As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Aditya Pratap
  Windows Triaging with Powershell — Part 2: Artifacts Collection
  
  
• Heather Mahalik at Cellebrite
  Cellebrite Capture the Flag – May 2022
  
  
• Chris at AskClees
  Decrypting Mega’s megaprefences Sqlite Database
  
  
• Digital Forensics Myanmar
  eCDFP Module (5) File System Analysis (Part-3)
  
  
• Elcomsoft
  checkm8: Unlocking and Imaging the iPhone 4s
  
  
• Forensafe
  Investigating UserAssist
  
  
• Kevin Pagano at Stark 4N6
  • Magnet Virtual Summit 2022 CTF – Egg Hunt
  • Magnet Virtual Summit 2022 CTF – Android
    
    
• Oxygen Forensics
  Now Supported in Oxygen Forensic® Cloud Extractor: Runkeeper
  
  
• SecNigma
  A guide to recovering damaged and rotten CDs
  
  
• The DFIR Report
  SEO Poisoning – A Gootloader Story
  

THREAT INTELLIGENCE/HUNTING

• Pepe Berba at Active Countermeasures
  Hunting for Persistence in Linux (Part 1): Auditd, Sysmon, Osquery (and Webshells)
  
  
• Amalul Arifin
  Abusing Command and Control using DNS ; A little write-ups on BHIS Webcast
  
  
• Anomali
  Anomali Cyber Watch: Moshen Dragon Abused Anti-Virus Software, Raspberry Robin Worm Jumps from USB, UNC3524 Uses Internet-of-Things to Steal Emails, and More
  
  
• Ramin Yazdani at APNIC
  Open DNS resolvers, from bad to worse
  
  
• AT&T Cybersecurity
  Stories from the SOC – Command and Control
  
  
• AttackIQ
  Attack Graph Response to US-CERT AA22-108A: North Korean Targeting of Blockchain Companies
  
  
• Avertium
  Ragnar Locker Ransomware: Everything You Need To Know (Attacks & Analysis)
  
  
• Bank Security
  Hunting Cobalt Strike Servers
  
  
• Bank Security
  Threat_Hunting
  
  
• Daniel Ballmer at Blackberry
  Russia-Linked Conti Group Creates National Emergency for Costa Rica
  
  
• CERT Ukraine
  • Кібератаки групи UAC-0010 (Armageddon) з використанням шкідливої програми GammaLoad.PS1_v2 (CERT-UA#4634,4648)
  • Онлайн-шахрайство з використанням тематики “грошової допомоги в рамках соціальної програми ООН” (CERT-UA#4657)
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 07 – 13 maggio 2022
  
  
• Check Point
  • 9th May – Threat Intelligence Report
  • Info-stealer Campaign targets German Car Dealerships and Manufacturers
  • April 2022’s Most Wanted Malware:  A Shake Up in the Index but Emotet is Still on Top
  • How the evolution of Ransomware changed the threat landscape
  • Ransomware cyber-attacks in Costa Rica and Peru drives national response
    
    
• Cisco’s Talos
  • Talos Incident Response added to German BSI Advanced Persistent Threat response list
  • Bitter APT adds Bangladesh to their targets
  • EMEAR Monthly Talos Update: Wiper malware
  • Threat Source newsletter (May 12, 2022) — Mandatory MFA adoption is great, but is it too late?
  • Threat Roundup for May 6 to May 13
    
    
• Cluster25
  Cozy Smuggled Into the Box: APT29 Abusing Legitimate Software for Targeted Operations in Europe
  
  
• Sven Defatsch at Compass Security
  BloodHound Inner Workings & Limitations – Part 2: Session Enumeration Through NetWkstaUserEnum & NetSessionEnum
  
  
• Stan Kiefer at Corelight
  Spotting Log4j traffic in Kubernetes environments
  
  
• CrowdStrike
  • Proactive Threat Hunting Bears Fruit: Falcon OverWatch Detects Novel IceApple Post-Exploitation Framework
  • Follow the Money: How eCriminals Monetize Ransomware
    
