As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Axelarator
  Cloud Recon
  
  
• Belkasoft
  Belkasoft CTF July 2022: Write-up
  
  
• Carlos at Carlos Cajigas at ‘Mash That Key’
  Velociraptor Playground 2022-08-02
  
  
• Cloudbrothers
  Update to the Hitchhiker’s Guide to Microsoft Defender for Endpoint exclusions
  
  
• Cyber Triage
  What is a Windows OpenSave MRU Artifact?
  
  
• Yogesh Khatri at DFRWS
  DFRWS APAC 2022 Call for participation
  
  
• Elcomsoft
  • Windows Hello: No TPM No Security
  • New in Elcomsoft System Recovery: Microsoft Azure Accounts, LUKS2 and Forensic Tool Filters
    
    
• Forensafe
  Investigating Cisco Webex Meetings
  
  
• Forensic Focus
  Deep dive into ‘METADATA’
  
  
• InfoSec Write-ups
  • Cyber Security Detection Frameworks
  • Intro to Digital Forensics
    
    
• Magnet Forensics
  Forensic Analysis of MUICache Files in Windows
  
  
• Md. Abdullah Al Mamun
  35k GitHub Forked Repo With Malware
  
  
• Mike Cohen at Rapid7
  Postprocessing Collections
  
  
• Muhammed Aygün
  • Most Recently Used (MRU) Analizi
  • UserAssist Analizi
  • AutoRun Analizi
    
    
• Nashid P
  [CTF] UACTF 2022 – Forensics
  
  
• Nicholas Dubois at Hexordia
  Creating a Full File System image from a jailbroken iOS device
  

THREAT INTELLIGENCE/HUNTING

• Anomali
  Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More
  
  
• Andrew Cormack at APNIC
  Incident response lessons from FIRSTCON22
  
  
• Ken Towne at AttackIQ
  Malware Emulation Attack Graph for SysJoker’s Linux Variant
  
  
• Blackberry
  • LockBit 3.0 Ransomware Abuses Windows Defender to Load Cobalt Strike
  • Not Just Another Threat Report!
    
    
• BushidoToken
  Space Invaders: Cyber Threats That Are Out Of This World
  
  
• Himaja Motheram at Censys
  Finding Hacked Web Servers with Censys Search Data 🔎
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 30 luglio – 05 agosto 2022
  
  
• Check Point Research
  • 1st August – Threat Intelligence Report
  • Check Point Software’s Mid-Year Security Report Reveals 42% Global Increase in Cyber Attacks with Ransomware the Number One Threat
    
    
• Cisco’s Talos
  • Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
  • Attackers leveraging Dark Utilities “C2aaS” platform in malware campaigns
  • Threat Source newsletter (Aug. 4, 2022) — BlackHat 2022 preview
  • Threat Roundup for July 29 to August 5
    
    
• Reza Rafati at Cyberwarzone
  Taking a look at TikTok Phishing pages on URLscan
  
  
• Cyble
  • Threat Activity Report – Government and Law Enforcement
  • Fake Atomic Wallet Website Distributing Mars Stealer
  • LOLI Stealer – Golang-based InfoStealer spotted in the wild
  • Stegomalware – Identifying possible attack vectors
  • Compromised YouTube Accounts spreading malware
    
    
• Ian Thornton-Trump at Cyjax
  The Big Myth of Ransomware
  
  
• Dylan Hinz and Gabriel Few-Wiegratz at Darktrace
  Exploring the Dangers of Remote Access Tools
  
  
• EclecticIQ
  • Threat Actors Merging Malicious Activity With Cryptocurrency Show How the Attack Landscape is Developing in Decentralized Finance
  • Malicious Use of Internet Information Services (IIS) Extensions Likely to Grow
    
    
• Elastic
  Protections Artifacts
  
  
• Esentire
  MD(I)R: Why Investigation is the Invisible ‘I’ in MDR
  
  
• Kyle Pellett at Expel
  A defender’s MITRE ATT&CK cheat sheet for Google Cloud Platform (GCP)
  
