As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• 4Discovery
  Case Study: The Executive Stealing Company Data
  
  
• Cado Security
  Tales From the Honeypot: WatchDog Evolves With a New Multi-Stage Cryptojacking Attack
  
  
• Dr. Brian Carrier at Cyber Triage
  Cyber Triage Lite – Identifying OS Configuration
  
  
• Luca Ebach at cyber.wtf
  Windows Registry Analysis – Today’s Episode: Tasks
  
  
• Krzysztof Gajewski at CyberDefNerd
  How long was the malicious PowerShell script active on the compromised machine?
  
  
• Derek Eiri
  Exploring OCR Capability (Tesseract) with XWF
  
  
• Scott Koenig at DFIR Review
  iOS Settings Display Auto-Lock & Require Passcode
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  A Takedown Notice for My Honeypot
  
  
• InfoSec Write-ups
  • Tryhackme ramanalysis Writeup
  • Tryhackme tsharkpcapanalysis Writeup
  • Tryhackme linuxloganalysis Writeup
  • Tryhackme Pcap Analysis Room Official Writeup
    
    
• Mike at ØSecurity
  VSS Carving – Pt. 1, Setup
  
  
• Niels Vanhaecke at NVISO Labs
  Detecting BCD Changes To Inhibit System Recovery
  
  
• Oxygen Forensics
  Top 4 Photo Gallery Apps that are Supported in Oxygen Forensic® Detective
  
  
• Salvation DATA
  Handling Digital Evidence – The Chain of Custody in Digital Forensics
  
  
• Shanna Daly at ‘Fancy Forensics’
  ACSC BSides IR Challenge 2021 – 05 – Domain Delving
  
  
• Williams Kosasi
  Cellebrite CTF 2022 Writeup
  

THREAT INTELLIGENCE/HUNTING

• Confluence vulnerability
  • Zero-Day Exploitation of Atlassian Confluence
  • CVE-2022-26134: Confluenza Omicron Edition
  • Threat Advisory: Atlassian Confluence zero-day vulnerability under active exploitation
  • Active Exploitation of Confluence CVE-2022-26134
  • CVE-2022–26134 — Zero-Day Exploitation of Atlassian Confluence
  • Atlassian Confluence Vulnerability CVE-2022-26134
  • Detecting and mitigating CVE-2022-26134: Zero day at Atlassian Confluence
  • CVE-2022-26134: Zero-Day Vulnerability in Atlassian Confluence Server and Data Center Exploited in the Wild
  • Trustwave’s Action Response: Atlassian Confluence CVE-2022-26134
    
    
• Follina vulnerability
  • Follina- MSDT Exploit- CVE2022-30190 Explained with Detection and Mitigation
  • Testing your defenses against CVE-2022-30190: MSDT “Follina” 0-Day 
  • Outbreak of Follina in Australia
  • Technical Advisory: CVE-2022-30190 Zero-day Vulnerability “Follina” in Microsoft Support Diagnostic Tool
  • Microsoft RCE “Follina” Zero-Day (CVE-2022-30190) Found In MSDT, Office
  • CrowdStrike Falcon Protects Customers from Follina (CVE-2022-30190)
  • OverWatch Casts a Wide Net for Follina: Hunting Beyond the Proof of Concept
  • New Zero–day Exploit spotted in the wild
  • CVE-2022-30190 Actively Exploited in the Wild: MSDT Vulnerability Used For Spreading PowerShell Stealer
  • LetsDefend- SOC 173- Follina 0-Day detected // Microsoft Windows Support Diagnostic Tool (MSDT)…
  • Defeating a brand new Microsoft Office zero-day attack with ZT CDR
  • CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT) RCE Vulnerability “Follina”
  • Microsoft Office Remote Code Execution – “Follina” MSDT Attack
  • Detect MSDT 0day – Follina
  • Follina — a Microsoft Office code execution vulnerability
  • Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability
  • New Microsoft Office “Follina” zero-day Already Shared on Ransomware Forums
  • CVE-2022-30190: New Zero-Day Vulnerability (Follina) in Microsoft Support Diagnostic Tool
  • Threat Brief: CVE-2022-30190 – MSDT Code Execution Vulnerability
  • CVE-2022-30190: “Follina” Microsoft Support Diagnostic Tool Vulnerability
  • Threat analysis: MSDT exploit with maldocs
  • Follina MSDT Zero-Day Q&A
  • SANS Emergency Webcast: Follina MSDT (MS Word) 0-day – Analysis and Remediation w/ Jake Williams
  • First Exploitation of Follina Seen in the Wild, (Tue, May 31st)
  • New Microsoft Office Zero-day “Follina” – Detection & Response
  • Wazuh Detection Rules for MS RCE CVE-2022–30190, “Follina”.
  • Malicious Word doc taps previously unknown Microsoft Office vulnerability
  • RCE à La Follina (CVE-2022-30190)
  • Trustwave’s Action Response: Microsoft zero-day CVE-2022-30190 (aka Follina)
  • Nuova tecnica di attacco su MicrosoftOffice – Follina
    
