As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Ahmed Ali
  Couch to 5K Runner: A Mobile Forensics Investigation
  
  
• Belkasoft
  Where in the world was John McAfee and An0nymous? A tell-tale sign from EXIF data
  
  
• Matt Muir at Cado Security
  Linux Attack Techniques: Dynamic Linker Hijacking with LD Preload
  
  
• Christopher Kyriacou
  Forensic Investigation of the Grubhub iOS App
  
  
• Joshua I. James at DFIRScience
  • Tableau External Write Blocker Setup and Forensic Imaging Walkthrough
  • Linux Forensics on Linux – Cyber5W CTF Walkthrough
    
    
• Digital Forensics Myanmar
  eCDFP Module (5) File System Analysis (Part-4)
  
  
• Oleg Afonin at Elcomsoft
  • Breaking Passwords on Alder Lake CPUs
  • Live System Analysis: Extracting BitLocker Keys
    
    
• Michael Karsyan at Event Log Explorer blog
  Files in Event Log Explorer Forensic Edition. Searching for removed events
  
  
• Forensafe
  Investigating Windows 10 Notifications
  
  
• Geri at ‘4n6 Ninja’
  Peeking at User Notification Events in iOS 15
  
  
• Lord Templar’s Digital Forensics Blog
  What Apple Maps Activity Can be Found Using a Logical Extraction
  
  
• Marius Sandbu
  The curious case of Azure Managed Identity and a compromised virtual machine
  
  
• N00b_H@ck3r
  CyberDefenders: Mr. Robot
  
  
• Oxygen Forensics
  • 7 Web Browsers Supported in Oxygen Forensic® Detective
  • Analysis of Volume Shadow Copies in Oxygen Forensic® Detective
    
    
• Ronan Joshua Roque
  Exploring The Samsung Galaxy Watch4 Smartwatch
  
  
• Veeraj Modi
  Mobile Forensics — Analyzing Snapseed on Android
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  Not installing the installers
  
  
• Adam Nadrowski
  iThreatopedia
  
  
• Advanced Intelligence
  • Hydra with Three Heads: BlackByte & The Future of Ransomware Subsidiary Groups
  • DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape
    
    
• Anomali
  Anomali Cyber Watch: Costa Rica in Ransomware Emergency, Charming Kitten Spy and Ransom, Saitama Backdoor Hides by Sleeping, and More
  
  
• Anton Chuvakin
  How to Think about Threat Detection in the Cloud
  
  
• Adam Vertuca at AT&T Cybersecurity
  Stories from the SOC – Persistent malware
  
  
• Bitdefender
  Bitdefender Threat Debrief | May 2022
  
  
• Lawrence Abrams at BleepingComputer
  Fake Pixelmon NFT site infects you with password-stealing malware
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2022-05-18 – Pcap and malware for ISC diary: EXOTIC LILY –> Bumblebee –> Cobalt Strike
  • 2022-05-18 – TA578 thread-hijacked emails and ISO example for Bumblebee
  • 2022-05-10 – TA578 Contact Forms campaign –> IcedID (Bokbot) –> Cobalt Strike
    
    
• Breachquest
  • Conti: Still here, Still Dangerous
  • The RAT is out: The new Nerbian rat on the arket
    
    
• Censys
  Tracking Deadbolt Ransomware Across the Globe
  
  
• CERT-AGID
  • Il trojan bancario Coper è arrivato anche in Italia
  • Sintesi riepilogativa delle campagne malevole nella settimana del 14 – 20 maggio 2022
    
    
• Check Point Research
  • 16th May – Threat Intelligence Report
  • Twisted Panda: Check Point Research unveils a Chinese APT espionage campaign against Russian state-owned defense institutes
    
    
• CISA
  Alert (AA22-137A) Weak Security Controls and Practices Routinely Exploited for Initial Access
  
  
• Cisco’s Talos
  • Ransomware: How executives should prepare given the current threat landscape
  • The BlackByte ransomware group is striking users all over the globe
  • Threat Source newsletter (May 19, 2022) — Why I’m missing the days of iPods and LimeWire
  • Threat Roundup for May 13 to May 20
    
    
• Corelight
  • Another day, another DCE/RPC RCE
  • What makes evidence uniquely valuable?
  • Finding CVE-2022-22954 with Zeek
    
    
• Countercraft
  A Step-by-step BPFDoor Compromise
  
  
• Curated Intelligence
  Threat Group Naming Schemes In Cyber Threat Intelligence
  
  
• CyberCX
  Intelligence Update. A question of timing: examining the circumstances surrounding the Nauru Police Force hack and leak
  
  
• Cyberknow
  KillNet: Pro-Russian Hacktivists.
  