  
• First
  TRAFFIC LIGHT PROTOCOL (TLP) – FIRST Standards Definitions and Usage Guidance — Version 2.0
  
  
• Aaron Stratton at InfoSec Write-ups
  Malware Traffic Analysis Exercise | Burnincandle | IcedID Malware
  
  
• Roger Kay at INKY
  Phishers Bounce Lures Off Unprotected Snapchat, Amex Sites
  
  
• Institute for Security + Technology
  Ransomware Task Force Releases Blueprint for Ransomware Defense
  
  
• Intel471
  Why cybercriminals are flocking to Telegram
  
  
• Ryan Robinson at Intezer
  Detection Rules for Lightning Framework (and How to Make Them With Osquery)
  
  
• Lina Lau at Inversecos
  Detecting Linux Anti-Forensics: Timestomping
  
  
• Malwarebytes Labs
  Ransomware review: July 2022
  
  
• Mandiant
  • Pro-PRC “HaiEnergy” Information Operations Campaign Leverages Infrastructure from Public Relations Firm to Disseminate Content on Inauthentic News Sites
  • Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations
    
    
• MDSec
  • Fourteen Ways to Read the PID for the Local Security Authority Subsystem Service (LSASS)
  • PART 3: How I Met Your Beacon – Brute Ratel
    
    
• Microsoft
  Azure Threat Research Matrix
  
  
• Microsoft Security
  Microsoft Defender Experts for Hunting proactively hunts threats
  
  
• Nasreddine Bencherchali
  Behind The Detection — Schtasks
  
  
• Michael Mathews at NCC Group
  Top of the Pops: Three common ransomware entry techniques
  
  
• NSFOCUS Threat Intelligence
  Analysis of APT32 Organization’s Attack Activities on my country’s Guanji Units
  
  
• Dan O’Day at Palo Alto Networks
  Today’s Cyberthreats: Ransomware, BEC Continue to Disrupt
  
  
• Brad Duncan at Palo Alto Networks
  Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
  
  
• pat_h/to/file
  Commandline Cloaking 2 – Tetragon and Nim
  
  
• John Wilson at PhishLabs
  The “I’s” Have It: How BEC Scammers Validate New Targets with Blank Emails
  
  
• Harshal Tupsamudre at Qualys
  Here’s a Simple Script to Detect the Stealthy Nation-State BPFDoor
  
  
• Jake Baines at Rapid7
  QNAP Poisoned XML Command Injection (Silently Patched)
  
  
• Recorded Future
  • Initial Access Brokers Are Key to Rise in Ransomware Attacks Report
  • Ransomware Trends in Australia: 2021 to 2022
    
    
• Thomas Gardner at Red Canary
  How process streams can help you detect Linux threats
  
  
• Joseph Edwards at ReversingLabs
  GwisinLocker ransomware targets South Korean industrial and pharma firms
  
  
• SANS Internet Storm Center
  • A Little DDoS in the Morning – Followup, (Tue, Aug 2nd)
  • Increase in Chinese “Hacktivism” Attacks, (Tue, Aug 2nd)
    
    
• Alexander Gutnikov, Oleg Kupreev, and Yaroslav Shmelev at Securelist
  DDoS attacks in Q2 2022
  
  
• Security Investigation
  • The Flow of Event Telemetry Blocking – Detection & Response
  • Hackers Opted for New techniques after Microsoft disables Excel 4.0 macros
  • Hackers Use New Static Expressway Phishing Technique on Lucidchart
    
    
• Pedro Tavares at Segurança Informática
  How to build a hook syscall detector
  
  
• Aleksandar Milenkoski and Jim Walter at SentinelLabs
  Who Needs Macros? | Threat Actors Pivot to Abusing Explorer and Other LOLBins via Windows Shortcuts 
  
  
• Michael Kavka at Silicon Shecky
  Defender, KQL and Lockbit
  
  
• SOC Fortress
  SOCFortress Attack Simulator
  
  
• Ax Sharma at Sonatype
  Ransomware in PyPI: Sonatype Spots ‘Requests’ Typosquats
  
