As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Heather Mahalik at Cellebrite
  Final CTF 2022 Round Up
  
  
• Scott Koenig at DFIR Review
  iOS Location Services and System Services are they ON or OFF
  
  
• Digital Forensics Myanmar
  • eCDFP Module (5) File System Analysis (Part-9)  (NTFS File System Analysis)
  • eCDFP Module (5) File System Analysis (Part-10)  (NTFS File System Analysis)
    
    
• Forensafe
  • Investigating Windows Terminal
  • Investigating Mapped NEtwork Drives
    
    
• Forensic Focus
  • When Did It Happen? Dealing With Timestamps in Amped FIVE
  • PEM: Remote Forensic Acquisition of PLC Memory in Industrial Control Systems
    
    
• Joshua Hickman at ‘The Binary Hick’
  Session On Android – An App Wrapped in Signal
  
  
• Koen Van Impe
  Analysing Amazon AWS security groups and access control lists
  
  
• Kyle Song
  • Phone Scam Series: Diving into the USB Modem Artifacts
  • Phone Scam Series: VoIP Gateway Forensics
    
    
• Matt Turner
  Check out @MattETurner’s tweet
  
  
• Elli at Misconfig
  Build Azure DFIR VM
  
  
• Muhammed Aygün
  ShellBag Analizi
  
  
• RAT In Mi Kitchen
  Resolving File Paths Using The MFT
  
  
• Salvation DATA
  SQL Server Transaction Logs: What Law Enforcement Investigators Need to Know
  
  
• Joan Soriano at Security Art Work
  Correlación no estática de eventos de seguridad basada en el contexto geopolítico. Un análisis teórico
  
  
• The DFIR Report
  SELECT XMRig FROM SQLServer
  
  
• The Leahy Center for Digital Forensics & Cybersecurity
  • Binalyze Tool Evaluation Introduction
  • DFIR & Threat Intelligence
    
    
• Vishal Thakur
  Android Analysis Quickstart
  

THREAT INTELLIGENCE/HUNTING

• 3CORESec
  Community Update – 3CORESec Blacklist 📓 🍯
  
  
• Anomali
  Anomali Cyber Watch: Brute Ratel C4 Framework Abused to Avoid Detection, OrBit Kernel Malware Patches Linux Loader, Hive Ransomware Gets Rewritten, and More
  
  
• AttackIQ
  OilRig Attack Graphs: Emulating the Iranian Threat Actor’s Global Campaigns
  
  
• Avertium
  An In-Depth Look at Ransomware Gang, LockBit 3.0
  
  
• Andrei Pisau at Bitdefender
  A Tale of Two Threat Intelligence Solutions – Open Source (OSINT) & Commercial
  
  
• CERT Ukraine
  • Атака групи UAC-0056 на державні організації України з використанням Cobalt Strike Beacon (CERT-UA#4941)
  • Онлайн-шахрайство з використанням тематики “грошової компенсації” (CERT-UA#4964)
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 9 – 15 luglio 2022
  
  
• Check Point Research
  • 11th July – Threat Intelligence Report
  • June 2022’s Most Wanted Malware: New Banking, MaliBot, Poses Danger for Users of Mobile Banking
  • A Hit is made: Suspected India-based Sidewinder APT successfully cyber attacks Pakistan military focused targets
    
    
• Cisco’s Talos
  • Transparent Tribe begins targeting education sector in latest campaign
  • Threat Source newsletter (July 14, 2022) — Are virtual IDs worth the security risk of saving a few seconds in the TSA line?
    
    
• Fabian Bader at Cloudbrothers
  Use Unified Sign-In logs in Advanced Hunting
  
  
• Countercraft
  IOCs, Intel, and Additional Resources from the BPFDoor Compromise
  
  
• David Puzas at CrowdStrike
  Top Threats You Need to Know to Defend Your Cloud Environment
  
  
• CyberCX
  Threat Advisory. Lessons Learned: Phishing and Impersonation Campaign Targeted Australian Organisations Through Abuse of e-Learning Provider
  
  
• Anthony M. Freed at Cybereason
  RansomOps: Not Your Parent’s Ransomware
  
  
• Cyberknow
  Pro-Russian Hacktivists Possible Ransomware Ambitions
  
  
• Cyberknow
  Update 16. 2022 Russia-Ukraine War — Cyber Group Tracker. July 14.
  
