As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Asger S
  Deadhost Investigation and Super Timeline
  
  
• Block Magnates
  Rikkei Finance Hack: Explained
  
  
• Cassie Doemel at AboutDFIR
  App Timeline Provider – SRUM Database
  
  
• Chris at AskClees
  Decrypting Mega Preferences (Part 2)
  
  
• Dr. Brian Carrier at Cyber Triage
  Cyber Triage Lite – Identifying Malware
  
  
• Digital Forensics Myanmar
  • Imaging Unlocated Space  & Install FTK Imager On USB
  • What Is Call Details Record (CDR) and BTS Tracking
  • FAT 32 File System
    
    
• Forensafe
  Investigating Paint MRU
  
  
• Nicole Fishbein at Intezer
  How to Analyze Phishing Email Files
  
  
• Lina Lau at Inversecos
  How to Perform Clipboard Forensics: ActivitiesCache.db, Memory Forensics and Clipboard History
  
  
• LMG Security
  Understanding Phishing Attacks & Spear Phishing
  
  
• Michael Koczwara
  LetsDefend: Suspicious Certutil.exe Usage
  
  
• Andrew Paverd at Microsoft Security Response Center
  New Research Paper: Pre-hijacking Attacks on Web User Accounts
  
  
• Roshan at Open Source DFIR
  Investigating a GKE Container
  
  
• Oxygen Forensics
  6 Email Services Supported in Oxygen Forensic® Detective
  

THREAT INTELLIGENCE/HUNTING

• 360 Total Security
  Win11 users beware! Magniber ransomware has been upgraded again, aiming at win11
  
  
• Akamai
  • REvil Resurgence? Or a Copycat?
  • DNS: The Easiest Way to Exfiltrate Data?
    
    
• Anomali
  Anomali Cyber Watch: Conti’s Talent Goes to Other Ransom Groups, China-Based Espionage Targets Russia, XorDdos Stealthy Linux Trojan is on the Rise, and More
  
  
• Julius Charles at AT&T Cybersecurity
  Suspicious behavior: OTX Indicator of Compromise – Detection & response
  
  
• AttackIQ
  • IDC’s Top Insights Around Purple Teaming
  • Announcing AttackIQ’s Malware Emulation Attack Graphs
    
    
• Avertium
  An In-Depth Look at AvosLocker Ransomware
  
  
• Raghvendra Mishra at Awake Security
  Finding the Needle in Haystack: Threat Hunting for Attacker Activity within DNS over HTTPS(DoH)
  
  
• Bitdefender
  • The Origin of Ransomware – Exploring the evolution of one of cybersecurity’s most prolific threats
  • How to Choose a Threat Intelligence Provider
    
    
• Blackberry
  Yashma Ransomware, Tracing the Chaos Family Tree
  
  
• BleepingComputer
  • Industrial Spy data extortion market gets into the ransomware game
  • New ERMAC 2.0 Android malware steals accounts, wallets from 467 apps
  • Intuit warns of QuickBooks phishing threatening to suspend accounts
  • New Windows Subsystem for Linux malware steals browser auth cookies
    
    
• Erica Mixon at Blumira
  Blumira Releases 2022 State of Detection and Response Report, Revealing Identity-Based Attacks as Top Threat in 2022
  
  
• Brad Duncan at Malware Traffic Analysis
  2022-05-23 – IcedID infection with DarkVNC traffic
  
  
• Geovany Sabillon at Breachquest
  More_eggs is Back
  
  
• BushidoToken
  Ofgem Energy Bill Rebate Phishing Fraud
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 21 – 27 maggio 2022
  
  
• Check Point Research
  23rd May – Threat Intelligence Report
  
  
• Cisco’s Talos
  • Threat Source newsletter (May 26, 2022) — BlackByte adds itself to the grocery list of big game hunters
  • Threat Roundup for May 20 to May 27
    
    
• Greg Darwin at Cobalt Strike Research and Development
  Out Of Band Update: Cobalt Strike 4.6.1
  
  
• Cofense
  • Energy/Infrastructure Enterprises Targeted by HTML Phishing Campaign
  • Phishing Takeaways from the Conti Ransomware Leaks – Part 2
  • Phishing Takeaways from the Conti Ransomware Leaks – Part 3
  • Hackers Utilize SwissTransfer To Deploy Phishing Scam
  • SEG Effectiveness: Three Takeaways from the 2022 State of Phishing Report
    
    
• Sven Defatsch at Compass Security
  BloodHound Inner Workings & Limitations – Part 3: Session Enumeration Through Remote Registry & Summary
  
  
• Corelight
  • Corelight Investigator accelerates threat hunting
  • Detecting CVE-2022-26937 with Zeek
  • Detecting CVE-2022-23270 in PPTP
    
    
• CrowdStrike
  • Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun
  • How Defenders Can Hunt for Malicious JScript Executions: A Perspective from OverWatch Elite
    
    
• CyberCX
  Intelligence Update. Solomon Islands-China Security Agreement: Implications for Regional Cyber Risk
  
  
• Cyberknow
  Update 14. 2022 Russia-Ukraine war — Cyber group tracker. May 22.
  