  
• Yusuf Polat at Sophos
  Genesis Brings Polish to Stolen-Credential Marketplaces
  
  
• Jared Atkinson at SpecterOps
  On Detection: Tactical to Functional
  
  
• Tanium
  New Report Reveals Commodity Malware Surpasses Ransomware: Cyber Threat Intelligence Roundup
  
  
• Tareq Alkhatib
  How To Objectively Measure A Detection Rule’s Strength
  
  
• Trustwave SpiderLabs
  The Price Cybercriminals Charge for Stolen Data
  
  
• Vicente Díaz at VirusTotal
  Deception at a scale
  
  
• Xorhex
  YARA – Following FALLCHILL’s E8 Call
  

UPCOMING EVENTS

• CCL Solutions
  Webinar: SPEKTOR Ultra and MOBILedit
  
  
• Cellebrite
  Cellebrite UFED Cloud: Private and Public Extractions Pt. 2
  
  
• Elan at DFIR Diva
  DFIR & Cybersecurity Events are Back!
  
  
• Magnet Forensics
  • Top Cyber Threats to Financial Services & How to Rapidly Investigate with Digital Forensic Solutions
  • Best Practices for Digital Forensics Workflow Orchestration & Automation
  • Tips & Tricks // Instantly Search and Filter a Target Endpoint with AXIOM Cyber
    
    
• PhishLabs
  • Emerging Threats: Disrupt Counterfeit Activity Targeting Retail Brands
  • Quarterly Threat Trends & Intelligence Webinar (August 2022)
    
    
• SANS Cloud Security
  Free, Virtual, Half-Day, Multi-Lingual SANS 2022 Cloud Security Exchange
  
  
• Security heroes wear blue capes
  How to conduct a forensic investigation of a compromised employee workstation
  

PRESENTATIONS/PODCASTS

• Archan Choudhury at BlackPerl
  Threat Hunting Tutorial- Day 11, Hunting Process Creation with Splunk
  
  
• Arsenal Recon
  Arsenal Image Mounter v3.9.217 – DPAPI Bypass – Magnet CTF 2020
  
  
• AttackIQ
  How to Test Your Defenses Against Personalized Top 10 MITRE ATT&CK Techniques
  
  
• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2022-08-01
  • AASLR: Tailor Your Resume to Get Noticed Part 2, with Kip Boyle
  • AASLR: John Strand talks about any topic he wants!
  • Talkin’ About Infosec News – 8/1/2022
  • BHIS | How to Fail at a Pentest with John Strand | 1-Hour
    
    
• Heather Mahalik at Cellebrite
  • How To Get the Most from The Cellebrite Community Portal – Part 1
  • How to Vote for Cellebrite in the Forensic 4:cast Awards
  • How to Use the New File System View in Physical Analyzer Ultra
  • How to Create a New Lab Submission in Cellebrite Guardian – Part 2
  • How to Create a New Lab Submission in Cellebrite Guardian – Part 1
  • How To Use The Open Advanced Feature In Cellebrite Physical Analyzer
    
    
• Check Point Research
  Check Point’s 2022 Mid-Year Cyber Attack Trends report
  
  
• Cloud Security Podcast by Google
  EP77 Operational Realities of SOAR: Automate and/or Enrich, Playbooks, Magic
  
  
• Cybereason
  Malicious Life Podcast: Andrew Ginter – A 40-Year-Old Backdoor
  
  
• Detections by SpectreOps
  Episode 25: Mehmet Ergene
  
  
• Digital Forensic Survival Podcast
  DFSP # 337 – ResponderCon
  
  
• D3pak
  Threat Intelligence
  
  
• Forensic Focus
  Knock, Knock, Log: Threat Analysis, Detection & Mitigation of Covert Channels in Syslog Using Port Scans as Cover
  
  
• InfoSec_Bret
  DFIR – Investigate Web Attack
  
  
• John Hubbard at ‘The Blueprint podcast’
  Corissa Koopmans and Mark Morowczynski: Azure AD Threat Detection and Logging
  
  
• Magnet Forensics
  Putting Your DFIR Lab in the Cloud: Lessons Learned
  
  
• MISP
  Past MISP-related events
  
  
• NTCore
  Blitz 37 Seconds XLS Malware Payload Extraction
  
  
• NVISO Belgium
  Ear to the Ground – How to Find Digital Risks Before They Become Threats
  
  
• OALabs
  Vulnerable Antivirus Driver Used by Ransomware – We Reverse Engineer How!!?
  
