As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Jessica Hyde at Hexordia
  Peer Review for Mobile Forensics
  
  
• Joseph Moronwi at Digital Investigator
  File Carving In Windows
  
  
• Forensafe
  • Investigating Microsoft Management Console (MMC) MRU
  • Investigating WordPad Recent Files
    
    
• Lina Lau at Inversecos
  Forensic Detection of Files Deleted via SDelete
  
  
• Magnet Forensics
  What is MRU (Most Recently Used)?
  
  
• Mattia Epifani at Zena Forensics
  Android Forensics References: a curated list
  
  
• Muhammed Aygün
  • NTFS (New Technologies File System) Dosya Sistem Analizi
  • NTFS $I30 Files Attributes Analizi
    
    
• Marco Brotto at Open Source DFIR
  Timesketch, Header Mapping for CSV imports
  
  
• Mike Cohen at Velociraptor Blog
  The Velociraptor process tracker
  

THREAT INTELLIGENCE/HUNTING

• Alex Teixeira
  SIEM Hyper Queries: atomic alerts, correlation and other hard truths (part II/II)
  
  
• Anomali
  Anomali Cyber Watch: EvilProxy Defeats Second Factor, Ragnar Locker Ransomware Hits Critical Infrastructure, Montenegro Blames Russia for Massive Cyberattack, and More
  
  
• Francis Guibernau, Ken Towne, and Jackson Wells at AttackIQ
  Attack Graph Response to US-CERT Alert (AA22-249A): #StopRansomware Vice Society
  
  
• Martin Chlumecký at Avast Threat Labs
  Pro-Russian Group Targeting Ukraine Supporters with DDoS Attacks
  
  
• Shanice Jones at Bitdefender
  Tactical Threat Intelligence – Everything You Need to Know
  
  
• BleepingComputer
  Are Default Passwords Hiding in Your Active Directory? Here’s how to check
  
  
• Bobby Rauch
  • “GIFShell” — Covert Attack Chain and C2 Utilizing Microsoft Teams GIFs
  • Microsoft Teams — Attachment Spoofing and Lack of Permissions Enforcement Could Lead to RCE via…
    
    
• Cado Security
  • ECS Fargate Incident Response
  • Attacking the Cloud: cloud-init as a persistence mechanism
    
    
• Casey Smith at Thinkst
  Sensitive Command Token – So much offense in my defense
  
  
• Censys
  • C2: When Attackers Use Our Weapons Against Us
  • The Neverending Story of Deadbolt
    
    
• Certfa Lab
  Charming Kitten: “Can We Have A Meeting?”
  
  
• Check Point Research
  • 05th September – Threat Intelligence Report
  • DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa
  • Weaponized cybercrime: What organizations can learn from the conflict in Ukraine
    
    
• Cisco’s Talos
  • MagicRAT: Lazarus’ latest gateway into victim networks
  • Researcher Spotlight: How Asheer Malhotra looks for ‘instant gratification’ in threat hunting
  • Multiple ransomware data leak sites experience DDoS attacks, facing intermittent outages and connectivity issues
  • Talos EMEA Monthly Threat Update: How do you know if cyber insurance is right for you?
  • Lazarus and the tale of three RATs
  • Threat Source newsletter (Sept. 8, 2022) — Why there is no one-stop-shop solution for protecting passwords
    
    
• Andy Mann and Dylan Main at Cofense
  Lampion Trojan Utilizes New Delivery through Cloud-Based Sharing
  
  
• CrowdStrike
  • CrowdStrike Introduces Sandbox Scryer: A Free Threat-Hunting Tool for Generating MITRE ATT&CK and Navigator Data
  • Defense Against the Lateral Arts: Detecting and Preventing Impacket’s Wmiexec
  • Getting Started Guide: Falcon Long Term Repository
    