  
• Cyborg Security
  6 Threat Hunting Ideas You Can Use Today!
  
  
• Darktrace
  Pulling back the curtain on Grief ransomware
  
  
• Tim Helming at DomainTools
  Network Traffic Analysis and Adversary Infrastructure
  
  
• EclecticIQ
  Tools to Identify Exfiltration of Large Cryptocurrency Holdings Will Reduce Risk of Large Cyberattacks and Fraud on DeFi Platforms
  
  
• Eclypsium
  Quanta Servers (Still) Vulnerable to Pantsdown
  
  
• Flashpoint
  • The Evolution of Ransomware: Understanding Its Past, Present, and Future
  • Insider Threats: Recruitment Tactics and TTPs You Should Prepare For
    
    
• Gabor Matuz
  Your users are getting phished. Now what?! Part 1
  
  
• Harshit Rajpal at Hacking Articles
  Domain Escalation: Unconstrained Delegation
  
  
• Dray Agha at Huntress
  The Mechanics of Defense Evasion
  
  
• InfoSec Write-ups
  • Antivirus Evasion
  • Operational Methodologies of Cyber Terrorist Organization “Transparent Tribe”
  • Firewall Evasion Techniques using Nmap
    
    
• Dmitry Melikov at InQuest
  Tandem Espionage
  
  
• Shoko Nakai at JPCERT/CC
  Trends of Reported Phishing Sites and Compromised Domains in 2021
  
  
• Rakesh Seal at Keysight
  A Comprehensive Guide on HAR Files
  
  
• LockBoxx
  Bootcamp #20: Getting SIEM comfortable
  
  
• Chris Thompson, Free Wortley, and Gabe Martino at LunaSec
  How two Python and PHP dependencies, ctx and Phpass, became malware that stole secrets and credentials
  
  
• Malwarebytes Labs
  • Unknown APT group has targeted Russia repeatedly since Ukraine invasion
  • How the Saitama backdoor uses DNS tunnelling
    
    
• Microsoft Security
  • Anatomy of a DDoS amplification attack
  • Detecting and preventing privilege escalation attacks leveraging Kerberos relaying (KrbRelayUp)
    
    
• PhishLabs
  • Report: Quarterly Threat Trends & Intelligence – May 2022
  • Vishing Attacks Are at an All-Time High, Report Finds
    
    
• Jen Ellis at Rapid7
  A Year on from the Ransomware Task Force Report
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, March 2022 (ENG)
  
  
• SANS
  • Purple Teaming Threat-Informed Detection Engineering
  • How to Use Phishing Benchmarks Effectively to Assess Your Program – Part 3
    
    
• SANS Internet Storm Center
  • ctx Python Library Updated with “Extra” Features, (Tue, May 24th)
  • Attacker Scanning for jQuery-File-Upload, (Mon, May 23rd)
  • Using NMAP to Assess Hosts in Load Balanced Clusters, (Wed, May 25th)
  • Huge Signed PE File, (Thu, May 26th)
  • Huge Signed PE File: Keeping The Signature, (Sat, May 28th)
    
    
• Jake Williams, Kristen Cotten, Nathali Cano, and Christopher Peacock at Scythe
  SCYTHE Presents: Threat Emulation: Industroyer2 Operation
  
  
• Securelist
  • Managed detection and response in 2021
  • The Verizon 2022 DBIR
    
    
• Security Investigation
  • How to Detect Raising New XORDDOS Linux Trojan
  • Splunk Commands – BIN and its Arguments
  • PDF Campaign Delivering Snake Keylogger
    
    
• SOC Fortress
  Enforcing Security in Web App Firewalls using Wazuh Active Response
  
  
• Soumyadeep Basu
  AWS Threat Detection with Stratus Red Team
  
  
• Andy Robbins at SpecterOps
  Automating Azure Abuse Research — Part 1
  
  
• Stefan Grimminck
  Building a Threat Intelligence Feed using the Twitter API and a bit of code
  
  
• Sucuri
  • Credit Card Stealer Targets PsiGate Payment Gateway Software
  • Top Ten Most Cumbersome Website Infections to Remove in 2021
    