    
• Cybereason
  • Cybereason vs. Quantum Locker Ransomware
  • How Do Ransomware Attacks Impact Victim Organizations’ Stock?
  • Russia Is Waging Cyberwar–with Little Success
  • Behavioral Execution Prevention: Next-Generation Antivirus Evolved
    
    
• Cyble
  A closer look at Eternity Malware
  
  
• Cyborg Security
  • BlackCat Ransomware
  • Quantum Ransomware
  • 5 Threat Hunting Tips from a Seasoned Hunt Team
    
    
• Mackenize Morris at Dragos
  How to Improve OT Network Visibility
  
  
• EclecticIQ
  Five Ways the Ukraine-Russia War Could Alter the Cyber Landscape
  
  
• Eclypsium
  April Firmware Threat Report
  
  
• Elastic
  • Shell Evasion: An Insider Threat
  • Detecting Living-off-the-land attacks with new Elastic Integration
    
    
• David Carlisle at Elliptic
  Money Laundering Through DEXs and Mixers
  
  
• Esentire
  Redline Stealer Masquerades as Photo Editing Software
  
  
• Flashpoint
  • What Is Threat Intelligence? Understanding the Foundations of an Effective Threat Intel Program
  • Flashpoint Ransomware Dashboard: Helping CTI and SOC Teams Better Defend Against Ransomware Attacks
    
    
• Google Workspace Updates
  New delegated VirusTotal privilege in the Alert Center
  
  
• Harshit Rajpal at Hacking Articles
  • A Detailed Guide on Rubeus
  • Domain Persistence: Silver Ticket Attack
    
    
• HP Wolf Security
  HP Wolf Security Threat Insights Report Q1 2022
  
  
• Dray Agha at Huntress
  Evicting the Adversary
  
  
• Intel471
  What malware to look for if you want to prevent a ransomware attack
  
  
• Ari Eitan at Intezer
  How to Write YARA Rules That Minimize False Positives
  
  
• Jeffrey Appel
  Microsoft Defender for Endpoint – The ultimate blog series for Windows (Intro)
  
  
• Jonathan Johnson
  Defending the Three Headed Relay
  
  
• Jonathan Tanner at Barracuda
  Majority of attacks against SMB protocol attempt to exploit EternalBlue
  
  
• Chris Hall and Jared Stroud at Lacework
  Malware targeting latest F5 vulnerability
  
  
• Marius Sandbu
  • Phishing attacks in Microsoft Teams and external federation
  • A Cloud-native ecosystem – Some tools
  • Deployment of Kubernetes, Helm and YAML files using Terraform
    
    
• Matt Zorich at Microsoft Sentinel 101
  Azure AD Conditional Access Insights & Auditing with Microsoft Sentinel
  
  
• Microsoft Security
  • Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
  • Microsoft security experts outline next steps after compromise recovery
  • Center for Threat-Informed Defense, Microsoft, and industry partners streamline MITRE ATT&CK® matrix evaluation for defenders
    
    
• Mike Cunningham, Alexia Crumpton, Jon Baker, and Ingrid Skoog at MITRE-Engenuity
  Where to begin? Prioritizing ATT&CK Techniques
  
  
• Adriaan Neijzen at NVISO Labs
  Introducing pyCobaltHound – Let Cobalt Strike unleash the Hound
  
  
• Gijs Hollestelle at Falcon Force
  FalconFriday — Detecting malicious modifications to Active Directory — 0xFF1D
  
  
• Pavel Yosifovich
  Zombie Processes
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, February 2022 (ENG)
  
  
• Red Canary
  • Marshmallows & Kerberoasting
  • The Goot cause: Detecting Gootloader and its follow-on activity
    
    
• RiskIQ
  RiskIQ Threat Intelligence Roundup: Phishing, Botnets, and Hijacked Infrastructure  
  
  
• Ryan Nicholson at SANS
  Cloud Instance Metadata Services (IMDS)
  
  
• SANS Internet Storm Center
  • Octopus Backdoor is Back with a New Embedded Obfuscated Bat File, (Mon, May 9th)
  • TA578 using thread-hijacked emails to push ISO files for Bumblebee malware, (Wed, May 11th)
  • When Get-WebRequest Fails You, (Thu, May 12th)
  • Quick Analysis Of Phishing MSG, (Sat, May 14th)
    
    
• Scythe
  • SCYTHE Presents: VULN ALERT: F5 Big-IP appliances vulnerability – CVE-2022-1388
  • SCYTHE Presents: Actionable Purple Teaming: Why and How You Can (and Should) Go Purple
    
    
• Securelist
  New ransomware trends in 2022
  
  
• Secureworks
  COBALT MIRAGE Conducts Ransomware Operations in U.S.
  