  
• Cyborg Security
  Threat Hunting Hypothesis Examples: Five Hunts to Start Out
  
  
• EclecticIQ
  • The Analyst Prompt #09: Longtime Threat Actor Group REvil May be Returning to the Cyber Fight
  • 5 Questions to ask About Your EDR – Response
    
    
• Esentire
  eSentire Threat Intelligence Malware Analysis: Mars Stealer
  
  
• Flashpoint
  Insider Threats: Recruitment Tactics and TTPs You Should Prepare For
  
  
• Clement Lecigne and Christian Resell at Google Threat Analysis Group
  Protecting Android users from 0-Day attacks
  
  
• Group-IB
  Ransomware Uncovered 2021/2022
  
  
• Hornet Security
  Email Threat Review April 2022
  
  
• Patrick Schläpfer at HP Wolf Security
  PDF Malware Is Not Yet Dead
  
  
• Intezer
  • SOC Level Up: Threat Hunting and Detection With Sigma
  • Automating Alert Triage and Threat Hunting with Intezer + SentinelOne
    
    
• Lina Lau at Inversecos
  Detection and Compromise: Azure Key Vaults & Secrets
  
  
• Pieter Arntz at Malwarebytes Labs
  Sysrv botnet is out to mine Monero on your Windows and Linux servers
  
  
• Alden Wahlstrom, Alice Revelli, Sam Riddell, David Mainor, and Ryan Serabian at Mandiant
  The IO Offensive: Information Operations Surrounding the Russian Invasion of Ukraine
  
  
• MDSec
  Nighthawk 0.2 – Catch Us If you Can
  
  
• Microsoft Security
  • In hot pursuit of ‘cryware’: Defending hot wallets from attacks
  • Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices
    
    
• Roy Golombick at Minerva Labs
  What makes Ransomware so different from other malware and cyber threats?
  
  
• Nisos
  Fronton: A Botnet for Creation, Command, and Control of Coordinated Inauthentic Behavior
  
  
• Maxime Thiebaut at NVISO Labs
  Detecting & Preventing Rogue Azure Subscriptions
  
  
• SANS Internet Storm Center
  • Wireshark 3.6.5 Released, (Sun, May 15th)
  • Why is my Honeypot a Russian Certificate Authority?, (Mon, May 16th)
  • Use Your Browser Internal Password Vault… or Not?, (Tue, May 17th)
  • Apple Patches Everything, (Mon, May 16th)
  • Do you want 30 BTC? Nothing is easier (or cheaper) in this phishing campaign…, (Wed, May 18th)
  • Bumblebee Malware from TransferXL URLs, (Thu, May 19th)
  • A ‘Zip Bomb’ to Bypass Security Controls & Sandboxes, (Fri, May 20th)
    
    
• Jake Williams and Brandon Radosevich at Scythe
  SCYTHE Presents: F5 Big-IP appliances vulnerability – Follow-up
  
  
• Securelist
  Evaluation of cyber activities and the threat landscape in Ukraine
  
  
• Beatriz Valls at Security Art Work
  Cazando con Inteligencia Artificial: Detección de dominios maliciosos (II)
  
  
• Security Intelligence
  • Malicious Reconnaissance: What It Is and How To Stop It
  • ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups
    
    
• Security Investigation
  • Detecting and Preventing F5 Big-IP Critical Vulnerability – CVE-2022-1388
  • Mapping MITRE ATT&CK with Window Event Log IDs
  • Ukraine CERT-UA Reports a phishing campaign conducted by Armageddon APT
  • Threat Actors Abuse Microsoft’s HTML help file to Deliver Malware
  • Cyber Actors Steal Credit Card Data from the US Business
  • Microsoft Notified Blueteam to Monitor Sqlps.exe and Powershell
    
    
• SOC Fortress
  OFFICE 365 — MITRE Enriched Events Using Wazuh Detection Rules
  
  
• Trend Micro
  • Uncovering a Kingminer Botnet Attack Using Trend Micro™ Managed XDR
  • Bruised but Not Broken: The Resurgence of the Emotet Botnet Malware
  • Detect Azure AD Hybrid Cloud Vulnerabilities
    
