As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Asger S
  - Deadhost Investigation and Super Timeline
- Block Magnates
  - Rikkei Finance Hack: Explained
- Cassie Doemel at AboutDFIR
  - App Timeline Provider – SRUM Database
- Chris at AskClees
  - Decrypting Mega Preferences (Part 2)
- Dr. Brian Carrier at Cyber Triage
  - Cyber Triage Lite – Identifying Malware
- Digital Forensics Myanmar
- Forensafe
  - Investigating Paint MRU
- Nicole Fishbein at Intezer
  - How to Analyze Phishing Email Files
- Lina Lau at Inversecos
  - How to Perform Clipboard Forensics: ActivitiesCache.db, Memory Forensics and Clipboard History
- LMG Security
  - Understanding Phishing Attacks & Spear Phishing
- Michael Koczwara
  - LetsDefend: Suspicious Certutil.exe Usage
- Andrew Paverd at Microsoft Security Response Center
  - New Research Paper: Pre-hijacking Attacks on Web User Accounts
- Roshan at Open Source DFIR
  - Investigating a GKE Container
- Oxygen Forensics
  - 6 Email Services Supported in Oxygen Forensic® Detective
THREAT INTELLIGENCE/HUNTING
- 360 Total Security
  - Win11 users beware! Magniber ransomware has been upgraded again, aiming at win11
- Akamai
- Anomali
  - Anomali Cyber Watch: Conti’s Talent Goes to Other Ransom Groups, China-Based Espionage Targets Russia, XorDdos Stealthy Linux Trojan is on the Rise, and More
- Julius Charles at AT&T Cybersecurity
  - Suspicious behavior: OTX Indicator of Compromise – Detection & response
- AttackIQ
- Avertium
  - An In-Depth Look at AvosLocker Ransomware
- Raghvendra Mishra at Awake Security
  - Finding the Needle in Haystack: Threat Hunting for Attacker Activity within DNS over HTTPS (DoH)
- Bitdefender
- Blackberry
  - Yashma Ransomware, Tracing the Chaos Family Tree
- BleepingComputer
- Erica Mixon at Blumira
  - Blumira Releases 2022 State of Detection and Response Report, Revealing Identity-Based Attacks as Top Threat in 2022
- Brad Duncan at Malware Traffic Analysis
  - 2022-05-23 – IcedID infection with DarkVNC traffic
- Geovany Sabillon at Breachquest
  - More_eggs is Back
- BushidoToken
  - Ofgem Energy Bill Rebate Phishing Fraud
- CERT-AGID
  - Summary of malicious campaigns in the week of 21 – 27 May 2022
- Check Point Research
  - 23rd May – Threat Intelligence Report
- Cisco’s Talos
- Greg Darwin at Cobalt Strike Research and Development
  - Out Of Band Update: Cobalt Strike 4.6.1
- Cofense
  - Energy/Infrastructure Enterprises Targeted by HTML Phishing Campaign
  - Phishing Takeaways from the Conti Ransomware Leaks – Part 2
  - Phishing Takeaways from the Conti Ransomware Leaks – Part 3
  - Hackers Utilize SwissTransfer To Deploy Phishing Scam
  - SEG Effectiveness: Three Takeaways from the 2022 State of Phishing Report
- Sven Defatsch at Compass Security
  - BloodHound Inner Workings & Limitations – Part 3: Session Enumeration Through Remote Registry & Summary
- Corelight
- CrowdStrike
- CyberCX
  - Intelligence Update. Solomon Islands-China Security Agreement: Implications for Regional Cyber Risk
- Cyberknow
  - Update 14. 2022 Russia-Ukraine war — Cyber group tracker. May 22.
- Cyborg Security
  - 6 Threat Hunting Ideas You Can Use Today!