    
• Bhabesh Raj Rai at Active Countermeasures
  Threat Hunting Process Injection With Jupyter Notebook and Sysmon
  
  
• Anomali
  Anomali Cyber Watch: TURLA’s New Phishing-Based Reconnaissance Campaign in Eastern Europe, Unknown APT Group Has Targeted Russia Repeatedly Since Ukraine Invasion and More
  
  
• Anton Chuvakin
  Detection as Code? No, Detection as COOKING!
  
  
• AttackIQ
  • MITRE ATT&CK at Seven: The Seven Biggest Milestones
  • Response to US-CERT Alert AA22-152A – Karakurt Data Extortion Group 
  • Attack Graph Response to US CERT AA22-152A: Karakurt Data Extortion Group 
    
    
• Avertium
  An In-Depth Look at Black Basta Ransomware
  
  
• AWS Security
  • Correlate IAM Access Analyzer findings with Amazon Macie
  • IAM policy types: How and when to use them
    
    
• Martin Zugec at Bitdefender
  Homograph Phishing Attacks – When User Awareness Is Not Enough
  
  
• Blackberry
  • BlackBerry Prevents BoratRAT
  • Threat Thursday: BlackCat Slinks Out of the Shadows with Ransomware-as-a-Service
    
    
• CERT Ukraine
  Кібератака на державні організації України з використанням шкідливої програми Cobalt Strike Beacon та експлойтів до вразливостей CVE-2021-40444 і CVE-2022-30190 (CERT-UA#4753)
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 28 maggio – 03 giugno 2022
  
  
• Check Point Research
  30th May – Threat Intelligence Report
  
  
• Cisco’s Talos
  • Threat Source newsletter (June 2, 2022) — An RSA Conference primer
  • Threat Roundup for May 27 to June 3
    
    
• CloudSEK
  Analysis and Attribution of the Eternity Ransomware: Timeline and Emergence of the Eternity Group
  
  
• Stan Kiefer at Corelight
  Enriching NDR logs with context
  
  
• CrowdStrike
  • Naming Adversaries and Why It Matters to Your Security Team
  • How CrowdStrike Achieves Lightning-Fast Machine Learning Model Training with TensorFlow and Rust
  • Detecting Poisoned Python Packages: CTX and PHPass
  • CrowdStrike Uncovers New MacOS Browser Hijacking Campaign
    
    
• CyberArk
  2022 Verizon DBIR: 15 Years, 15 Takeaways
  
  
• Cybereason
  • How to Choose the Right Endpoint Sensor
  • Spear Phishing: A Technical Case Study for XDR
  • Latest SOC Survey Anticipates Shift Toward MDR and XDR
    