    
• Sygnia
  • Hybrid Phishing Attack Vector – Complementing Phishing Campaigns With Wide Infrastructure Exploitations
  • How to Detect TOR Network Connections with Falco
    
    
• Vicente Díaz at VirusTotal
  Introducing Autocomplete for VirusTotal Intelligence queries
  
  
• Jason Reaves and Joshua Platt at Walmart
  SocGholish Campaigns and Initial Access Kit
  

UPCOMING EVENTS

• Acelab
  Watch ACE Lab Presentation at Ondata Live on May 25, 2022
  
  
• Kelvin Balcacer at Cellebrite
  Cellebrite UFED Cloud: Private and Public Extractions Pt. 1
  
  
• Magnet Forensics
  • Log Analysis
  • Tips & Tricks // Get To Evidence Faster in DVR Examiner
    
    
• Recorded Future
  Credit Card Fraud: What the Dark Web Fraudsters Don’t Want You to Know
  
  
• SANS Institute
  • Live with Ed Skoudis | RSA Conference 2022
  • Live with Carlos Carillo and Jeff McJunkin | RSA Conference 2022
  • Live with Russell Eubanks | RSA Conference 2022
  • Live with Dr Johannes Ullrich | RSA Conference 2022
  • Live with Jamie Williams | RSA Conference 2022
  • Live with Rob T Lee | RSA Conference 2022
  • Live with Carlos Carillo and Jeff McJunkin | RSA Conference 2022
  • Live with Katie Nickels | RSA Conference 2022
  • Live with Chris Cochran | RSA Conference 2022
  • Live with James Lyne | RSA Conference 2022
    

PRESENTATIONS/PODCASTS

• Active Countermeasures
  Jumping the T-Shark with Chris Brenton – Video Blog
  
  
• Ali Hadi
  • Comparison between Loading a Dirty and Clean Windows.edb using WinSearchDBAnalyzer
  • Fixing Windows edb and using WinSearchDBAnalyzer
    
    
• Archan Choudhury at BlackPerl
  • Threat Hunting Course with Jupyter, All Prerequisites covered, Part 1
  • Threat Hunting Course with Jupyter, Hunting PowerShell execution , Part 2
  • Threat Hunting Course with Jupyter, Hunting PowerShell Remote Execution , Part 3
  • Threat Hunting Course with Jupyter, Hunting for Service Creation , Part 4
  • Threat Hunting Course with Jupyter, Hunting for Persistence WMI Eventing , Part 5
  • Threat Hunting Course with Jupyter, Hunting for Privilege Escalation , Part 6
  • Threat Hunting Course with Jupyter, Hunting for Defense Evasion- DLL Injection , Part 7
  • Threat Hunting Course with Jupyter, Hunting for Credential Access-LSASS Access, Part 8
  • Threat Hunting Course with Jupyter, Hunting for Discovery- SAM Registry Hive, Part 9
  • Threat Hunting Course with Jupyter, Hunting for Lateral Movement, Part 10
  • Threat Hunting Course- Day 8, Hunt with Jupyter Notebook
    
    
• ArcPoint Forensics
  UNALLOCATED SPACE S1: EP07: Jennifer Salvadori
  
  
• Black Hills Information Security
  • Spoofing Microsoft 365 Like It’s 1995
  • Talkin’ About Infosec News – 4/25/2022
  • BHIS | Intro to Windows Event Collecting | Nick & Noah | 1 Hour
  • BHIS | Intro to Windows Event Collecting | Nick & Noah | 1-Hour
    
    
• Brakeing Down Security Podcast
  news, infosystir’s talk at RSA, conti has an ‘image’ problem
  
  
• Breaking Badness
  122. Inside the Threat Actor’s Studio
  
  
• Heather Mahalik at Cellebrite
  How to Create Sysdiagnose Logs for Bug Reporting on iOS Devices
  
  
• Cyber Secrets
  • CSI Linux 2022 1 Prerelease updates May 27th 2022
  • Unveiling CSI Linux 2022.1 – A complete rebuild
    
    
• Day Cyberwox
  • Exploiting AWS – Attacker’s Perspective (Flaws2.Cloud)
  • Day In The Life | Cloud Threat Detection Engineer at Datadog | Work Vlog
    
    
• DFIRScience
  Linux Forensics with Linux – CTF Walkthrough
  
  
• Digital Forensic Survival Podcast
  DFSP # 327 – Persistence Part 1
  
  
• InfoSec_Bret
  CyberDefenders – Elastic-Case
  
  
• Justin Tolman at AccessData
  • CISA Ep4 Containment
  • FTK Feature Focus – Episode 44 – Additional Carvers for FTK 7.5.2
    
