As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Cado Security
  • Enhancing Cado Community Edition with Velociraptor
  • WatchDog Continues to Target East Asian CSPs
  • The Ultimate Guide to Ransomware Incident Response & Forensics
    
    
• Dr. Ali Hadi
  Challenge #7 – SysInternals Case
  
  
• Oleg Afonin at Elcomsoft
  • Advanced Logical Extraction with iOS Forensic Toolkit 8: Cheat Sheet
  • Cloud Forensics: Obtaining iCloud Backups, Media Files and Synchronized Data
    
    
• Forensafe
  Investigating iTunes
  
  
• Francisco Dominguez at DiabloHorn
  Parsing atop files with python dissect.cstruct
  
  
• ghost$
  Windows Forensics 1
  
  
• Manuel Guerra at GLIDER.es
  Pendrive Forensics, Destreza en un Destrozo.
  
  
• Haircutfish
  • TryHackMe Pyramid Of Pain — Task 1 Introduction & Task 2 Hash Values (Trivial)
  • TryHackMe Pyramid Of Pain — Task 3 IP Address (Easy) & Task 4 Domain Names (Simple)
  • TryHackMe Pyramid Of Pain — Task 5 Host Artifacts (Annoying) & Task 6 Network Artifacts (Annoying)
  • TryHackMe Pyramid Of Pain — Task 7 Tools (Challenging) & Task 8 TTPs (Tough)
  • TryHackMe Pyramid Of Pain — Task 9 Practical: The Pyramid of Pain & Task 10 Conclusion
  • TryHackMe Cyber Kill Chain Room
    
    
• iBlue team
  PsExec and NTUSER data
  
  
• Magnet Forensics
  Checking in on iOS 16 in Magnet AXIOM 6.8
  
  
• Mailxaminer
  • Proper Tagging and Labeling of Evidence in Digital Forensics
  • How to Decrypt Outlook Email? Remove S/MIME & OpenPGP Encryption
  • Search in Gmail Account Database and Extract Required Evidence
  • Export PST File Into PDF Format For Digital Forensic Investigation
  • How to Analyze & Download G Suite Email for Forensics Investigation Purpose
  • Extract Outlook PST Email & Attachment Header to CSV File Format
  • How to Check Properties of Multiple Emails via Single Solution
  • AOL Email Forensics for Cybercrime Investigation
    
    
• Oxygen Forensics
  Data Search in Oxygen Forensic® Detective
  
  
• Amber Schroader at Paraben Corporation
  Fall is full of new data in iOS 16 messages
  
  
• The DFIR Report
  BumbleBee Zeros in on Meterpreter
  
  
• Thomas Millar at TrustedSec
  Linux History File Timestamps
  

THREAT INTELLIGENCE/HUNTING

• Chris Brenton at Active Countermeasures
  Proper Safelisting When Threat Hunting
  
  
• Adam at Hexacorn
  • Cracking Zeppelin
  • Beyond good ol’ Run key, Part 139
    
    
• Andreas Sfakianakis at ‘Tilting at windmills’
  ENISA Threat Landscape 2022 – Threat Actor Trends
  
  
• Anomali
  Anomali Cyber Watch: Amadey Bot Started Delivering LockBit 3.0 Ransomware, StrelaStealer Delivered by a HTML/DLL Polyglot, Spymax RAT Variant Targeted Indian Defense, and More
  
  
• AT&T Cybersecurity
  Stories from the SOC: Fortinet authentication bypass observed in the wild
  
  
• AttackIQ
  • Attack Graph Response to US-CERT Alert (AA22-320A): Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
  • Attack Graph Response to US-CERT Alert (AA22-321A): #StopRansomware: Hive Ransomware
    
    
• Avertium
  An Update on LockBit 3.0
  
  
• Blackberry
  • ARCrypter Ransomware Expands Its Operations From Latin America to the World
  • FBI Cyber Most Wanted: Iranian Threat Actors
    
    
• Lawrence Abrams at BleepingComputer
  QBot phishing abuses Windows Control Panel EXE to infect devices
  
  
• Blumira
  • A Guide To Microsoft Azure Security Logging
  • 8 Microsoft 365 Detections You’ll Get For Free With Blumira
    
    
• Brad Duncan at Malware Traffic Analysis
  • 2022-11-14 – obama221 Qakbot (Qbot) infection with Cobalt Strike and VNC traffic
  • 2022-11-03 – Emoet infection with IcedID (Bokbot)
  • 2022-11-17 – Bumblebee infection
  • 2022-11-07 – Emoet (epoch 4) infection with IcedID (Bokbot) and Bumblebee malware
    