    
• Andrew Schwartz at TrustedSec
  Splunk SPL Queries for Detecting gMSA Attacks
  
  
• Adrian Perez at Trustwave SpiderLabs
  Interactive Phishing: Using Chatbot-like Web Applications to  Harvest Information
  

UPCOMING EVENTS

• Dave Cowen at SANS
  FOR509: Cloud Forensics & Incident Response Course – What to Expect
  
  
• Basis Technology
  CyberResponderCon: Investigating Ransomware
  
  
• Cellebrite
  Tips & Tricks for Using Cellebrite Physical Analyzer
  
  
• Cybereason
  Webinar June 2nd 2022: Live Attack Simulation – Ransomware Threat Hunter Series
  
  
• Griffeye
  Webinar: Weeding out the noise – Part 2 (Efficient Victim-centric Workflows in Analyze DI)
  
  
• Magnet Forensics
  • Legally Investigating the Cloud: Your Questions Answered
  • Jumpstart Incident Response with YARA Rule Scanning in AXIOM Cyber
    
    
• Recorded Future
  Analysis and Mitigations of Wiper Malware Variants Used Against Ukraine
  
  
• Ryan Chapman at SANS
  Learning to Combat Ransomware
  

PRESENTATIONS/PODCASTS

• Magnet Forensics
  Tips & Tricks // Download Apple Warrant Return Data: Remove the Roadblocks
  
  
• Black Hills Information Security
  • How to Use Backdoors & Breaches to do Tabletop Exercises and Learn Cybersecurity
  • BHIS – Talkin’ Bout [infosec] News 2022-05-16
  • BHIS/Antisyphon – Talkin’ Bout [infosec] News 2022-05-23
  • Geopolitical Cyber-Detection Lures for Attribution with Microsoft Sentinel 
    
    
• Brakeing Down Security Podcast
  Mieng Lim, Ransomware actions, using insurance to offset risk, good IR/PR comms
  
  
• Breaking Badness
  121. IR You Afraid of the Dark Web?
  
  
• Cellebrite
  How To Refute an Alibi Using the Mutual Locations feature in Cellebrite Pathfinder
  
  
• Cloud Security Podcast by Google
  EP65 Is Your Healthcare Security Healthy? Mandiant Incident Response Insights
  
  
• Cybereason
  Malicious Life Podcast: Inside Operation CuckooBees
  
  
• DFIRScience
  Tableau External Write Blocker Setup and Forensic Imaging Walkthrough
  
  
• Digital Forensic Survival Podcast
  DFSP # 326 – MFT
  
  
• Dump-Guy Trickster
  • Analyzing HTML Application “HTA” Loading .NET Runtime
  • Get-UnJlaive – Jlaive Protector Reconstructor
    
    
• InfoSec_Bret
  CyberDefenders – BankingTroubles
  
  
• John Hammond
  RECOVERING FILES with Autopsy (PicoCTF 2022 #47 ‘operation-oni’)
  
  
• Justin Tolman at AccessData
  • CISA Cybersecurity Incident Response Playbooks – Episode 3 Detection and Analysis
  • FTK Feature Focus – Episode 43 – FTK 7.5.2 Index Search Optimizations
    
    
• Lee Reiber’s Forensic Happy Hour
  Forensic Happy Hour Episode 305
  
  
• SANS
  • Hunting Is Sacred, But We Never Do It for Sport! – SANS THIR Summit 2019
  • Did I do that? – Understanding action & artifacts w/ Matthew Seyer & David Cowen – SANS DFIR Summit
    
    
• Sumuri
  How to Update your PALADIN PRO!
  
  
• The Defender’s Advantage Podcast
  Threat Trends: Information Operations Surrounding the Russian Invasion of Ukraine
  
  
• Uriel Kosayev
  RDP Credentials Hijacking – Abusing KeyMgr.dll
  

MALWARE

• Any.Run
  Release Notes  May 20, 2022
  
  
• ASEC
  • Malicious Help File Disguised as Missing Coins Report and Wage Statement (*.chm)
  • Lazarus Group Exploiting Log4Shell Vulnerability (NukeSped)
  • Why Remediation Alone Is Not Enough When Infected by Malware
  • Emotet Being Distributed Using Various Files
    
    
• Atomic Matryoshka
  Emotet DLL Part 2: Dynamic Analysis
  
  
• Blackberry
  .NET Stubs: Sowing the Seeds of Discord
  
  
• Kian Maher at Cofense
  Hackers Utilize SwissTransfer To Deploy Phishing Scam
  
  
• Vlad Ciuleanu at CrowdStrike
  Mirai Malware Variants for Linux Double Down on Stronger Chips in Q1 2022
  
  
• Mike at Cyber&Ramen
  Analysis of an Obfuscated RTF File
  
  
• Cyble
  Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof of Concept to Deliver Cobalt-Strike Beacon
  
  
• Deep Instinct
  What’s Hiding in Your Event Logs?
  