- Darktrace
  - Pulling back the curtain on Grief ransomware
- Tim Helming at DomainTools
  - Network Traffic Analysis and Adversary Infrastructure
- EclecticIQ
  - Tools to Identify Exfiltration of Large Cryptocurrency Holdings Will Reduce Risk of Large Cyberattacks and Fraud on DeFi Platforms
- Eclypsium
  - Quanta Servers (Still) Vulnerable to Pantsdown
- Flashpoint
- Gabor Matuz
  - Your users are getting phished. Now what?! Part 1
- Harshit Rajpal at Hacking Articles
  - Domain Escalation: Unconstrained Delegation
- Dray Agha at Huntress
  - The Mechanics of Defense Evasion
- InfoSec Write-ups
- Dmitry Melikov at InQuest
  - Tandem Espionage
- Shoko Nakai at JPCERT/CC
  - Trends of Reported Phishing Sites and Compromised Domains in 2021
- Rakesh Seal at Keysight
  - A Comprehensive Guide on HAR Files
- LockBoxx
  - Bootcamp #20: Getting SIEM comfortable
- Chris Thompson, Free Wortley, and Gabe Martino at LunaSec
  - How two Python and PHP dependencies, ctx and Phpass, became malware that stole secrets and credentials
- Malwarebytes Labs
- Microsoft Security
- PhishLabs
- Jen Ellis at Rapid7
  - A Year on from the Ransomware Task Force Report
- Red Alert
  - Monthly Threat Actor Group Intelligence Report, March 2022 (ENG)
- SANS
- SANS Internet Storm Center
- Jake Williams, Kristen Cotten, Nathali Cano, and Christopher Peacock at Scythe
  - SCYTHE Presents: Threat Emulation: Industroyer2 Operation
- Securelist
- Security Investigation
- SOC Fortress
  - Enforcing Security in Web App Firewalls using Wazuh Active Response
- Soumyadeep Basu
  - AWS Threat Detection with Stratus Red Team
- Andy Robbins at SpecterOps
  - Automating Azure Abuse Research — Part 1
- Stefan Grimminck
  - Building a Threat Intelligence Feed using the Twitter API and a bit of code
- Sucuri
- Sygnia
- Vicente Díaz at VirusTotal
  - Introducing Autocomplete for VirusTotal Intelligence queries
- Jason Reaves and Joshua Platt at Walmart
  - SocGholish Campaigns and Initial Access Kit
UPCOMING EVENTS
- Acelab
  - Watch ACE Lab Presentation at Ondata Live on May 25, 2022
- Kelvin Balcacer at Cellebrite
  - Cellebrite UFED Cloud: Private and Public Extractions Pt. 1
- Magnet Forensics
- Recorded Future
  - Credit Card Fraud: What the Dark Web Fraudsters Don’t Want You to Know
- SANS Institute
  - Live with Ed Skoudis | RSA Conference 2022
  - Live with Carlos Carillo and Jeff McJunkin | RSA Conference 2022
  - Live with Russell Eubanks | RSA Conference 2022
  - Live with Dr Johannes Ullrich | RSA Conference 2022
  - Live with Jamie Williams | RSA Conference 2022
  - Live with Rob T Lee | RSA Conference 2022
  - Live with Carlos Carillo and Jeff McJunkin | RSA Conference 2022
  - Live with Katie Nickels | RSA Conference 2022
  - Live with Chris Cochran | RSA Conference 2022
  - Live with James Lyne | RSA Conference 2022
PRESENTATIONS/PODCASTS
- Active Countermeasures
  - Jumping the T-Shark with Chris Brenton – Video Blog
- Ali Hadi
- Archan Choudhury at BlackPerl
  - Threat Hunting Course with Jupyter, All Prerequisites covered, Part 1
  - Threat Hunting Course with Jupyter, Hunting PowerShell execution, Part 2
  - Threat Hunting Course with Jupyter, Hunting PowerShell Remote Execution, Part 3
  - Threat Hunting Course with Jupyter, Hunting for Service Creation, Part 4
  - Threat Hunting Course with Jupyter, Hunting for Persistence WMI Eventing, Part 5
  - Threat Hunting Course with Jupyter, Hunting for Privilege Escalation, Part 6
  - Threat Hunting Course with Jupyter, Hunting for Defense Evasion – DLL Injection, Part 7