    
• ctfiot
  暗夜小偷：Redline Stealer 木马盗币分析
  
  
• Reza Rafati at Cyberwarzone
  Malware in House of the Dragon downloads
  
  
• Cyborg Security
  Red Team Tools: Hunting for the Top 3 Tools
  
  
• Jovana Macakanja at Cyjax
  Poland: The Increasing Threat of Cyber Attacks
  
  
• Darktrace
  From BumbleBee to Cobalt Strike: Steps of a BumbleBee intrusion   
  
  
• Dheeraj Kumar and Ella Dragun at Securonix
  Securonix Threat Labs Monthly Intelligence Insights – August
  
  
• Tim Helming at DomainTools
  Network Traffic Analysis and Adversary Infrastructure Part II
  
  
• Doug Metz at Baker Street Forensics
  Mal-Hash – interacting with Virus Total API via PowerShell
  
  
• Dragos
  • Understanding and Mitigating Insider Threats in Operational Technology (OT) Systems
  • Ransomware Attacks in Small and Medium-Sized Organizations and Manufacturing Are On the Rise
    
    
• Dray Agha
  Check out @Purp1eW0lf’s tweet
  
  
• Aaron Jewitt at Elastic
  Detection engineering — Maximizing analyst efficiency using Cardinality Threshold rules on your alerts
  
  
• Emanuele De Lucia
  Alphv / Blackcat: Threat Assessment And Profile
  
  
• Expel
  • Incident report: how a phishing campaign revealed BEC before exploitation
  • Detection and response in action: an end-to-end coverage story
    
    
• Flashpoint
  • Three Types of Threat Intelligence: Defined and Explained
  • Five Must-Have Skills Every Cyber Threat Intel Analyst Should Possess
  • WT1SHOP: Authorities Seize Online Marketplace Selling Stolen Login Credentials and Other PII
    
    
• Pierre-Marc Bureau at Google Threat Analysis Group
  Initial access broker repurposing techniques in targeted attacks against Ukraine
  
  
• Intel471
  Conti vs. Monti: A Reinvention or Just a Simple Rebranding?
  
  
• Josh Lemon
  Cybersecurity Alert Priority Matrix
  
  
• Jouni Mikkola
  From Shodan to MDE queries
  
  
• JPCERT/CC
  JPCERT/CC Releases URL Dataset of Confirmed Phishing Sites
  
  
• Kaspersky
  • Findings and tips from the GERT report | Kaspersky official blog
  • Threat landscape for industrial automation systems for H1 2022
    
    
• Mandiant
  APT42: Crooked Charms, Cons, and Compromises
  
  
• Matt Zorich at Microsoft Sentinel 101
  Improving your security baseline with KQL
  
  
• Michael Haag
  Atomic Red Team — DumpLSASS
  
  
• Microsoft Security
  • Profiling DEV-0270: PHOSPHORUS’ ransomware operations
  • The art and science behind Microsoft threat hunting: Part 1
  • Microsoft investigates Iranian attacks against the Albanian government
    
    
• Jennifer Fernick at NCC Group
  Tool Release – Monkey365
  
  
• Dor Attar at Palo Alto Networks
  Credential Gathering From Third-Party Software
  
  
• Quentin Jerome
  SysmonEnte but not Sysmon End
  
  
• Chad Knipschild at Recorded Future
  Use a Threat Map, Visualize Your Cyber Threats
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, July 2022 (KOR)
  
  
• SANS Internet Storm Center
  • Video: VBA Maldoc & UTF7 (APT-C-35), (Sun, Sep 4th)
  • Analysis of an Encoded Cobalt Strike Beacon, (Tue, Sep 6th)
  • Quickie: Grep & Tail -f With Notepad++, (Mon, Sep 5th)
  • PHP Deserialization Exploit attempt, (Wed, Sep 7th)
  • Analyzing Obfuscated VBS with CyberChef, (Thu, Sep 8th)
  • Maldoc With Decoy BASE64, (Fri, Sep 9th)
  • Phishing Word Documents with Suspicious URL, (Sat, Sep 10th)
  • Wireshark 3.6.8 and 4.0.0rc1 Released, (Sun, Sep 11th)
    