  
• Doug Burks at Security Onion
  • Quick Malware Analysis: Qakbot and Cobalt Strike pcap from 2022-04-14
  • Quick Malware Analysis: Exotic Lily, Bumblebee, and Cobalt Strike pcap from 2022-05-18
  • Quick Malware Analysis: Qakbot and DarkVNC pcap from 2022-04-19
    
    
• Colson Wilhoit, Alex Bell, Rhys Rustad-Elliott, and Jake King at Elastic
  A peek behind the BPFDoor
  
  
• Gergely Revay and Shunichi Imano at Fortinet
  Chaos Ransomware Variant Sides with Russia
  
  
• Guilherme Thomazi Bonicontro
  Linux.Nasty: Assembly x64 ELF virus
  
  
• Herbie Zimmerman at “Lost in Security”
  2022-05-13 Quick Remcos Deobfusction
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #90: Suspicious operand limits
  
  
• Jaron Bradley, Stuart Ashenbrenner and Matt Benyo at Jamf
  UpdateAgent Adapts Again
  
  
• Shusei Tomonaga at JPCERT/CC
  Analysis of HUI Loader
  
  
• Koen Van Impe
  MISP sharing groups demonstration video
  
  
• Malvuln
  Trojan Ransom Thanos – Code Execution Vulnerability
  
  
• Hossein Jazi and Jérôme Segura at Malwarebytes Labs
  Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis
  
  
• Mike at “CyberSec & Ramen”
  Analysis of an Obfuscated RTF File
  
  
• NCC Group
  • earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s decompiler internals to make automatic P-Code analysis scripts
  • Tool Release – Ghostrings
  • Metastealer – filling the Racoon void
    
    
• OALABS Research
  Emotet x64 Stack Strings Config Emulation
  
  
• Palo Alto Networks
  • A Look Into Public Clouds From the Ransomware Actor’s Perspective
  • Emotet Summary: November 2021 Through January 2022
  • Weaponization of Excel Add-Ins Part 2: Dridex Infection Chain Case Studies
    
    
• PC’s Xcetra Support
  Pealing back the layers of a batch script ransomware
  
  
• petikvx
  • How does work LNK malwares
  • How to generate Sandbox Script
  • FuckinUnicorn Ransomware
  • Trojan-Ransom.Win32.Encoder.mhm Analyze
  • Avoslocker Ransomware
  • Trojan-Ransom.Win32.Encoder.mhm
  • How to extract macros from MSOffice docs
  • Taakj2005 VBS encrypter
  • Thanos Ransomware
  • Trojan-Ransom.Win32.Delf.sp
  • Maze Ransomware
  • Hydracrypt Ransomware
  • Blackmatter Ransomware JEoHh4cHS
  • Thanos .ltnuhr Ransomware
  • Spook Ransomware
  • Thanos Boom Ransomware
  • Haron Chaddad Ransomware
  • Prometheus Ransmware
  • Spora Ransomware
  • RCRU64 Ransomware
  • G0nnac0pe Trojan
  • Nokoyawa Ransomware
  • Yashma Ransomware Builder 1.2 – PLEASE UPDATE YOUR AV
  • Nefilim Ransomware
  • Cerber Ransomware
  • mietek1528’s First crackme
  • Pandore Ransomware
  • InfinityLock Ransomware
    
    
• Roman Dedenok at Securelist
  HTML attachments in phishing e-mails
  
  
• Francisco Montiel at Security Art Work
  Offensive Golang (II)
  
  
• Juan Andrés Guerrero-Saade and Phil Stokes at SentinelLabs
  CrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware
  
  
• Ax Sharma at Sonatype
  New ‘pymafka’ malicious package drops Cobalt Strike on macOS, Windows, Linux
  