  
• Reza Rafati at Cyberwarzone
  Onedrive phishing scam analysis 2022
  
  
• Cyble
  • New Ransomware Groups on the Rise
  • Oil and Gas Sector report
  • AIRAVAT Malware Targeting Android Users
  • ApolloRat: Evasive Malware Compiled using Nuitka
    
    
• Joe Wrieden at Cyjax
  Who is Trickbot?
  
  
• Ivan Righi at Digital Shadows
  RANSOMWARE IN Q2 2022: RANSOMWARE IS BACK IN BUSINESS
  
  
• DomainTools
  • Fraud in the Time of COVID
  • The DomainTools Spring 2022 Report
    
    
• Dragos
  The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators
  
  
• Esentire
  Resurgence in Qakbot Malware Activity
  
  
• Grzegorz Tworek
  Persistence Info
  
  
• Tirut Hawoldar at Hacking Articles
  MimiKatz for Pentester: Kerberos
  
  
• Andrea at InfoSec Write-ups
  Hunting malwares with Yara
  
  
• Roger Kay at INKY
  New Wine, Old Bottle: Abused QuickBooks Site Sends Phone Scam Emails
  
  
• Intel471
  Why organizations should (and should not) worry about KillNet
  
  
• John Hammond
  BLOODHOUND Domain Enumeration (Active Directory #06)
  
  
• Jonny Johnson
  Check out @jsecurity101’s tweet
  
  
• Marcin Kleczynski at Malwarebytes Labs
  Ransomware rolled through business defenses in Q2 2022
  
  
• Microsoft Security
  • From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud
  • North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware
    
    
• Michael Mullen and Nikolaos Pantazopoulos
  Climbing Mount Everest:  Black-Byte Bytes Back?
  
  
• PhishLabs
  Emotet Tops Payload Attack Volume in Q2
  
  
• Proofpoint
  Above the Fold and in Your Inbox: Tracing State-Aligned Activity Targeting Journalists, Media
  
  
• Ryan Marcotte Cobb
  Azure AD Research with ROADtools
  
  
• SANS Internet Storm Center
  • Excel 4 Emotet Maldoc Analysis using CyberChef, (Sun, Jul 10th)
  • Using Referers to Detect Phishing Attacks, (Wed, Jul 13th)
  • A “DHCP is Broken” story, and a Blast from the Past (or should I say “Storm” from the past), (Thu, Jul 14th)
    
    
• Secureworks
  5 Takeaways from Incident Response Engagements
  
  
• Security Investigation
  • Threat Actors Delivers New Rozena backdoor with Follina Bug – Detection & Response
  • NJRAT returns with New TTPS – Detection & Response
  • Threat actors Real names, DOB & Images
  • Qakbot Attacks Evolving New Threat Techniques – Detection & Response
  • HTML Smuggling Phishing Attacks on Rise – Detection & Response
    
    
• Pedro Tavares at Segurança Informática
  Anubis Networks is back with new C2 server
  
  
• Vikram Navali at SentinelOne
  How Attackers Exploit Security Support Provider (SSP) for Credential Dumping
  
  
• SOC Fortress
  Detecting APT29 With SOCFortress
  
  
• Sophos
  • The State of Ransomware in Education 2022
  • Rapid Response: The Ngrok Incident Guide
  • BlackCat ransomware attacks not merely a byproduct of bad luck
    
    
• Splunk
  Introducing Splunk Attack Range v2.0
  
  
• Sucuri
  • Infected WordPress Site Reveals Malicious C&C Script
  • Security Lessons Learned from 2021
    
    
• Sysdig
  Detecting suspicious activity on AWS using cloud logs
  
  
• Kyle Krejci at Team Cymru
  An Analysis of Infrastructure linked to the Hagga Threat Actor
  
  
• Giuliana Carullo at Tenable
  Securing Critical Infrastructure: What We’ve Learned from Recent Incidents
  
  
• David French at Threat Punter
  Okta threat hunting tips
  
  
• Tyranid’s Lair
  Access Checking Active Directory
  

UPCOMING EVENTS

• Cyborg Security
  • Dispatches from Somewhere Else
  • Out of the Woods: The Threat Hunting Podcast
    

PRESENTATIONS/PODCASTS

• Adrian Crenshaw
  OISF 2022
  
  
• Archan Choudhury at BlackPerl
  Hunting Ransomware- Jupyter Notebook, Sysmon, Windows Security Log
  