    
• Scythe
  SCYTHE Presents: SCYTHE New Version 4.0 Enhances Collaboration Across Multiple Security Team Roles
  
  
• Secureworks
  BRONZE PRESIDENT Targets Government Officials
  
  
• Security Investigation
  OS Credential Dumping- LSASS Memory vs Windows Logs
  
  
• Sekoia
  • Improving Threat Detection with Sigma Correlations
  • Lapsus$: when kiddies play in the big league
  • A war on multiple fronts – the turbulent cybercrime landscape
    
    
• Michael Sherman at Snyk
  How to find and fix XML entity vulnerabilities
  
  
• Puja Mahendru at Sophos
  The State of Ransomware in Retail 2022
  
  
• Jared Atkinson at SpecterOps
  On Detection: Tactical to Function – Part 6: What is a Procedure?
  
  
• Ben Martin at Sucuri
  How Are Favicon (.ico) Files Used in Website Malware?
  
  
• Syed Hasan
  Detection & Compromise: Secrets from the AWS Secrets Manager
  
  
• Tareq Alkhatib
  How To Respond To Alerts? Introducing “Suspects”
  
  
• Team Cymru
  Mythic Case Study: Assessing Common Offensive Security Tools
  
  
• ThreatFabric
  Malware successfully exploiting BNPL-apps
  
  
• Trend Micro
  • Play Ransomware’s Attack Playbook Similar to that of Hive, Nokoyawa
  • How Malicious Actors Abuse Native Linux Tools in Attacks
    
    
• Kimberly Hall at TrustedSec
  Detection and Alerting: Selecting a SIEM
  
  
• WeLiveSecurity
  • Worok: The big picture
  • RDP on the radar: An up‑close view of evolving remote access threats
    

UPCOMING EVENTS

• Cellebrite
  Unlock Flexibility With Premium as a Service
  
  
• Cyborg Security
  Threat hunting workshop: hunting for execution
  
  
• Forensic Focus
  What’s Happening at Techno Security San Diego: October 10-12, 2022
  
  
• Griffeye
  Webinar: Processing Electronic Service Provider Data using Analyze DI
  
  
• Magnet Forensics
  Responding to Cybersecurity Incidents in Healthcare and Public Health (HPH) Sector
  
  
• Paul Lorentz at Cellebrite
  Unlock Flexibility With Premium as a Service
  
  
• Carlos Canto at Rapid7
  VeloCON 2022: Digging Deeper Together!
  
  
• SANS Institute
  SANS Cyber Solutions Fest 2022 | Explore Topic Tracks
  
  
• Teel Technologies
  Live Event – Imaging Multiple Drives, Raid Arrays Recognition, & Automation
  
  
• Tom Smit at Splunk
  Americas’ BOTS Day ’22
  

PRESENTATIONS/PODCASTS

• Active Countermeasures
  • Malware Command and Control – How it Works – Video Blog
  • Threat Hunting – Long Connection Detection – Video Blog
    
    
• Black Hills Information Security
  • AASLR: Ingress Tool Transfer with LOLbins | Carrie Roberts
  • Offensive Windows Event Logs w/ Tim Fowler | 1-Hour
  • BHIS | Offensive Windows Event Logs | Tim Fowler | 1 Hour
  • Talkin’ About Infosec News – 9/9/2022
    
    
• Matt Lembright at Censys
  Report Walkthrough: Russian Ransomware C2 Network Discovered In Censys Data
  
  
• Cloud Security Podcast
  Cloud Security Monitoring in a Modern Security Stack
  
  
• Cloud Security Podcast by Google
  EP82 Mega-confused by XDR? You Are Not Alone! This XDR Skeptic Clarifies!
  