    
• Cyberwarzone
  • Security reports on Killnet (Collection)
  • Killnet aims towards USA after Italy
  • Killnet pays respect to Italian CSIRT
  • URLscan threat hunting for beginners
    
    
• Cyble
  Cyberattacks on Government Machinery
  
  
• Simon Kenin at Deep Instinct
  Iranian Threat Actor Continues to Develop Mass Exploitation Tools
  
  
• Kyle O’Meara and Michael Gardner at Dragos
  End of Life of an Indicator of Compromise (IOC)
  
  
• Esentire
  • The Popular Malware Downloader, GootLoader, Expands its Payloads Yet Again, Infecting a Law Firm with IcedID
  • Gootkit Loader Returns to Deliver Cobalt Strike
    
    
• Shunichi Imano, James Slaughter, Gergely Revay and Fred Gutierrez at Fortinet
  Threat Actors Prey on Eager Travelers
  
  
• Gabor Matuz
  Your users are getting phished. Fight back!
  
  
• Nikita Rostovcev and Alexander Badaev at Group-IB
  SideWinder.AntiBot.Script
  
  
• InfoSec Write-ups
  • AWS IAM Exploitation Techniques
  • Anatomy Of Spring4Shell CVE-2022–22965
  • Enumeration and lateral movement in GCP environments
  • Testing EDRs for Linux — Things I wish I knew before getting started
    
    
• Roger Kay at INKY
  Fresh Phish: Phishers Take Advantage of Telegraph’s Loose Governance
  
  
• Avigayil Mechtinger at Intezer
  Stay Ahead of the Latest Threats with Threat Family Tracking
  
  
• Jamf
  Jamf protects against ‘pymafka’ malware
  
  
• Jeffrey Appel
  Use automation/playbooks in Microsoft Sentinel during incident update activity using update triggers
  
  
• Mike Vizard at Barracuda
  Ransomware offensive gets underway
  
  
• LockBoxx
  Bootcamp #22: Alert Triage Tips and Tricks
  
  
• Amarjit Labhuram at MacroSEC
  Abusing CVE-2022-26923 through SOCKS5 on a Mythic C2 agent
  
  
• Malwarebytes Labs
  • Threat profile: RansomHouse makes extortion work without ransomware
  • Introducing EDR for Linux: Remediating and isolating threats on Linux servers
  • Ransomware: May 2022 review
    
    
• Mandiant
  • To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions
  • Trending Evil: Spotlight on Mandiant MDR Prevention of Destructive Campaigns Against Ukrainian Entities
    
    
• Michael Koczwara
  Diamond Model of Intrusion Analysis in Practice
  
  
• Microsoft Security
  • Using Python to unearth a goldmine of threat intelligence from leaked chat logs
  • Exposing POLONIUM activity and infrastructure targeting Israeli organizations
    
    
• William Suryajaya at MII Cyber Security
  Advanced Threat Hunting for Persistence Using KQL (Kusto Query Language)
  
  
• Palantir
  Democratizing Security Detection | Palantir
  
  
• Jesse Mack at Rapid7
  3 Takeaways From the 2022 Verizon Data Breach Investigations Report
  
  
• Recorded Future
  • Chinese Cybercrime in Neighboring Countries Report
  • Chinese Cybercrime in Neighboring Countries
  • The Importance of Attack Surface Management in the 2022 Verizon DBIR
    
    
• Red Alert
  Monthly Threat Actor Group Intelligence Report, April 2022 (KOR)
  
  
• Brian Donohue and Justin Schoenfeld at Red Canary
  Detecting suspicious email forwarding rules in Office 365
  
  
• RiskIQ
  Skimming for Sale: Commodity Skimming and Magecart Trends in Q1 2022
  
  
• SANS Internet Storm Center
  • Extracting The Overlay Of A PE File, (Sun, May 29th)
  • New Microsoft Office Attack Vector via “ms-msdt” Protocol Scheme, (Mon, May 30th)
  • HTML phishing attachments – now with anti-analysis features, (Wed, Jun 1st)
  • Quick Answers in Incident Response: RECmd.exe, (Thu, Jun 2nd)
  • Sandbox Evasion… With Just a Filename!, (Fri, Jun 3rd)
  • Spam Email Contains a Very Large ISO file, (Sat, Jun 4th)
    
    
• Security Intelligence
  • Countdown to Ransomware: Analysis of Ransomware Attack Timelines
  • Recovering Ransom Payments: Is This the End of Ransomware?
    