  - Threat Hunting Course with Jupyter, Hunting for Credential Access – LSASS Access, Part 8
  - Threat Hunting Course with Jupyter, Hunting for Discovery – SAM Registry Hive, Part 9
  - Threat Hunting Course with Jupyter, Hunting for Lateral Movement, Part 10
  - Threat Hunting Course – Day 8, Hunt with Jupyter Notebook
- ArcPoint Forensics
  - UNALLOCATED SPACE S1: EP07: Jennifer Salvadori
- Black Hills Information Security
- Brakeing Down Security Podcast
  - news, infosystir’s talk at RSA, conti has an ‘image’ problem
- Breaking Badness
  - 122. Inside the Threat Actor’s Studio
- Heather Mahalik at Cellebrite
  - How to Create Sysdiagnose Logs for Bug Reporting on iOS Devices
- Cyber Secrets
- Day Cyberwox
- DFIRScience
  - Linux Forensics with Linux – CTF Walkthrough
- Digital Forensic Survival Podcast
  - DFSP # 327 – Persistence Part 1
- InfoSec_Bret
  - CyberDefenders – Elastic-Case
- Justin Tolman at AccessData
- Magnet Forensics
- Mathias Fuchs at CyberFox
  - Memory Forensics with Jupyter Notebooks #DFIR
- OALabs
  - Malware Triage Tips: How To Stop Wasting Time in IDA On Packed Samples [Twitch Clip]
- Phil Cobley and Adam Firman at ‘Forensics Reformatted’
  - Episode 1: New Beginnings
- PyCon US
  - Talk – Aaron Stephens: Python for Threat Intelligence
- Scythe
  - AMA with Jake Williams
- The Defender’s Advantage Podcast
  - Frontline Stories: OT/ICS Security
- The Digital Forensics Files Podcast
  - Stephen Cordon and Tyler Hatch of DFI Forensics
MALWARE
- Chuong Dong at 0ffset
  - BAZARLOADER: Analysing The Main Loader
- ASEC
  - ASEC Weekly Malware Statistics (May 9th, 2022 – May 15th, 2022)
  - Kimsuky’s Attack Attempts Disguised as Press Releases of Various Topics
  - Method that Tricks Users to Perceive Attachment of PDF File as Safe File
  - XLL Malware Distributed Through Email
  - ASEC Weekly Malware Statistics (May 16th, 2022 – May 22nd, 2022)
- Erik Pistelli at Cerbero
  - Internal Project Files
- Anandeshwar Unnikrishnan at CloudSEK
  - Technical Analysis of Emerging, Sophisticated Pandora Ransomware Group
- Cyble
- Bar Block at Deep Instinct
  - Blame the Messenger: 3 Types of Dropper Malware in Microsoft Office & How to Detect Them
- Doug Burks at Security Onion
- Fortinet
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #91: Item flags
- Microsoft Security
  - Android apps with millions of downloads exposed to high-severity vulnerabilities
- Mike at “CyberSec & Ramen”
  - Analyzing the Royal Road to Space Pirates
- Muhammad Hasan Ali at muha2xmad
  - Full Anubis android malware analysis
- Nikola
  - Cuckoo 3 Installation Guide
- OALabs Research
  - Does Entropy Matter? A Pseudoscientific Study!
- petikvx
  - CryptoLock AutoIT
  - Crackinglessons crackme2 keyfile
  - Crackinglessons Crackme1 Patch
  - Freedomteam Ransomware
  - Pxj Ransomware
  - Symmi Ransomware
  - YourCyanide Ransomware
  - Babuk Ransomware ttii
  - Goodwill Ransomware
  - Sodinokibi Ransomware
  - Viruschecker check api premium virustotal
  - Infinitylock Ransomware
  - DeriaLock
  - Birele Ransomware
  - BadRabbit Ransomware – How to extract infpub.dat
  - BadRabbit Ransomware
  - 7ev3n Ransomware
  - Trojan.Win32.Agentb.klur Analysis
  - Brightblack Ransomware
  - PolyRansom Ransomware
  - Petya Ransomware
  - NoMoreRansom Ransomware
  - Conti Ransomware .TIYSV
  - How to quickly create a malware analysis VM
- Poncho
- Aedan Russell at Red Canary
  - ChromeLoader: a pushy malvertiser
- Kevin Henson and Dave McMillen at Security Intelligence
  - Black Basta Besting Your Network?