  
• Sucuri
  • X-Cart Skimmer with DOM-based Obfuscation
  • Analyzing a WooCommerce Credit Card Skimmer
    
    
• VinCSS
  • [RE027] China-based APT Mustang Panda might have still continued their attack activities against organizations in Vietnam
  • [RE027] Nhóm APT Mustang Panda có thể vẫn đang tiếp tục hoạt động tấn công vào các tổ chức tại Việt Nam
    
    
• Oleg Boyarchuk, Stefano Ortolani, and Jason Zhang at VMware Security
  Emotet Moves to 64 bit and Updates its Loader
  
  
• WeLiveSecurity
  • The downside of ‘debugging’ ransomware
  • Sandworm uses a new version of ArguePatch to attack targets in Ukraine
    
    
• Yoroi
  A deep dive into Eternity Group: A new emerging Cyber Threat
  

MISCELLANEOUS

• Jessica Hyde at Hexordia and Magnet Forensics
  Update on Magnet Summit 2022 Capture the Flag Contests
  
  
• AboutDFIR
  • The Effect of Ransomware After The Investigation
  • AboutDFIR Site Content Update 5/21/22
    
    
• Adam at Hexacorn
  Hijacking HijackThis
  
  
• Alex Verboon at ‘Anything about IT’
  How to analyze Microsoft Sentinel Daily Cap Alerts – AADNonInteractiveUserSignInLogs
  
  
• Brett Shavers at ‘The X-Ways Forensics Practitioner’s Guide/2E’
  The XWF Guide is Worldwide!
  
  
• Cloudflare
  • Integrating Network Analytics Logs with your SIEM dashboard
  • Monitoring our monitoring: how we validate our Prometheus alert rules
    
    
• Greg Day at Cybereason
  Ransomware: What’s in a Name?
  
  
• Derek Eiri
  Growing with XWF
  
  
• Richard Witucki at Dragos
  Improving ICS/OT Security Perimeters with Network Segmentation
  
  
• Forensic Focus
  • March’s Spread of Digital Forensics Research Examines Implementation
  • Hex Searching in Oxygen Forensic Detective
  • The Answers to Your Amped FIVE Questions
  • FEE Brings Together Industry Expertise to Transform Forensics
    
    
• Carla Brinker at GuidePoint Security
  A Comprehensive and Secure Approach to Offboarding Employees
  
  
• InfoSec Write-ups
  Active Directory Overview
  
  
• Kaspersky Lab
  How to upgrade an incident response specialist’s skills
  
  
• LockBoxx
  • Bootcamp #18: Hands-on Blue Team Exercises
  • Bootcamp #19: Getting Famaliar with EDR
    
    
• ADF
  • Next-Generation Digital Forensics Software: 5 Areas That You Want Your Department To Be Ahead In
  • Speed Digital Investigations with Multimedia
  • Cryptocurrency Traces
    
    
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — May 15 to May 21
  
  
• Salvation DATA
  Information Security: 10 Disaster Prevention Tips From Digital Forensics Experts
  
  
• SANS
  SANS MGT521 Security Culture Course – New Version Released
  
  
• Stacy Leidwinger at Secureworks
  How to Reduce Alert Fatigue: A Q&A Session with SecOps Experts
  
  
• Gabriela Silk at Uptycs
  What Is Cyber Threat Hunting?
  
  
• Koos Goossens at Wortell
  • Use Sentinel Basic and Archive logs
  • Archive Microsoft 365 Defender logs
    

SOFTWARE UPDATES

• Brian Maloney
  OneDriveExplorer v2022.05.18
  
  
• Brim
  Version 0.30.0
  
  
• Didier Stevens
  Update: base64dump.py Version 0.0.21
  
  
• Doug Burks at Security Onion
  Sneak Peek: Security Onion 2.3.130 and New Analyzers Feature
  
  
• EclecticIQ
  EclecticIQ Intelligence Center goes API-first and more with release 2.12
  
  
• Elcomsoft
  Elcomsoft Distributed Password Recovery 4.4 optimized for Intel Alder Lake
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Mark Mckinnon
  Meet The Newest Member of the xLeapp Family
  
  
• Matt Shannon at F-Response
  F-Response 8.3.1.14 and Collect 4.0.1.7 Released – Updates to Collect, Classic, and Universal
  
  
• Mihari
  v4.6.1
  
  
• Regipy
  2.3.3
  
  
• Yamato Security
  Hayabusa v1.2.2 🦅
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!