    
• Security Investigation
  • APT-C-53 (aka Gamaredon) launches new DDOS attacks using LOIC
  • CVE-2022-30190 Detection Extended For Directory Traversal
  • How the APT34 uses Saitama Backdoor for DNS tunnelling
  • Microsoft Search-ms Zero day – Detection and Response
    
    
• Vikram Navali at SentinelOne
  Protecting Your Active Directory from AdminSDHolder Attacks
  
  
• Sophos
  The State of Ransomware in Healthcare 2022
  
  
• Symantec Enterprise
  Clipminer Botnet Makes Operators at Least $1.7 Million
  
  
• Tareq Alkhatib
  You Cannot Detect Techniques in the Execution Tactic! And What To Do Instead
  
  
• Telsy
  • The Locky ransomware
  • WannaCry ransomware
    
    
• Trend Micro
  • YourCyanide: A CMD-based Ransomware With Multiple Layers of Obfuscation
  • Trend Micro Partners With Interpol and Nigeria’s EFCC for Operation Killer Bee, Takes Down Nigerian BEC Actors
    
    
• Sebastiano Mariani at VMware Security
  How to Build Detection Lab on VMware’s NSX-T and vSphere
  
  
• WeLiveSecurity
  ESET Threat Report T 1 2022
  
  
• Deepen Desai, Rajdeepsinh Dodia, Nirmal Singh, and Brett Stone-Gross at ZScaler
  The 2022 ThreatLabz State of Ransomware Report
  

UPCOMING EVENTS

• Andrew Rathbun at Kroll
  How to Identify Timestomping Using KAPE
  
  
• Belkasoft
  [Webinar] What Is New In Belkasoft X V.1.13
  
  
• Cybereason
  • Webinar June 23rd 2022: Live Attack Simulation – XDR vs. Modern Ransomware
  • Webinar June 30th 2022: Live Attack Simulation – Ransomware Threat Hunter Series
    
    
• Gerald Auger at Simply Cyber
  Hacking All The Things – Attacking Orgs
  
  
• Magnet Forensics
  • Magnet Forensics CTF
  • Digital Forensics’s role in e-Discovery
  • Vehicle Forensics: The Road to Success!
    
    
• SANS Institute
  Fireside Chat with Caroline Wong
  

PRESENTATIONS/PODCASTS

• AhmedS Kasmani
  Zloader Malware Analysis – 1. Unpacking First stage.
  
  
• Black Hills Information Security
  • Talkin’ About Infosec News – 5/9/2022
  • Impacket Offense Basics With an Azure Lab
  • AASLR: Antisyphon Address Space Layout Randomization
  • BHIS | How Bartending Made Me a Better Infosec Consultant | Ben Burkhart | 1-Hour
  • BHIS | How Bartending Made Me a Better Infosec Consultant | Ben Burkhart | 1 Hour
    
    
• BlueMonkey 4n6
  Secrets of USB serial numbers – what you can find with Windows and Linux tools
  
  
• Cellebrite
  • Cellebrite Guardian – Simplify & Streamline Your Investigative Management
  • JPSO: Bring Your Investigations Into Focus
    
    
• Cloud Security Podcast by Google
  EP67 Cyber Defense Matrix and Does Cloud Security Have to DIE to Win?
  