    
• Magnet Forensics
  • How to Investigate a Ransomware Attack
  • Legally Investigating the Cloud: Your Questions Answered
  • Jumpstart Incident Response with YARA Rule Scanning in AXIOM Cyber
    
    
• Mathias Fuchs at CyberFox
  Memory Forensics with Jupyter Notebooks #DFIR
  
  
• OALabs
  Malware Triage Tips: How To Stop Wasting Time in IDA On Packed Samples [ Twitch Clip ]
  
  
• Phil Cobley and Adam Firman at ‘Forensics Reformatted’
  Episode 1: New Beginnings
  
  
• PyCon US
  Talk – Aaron Stephens: Python for Threat Intelligence
  
  
• Scythe
  AMA with Jake Williams
  
  
• The Defender’s Advantage Podcast
  Frontline Stories: OT/ICS Security
  
  
• The Digital Forensics Files Podcast
  Stephen Cordon and Tyler Hatch of DFI Forensics
  

MALWARE

• Chuong Dong at 0ffset
  BAZARLOADER: Analysing The Main Loader
  
  
• ASEC
  • ASEC Weekly Malware Statistics (May 9th, 2022 – May 15th, 2022)
  • Kimsuky’s Attack Attempts Disguised as Press Releases of Various Topics
  • Method that Tricks Users to Perceive Attachment of PDF File as Safe File
  • XLL Malware Distributed Through Email
  • ASEC Weekly Malware Statistics (May 16th, 2022 – May 22nd, 2022)
    
    
• Erik Pistelli at Cerbero
  Internal Project Files
  
  
• Anandeshwar Unnikrishnan at CloudSEK
  Technical Analysis of Emerging, Sophisticated Pandora Ransomware Group
  
  
• Cyble
  • ERMAC Back In Action
  • New malware Campaign delivers Android RAT
    
    
• Bar Block at Deep Instinct
  Blame the Messenger: 3 Types of Dropper Malware in Microsoft Office & How to Detect Them
  
  
• Doug Burks at Security Onion
  • Quick Malware Analysis: Emotet and Cobalt Strike pcap from 2022-03-29
  • Quick Malware Analysis: IcedID, Bokbot, and DarkVNC pcap from 2022-05-23
    
    
• Fortinet
  • New Nokoyawa Variant Catching Up to Peers with Blatant Code Reuse
  • Spoofed Saudi Purchase Order Drops GuLoader: Part 1
  • Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part II
    
    
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #91: Item flags
  
  
• Microsoft Security
  Android apps with millions of downloads exposed to high-severity vulnerabilities
  
  
• Mike at “CyberSec & Ramen”
  Analyzing the Royal Road to Space Pirates
  
  
• Muhammad Hasan Ali at muha2xmad
  Full Anubis android malware analysis
  
  
• Nikola
  Cuckoo 3 Installation Guide
  
  
• OALabs Research
  Does Entropy Matter? A Pseudoscientific Study!
  
  
• petikvx
  • CryptoLock AutoIT
  • Crackinglessons crackme2 keyfile
  • Crackinglessons Crackme1 Patch
  • Freedomteam Ransomware
  • Pxj Ransomware
  • Symmi Ransomware
  • YourCyanide Ransomware
  • Babuk Ransomware ttii
  • Goodwill Ransomware
  • Sodinokibi Ransomware
  • Viruschecker check api premium virustotal
  • Infinitylock Ransomware
  • DeriaLock
  • Birele Ransomware
  • BadRabbit Ransomware – How to extract infpub.dat
  • BadRabbit Ransomware
  • 7ev3n Ransomware
  • Trojan.Win32.Agentb.klur Analyzes
  • Brightblack Ransomware
  • PolyRansom Ransomware
  • Petya Ransomware
  • NoMoreRansom Ransomware
  • Conti Ransomware .TIYSV
  • How to create quickly malware’s VM analyzes
    
    
• Poncho
  • FlareVM Tips and Tricks
  • Identifying Cobalt Strike
    
    
• Aedan Russell at Red Canary
  ChromeLoader: a pushy malvertiser
  
  
• Kevin Henson and Dave McMillen at Security Intelligence
  Black Basta Besting Your Network?
  