  
• Beatriz Valls at Security Art Work
  Cazando con Inteligencia Artificial: Detección de dominios maliciosos (I)
  
  
• Rich Erdmann at Security Intelligence
  MITRE ATT&CK and SIEM Rules:  What Should Your Expectations Be?
  
  
• Security Investigation
  • Windows Event ID 5379 to Detect Malicious Password-Protected File unlock
  • Hackers are Hiding Malware in Windows Event Logs Category 0x4142
  • Sysmon Event ID 13 to Detect Malicious Password-Protected File unlock and Registry Changes
  • APT34 Returns with New TTPs And Delivers Malicious Files
    
    
• Tom Hegel at SentinelLabs
  Putting Things in Context | Timelining Threat Campaigns
  
  
• SOC Fortress
  • FREE Incident Response With Velociraptor
  • Monitoring Corporate Software Policies using Wazuh EDR and Sysmon.
    
    
• Sucuri
  • Examining Emerging Backdoors
  • Massive WordPress JavaScript Injection Campaign Redirects to Ads 
    
    
• Oddvar Moe at TrustedSec
  Diving into pre-created computer accounts
  
  
• Trustwave SpiderLabs
  Trustwave’s Action Response: F5 BIG-IP Vulnerability (CVE-2022-1388)
  
  
• Ashwin Vamshi and Shilpesh Trivedi at Uptycs
  KurayStealer: A Bandit Using Discord Webhooks
  
  
• Tal Peleg at Varonis
  Spoofing SaaS Vanity URLs for Social Engineering Attacks
  

UPCOMING EVENTS

• Cellebrite
  Tips & Tricks for Using Cellebrite Physical Analyzer
  
  
• ENISA
  Threathunt 2030: How to Hunt Down Emerging & Future Cyber Threats
  
  
• Magnet Forensics
  • Linux Acquisitions Made Easier – An Open-Source, Extensible Framework
  • Tips & Tricks // Download Apple Warrant Return Data: Remove the Roadblocks
    
    
• Recorded Future
  Analysis and Mitigations of Wiper Malware Variants Used Against Ukraine
  
  
• SANS
  DFIR Summit 2022
  
  
• TeelTech
  Live Event – AI Based Triage in Digital Forensics
  

PRESENTATIONS/PODCASTS

• Ann Bramson
  Digital Forensics – How Do Images End Up in iOS Safari’s Cache.db
  
  
• Archan Choudhury at BlackPerl
  Threat Hunting Tutorial- Day 7, Hunt on Network Logs, PCAP
  
  
• Black Hills Information Security
  • Talkin’ Bout [infosec] News 2022-05-09
  • BHIS | How DNS can be abused for Command & Control | Troy Wojewoda | 1-Hour
  • BHIS | How DNS can be abused for Command & Control | Troy Wojewoda | 1 Hour
    
    
• BlueMonkey 4n6
  Mouse Jigglers – intro and forensic applications
  
  
• Brakeing Down Security Podcast
  Mieng-Lim-Ransomware-Best-Practices-p1
  
  
• Breaking Badness
  120-reading-the-iot-leaves
  
  
• Cellebrite
  • Exploring Additional Features Built Into Cellebrite UFED
  • Explaining Timestamps Associated with Carved Locations
  • How To Refute an Alibi Using the Mutual Locations feature in Cellebrite Pathfinder
  • How to Identify Signs of “Obstruction of Justice” in Digital Evidence using Cellebrite Pathfinder
  • Modernizing Investigations: Episode 1 – Why Closing the Public Safety Gap is of Paramount Importance
    
    
• Check Point Research
  Ransomversary : Wannacry’s 5th Anniversary Special and The Evolution of Ransomware
  