  
• Detection: Challenging Paradigms
  Episode 24: Jamie Williams
  
  
• Didier Stevens
  Maldoc .DOCX MSDT Inside Sandbox
  
  
• Digital Forensic Survival Podcast
  DFSP # 328 – Linux Executables
  
  
• Dump-Guy Trickster
  From Zero to Hero – Advanced Usage of Tiny_Tracer tracing APT29
  
  
• Gerald Auger at Simply Cyber
  • Network IDS Like a Boss
  • Let’s Ransomware Manufacturing Company
    
    
• InfoSec_Bret
  CyberDefenders – MrRobot
  
  
• John Hammond
  • Prevention First #shorts Watch the FULL Interview HERE: https://youtu.be/nECLeO7kgSo
  • Exploiting MSDT 0-Day CVE-2022-30190
  • RECOVERING FILES with Autopsy #shorts  Watch FULL Video HERE — https://youtu.be/6NcIbiKhIis
    
    
• Justin Tolman at AccessData
  • CISA Cyber security Incident Response Playbooks – Episode 5 – Eradication and Recovery
  • FTK Feature Focus – Episode 45 – Optical Character Recognition
    
    
• Magnet Forensics
  • Accessing VirusTotal Insights Through Magnet AXIOM Cyber
  • Reviewing Email Evidence with Email Explorer in Magnet AXIOM Cyber
  • Log Analysis
  • Tips & Tricks // Get To Evidence Faster in DVR Examiner
    
    
• SANS
  • A Visual Summary of SANS ICS Security Summit 2022
  • ICS Fireside Chat- Principal Industrial Hunter, Dragos
  • ICS Fireside Chat- Vulnerability Research Team Lean, Claroty
  • ICS Fireside Chat- CEO Amphere Industrial Security, Certified SANS Instructor
    
    
• Sumuri
  RECON LAB: Introducing Face Analysis
  
  
• The Defender’s Advantage Podcast
  Threat Trends: After the Headlines – Practical Experience of Rebuilding Trust After a Breach
  
  
• The Ransomware Files
  Bonus Ep. #1: REvil Is Foiled
  
  
• Watson Infosec
  • How to ElasticXDR 8.2.0 Gitbook Build Overview
  • How To ElasticXDR 8.2.2 Build Demo
    

MALWARE

• 0day in {REA_TEAM}
  [QuickNote] CobaltStrike SMB Beacon Analysis
  
  
• Any.Run
  Fast and Simple Access to Malware Details
  
  
• ASEC
  • ASEC Weekly Malware Statistics (May 23rd, 2022 – May 29th, 2022)
  • NSIS Installer Malware Included with Various Malicious Files
  • AgentTesla Being Distributed Through Windows Help File (*.chm)
    
    
• Erik Pistelli at Cerbero
  UPX Unpacker Package
  
  
• Alexey Bukhteyev & Raman Ladutska at Check Point Research
  XLoader Botnet: Find Me If You Can
  
  
• Cyble
  Hazard Token Grabber
  
  
• Cyborg Security
  How to Prevent Ransomware: 5 Common Behaviors to Hunt
  
  
• Eclypsium
  Conti Targets Critical Firmware
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #92: Address details
  
  
• Johannes Bader
  The Domain Generation Algorithms of SharkBot
  
  
• Linkcabin
  Reversing Unfiltered: Emulating a 2011 Banker Trojans Hardware ID generation
  
  
• Mike at “CyberSec & Ramen”
  Overview of AppleSeed Dropper
  
  
• Gustavo Palazolo at Netskope
  GoodWill Ransomware? Or Just Another Jasmin Variant?
  
