As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• John Lukach at 4n6ir
  Amazon Linux Triage for Anyone and Everyone
  
  
• ArcPoint
  Getting started with ALEAPP | ArcPoint Forensics
  
  
• Cyrill Brunschwiler at Compass Security
  Tutorial on how to Approach Typical DFIR Cases with Velociraptor
  
  
• Forensafe
  Investigating Ouick Access
  
  
• Harel Segev at ‘RAT In Mi Kitchen’
  The Forensic Value of the (Other) WSH Registry Key
  
  
• Lina Lau at Inversecos
  How to Investigate Insider Threats (Forensic Methodology)
  
  
• Oxygen Forensics
  Compare Call log and CDR in Oxygen Forensic ® Detective
  
  
• UnderDefense
  Massive Infection through 0-day in the Zimbra Email suite (CVE-2022-41352)
  
  
• Yamato Security
  Yamato Security’s Ultimate Windows Event Log Configuration Guide For DFIR And Threat Hunting
  
  
• Pieces0310
  APK downgrade extraction fails on Samsung smartphones – Pieces0310
  

THREAT INTELLIGENCE/HUNTING

• Anomali
  Anomali Cyber Watch: Emotet Added Two New Modules, LofyGang Distributed 200 Malicious Packages, Bumblebee Loader Expanded Its Reach, and More
  
  
• Anton Chuvakin
  Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!
  
  
• Sule Tatar at Arctic Wolf
  Threat Intelligence 101
  
  
• Avertium
  An In-Depth Look at Vice Society Ransomware
  
  
• Bitdefender
  Are Open-Source Threat Intelligence Solutions Still Competitive?
  
  
• Lawrence Abrams at BleepingComputer
  Fake Solana Phantom security updates push crypto-stealing malware
  
  
• Booz Allen Hamilton
  China’s Cyberattack Strategy Explained
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2022-10-10 – Qakbot (Qbot) with Cobalt Strike
  • 2022-10-14 – bb02 Qakbot (Qbot) infection
    
    
• CERT-AGID
  • Nuova campagna sLoad in atto su caselle PEC
  • Sintesi riepilogativa delle campagne malevole nella settimana del 8 – 14 ottobre 2022
    
    
• Check Point Research
  • 10th October – Threat Intelligence Report
  • September 2022’s Most Wanted Malware: Formbook on Top While Vidar ‘Zooms’ Seven Places
  • NSA, CISA& FBI Alert on Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors – Check Point Customers Remain Fully Protected
    
    
• Cisco’s Talos
  • Alchimist: A new attack framework in Chinese for Mac, Linux and Windows
  • Threat Source newsletter (Oct. 13, 2022) — Cybersecurity Awareness Month is all fun and memes until someone gets hurt
  • Threat Roundup for October 7 to October 14
    
    
• Cyber Threat Intelligence Training Center
  STIX2.1 Best Practices
  
  
• Anthony M. Freed at Cybereason
  Indicators of Behavior and the Diminishing Value of IOCs
  
  
• Cyberknow
  Update 19. 2022 Russia-Ukraine War — Cyber Group Tracker. October 12.
  
  
• Cyble
  • Massive Tech Support Scam Exposed
  • Mitsu Stealer distributed via AnyDesk Phishing Site
  • Online File Converter Phishing Page Spreads RedLine Stealer
    
    
• Dragos
  • Achieving Real-Time OT Monitoring and Mitigation with Dragos, Sentar, and Siemens Government Technologies: A MOSAICS Compatible Solution
  • New Knowledge Pack Released (KP-2022-007)
    
    
• Erik Hjelmvik at Netresec
  IcedID BackConnect Protocol
  
  
• GuidePoint Security
  GRIT Ransomware Report – Q3 2022
  
  
• Henri Hambartsumyan at Falcon Force
  FalconFriday — Detecting ADCS web services abuse — 0xFF20
  
  
• Horizon3
  • FortiOS, FortiProxy, and  FortiProxySwitchManager Authentication Bypass IOCs (CVE-2022-40684)
  • FortiOS, FortiProxy, and  FortiSwitchManager Authentication Bypass Technical Deep Dive (CVE-2022-40684)
    
    
• Intel471
  LockBit 3.0 Builder Code Leak Points to Another Disgruntled Criminal Employee
  
  
• Kostas Tsale
  Threat Hunting Series: Using Threat Emulation for Threat Hunting
  