  
• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2022-07-11
  • AASLR: Intro to DLL Sideloading | Greg Hatcher & John Stigerwalt
  • AASLR: The Totally Not Dry Subject of Linux File Permissions, | Derek Rook
  • Talkin’ About Infosec News – 7/11/2022
    
    
• Breaking Badness
  126. Give ‘Em the Old RaaSleDazzle
  
  
• Cellebrite
  • How to Lawfully Collect the Maximum Amount of Data From Android Devices
  • Fundamentals Matter: Cellebrite Review Fundamentals – Tips from the Pros
    
    
• Check Point Research
  Twisted Panda: China vs. Russia
  
  
• Cybereason
  Malicious Life Podcast: Silk Road – The Amazon of Drugs Part 1
  
  
• Joshua I. James at DFIRScience
  • DFIR Science nominated for Forensic 4:cast Award
  • Fast password cracking – Hashcat wordlists from RAM
  • Linux LVM Ext4 Support in Windows with Arsenal Image Mounter
  • Mounting Linux Logical Volumes in Forensic Disk Images
    
    
• Digital Forensic Survival Podcast
  DFSP # 334 – Service Changes
  
  
• Forensic Focus
  • Introducing 2 Forensic Focus Podcast Co-Hosts: Simon Biles and Alex Desmond
  • Defining Atomicity (and Integrity) for Snapshots of Storage in Forensic Computing
    
    
• John Hubbard at ‘The Blueprint podcast’
  • David Hoelzer: Threat Detection with Machine Learning and AI
  • James Rowley: Creating and Running and Insider Threat Program
  • Dean Parsons: Cyber Security for OT and ICS
  • Blueprint Live at SANSFIRE 2022: A panel with Heather Mahalik, Katie Nickels and Jeff McJunkin
    
    
• Magnet Forensics
  • Magnet Forensics Training and Certification Programs Overview
  • Magnet REVIEW Collaboration vs. Portable Cases: A Roundtable Discussion
    
    
• MalGamy
  Unpacking RedLineStealer malware
  
  
• Marcus Hutchins
  Real Hacker Reacts To Mr Robot Hacking Scenes
  
  
• MITRE
  MITRE ATT&CKcon 3.0
  
  
• NixIntel
  • Geolocation Tips & Techniques
  • Layer 8 Podcast Interview
  • OSINT Discussion With David Bombal
    
    
• NTCore
  AbuseCH Intelligence 2.0
  
  
• SANS
  DFIR Sneak Peek Course Animations | FOR585: Smartphone Forensic Analysis In-Depth
  
  
• SANS Cloud Security
  • Low Hanging Logs: GCP & Azure Logs for Lazy People
  • Using Devops and Infrastructure as Code to Secure Your Multi-Cloud Environments
  • Speeding Up AWS IAM Least Privileges with Cloudsplaining, Elastic Stack, & AWS Access Analyzer
    
    
• The Defender’s Advantage Podcast
  Threat Trends: How Adversaries Are Leveraging AI in Cyber Operations
  
  
• The Ransomware Files
  Dr. Ransomware, Part 1
  
  
• Uriel Kosayev
  LockBit 3.0 Ransomware Analysis – Malware for Fun
  

MALWARE

• ASEC
  • Meterpreter Distributed to Vulnerable Server of Korean Medical Institution
  • AppleSeed Disguised as Purchase Order and Request Form Being Distributed
  • GuLoader Disguised as Estimate Requests Being Distributed via Phishing Email
    
    
• David Álvarez at Avast Threat Labs
  Go malware on the rise
  
  
• Alexander Taylor at Binary Ninja
  Introducing Decompiler Explorer
  
  
• Cerbero
  AbuseCH Intelligence 2.0 Package
  
  
• Forensic-Research
  [Lazarus] UUID Shellcode Execution
  
  
• James Slaughter at Fortinet
  Spoofed Saudi Purchase Order Drops GuLoader – Part 2
  
  
• Patrick Schläpfer at HP Wolf Security
  Stealthy OpenDocument Malware Deployed Against Latin American Hotels
  
  
• Karlo Licudine at AccidentalRebel
  String anti-virus evasion in x64 assembly (Part 2)
  
  
• Karsten Hahn at G Data
  The real reason why malware detection is hard—and underestimated
  
  
• Lina Lau at Inversecos
  Heap Overflows on iOS ARM64: Heap Grooming, Use-After-Free (Part 3)
  
  
• Malware Hell
  Reversing Additional Lockbit 3.0 API Hashing
  
  
• Roberto Santos and Hossein Jazi at Malwarebytes Labs
  Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
  
  
• Natalie Zargarov at Minerva Labs
  Lockbit 3.0 AKA Lockbit Black is here, with a new icon, new ransom note, new wallpaper, but less evasiveness?
  