  
• Didier Stevens
  • VBA Maldoc & UTF7 (APT-C-35)
  • An Obfuscated Beacon – Extra XOR Layer
  • Maldoc Analysis Video – Rehearsed & Unrehearsed
    
    
• Digital Forensic Survival Podcast
  DFSP # 342 – FLUX It
  
  
• Forensic Focus
  • Enhancing Digital Investigations With Cloud-Based Evidence
  • User Searches in Oxygen Forensic Detective
  • Preparing for Court Testimony: What Happens When You Press That Button?
    
    
• IT Wolves Podcast
  Episode Four: Threat hunting made easy
  
  
• John Dwyer
  Let’s talk about data! Practical Application of the Open Threat Hunting Framework – Episode 3
  
  
• John Hammond
  • Industrial Spy – Ransomware Leak Market (Dark Web Documentary #07)
  • DANGEROUS Python Flask Debug Mode Vulnerabilities
    
    
• John Hubbard at ‘The Blueprint podcast’
  Joe Lykowski: Building a Transparent, Data-Driven SOC
  
  
• Justin Tolman at AccessData
  • FTK Over the Air – Episode 13 – Going Beyond the Button with Brett Shavers
  • FTK Over the Air – Episode 12 – The Next Generation of Digital Policing with John Price
  • FTK Feature Focus – Episode 46 – Collecting Volatile Data with FTK Enterprise
  • FTK Feature Focus – Episode 47 – Remote Preview and Collection using FTK Enterprise
    
    
• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Analysis – Kernel Mode Driver Emulation with Speakeasy
  
  
• Magnet Forensics
  • PowerShell Tools for IR Forensics Collection
  • Tips & Tricks // Remotely Collect from Off-Network Endpoints Using AWS and AXIOM Cyber
  • Collecting Data From Google Workspace
    
    
• MalGamy
  Decrypt strings by de4dot tool with moisha ransomware
  
  
• ReversingLabs
  ConversingLabs: Unpacking the Follina exploit
  
  
• Stairwell
  • Webinar: Why security teams are missing attacks
  • Webinar: Beneath the surface of Maui ransomware
    
    
• Sumuri
  How to content search with RECON LAB!
  
  
• The Defender’s Advantage Podcast
  Threat Trends: APT42 – Crooked Charms, Cons, and Compromises
  
  
• Brian Thomas at Uptycs
  osquery@scale Best Of: Monitoring and Compliance
  

MALWARE

• 4rchib4ld Victory Road
  It’s getting hot in here
  
  
• ASEC
  HWP File Disguised as Personal Profile Form (OLE Object)
  
  
• Ofer Caspi at AT&T Cybersecurity
  Shikitega – New stealthy malware targeting Linux
  
  
• Avertium
  An In-Depth Look at the Emotet Botnet
  
  
• Brett Stone-Gross at ZScaler
  The Ares Banking Trojan Learns Old Tricks: Adds the Defunct Qakbot DGA
  
  
• c3rb3ru5d3d53c
  • [44] Malware Theory – Introduction to Packers and Unpacking
  • [45] Quick Tips – Top 10 Mistakes People Make When Getting a Career in Cyber
  • [46] Malware Lab – Introduction to x64dbg
  • [47] Malware Lab – Unpacking Process Hollowing
    
    
• Cybereason
  THREAT ANALYSIS REPORT: PlugX RAT Loader Evolution
  
  
• Cyble
  • Spyware Campaign Targeting The Uyghur Community
  • Adversaries Actively Utilizing PowerShell Empire
  • Bumblebee Returns with New Infection Technique
  • The Rise in Incidence of Fake e-shop Scams
  • Zimbra Email Vulnerability (CVE-2022-37042) Weaponized to Cause Large-scale Compromise
    
    
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #105: Offsets with custom base
  
  
• InfoSec Write-ups
  • Malware Analysis — NanoCore Rat
  • Anti-Reversing Techniques (Part 1)
  • [Malware Analysis #3] — Disk Writer
  • Malware Analysis — FFDroider
    
    
• Ahmad Abolhadid at Insinuator
  Spymax: The android RAT and it works like that….
  