  
• Magnet Forensics
  Identify Malicious Files and IOCs With YARA Rules in Magnet IGNITE
  
  
• Malwarebytes Labs
  • Top 5 ransomware detection techniques: Pros and cons of each
  • Chinese APT’s favorite vulnerabilities revealed
    
    
• Mandiant
  • The Fresh Phish Market: Behind the Scenes of the Caffeine Phishing-as-a-Service Platform
  • Gain Visibility Into Attacker Activity with Threat Campaigns
    
    
• Microsoft Security
  • New “Prestige” ransomware impacts organizations in Ukraine and Poland
  • Hunting for Cobalt Strike: Mining and plotting for fun and profit
    
    
• OALABS Research
  Threat Intel – Building A Simple Botnet Tracker
  
  
• Amer Elsad and Daniel Bunce at Palo Alto Networks
  Ransom Cartel Ransomware: A Possible Connection With REvil
  
  
• PhishLabs
  RedLine Stealer Leads Payloads in Q3
  
  
• Recorded Future
  • Malign Influence During the 2022 US Midterm Elections Report
  • Takeaways from Predict 2022 – The Intelligence Summit
  • Magecart Attacks: The Dark Art Fraudsters Use to Steal Payment Data
    
    
• Robindimyan
  Early Warning Intelligence — How to predict cyber attacks?
  
  
• SANS Internet Storm Center
  • Wireshark: Specifying a Protocol Stack Layer in Display Filters, (Mon, Oct 10th)
  • Curl’s resolve Option, (Sun, Oct 9th)
  • Scans for old Fortigate Vulnerability: Building Target Lists?, (Wed, Oct 12th)
  • Analysis of a Malicious HTML File (QBot), (Thu, Oct 13th)
  • Malware – Covid Vaccination Supplier Declaration, (Sat, Oct 15th)
    
    
• Tom Hegel at SentinelOne
  8220 Gang Cloud Botnet Targets Misconfigured Cloud Workloads
  
  
• Sonatype
  This Week in Malware – Over 50 Packages Discovered
  
  
• Matt Wixey at Sophos
  Are threat actors turning to archives and disk images as macro usage dwindles?
  
  
• Simon O’Brien at Splunk
  APAC BOTS Day 2022
  
  
• Sucuri
  SiteCheck Malware Trends Report – Q3 2022
  
  
• Symantec Enterprise
  Budworm: Espionage Group Returns to Targeting U.S. Organizations
  
  
• Lesley Carhart
  ASIS Article – Preparing for OT Incident Response
  
  
• Trend Micro
  • Black Basta Ransomware Gang Infiltrates networks via QAKBOT, Brute Ratel, and Cobalt Strike
  • Prevent Ransomware Attacks on Critical Infrastructure
    
    
• Ashley Pearson and Shane Hartman at TrustedSec
  Back to Basics: The TrustedSec Guide to Strong Cyber Hygiene—Part 2
  
  
• Javier Inclan at VMware Security
  Emotet Exposed: A Look Inside the Cybercriminal Supply Chain
  

UPCOMING EVENTS

• Binalyze
  Redefining the future of digital forensics and incident response with AIR 3.0.
  
  
• Cellebrite
  • Why Cellebrite Premium is a must!
  • Updates, Tips and Tricks for Cellebrite Premium
  • Cellebrite Premium: Vanderburgh County Cyber Crime Task Force Digital Transformation
    
    
• Magnet Forensics
  • We’re Coming Back to Nashville for Magnet User Summit 2023!
  • Tips & Tricks // Putting Geolocation Data on the Map
  • Digital Forensics and eDiscovery: Where One Stops and the Other Begins
  • Ask Me Anything: Live Q&A With Magnet Forensics Trainers
    
    
• Microsoft Security Response Center
  BlueHat 2023 Call for Papers is Now Open!
  
  
• SANS Institute
  Ask Me Anything
  

PRESENTATIONS/PODCASTS

• Ali Hadi
  • C5W Agent Peer2Peer Capability
  • Grouping Agents
    
    
• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2022-10-10
  • AASLR: Flash CTF walkthrough with Serena, live from WWHF Deadwood 2022
    
    
• Brakeing Down Security Podcast
  07-oct-news-twitch streaming
  
  
• Breaking Badness
  134. OSINTillating Conversation
  
  
• Heather Mahalik at Cellebrite
  iOS Offline Tracking, Wiping and the U1 Chip – Mitch Kajzer
  
  
• Cloud Security Podcast by Google
  Next Special – Can We Escape Ransomware by Migrating to the Cloud?
  
