec_Bret
  CyberDefenders – GetPDF
  
  
• Justin Tolman at AccessData
  • CISA Cybersecurity Incident Response Playbook – Episode 1 – An Overview
  • FTK Feature Focus – Episode 42 – Video Thumbnail Generation
    
    
• Magnet Forensics
  • Collecting Google Drive Activity in Magnet AXIOM Cyber
  • Key Findings from Magnet Forensics’ Annual Survey of Enterprise DFIR Professionals
  • Introducing Magnet IGNITE: An Early Case Assessment Triage Tool
    
    
• SANS Cloud Security
  Building a Cloud Security Roadmap in 2022
  
  
• SANS Institute
  • New2Cyber Catch-22: Getting Experience When You Have No Experience
  • Why I’m Encouraged to BARF at Work
  • You’ve Got This: Success Stories Panel
  • Taking the Plunge:  Advice from People Who Literally Wrote the Book on Cybersecurity Careers Panel
  • Analysis 101 for the Incident Responder
  • Don’t Get Popped: Vulnerability Management Do’s and Don’ts
    
    
• Sumuri
  • RECON Lab Examiner Space
  • Get Answers Quicker with RECON LAB’s Selective Processing!
    
    
• The Defender’s Advantage Podcast
  Threat Trends: UNC3524 – Eye Spy on Your Email
  
  
• The Ransomware Files
  Ryuk’s Rampage
  
  
• WeLiveSecurity
  • 3 most dangerous types of Android malware
  • Defending against APT attacks – Week in security with Tony Anscombe
    

MALWARE

• Alexandre Borges at ‘Exploit Reversing’
  Malware Analysis Series (MAS) – Article 3
  
  
• Fernando Martinez at AT&T Cybersecurity
  Analysis on recent wiper attacks: examples and how wiper malware works
  
  
• ASEC
  • Word Files Related to Diplomacy and National Defense Being Distributed
  • Distribution of Malicious Word File Related to North Korea’s April 25th Military Parade
    
    
• Avertium
  An In-Depth Look at Ragnar Locker Ransomware
  
  
• Cluster25
  The strange link between a destructive malware and a ransomware-gang linked custom loader: IsaacWiper vs Vatet
  
  
• Cyble
  • Rebranded Babuk Ransomware in Action: DarkAngels Ransomware Performs Targeted Attack
  • Black Basta Ransomware
    
    
• Elastic
  Deep dive on the BLISTER loader
  
  
• Gergely Revay at Fortinet
  Unpacking Python Executables on Windows and Linux
  
  
• Drew Schmitt at GuidePoint Security
  How to Peel a PowerShell Onion: A Bloodhound Case Study
  
  
• Patrick Schläpfer at HP Wolf Security
  Tips for Automating IOC Extraction from GootLoader, a Changing JavaScript Malware
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #88: Character operand type and stack strings
  
  
• Barak Aharoni at InfoSec Write-ups
  Shellcode Analysis
  
  
• Mahmoud Morsy
  • Phishing Attacks 23_4_2022
  • Phishing Attacks 22_4_2022
    
    
• Malvuln
  • Ransom CTBLocker  –  Code Execution Vulnerability PoC
  • Trojan Ransom LockerGoga – Code Execution Vulnerability
  • Trojan Ransom.Cerber –  Code Execution Vulnerability
  • Trojan-Ransom.CryptoWall – Code Execution Vulnerability
  • Ransom Petya Code – Execution Vulnerability
  • Trojan Ransom Radamant – Code Execution Vulnerability
  • Ransom Cryakl  – Code Execution Vulnerability
  • Trojan CryptoLocker – Code Execution Vulnerability
  • Ransomware Conti – Code Execution Vulnerability
  • Ransom Satana – Code Execution Vulnerability
    
    
• McAfee Labs
  • Instagram Credentials Stealers: Free Followers or Free Likes
  • Instagram Credentials Stealer: Disguised as Mod App
    
    
• Natalie Zargarov at Minerva Labs
  • New Black Basta Ransomware Hijacks Windows Fax Service
  • A new BluStealer Loader Uses Direct Syscalls to Evade EDRs
    
    
• Muhammad Hasan Ali
  MS Word to drop Remcos
  
  
• Gustavo Palazolo at Netskope
  Emotet: New Delivery Mechanism to Bypass VBA Protection
  
  
• OALABS Research
  • Emotet 64-bit
  • Syscall Reversing
  • Magniber Ransomware Triage
    
    
• Chris Navarrete, Durgesh Sangvikar, Yu Fu, Yanhui Jia and Siddhart Shibiraj
  Cobalt Strike Analysis and Tutorial: CS Metadata Encoding and Decoding
  
  
• Pete Cowman at Hatching
  SAML Release and Family Updates
  
  
• Igor Golovin at Securelist
  Mobile subscription Trojans and their little tricks
  
  
• Security Onion
  • Quick Malware Analysis: Hancitor with Cobalt Strike and Mars Stealer pcap from 2022-03-21
  • Quick Malware Analysis: MetaStealer pcap from 2022-04-06
  • Quick Malware Analysis: Qakbot, Cobalt Strike, and VNC pcap from 2022-03-16
  • Quick Malware Analysis: Contact Forms Campaign, Bumblebee, and Cobalt Strike pcap from 2022-05-03
  • Quick Malware Analysis: Trickbot pcap from 2020-05-28
    