  
• OALABS Research
  Triage Amadey Loader
  
  
• Pete Cowman at Hatching
  A Few Weeks of Configuration Extractor and Detection Updates
  
  
• petikvx
  • Avaddon Ransomware
  • DarkSide Ransomware
  • WhiteC4t Ransomware
  • How to install flare vm
  • Crackme – CrackMe PlanetHaX
  • Gabor’s crackme2
  • How to update Flare VM
  • How to use UPX on Linux and Windows
  • Cryptedpay Ransomware
  • Thanos ransomware locked
  • EAF Ransomware
  • Lockbit 2.0 Ransomware
  • Exorcist Ransomware .xVIGfc
  • StopWarInUkraine Ransomware
    
    
• Securelist
  WinDealer dealing on the side
  
  
• Denis Sinegubko at Sucuri
  Analysis of the Massive NDSW/NDSX Malware Campaign
  
  
• Pritam Salunkhe and Shilpesh Trivedi at Uptycs
  WarzoneRAT Can Now Evade Detection With Process Hollowing
  

MISCELLANEOUS

• Alican Kiraz
  Incident Response Part 3.2: Eradication |EN
  
  
• Hank Schless at AT&T Cybersecurity
  5 ways to prevent Ransomware attacks
  
  
• Erica Mixon at Blumira
  Building a SOC: What Does It Actually Take?
  
  
• Brett Shavers
  Don’t buy the (wrong) X-Ways Practitioner’s Guide
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 6/4/22
  
  
• Ugo Sangiorgi at Elastic
  Too many fields! 3 ways to prevent mapping explosion in Elasticsearch
  
  
• Forensic Focus
  • West Midlands Police Is First Force to Deploy Exterro’s Cloud-Based Digital Forensics Platform
  • How MD-VIDEO AI Can Perform the World’s Best Gun Recognition Feature
  • How To Build A Mobile Device Forensics Lab: 6 Things To Consider
  • Farewell, Myrtle Beach: Recapping Techno Security 2022
  • How to Search Images for Text Values Using OCR
  • Detego® Unified Digital Forensics Platform v4.8 From Detego Global
    
    
• Ken Pryor at ‘No Pryor Knowledge’
  Setting up My Learning Environment
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (6/1/2022)
  
  
• Magnet Forensics
  • The Expanding Case for Early Case Assessment With Rapid Triage Tools
  • Reviewing Email Evidence with Email Explorer in Magnet AXIOM Cyber
  • Accessing VirusTotal Insights Through Magnet AXIOM Cyber
    
    
• Justin Palk at Red Siege Information Security
  Creating a Simple Windows Domain for Offensive Testing : Part 1
  
  
• JP Redding at ADF
  What is Cyber Crime Investigation?
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — May 22 to May 28
  
  
• SANS
  • Instructor Spotlight: Matt Edmondson
  • Instructor Spotlight: Nick Mitropoulos
    
    
• Joshua Wright at SANS
  Searching SMB Share Files
  

SOFTWARE UPDATES

• Acelab
  A new software version of the PC-3000 Ver. 7.1.6, Data Extractor / Data Extractor RAID Edition Ver. 6.1.6, PC-3000 SSD Ver. 3.0.4 has been released
  
  
• Cerbero
  Suite 5.6 and Engine 2.6 are out!
  
  
• CyberChef
  v9.38.6
  
  
• Eric Zimmerman
  ChangeLog
  
  
• ExifTool
  ExifTool 12.42 (production release)
  
  
• Griffeye
  Release of Analyze 22.1
  
  
• IntelOwl
  v3.4.1
  
  
• Korstiaan Stam at ‘Invictus Incident Response’
  Introduction of the Microsoft 365 Extractor suite
  
  
• Magnet Forensics
  • AXIOM Cyber 6.2: Email Explorer, VirusTotal Integration and Volatile Artifacts.
  • Magnet AXIOM 6.2: Surface Handwritten Documents Automatically
    
    
• Mihari
  v4.7.0
  
  
• MISP
  MISP 2.4.159 released with many improvements including performance
  
  
• Oxygen Forensics
  Oxygen Forensic® Detective v.14.5
  
  
• radare2
  5.7.0
  
  
• Regipy
  2.4.1
  
  
• Xways
  X-Ways Forensics 20.6 Preview 2
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!