- Phil Stokes at SentinelLabs
  - Use of Obfuscated Beacons in ‘pymafka’ Supply Chain Attack Signals a New Trend in macOS Attack TTPs
- Ax Sharma at Sonatype
  - PyPI package ‘ctx’ and PHP library ‘phpass’ compromised to steal environment variables
- Squiblydoo.blog
  - Solarmarker: May 2022 Persistence
- Team Cymru
  - Bablosoft; Lowering the Barrier of Entry for Malicious Actors
- Arianne Dela Cruz, Byron Gelera, McJustine De Guzman, and Warren Sto.Tomas at Trend Micro
  - New Linux-Based Ransomware ‘Cheerscrypt’ Targets ESXi Devices
- Bernard Bautista at Trustwave SpiderLabs
  - Grandoreiro Banking Malware Resurfaces for Tax Season
- Oleg Boyarchuk and Stefano Ortolani at VMware Security
  - Emotet Config Redux
MISCELLANEOUS
- Adam at Hexacorn
  - Not installing the installers, part 2
- Anton Chuvakin
  - Anton’s Security Blog Quarterly Q2 2022
- Belkasoft
  - [Free On-demand Course] Incident Investigations with Belkasoft X
- Brett Shavers
- Cybereason
- Didier Stevens
  - PoC: Cobalt Strike mitm Attack
- Erik Hjelmvik at Netresec
  - Real-time PCAP-over-IP in Wireshark
- Forensic Focus
  - In April, Research Examines Reliability, Hybrid Learning, and New Insights on Familiar Names
- Holly Kennedy
  - Welcome to The Open DFIR Policies and Procedures Manual!
- John Doyle at Mandiant
  - Introducing the Mandiant Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework
- Kibaffo33
  - Tempo, a lightweight timestamp for MacOS
- Magnet Forensics
  - New Guide: Modernizing Digital Forensics Workflows with Magnet AUTOMATE Enterprise
- Ashwin Radhakrishnan at MITRE-Engenuity – Medium
  - MITRE Engenuity ATT&CK® Evaluations Results from Deception Trials
- Neil Thacker at Netskope
  - What to Do in the First 24 Hours After You’ve Been Breached
- Warwick Webb at Rapid7
  - DFIR Without Limits: Moving Beyond the “Sucker’s Choice” of Today’s Breach Response Services
- Brittany Roberts at ADF
  - 5 Tips for Getting the Right Digital Investigation Software
- Salvation DATA
  - 18 Areas of Computer Forensics Services in a Nutshell
- Megan Roddie at SANS
  - FOR509 Course Update – Introducing Google Workspace, the Multi-Cloud Intrusion Challenge, and more
- Jennifer Gregory at Security Intelligence
  - How to Respond to Non-Malicious Data Breaches
- Shinigami
  - Mental Health and Burnout in CTI
SOFTWARE UPDATES
- Amped
  - Amped Replay Update 24783: Annotation Grouping, Color Matching Eyedropper Tool, Simplified Enhancement View, and Much More
- Apache Tika
  - Release 1.28.3 – 5/23/2022
- Vitaliy Mokosiy at Atola
  - Wipe multiple drives in Atola Insight Forensic 5.2
- Didier Stevens
- Eric Zimmerman
  - ChangeLog
- F-Response
  - F-Response 8.3.1.15 and Collect 4.0.1.7 Released – Updates to Collect, Classic, and Universal
- Metaspike
  - Forensic Email Collector v3.15 Released
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!