  
• Detections by SpectreOps
  Episode 23: Gabriel Bassett
  
  
• Digital Forensic Survival Podcast
  DFSP # 325 – Malware Triage Part 2
  
  
• Erik Hjelmvik at Netresec
  Emotet C2 and Spam Traffic Video
  
  
• InfoSec_Bret
  • CyberDefenders – GetPDF Follow Up
  • CyberDefenders – DumpMe
    
    
• John Hammond
  Restructuring PCAP Network Packets (PicoCTF 2022 #45 ‘eavesdrop’)
  
  
• Justin Tolman at AccessData
  • CISA Cybersecurity Incident Response Playbook – Episode 2 – Preparation Phase
  • At Techno Myrtle Beach this week. So no Feature Focus this week.
    
    
• Karsten Hahn at Malware Analysis For Hedgehogs
  Book Review – Malware Analysis and Detection Engineering
  
  
• Magnet Forensics
  • Magnet Certified Forensic Examiner (MCFE)
  • Magnet Automate Enterprise and How It Can Streamline Workflows for the Corporate World
    
    
• OALabs
  Emotet 64-bit Emulation and String Decryption with Dumpulator [Twitch Clip ]
  
  
• SANS Institute
  New Shell in Town: Adventures in using PowerShell on Linux
  
  
• Sumuri
  • 012 – Inside SUMURI Training
  • Recon ITR UTILIZE TEMPLATE
    
    
• The ./havoc Podcast
  John Dwyer: X-Force and DLL Side-Loading
  
  
• Uriel Kosayev
  Yashma Ransomware Builder Analysis – Malware for Fun
  
  
• X-Force
  Behind the Shield: Critical Condition | IBM Security Expert TV
  
  
• Zeek in Action
  Zeek in Action, Video 16, Interpreting Cyber Threat Intelligence Reports
  

MALWARE

• Alexandre Borges at ‘Exploit Reversing’
  Malware Analysis Series (MAS) – Article 4
  
  
• ASEC
  • ASEC Weekly Malware Statistics (April 25th, 2022 – May 1st, 2022)
  • Backdoor (*.chm) Disguised as Document Editing Software and Messenger Application
  • ASEC Weekly Malware Statistics (May 2nd, 2022 – May 8th, 2022)
    
    
• Atomic Matryoshka
  Emotet .xls Dropper
  
  
• Blackberry
  • Threat Thursday: Malware Rebooted – How Industroyer2 Takes Aim at Ukraine Infrastructure
  • BlackBerry Prevents Purple Fox Rootkit
  • Dirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains
    
    
• Cryptax
  Reversing an Android sample which uses Flutter
  
  
• Doug Burks at Security Onion
  Quick Malware Analysis: TA578 Contact Forms IcedID Cobalt Strike pcap from 2022-05-10
  
  
• Emanuele De Lucia
  Reverse and Hunt: Between the jumps of ArguePatch
  
  
• Forensic-Research
  CVE-2022-22965 Vulnerability Analysis
  
  
• Fortinet
  • Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I
  • Please Confirm You Received Our APT
    
    
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #89: En masse operations
  
  
• Steve Esling at InQuest
  Detection Multiplexing
  
  
• Malvuln
  • APT28 FancyBear – Code Execution Vulnerability
  • LockBit Ransomware / Code Exec Vulnerability PWNED at Scale PoC
    
    
• Malwarebytes Labs
  APT34 targets Jordan Government using new Saitama backdoor
  
  
• Marco Ramilli
  A Malware Analysis in RU-AU conflict
  
  
• Roy Golombick at Minerva Labs
  Malware evasion techniques – Obfuscated Files and Information
  
  
• Hido Cohen at Morphisec
  SYK Crypter Distributing Malware Families Via Discord
  
  
• Gustavo Palazolo at Netskope
  RedLine Stealer Campaign Using Binance Mystery Box Videos to Spread GitHub-Hosted Payload
  
  
• OALABS Research
  Bumblebee Loader
  
  
• Tyler Halfpop at Palo Alto Networks
  Harmful Help: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla
  