  
• Richard Davis at 13Cubed
  MemProcFS – This Changes Everything
  
  
• SANS Institute
  The R Word: Retelling the Recent Rise and Resurgence of Resilient Ransomware-as-a-Service Operators
  
  
• The Defender’s Advantage Podcast
  Frontline Stories: Shields Up, Mandiant
  
  
• The Ransomware Files
  Dr. Ransomware, Part 2
  
  
• Uptycs
  osquery@scale Best Of: Cloud Security
  

MALWARE

• ASEC
  • Word File Provided as External Link When Replying to Attacker’s Email (Kimsuky)
  • Malicious CHM Being Distributed to Korean Universities
  • ASEC Weekly Malware Statistics (July 18th, 2022 – July 24th, 2022)
  • Phishing Email Disguised as Korean Web Portal Page (Daum)
  • AppleSeed Being Distributed to Maintenance Company of Military Bases
  • Attackers Profiting from Proxyware
  • ASEC Weekly Malware Statistics (July 25th, 2022 – July 31st, 2022)
  • Gwisin Ransomware Targeting Korean Companies
    
    
• Erik Pistelli at Cerbero
  Video: Blitz XLS Malware Payload Extraction
  
  
• Giulian Guran at Certitude
  Bypass phishing detections with Google Translate
  
  
• Anandeshwar Unnikrishnan at CloudSEK
  Technical Analysis of Bumblebee Malware Loader
  
  
• Daji and Suqitian at 360 Netlab
  A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
  
  
• Joseph Moronwi at Digital Investigator
  • PE Forensics – DOS And PE Headers
  • PE Forensics – The DataDirectory
  • Windows PE Forensics – The Section Table and Sections
    
    
• Flashpoint
  • COURT DOC: USA v. Aleksandr Viktorovich Ionov, aka “Alexander Ionov”, aka “Sasha”
  • COURT DOC: USA v. Arian Taherzadeh and Haider Ali
  • COURT DOC: USA v. Walter Glenn Primrose, aka “Bobby Edward Fort” and Gwynn Darle Morrison, aka “Julie Lyn Montague”
    
    
• Fortinet
  • Fileless Malware: What It Is and How It Works
  • So RapperBot, What Ya Bruting For?
  • Ransomware Roundup: Redeemer, Beamed, and More
    
    
• Hex Rays
  • IDA 8.0: Qt 5.12.2 sources & build scripts
  • Igor’s tip of the week #101: Decompiling variadic function calls
    
    
• Aaron Stratton at InfoSec Write-ups
  Analyzing a Remcos RAT Infection
  
  
• Karlo Licudine at AccidentalRebel
  Talking about Mitre’s Malware Behavior Catalog
  
  
• Malwarebytes Labs
  Woody RAT: A new feature-rich malware spotted in the wild
  
  
• Gustavo Palazolo at Netskope
  Ousaban: LATAM Banking Malware Abusing Cloud Services
  
  
• Oliver Bachtik at NVISO Labs
  Finding hooks with windbg
  
  
• petikvx
  • Joker Ransomware
  • Rasftuby Trojan
  • Avaddon Ransomware
  • Shinolock Ransomware
  • Petya Ransomware II
  • Saiko Ransomware
  • Kriptor Ransomware
  • GlobeImposter Ransomware
    
    
• Trend Micro
  • SolidBit Ransomware Enters the RaaS Scene and Takes Aim at Gamers and Social Media Users With New Variant
  • Brand-New HavanaCrypt Ransomware Poses as Google Software Update App, Uses Microsoft Hosting Service IP Address as C&C Server
    