    
• Joey Chen and Amitai Ben Shushan Ehrlich at SentinelLabs
  Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad
  
  
• Andreas Klopsch at Sophos
  Attacking Emotet’s Control Flow Flattening
  
  
• Trend Micro
  • AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell
  • NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service
    
    
• Nathan Noll at TrustedSec
  ELFLoader: Another In Memory Loader Post
  
  
• VMRay
  VMRay Analyzer 4.5 Feature Highlight – Malware Configuration Extraction
  
  
• Yoroi
  Yoroi ha scoperto una serie di attacchi che stanno infettando le aziende manifatturiere italiane con finti documenti Microsoft Office ed Excel attraverso la botnet Dridex
  
  
• Javier Vicente and Brett Stone-Gross at ZScaler
  Analysis of BlackByte Ransomware’s Go-Based Variants
  
  
• Claroty
  Fundamental Building Blocks for Secure Operations and Critical Infrastructure
  
  
• Salvation DATA
  • What is Database Forensics?
  • DFIR Essentials: An Introduction to Cyber Security Incident Response
    

MISCELLANEOUS

• Alican Kiraz
  Incident Response Part 3.1: Containment |EN
  
  
• Emi Polito at Amped
  The Answers To Your Amped FIVE Questions
  
  
• Atropos4n6
  My 2022 Forensic 4cast (@4cast) nominations
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 5/7/22
  
  
• CrowdStrike
  Start Logging Everything: Humio Community Edition Series
  
  
• Cyberwox Academy
  Intro to Threat Detection with YARA
  
  
• Darkdefender
  Writing : Getting Started
  
  
• Doug Metz at Baker Street Forensics
  Play it Again Sam – A Recap of MUS 2022
  
  
• Oleg Afonin at Elcomsoft
  Identifying the iPhone Model
  
  
• Forensic Focus
  • How to Quickly Acquire and Analyze Media Data Evidence at the Crime Scene
  • FTK Imager 100 One-Day Course From Exterro
  • Digital Forensics Challenge 2022 (DFC 2022)
  • Magnet Forensics Acquires Cybersecurity Software Firm Comae Technologies
  • Exterro Enhances DFIR Automation with Major Upgrades to FTK Connect
    
    
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (5/1/2022)
  
  
• Magnet Forensics
  • Highlights From an Amazing Magnet Summit 2022
  • Magnet Forensics Acquires Cybersecurity Software Firm Comae Technologies
    
    
• Vasu Jakkal at Microsoft Security
  Microsoft launches Defender for Business to help protect small and medium businesses
  
  
• Morphisec
  MITRE ATT&CK Evaluation: Reading Between the Lines
  
  
• MSAB
  MSAB part of new European standard for mobile forensics
  
  
• lightkunyagami
  Security Blue Team: More Than Just a Cyber Defender Company, But Also a Mental Health Defender
  
  
• Raj Munusamy at OpenText
  The growing need for digital forensic investigators
  
  
• Oxygen Forensics
  • Data Storage Apps Supported by Oxygen Forensic® Detective
  • Time Machine Backup: Importing and Parsing in Oxygen Forensic® Detective
    
    
• Brittany Roberts at ADF
  ADF Supported Web Browsers ft. Chromium Based Browsers
  
  
• Ryan Campbell at ‘Security Soup’
  • Weekly News Roundup — April 24 to April 30
  • Weekly News Roundup — May 1 to May 7
    
    
• SANS
  • A Visual Summary of SANS CloudSecNext Summit 2022
  • 6 Reasons SANS 2022 Security Awareness Summit is a Must-Attend
    
    
• Mohammed Hussein at The Leahy Center for Digital Forensics & Cybersecurity
  Mohammed Hussein: Building a Cyber Range
  

SOFTWARE UPDATES

• AccessData
  Forensic Tools 7.5.2
  
  
• Apache
  Tika – Release 2.4.0 – 04/23/2022
  
  
• c3rb3ru5
  Binlex v1.1.1-rc1
  
  
• Erik Pistelli at Cerbero
  MalwareBazaar Intelligence
  
  
• Didier Stevens
  • Update: oledump.py Version 0.0.66
  • Update: cs-parse-traffic.py Version 0.0.5
    
    
• Grayshift
  Grayshift Accelerates GrayKey Innovation for Android Devices and Enhances Market Leadership in Mobile Device Digital Forensics
  
  
• Hashlookup
  hashlookup-forensic-analyser version 1.0 released
  
  
• IntelOwl
  v3.4.0
  
  
• Magnet Forensics
  • Magnet AXIOM 6.1: More Evidence from the Outlook App and Google Chrome
  • What’s New in Magnet AXIOM Cyber 6.1
    
    
• Metaspike
  Forensic Email Collector (FEC) Changelog – v3.70.1.8
  
  
• Ninoseki
  Mihari v4.5.2
  
  
• Paraben Corporation
  E3 Forensic Platform Version 3.2 Released
  
  
• Sandfly Security
  Sandfly 3.3 – Reporting, SSO, Veracode Certified, Suspicious IP Detection and More
  
  
• Semantics21
  LASERi updates
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!