    
• BushidoToken
  The Continuity of Conti
  
  
• CERT-AGID
  • Campagna di phishing sfrutta AGID e INPS per il furto di credenziali tramite servizio Glideapps
  • Sintesi riepilogativa delle campagne malevole nella settimana del 12 – 18 novembre 2022
    
    
• Check Point Research
  14th November– Threat Intelligence Report
  
  
• CISA
  • AA22-320A: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
  • AA22-321A: #StopRansomware: Hive Ransomware
    
    
• Cisco’s Talos
  • Threat Source newsletter (Nov. 17, 2022): Hot off the press! The Snort 2023 Calendar is here
  • Threat Round up for November 11 to 18
    
    
• Anandeshwar Unnikrishnan at CloudSEK
  Technical Analysis of the RedLine Stealer
  
  
• CTF导航
  • Operation(Đường chín đoạn) typhoon：觊觎南海九段线的赛博海莲
  • 技术干货 | 网络入侵检测系统之suricata概要介绍
  • 实战 | 记一次Word文档网络钓鱼以及绕过火绒，电脑管家和Windows Defender
  • 蓝军和elf loader
  • Brute Ratel C4 Badger分析实战与检测
    
    
• Cyble
  • CyberThreats Mushrooming over Global Nuclear Facilities
  • Phishing Campaign Targeting Indonesian BRI Bank Using SMS Stealer
  • AXLocker, Octocrypt, and Alice: Leading a new wave of Ransomware Campaigns
    
    
• Emily Dennison and Alana Witten at Cyjax
  Fangxiao: a Chinese threat actor
  
  
• Ellen Wang and Christophe Tafani-Dereeper at Datadog Security Labs
  Finding malicious PyPI packages through static code analysis: Meet GuardDog
  
  
• Axel Wauer and Johann Aydinbas at DCSO CyTec
  HZ RAT goes China
  
  
• Dragos
  New Knowledge Pack Released (KP-2022-008)
  
  
• Elastic
  • Elastic’s 2022 Global Threat Report: A roadmap for navigating today’s growing threatscape
  • Why I’m excited about the 2022 Elastic Global Threat Report
    
    
• Ben Brigida at Expel
  Expel Quarterly Threat Report Q3: Top 5 takeaways
  
  
• Greg Sinclair at Google Cloud
  Making Cobalt Strike harder for threat actors to abuse
  
  
• Nic Finn at GuidePoint Security
  GRIT Ransomware Report: October 2022
  
  
• InfoSec Write-ups
  • Python APT1 Simulator
  • Stealthy Persistence While Using Windows Terminal.
  • DLL Hijacking Persistence Using Discord
    
    
• Jouni Mikkola at ‘Threat hunting with hints of incident response’
  Recent phishing emails + Emotet recent sample analysis
  
  
• Md. Abdullah Al Mamun at Intarna
  URL Obfuscation With Decimal IP Address
  
  
• Microsoft Security
  • Token tactics: How to prevent, detect, and respond to cloud token theft
  • DEV-0569 finds new ways to deliver Royal ransomware, various payloads
    
    
• Mitiga
  • Uber Cybersecurity Incident: Which Logs Do IR Teams Need to Focus On?
  • Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots
    
    
• James Ross and Adrian Garcia Gonzalez at MITRE-Engenuity
  Defending Infrastructure-as-a-Service with ATT&CK®
  
  
• Phylum
  W4SP Stealer Update—Attacker now Attempting to Masquerade as Popular Orgs
  
  
• Recorded Future
  • Fielding Threats: Cyber, Influence, and Physical Threats to the 2022 FIFA World Cup in Qatar Report
  • Iran and Venezuela: The Alex Saab Trans-regional Influence Campaign to Increase Anti-US Sentiment in Latin America
    
    
• Red Alert
  Monthly Threat Actor Group Intelligence Report, September 2022 (ENG)
  
  
• Laura Dabelic at ReversingLabs
  Writing detailed YARA rules for malware detection
  
  
• Sandfly Security
  How To Detect and Decloak Linux Stealth Rootkit Data
  
  
• SANS Internet Storm Center
  • Extracting ‘HTTP CONNECT’ Requests with Python, (Mon, Nov 14th)
  • Packet Tuesday: Network Traffic Analysis for the Whole Family, (Tue, Nov 15th)
  • Evil Maid Attacks – Remediation for the Cheap, (Wed, Nov 16th)
  • McAfee Fake Antivirus Phishing Campaign is Back!, (Sat, Nov 19th)
    