  
• Pete Cowman at Hatching
  Qakbot, BumbleBee, Gh0stRAT and Redline Improvements
  
  
• Ed Amoroso at PhishLabs
  Advanced Cyber Threat Intelligence
  
  
• Andrew Northern, Pim Trouerbach, Tony Robinson, and Axel F at Proofpoint
  Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques
  
  
• Amit Gadhave at Qualys
  Ursnif Malware Banks on News Events for Phishing Attacks
  
  
• Jiho Kim at S2W Lab
  The History of BlackGuard Stealer
  
  
• Sandfly Security
  BPFDoor – An Evasive Linux Backdoor Technical Analysis
  
  
• Secureworks
  REvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence
  
  
• Francisco Montiel at Security Art Work
  Offensive Golang (I)
  
  
• Tony Lambert
  Analyzing a Pirrit adware installer
  
  
• Ieriz Nicolle Gonzalez, Ivan Nicole Chavez, Katherine Casona, and Nathaniel Morales at Trend Micro
  Examining the Black Basta Ransomware’s Infection Routine
  

MISCELLANEOUS

• Aditya Pratap
  Intelligence Gathering with Open-Source Tools
  
  
• Any.Run
  Expert Q&A: Aleksey Lapshin,  ANY.RUN
  
  
• Brett Shavers
  A forensic book is not just a forensic book if you do forensics.
  
  
• Camille Lore
  Wireshark 101
  
  
• Cellebrite
  Cellebrite Announces First Quarter 2022 Results
  
  
• Forensic Focus
  • Mobile Device Biometrics – What They Are and How They Work
  • Combating Corporate Fraud With Detego’s Technology
    
    
• LockBoxx
  Bootcamp #16: Intro to Security Operations Center (SOC) Analysis
  
  
• Magnet Forensics
  • Meet the Magnet Forensics’ Training Team: Anthony DaSilva
  • Meet the Magnet Forensics’ Training  Team: Thad Winkelman
  • Three New Magnet Training Certifications Available to Demonstrate Your Expertise
    
    
• NIST
  NIST Publishes Review of Digital Forensic Methods
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — May 8 to May 14
  
  
• Salvation DATA
  DFIR Phases: What Are the 6 Phases of a Cyber Security Incident Response Plan?
  
  
• SANS
  A Visual Summary of SANS Neurodiversity Summit 2022
  
  
• Dave Melvin at Sumuri
  Meet the SUMURI Training Team
  
  
• Will Elder at ADF
  7 ICAC Investigation Best Practices | Digital Forensics | CSAM Triage
  
  
• John Patzakis at X1
  Usage-Based Pricing Model Increasingly Driving eDiscovery Software Growth
  

SOFTWARE UPDATES

• Alexis Brignoni
  • ALEAPP 2.0.05
  • RLEAPP 1.0.24
    
    
• Amped
  Amped DVRConv Update 24628: More Formats Decoded, New Format for Writing, and New Frame Rate Adjustment Option
  
  
• Belkasoft
  Sneak peek of Belkasoft X v.1.13: Major updates, including nested archives analysis and review, Tableau integration, BTRFS support, iOS acquisition update, advanced eDiscovery filters, and many more
  
  
• Cellebrite
  Now Available: Cellebrite Physical Analyzer, Logical Analyzer, Reader, and UFED Cloud v7.55
  
  
• Didier Stevens
  • Update: zipdump.py Version 0.0.22
  • Update: oledump.py Version 0.0.67
    
    
• eCrimeLabs
  MISP auto tagging: In Organizations we trust
  
  
• Elcomsoft
  Elcomsoft iOS Forensic Toolkit 8.0 beta 7 unlocks and extracts legacy iOS devices
  
  
• Foxton Forensics
  Browser History Examiner — Version History – Version 1.16.8
  
  
• Geoffrey Czokow at Hex Rays
  IDA Teams beta release
  
  
• Metaspike
  Forensic Email Intelligence v1.7.8166
  
  
• MSAB
  XRY 10.1.1 Released today – More devices, more apps, more extractions, more data
  
  
• Nisarg Suthar
  Veritas
  
  
• Regipy
  2.3.2
  
  
• Ulf Frisk
  MemProcFS Version 4.8
  
  
• Velociraptor
  Release 0.6.4-2
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!