  
• Reza Rafati at Cyberwarzone
  The MITRE Attack Framework explained in basic language
  
  
• Cyborg Security
  Threat Hunting Workshop: Hunting for Execution
  
  
• Didier Stevens
  • PNG + mimikatz.exe
  • PNG Analysis
  • Analysis of a Malicious HTML File (QBot)
    
    
• Digital Forensic Survival Podcast
  DFSP # 347 – Weblogs
  
  
• Digital Forensics in Real Life
  Ep. 10 The eBay Swindler
  
  
• Down the Security Rabbithole Podcast
  DtSR Episode 521 – The Peanut Gallery Takes on XDR
  
  
• InfoSec_Bret
  DFIR – Windows Forensics – Part 1
  
  
• Magnet Forensics
  • YARA Rules in Magnet IGNITE: Identify Malicious Files and IOCs
  • Timing is Everything: What You Need to Know About DVR Dates & Times
  • Duty to Preserve, but How?
    
    
• MalGamy
  Play with bruteratel framework payload
  
  
• SANS Institute
  Technology is the Reasonable Accommodation | SANS Cyber Solutions Fest 2022
  
  
• The Defender’s Advantage Podcast
  Threat Trends: The Threat Lanscape in APJ
  
  
• The Digital Forensics Files Podcast
  How Lawyers and Litigants Can Spot Fake Text Messages!
  
  
• Lesley Carhart
  (Podcast) ITSP – Martial Arts, Marksmanship, And ICS Cyber Incident Response | A Conversation With Lesley Carhart
  
  
• Uriel Kosayev
  Why Malware Analysis is important in Red Teams – Proelium Conference
  

MALWARE

• ASEC
  • Qakbot Being Distributed as ISO Files Instead of Excel Macro
  • ASEC Weekly Malware Statistics (September 26th, 2022 – October 2nd, 2022)
  • GlobeImposter Ransomware Being Distributed in Korea
  • Lazarus Group Uses the DLL Side-Loading Technique (mi.dll)
    
    
• Blackberry
  BianLian Ransomware Encrypts Files in the Blink of an Eye
  
  
• Anandeshwar Unnikrishnan at CloudSEK
  Technical Analysis of BlueSky Ransomware
  
  
• CTF导航
  • 异常问题汇总_sample_malaware_report
  • MEDUSA:an Extensible and Modularised framework that automates processes and techniques practiced during the dynamic analysis of Android Applications
  • 라자루스 그룹 DLL Side-Loading 기법 이용 (mi.dll)
  • Lsass memory dump
  • JAVA加载DLL或Shellcode方法学习
  • .NET下规避双引号实现MySQL写入Shell
    
    
• Deep Instinct
  The Russian SpyAgent – a Decade Later and RAT Tools Remain at Risk
  
  
• Esentire
  Qakbot and HTML Smuggling Resurgence
  
  
• Fortinet
  • Ukrainian Military-Themed Excel File Delivers Multi-Stage Cobalt Strike Loader
  • Ransomware Roundup: Royal Ransomware
    
    
• Patrick Schläpfer at HP Wolf Security
  Magniber Ransomware Adopts JavaScript, Targeting Home Users with Fake Software Updates
  
  
• Hussein Adel
  DarkSide Ransomware Analysis
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #110: Self-relative offsets
  
  
• Aaron Stratton at InfoSec Write-ups
  njRAT Malware Analysis
  
  
• John Hammond
  • a CYBERCRIME UNIVERSITY!?!? (“FREE” hacking courses – Dark Web Documentary #12)
  • Reverse Shell UNDETECTED by Microsoft Defender (hoaxshell)
  • ACCESS what you WERE NEVER SUPPOSED TO
  • VULNERABLE File Uploads (Python Django)
    
    
• Yasuyuki Tanaka at NTT Security Japan
  LockBit3.0 BuilderによるEncryptorの特徴解析
  
  
• OALABS Research
  Icarus Stealer – What is it?
  