  
• Mustafa M. Hussien
  Redline Malware
  
  
• Palo Alto Networks
  • ChromeLoader: New Stubborn Malware Campaign
  • Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption
    
    
• Pete Cowman at Hatching
  Triage Thursday Ep. 80
  
  
• Aleksandar Milenkoski at SentinelLabs
  Inside Malicious Windows Apps for Malware Deployment
  
  
• Shaquib Izhar
  Fileless Binary Analysis with Cuckoo sandbox
  
  
• Tarun Dewan and Aditya Sharma at ZScaler
  Rise in Qakbot attacks traced to evolving threat techniques
  

MISCELLANEOUS

• Belkasoft
  BelkaCTF #5 Registration
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 7/16/22
  
  
• Brett Shavers at DFIR.Training
  If you come from less, you must do more to make it in DFIR
  
  
• Elizabeth Schweinsberg at DFRWS
  Outfit Yourself in DFRWS USA 2022 Backgrounds!
  
  
• Oleg Afonin at Elcomsoft
  Building an Efficient Password Recovery Workstation: Power Savings and Waste Heat Management
  
  
• Emma at ‘The Forgotten Nook’
  • DFIR Python Study Group – Class 0
  • DFIR Python Study Group: Class 1
  • DFIR Python Study Group: Class 2
  • DFIR Python Study Group: Class 3
  • DFIR Python Study Group: Class 3 – practice script
    
    
• Hardik Manocha at Fourcore
  Genesis – The Birth Of A Windows Process (Part 1)
  
  
• Heather Mahalik at Cellebrite
  Cellebrite Nominated for 10 Forensic 4:Cast Awards Categories
  
  
• Magnet Forensics
  • Regulatory Requirements for Reporting Data Breaches Just Got Tougher for Banks
  • Meet Magnet Forensics’ Training Team: Preston McNair
  • Meet Magnet Forensics’ Training Team: Mason Miller
  • Meet Magnet Forensics’ Training Team: Danny Norris
    
    
• Oxygen Forensics
  Get More From Storage Apps
  
  
• Laura Brosnan at Red Canary
  What coming-of-age films can teach us about incident response
  
  
• Salvation DATA
  Computer Forensics Lab: 7 Golden Design Rules for Optimal Working Conditions
  
  
• SANS
  • Month of PowerShell: Threat Hunting with PowerShell Differential Analysis
  • Month of PowerShell – Windows File Server Enumeration
  • Build Your Best You in Cyber Defense with Blueprint Podcast
  • Month of PowerShell – Working with the Event Log, Part 1
  • Month of PowerShell – Working with the Event Log, Part 2 – Threat Hunting with Event Logs
  • Month of PowerShell: Working with Log Files
  • Month of PowerShell – Working with the Event Log, Part 3 – Accessing Message Elements
  • Month of PowerShell: Merging Two Files (Understanding ForEach)
    
    
• Security Intelligence
  • 5 Essential Steps for Every Ransomware Response Plan
  • Why Threat Analysis Will Continue to Play a Vital Role in Security
    
    
• Tareq Alkhatib
  Cyber Certifications Are A Scam!
  
  
• Laura Kenner at Uptycs
  What Is Detection Engineering?
  

SOFTWARE UPDATES

• Alexis Brignoni
  ALEAPP 3.0.0
  
  
• Costas K
  EvtxLogBrowser
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Hasherezade pe-bear
  0.5.5.5
  
  
• Hashlookup Forensic Analyser
  hashlookup-forensic-analyser version 1.1 released
  
  
• MemProcFS-Analyzer
  MemProcFS-Analyzer-v0.4
  
  
• Metaspike
  Forensic Email Collector v3.75.1.13 Release Notes
  
  
• Metaspike
  Forensic Email Collector (FEC) Changelog – 3.75.1.13
  
  
• OSForensics
  V10.0 Build 1000 14th July 2022
  
  
• Passware
  Passware Kit Mobile 2022 v3 Now Available
  
  
• Regipy
  2.6.1
  
  
• Xways
  X-Ways Forensics 20.6 Beta 4
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!