  
• Phil Stokes at SentinelLabs
  Use of Obfuscated Beacons in ‘pymafka’ Supply Chain Attack Signals a New Trend in macOS Attack TTPs
  
  
• Ax Sharma at Sonatype
  PyPI package ‘ctx’ and PHP library ‘phpass’ compromised to steal environment variables
  
  
• Squiblydoo.blog
  Solarmarker: May 2022 Persistence
  
  
• Team Cymru
  Bablosoft; Lowering the Barrier of Entry for Malicious Actors
  
  
• Arianne Dela Cruz, Byron Gelera, McJustine De Guzman, and Warren Sto.Tomas at Trend Micro
  New Linux-Based Ransomware ‘Cheerscrypt’ Targets EXSi Devices
  
  
• Bernard Bautista at Trustwave SpiderLabs
  Grandoreiro Banking Malware Resurfaces for Tax Season
  
  
• Oleg Boyarchuk and Stefano Ortolani at VMware Security
  Emotet Config Redux
  

MISCELLANEOUS

• Adam at Hexacorn
  Not installing the installers, part 2
  
  
• Anton Chuvakin
  Anton’s Security Blog Quarterly Q2 2022
  
  
• Belkasoft
  [Free On-demand Сourse] Incident Investigations with Belkasoft X
  
  
• Brett Shavers
  • “By the book”
  • Amazon lowered the price of the X-Ways Forensics Practitioner’s Guide?!?
  • That sliver of space between first and second place in the DFIR space
  • Amazon Reviews of X-Ways Forensics Practitioner’s Guide/Second Edition
    
    
• Cybereason
  • Targeted by Ransomware? Here are Three Things to Do Straight Away
  • Cybereason Improves Investigation, Enhances Protection and Infrastructure Management
  • Improving SOC Workflows with Cybereason Role-Based Incident Response
    
    
• Didier Stevens
  PoC: Cobalt Strike mitm Attack
  
  
• Erik Hjelmvik at Netresec
  Real-time PCAP-over-IP in Wireshark
  
  
• Forensic Focus
  In April, Research Examines Reliability, Hybrid Learning, and New Insights on Familiar Names
  
  
• Holly Kennedy
  Welcome to The Open DFIR Policies and Procedures Manual!
  
  
• John Doyle at Mandiant
  Introducing the Mandiant Cyber Threat Intelligence (CTI) Analyst Core Competencies Framework
  
  
• Kibaffo33
  Tempo, a lightweight timestamp for MacOS
  
  
• Magnet Forensics
  New Guide: Modernizing Digital Forensics Workflows with Magnet AUTOMATE Enterprise
  
  
• Ashwin Radhakrishnan at MITRE-Engenuity – Medium
  MITRE Engenuity ATT&CKⓇ Evaluations Results from Deception Trials
  
  
• Neil Thacker at Netskope
  What to Do in the First 24 Hours After You’ve Been Breached
  
  
• Warwick Webb at Rapid7
  DFIR Without Limits: Moving Beyond the “Sucker’s Choice” of Today’s Breach Response Services
  
  
• Brittany Roberts at ADF
  5 Tips for Getting the Right Digital Investigation Software
  
  
• Salvation DATA
  18 Areas of Computer Forensics Services in a Nutshell
  
  
• Megan Roddie at SANS
  FOR509 Course Update – Introducing Google Workspace, the Multi-Cloud Intrusion Challenge, and more
  
  
• Jennifer Gregory at Security Intelligence
  How to Respond to Non-Malicious Data Breaches
  
  
• Shinigami
  Mental Health and Burnout in CTI
  

SOFTWARE UPDATES

• Amped
  Amped Replay Update 24783: Annotation Grouping, Color Matching Eyedropper Tool, Simplified Enhancement View, and Much More
  
  
• Apache Tika
  Release 1.28.3 – 5/23/2022
  
  
• Vitaliy Mokosiy at Atola
  Wipe multiple drives in Atola Insight Forensic 5.2
  
  
• Didier Stevens
  • Update: 1768.py Version 0.0.14
  • Update: pdf-parser.py Version 0.7.6
  • Update: re-search.py Version 0.0.20
  • Update: pecheck.py Version 0.7.15
  • Update: Python Templates Version 0.0.7
    
    
• Eric Zimmerman
  ChangeLog
  
  
• F-Response
  F-Response 8.3.1.15 and Collect 4.0.1.7 Released – Updates to Collect, Classic, and Universal
  
  
• Metaspike
  Forensic Email Collector v3.15 Released
  
  
• Xways
  • X-Ways Forensics 20.1 SR-14
  • X-Ways Forensics 20.2 SR-9
  • X-Ways Forensics 20.3 SR-11
  • X-Ways Forensics 20.4 SR-7
  • X-Ways Forensics 20.5 SR-2
  • X-Ways Forensics 20.6 Preview 1
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!