    
• Sansec
  Adobe Commerce merchants to be hit with TrojanOrders this season
  
  
• Kristen Cotten at Scythe
  SCYTHE Presents: CloudFox
  
  
• Securelist
  • Advanced threat predictions for 2023
  • DTrack activity targeting Europe and Latin America
    
    
• Dr. Robert Ames at Security Scorecard
  Russian-Speaking Threat Actors Claim New DDoS Attacks Against U.S. Targets
  
  
• D. Iuzvyk, T. Peck and O. Kolesnikov at Securonix
  Securonix Threat Labs Security Advisory: Qbot/QakBot Malware’s New Initial Execution Uses Grifted Regsvr32 Binary to Run DLL Payload
  
  
• Semperis
  • Construction Firm Strengthens its ITDR Foundation with Purple Knight
  • SyncJacking: Hard Matching Vulnerability Enables Azure AD Account Takeover
    
    
• Sean Gallagher at Sophos
  Sophos 2023 Threat Report: the continued evolution of “Crime-as-a-Service”
  
  
• Jonathan Johnson at SpecterOps
  Uncovering Window Security Events
  
  
• Splunk
  • Inside the Mind of a ‘Rat’ – Agent Tesla Detection and Analysis
  • This Feels Scripted: Zeek Scripting and Splunk
    
    
• Sucuri
  • New SocGholish Malware Variant Uses Zip Compression & Evasive Techniques
  • How to Fix the “This Site May Harm Your Computer” Warning
    
    
• Symantec Enterprise
  Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries
  
  
• Sysdig
  • Does cloud log management shield you from threats? CloudTrail vs CloudWatch
  • The Real Cost of Cryptomining: Adversarial Analysis of TeamTNT
  • Using Sysdig Secure to Detect and Prioritize Mitigation of CVE 2022-3602 & CVE 2022-3786: OpenSSL 3.0.7
  • Detecting Cryptomining Attacks “in the Wild”
    
    
• Trellix
  Ransomware Activity Doubles in Transportation and Shipping Industry
  
  
• Nick Dai, Vickie Su, and Sunny Lu at Trend Micro
  Earth Preta Spear-Phishing Governments Worldwide
  
  
• Ben Mauch at TrustedSec
  The Art of Bypassing Kerberoast Detections with Orpheus
  
  
• Vicente Díaz at VirusTotal
  • Deception at scale: How attackers abuse governmental infrastructure
  • Stopping  Cobalt Strike with YARA
    
    
• Jean-Ian Boutin at WeLiveSecurity
  ESET APT Activity Report T2 2022
  
  
• Piotr Bazydło at Zero Day Initiative
  Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend
  
  
• Zoë Brammer at the Institute for Security and Technology
  Mapping the Ransomware Payment Ecosystem: A Comprehensive Visualization of the Process and Participants
  

UPCOMING EVENTS

• Black Hills Information Security
  Atomic Spotlight: Dead Simple C2 Comms with OpenSSL
  
  
• Cellebrite
  • Top Trends in Corporate Investigations and What to Expect in 2023
  • Cellebrite Solutions – 2022 Summary
    
    
• Greynoise
  Open Forum 4
  
  
• Jared Luebbert and Toni Pärn at Belkasoft
  macOS Forensics: decryption and analysis of APFS images from Macs with T2
  
  
• Magnet Forensics
  Conducting Corporate Investigations with Magnet AXIOM Cyber
  

PRESENTATIONS/PODCASTS

• Black Hat
  Black Hat USA 2022
  
  
• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2022-11-14
  • AASLR: Getting started with Ansible | Ralph May
  • AASLR: 15 minutes with Joff Thyer | Antisyphon Instructor
  • Talkin’ About Infosec News – 11/16/2022
    
    
• Breaking Badness
  139. Something’s Polyglot To Give
  
  
• Cellebrite
  Normalizing Modern Data from Preservation to Production
  
  
• Chris Sienko at the Cyber Work podcast
  Behind the scenes of ransomware negotiation  | Guest Tony Cook
  
  
• Cloud Security Podcast by Google
  • EP96 Cloud Security Observability for Detection and Response
  • Special: Coordinated Release of Detection Rules for CobaltStike Abuse
    
    
• Computer Crime Chronicles
  Episode 7: Work Smarter, Not Harder
  
  
• Digital Forensic Survival Podcast
  DFSP # 352 – Startup Locations
  
  
• FIRST
  2022 FIRST CTI Symposium Berlin
  
  
• Gerald Auger at Simply Cyber
  Make Learning Digital Forensics A Reality 💪 with Haiku Pro🔥
  
  
• Hacker Valley Blue
  Pentesting for a Better Purple Team with PlexTrac’s Nick Popovich
  
  
• Rachel Bishop at Huntress
  Tradecraft, Shenanigans and Spice: hack_it 2022 Recap
  
  
• InfoSec_Bret
  CyberDefenders – GrabThePhisher
  
  
• Insane Forensics
  How To Use User Agents to Save The World (And Improve Cyber Threat Hunting and Detection)
  
  
• LASCON
  LASCON 2022
  
  
• LetsDefend
  How to create a Incident Response Plan?
  