  
• Positive Technologies
  We study the Trojan agenda with mimicry under XDSpy
  
  
• Joey Chen and Amitai Ben Shushan Ehrlich at SentinelLabs
  WIP19 Espionage | New Chinese APT Targets IT Service Providers and Telcos With Signed Malware
  
  
• ThreatFabric
  TOAD attacks: Vishing combined with Android banking malware now targeting Italian banks
  
  
• Uptycs
  Agent Tesla Malware Analysis: WSHRAT Acting As A Dropper
  
  
• Brian Baskin at VMware Security
  LockBit 3.0 Also Known as LockBit Black
  
  
• WeLiveSecurity
  • POLONIUM targets Israel with Creepy malware
  • ESET research into POLONIUM’s arsenal – Week in security with Tony Anscombe
    
    
• Zhassulan Zhussupov
  • Malware development: persistence – part 14. Event Viewer help link. Simple C++ example.
  • Malware development: persistence – part 15. Internet Explorer. Simple C++ example.
    
    
• Nipun Gupta at Zimperium
  We Smell A RatMilad Android Spyware
  
  
• Tarun Dewan and Stuti Chaturvedi at ZScaler
  New PHP Variant of Ducktail Infostealer Targeting Facebook Business Accounts
  

MISCELLANEOUS

• Belkasoft
  Internal or external: what data breach elicits the greater risk and damage?
  
  
• Breachquest
  Ransomware Attack! Now what?
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 10/9/22
  
  
• Cellebrite
  Cellebrite to Release Third Quarter 2022 Financial Results on November 17, 2022
  
  
• Forensic Focus
  • Amped Software’s Martino Jerian on Key Challenges and Opportunities for Video Evidence
  • Exterro FTK Launches a Benchmark Forensics Survey
  • Register For Webinar: The Amped Ecosystem: From the Crime Scene to the Courtroom
    
    
• Huntress
  • The State of the Dark Web
  • What Is Threat Hunting?
    
    
• Microsoft 365 Security
  • How to implement the Exchange Split Permissions Model?
  • Patching Exchange Server 2019 and 2016: October 2022 (KB5019077) – Elevation of Privilege Vulnerabilities
  • History of Exchange with having wide permissions in AD
    
    
• Ashwin Radhakrishnan at MITRE-Engenuity
  MITRE Engenuity ATT&CK® Evaluations: Enterprise — Turla Welcomes 31 Participants
  
  
• Politie
  Nederlandse gedupeerden geholpen in unieke ransomware-actie
  
  
• Rich Plummer
  Basic Concepts in Mobile Device Forensics Part 4 – Evidence Fundamentals
  
  
• SANS
  • How to Automate in Azure Using PowerShell – Part 1
  • How to Automate Azure Using PowerShell – Part 1
  • It’s Time to Break the SOC Analyst Burnout Cycle
  • Tis the season (SMeaSon?) for Smishing
  • GIAC Introduces Industry-First Cloud Forensic Responder (GCFR) Certification
    
    
• Security Intelligence
  How the US Government is Fighting Back Against Ransomware
  
  
• SOC Fortress
  • Part 2. Graylog Install — Log Ingestion
  • Part 3. Wazuh Manager Install — Log Analysis
    
    
• Kurt Muhl at TrustedSec
  Set Up an Android Hacking Lab for $0
  

SOFTWARE UPDATES

• AccessData
  KFF 7.6
  
  
• CISA
  RedEye
  
  
• Crowdstrike
  Falconpy Version 1.2.3
  
  
• CyberChef
  v9.48.0
  
  
• Didier Stevens
  Update: base64dump.py Version 0.0.24
  
  
• ExifTool
  ExifTool 12.48
  
  
• Grzegorz Tworek
  FwOffline
  
  
• iNPUT-ACE
  Axon Investigate Version 3.0
  
  
• IntelOwl
  v4.1.0
  
  
• Jake Hildreth
  Locksmith
  
  
• Martin Willing
  MemProcFS-Analyzer-v0.6
  
  
• MISP
  MISP 2.4.164 released with new tag relationship feature, improvements and a security fix
  
  
• Passware
  Passware Kit Mobile 2022 v4 Now Available
  
  
• Raymond Roethof
  Microsoft Defender for Identity Log Analyzer
  
  
• Sandfly Security
  Sandfly 4.2 – Automatic Host Discovery and Faster Than Ever
  
  
• Xways
  • X-Ways Forensics 20.6 SR-4
  • X-Ways Forensics 20.7 Preview 3
    
    
• Yamato Security
  Hayabusa v1.7.1 🦅
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!