    
• Joshua Platt and Jason Reaves at Walmart
  IcedID leverages PrivateLoader
  
  
• Richard Melick at Zimperium
  4 Common types of Malware and What’s the Difference (Trojan, Spyware, Viruses, Ransomware)
  
  
• ZScaler
  • Technical Analysis of Industrial Spy Ransomware
  • X-FILES Stealer Evolution – An Analysis and Comparison Study
    

MISCELLANEOUS

• Adam at Hexacorn
  • Week of Data Dumps, Part 5 – commands
  • Week of Data Dumps, Part 6 – file names
  • Week of Data Dumps, Part 7 – registry
    
    
• Any.Run
  Expert Q&A: Renzon Cruz, Unit 42 on How to Get into Cybersecurity
  
  
• Atomic Matryoshka
  CRTP Course and Exam Review
  
  
• Brett Shavers at DFIR.Training
  Drowning in an ocean of DFIR resources
  
  
• Joe Slowik at Gigamon
  Revisiting the Idea of the “False Positive”
  
  
• Grayshift
  Introducing Reveal by Grayshift, the Industry’s First Cloud-Native Mobile Device Forensic Analysis Solution, and Powerful New Features in GrayKey
  
  
• Hal Pomeranz
  Getting Started Career Advice
  
  
• IntaForensics
  • Meet the Team: Carl Osborne
  • Meet the Team: Hayley Marron
    
    
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (8/1/2022)
  
  
• Bill Cozens at Malwarebytes Labs
  Ransomware protection with Malwarebytes EDR: Your FAQs, answered!
  
  
• Ashwin Radhakrishnan at MITRE-Engenuity
  Community Advisory Board and Vendor Council + Updates for ATT&CK® Evaluations Enterprise — Turla
  
  
• Oxygen Forensics
  macOS Extraction of User Data and Credentials with Oxygen Forensic® KeyScout
  
  
• Kevin Gee at Red Canary
  No place like home: Meet your new Red Canary dashboard
  
  
• Nuris Rodriguez at ADF
  How Digital Forensics Services Can Help You
  
  
• SANS
  • Month of PowerShell – Keyboard Shortcuts Like a Boss
  • Month of PowerShell – Offensive PowerShell with Metasploit Meterpreter
  • Month of PowerShell – Discoveries from the Month of PowerShell
  • A Visual Summary of SANS Security Awareness Summit 2022
    
    
• John Doyle at SANS
  Mapping SANS FOR578 Coverage to the Mandiant CTI Core Competencies Framework
  
  
• Michael Evert at Sucuri
  7 Tips to Clean & Maintain Your Website
  
  
• Telsy
  The TrickBot malware
  
  
• VTO Labs
  VTO’s IoT & Drone Forensics courses are now international!
  

SOFTWARE UPDATES

• Brim
  Version 0.31.0
  
  
• CRU
  Download WriteBlocking Validation Utility
  
  
• Elcomsoft
  Elcomsoft System Recovery 8.30 recovers PIN-protected Windows accounts, supports LUKS2 encryption
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Federico Lagrasta
  PersistenceSniper v1.0
  
  
• Hex Rays
  IDA 8.0 released
  
  
• Nextron Systems
  THOR TechPreview 10.7.3 Features
  
  
• Open Source DFIR
  Plaso 20220724 released
  
  
• OpenText
  Enabling collaboration in digital forensic investigations
  
  
• OSForensics
  V10.0 Build 1002 5th August 2022
  
  
• Paraben Corporation
  E3 Forensic Platform Version 3.3 with new Remote Cloud Collector
  
  
• radare2
  5.7.6
  
  
• SpecterOps
  Introducing BloodHound 4.2 — The Azure Refactor
  
  
• Stratosphere IPS
  New Slips version 0.9.3 is here!
  
  
• Ulf Frisk
  MemProcFS Version 5.0
  
  
• Xways
  • X-Ways Forensics 20.6 SR-1
  • Excire PhotoAI
    
    
• Yamato Security
  Hayabusa v1.4.3 🦅
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!