  
• Malwarebytes Labs
  Ransomware review: August 2022
  
  
• Matthew
  Check out @embee_research’s Tweet
  
  
• Muhammad Hasan Ali at muha2xmad
  Technical analysis of SharkBot android malware
  
  
• OALABS Research
  DbatLoader Triage
  
  
• OverTheNet
  Code of Malware
  
  
• Chao Lei, Zhibin Zhang, Cecilia Hu and Aveek Das at Palo Alto Networks
  Mirai Variant MooBot Targeting D-Link Devices
  
  
• Aleksandar Milenkoski and Jim Walter at SentinelLabs
  Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection
  

MISCELLANEOUS

• Abhiram Kumar
  FOR610 & GREM – My experience
  
  
• Ali Alwashali at ‘HackDefend Labs’
  A Tour Inside a SOC Analyst Mind
  
  
• Blake Regan
  Getting started with chain of custody for DFIR investigations
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 9/10/22
  
  
• Cybereason
  • RansomOps vs. Extended Detection and Response
  • The Cybereason Approach to Sensor Tamper Protection
    
    
• Simson Garfinkel at Digital Corpora
  New Android 10 and 11 Images!
  
  
• Doug Burks at Security Onion
  Security Onion Documentation printed book now updated for Security Onion 2.3.160!
  
  
• Florian Roth
  The Bicycle of the Forensic Analyst
  
  
• InfoSec Write-ups
  Insufficient Logging and Monitoring
  
  
• LockBoxx
  Book Review: “Forensics”
  
  
• Stephanie Calabrese at Microsoft Security Response Center
  Curious, Innovative, Creative, Community Driven: Meet Cyb3rWard0g, Roberto Rodriquez
  
  
• Oxygen Forensics
  Why Your Company Needs Digital Forensics
  
  
• Salvation DATA
  6 Types of Online Banking Fraud: Guidelines for Investigators
  
  
• SANS
  • ICS Security Management VS. ICS Attack Targeting
  • Getting Started in Cybersecurity with a Non-Technical Background
  • Mature ICS Security with Metrics
    
    
• Antonio Sanz at Security Art Work
  CFP (Call For Papers): consejos para que tu propuesta no quede en el tintero
  
  
• SecurityJosh
  Configuring email notifications for HTML Smuggled files using Download Blocker and IFTTT
  
  
• Brandon Lee at Specops Software
  How to recover from a ransomware attack
  
  
• The Security Noob.
  [DFIR TOOLS] Timeline Explorer, what is it & how to use!
  
  
• The Security Noob.
  Interview with 13 Cubed who is also DFIR Investigator for Microsoft Richard Davis.
  

SOFTWARE UPDATES

• Adam V. Link
  routerOS Artifact Collector
  
  
• Belkasoft
  Belkasoft X v.1.14
  
  
• CyberChef
  v9.46.4
  
  
• Didier Stevens
  • Update: oledump.py Version 0.0.70
  • Update: xor-kpa.py Version 0.0.6
  • Update: translate.py Version 2.5.12
  • Update: hex-to-bin.py Version 0.0.6
    
    
• Don C. Weber
  ICS Packet Capture Visualizer
  
  
• Federico Lagrasta
  PersistenceSniper v1.7.0
  
  
• Grzegorz Tworek
  Extract-BootTimes.ps1
  
  
• Hasherezade
  pe-bear 0.5.5.7
  
  
• IntelOwl Project
  go-intelowl
  
  
• Jason Ostrom
  PurpleCloud v1.0.0
  
  
• Jerzy ‘Yuri’ Kramarz
  Cloud-Investigate
  
  
• MemProcFS-Analyzer
  MemProcFS-Analyzer-v0.5
  
  
• Olaf Schwarz
  gMetaDataParse
  
  
• SigmaHQ
  Sigma 0.22
  
  
• Rapid7
  Velociraptor Release 0.6.6
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!