  
• Magnet Forensics
  • Creating Agent Placeholders for Remote Collections in AXIOM Cyber
  • Lost Time, Can It Be Found?
  • Tips & Tricks // Building Streamlined Digital Forensics Workflows with Magnet AUTOMATE
    
    
• SANS Cyber Defense
  • Packet Tuesday – Episode 0
  • Packet Tuesday – DNS Feature
  • Confidence in Chaos: Strategies for World-Class Security Operations
  • From IT to Blue Team – Your Time is Now!
  • Dispatch from the SOC
    
    
• SentinelLabs
  LABScon Replay | Demystifying Threats to Satellite Communications in Critical Infrastructure
  
  
• Sumuri
  Time to give back | SUMURI
  
  
• The Defender’s Advantage Podcast
  Frontline Stories: Cyber Insurance to Make Companies Safer
  
  
• hacks4pancakes at tisiphone.net
  Podcast: Securing Bridges | A Live Stream Podcast With Alyssa Miller | Guest: Lesley Carhart | Episode 28
  

MALWARE

• Arch Cloud Labs
  Analysis of a LoadLibraryA Stack String Obfuscation Technique with Radare2 & x86dbg
  
  
• ASEC
  • A Dropper-Type Malware Bomb Being Distributed Again in the Disguise of Cracks
  • DAGON LOCKER Ransomware Being Distributed
  • ASEC Weekly Malware Statistics (November 7th, 2022 – November 13th, 2022)
    
    
• Jossef Harush at Checkmarx Security
  WASP Attack on Python — Polymorphic Malware Shipping WASP Stealer; Infecting Hundreds Of Victims
  
  
• CISA
  10387061-1.v1 XMRig Cryptocurrency Mining Software
  
  
• Chris Neal at Cisco’s Talos
  Get a Loda This: LodaRAT meets new friends
  
  
• Cofense
  Microsoft Customer Voice URLs Used In Latest Phishing Campaign
  
  
• Simon Kenin at Deep Instinct
  Emotet’s Vacation is Over: No Rest for the Wicked
  
  
• Fortinet
  • New RapperBot Campaign – We Know What You Bruting for this Time
  • Tips and Tricks: Debugging .NET Malware in a Multi-Stage Malware Deployment
    
    
• hasherezade’s 1001 nights
  Flare-On 9 – Task 8
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #115: Set callee address
  
  
• Jonathan Sar Shalom at JFrog
  Common Payloads Attackers Plant in Malicious Software Packages
  
  
• Nick Habour at Mandiant
  Flare-On 9 Challenge Solutions
  
  
• N00b_H@ck3r
  How to Setup Your Own Malware Analysis Box – Cuckoo Sandbox
  
  
• OALABS Research
  • Amadey Loader
  • AgentTesla
    
    
• Akshata Rao, Zong-Yu Wu and Wenjun Hu at Palo Alto Networks
  An AI Based Solution to Detecting the DoubleZero .NET Wiper
  
  
• petikvx
  Crypt / Decrypt
  
  
• Pim Trouerbach and Axel F at Proofpoint
  A Comprehensive Look at Emotet’s Fall 2022 Return
  
  
• Daniel Smith at Radware
  How Information Stealers Get User Credentials
  
  
• Jim Walter at SentinelOne
  Venus Ransomware | Zeoticus Spin-off Shows Sophistication Isn’t Necessary for Success
  
  
• Sky Blueteam
  Flare-on 9 write-up
  
  
• Lance James and Joel Lathrop at Unit 221B
  0XDEAD ZEPPELIN
  
  
• Vlad Pasca at Security Scorecard
  A Technical Analysis of Royal Ransomware
  
  
• Bethany Hardin, Lavine Oluoch, Tatiana Vollbrecht, Deborah Snyder and Nikki Benoit at VMware Security
  BATLOADER: The Evasive Downloader Malware
  
  
• Yoroi
  Reconstructing the last activities of Royal Ransomware 
  
  
• Zhassulan Zhussupov
  Malware development: persistence – part 19. Disk Cleanup Utility. Simple C++ example.
  
  
• Nipun Gupta at Zimperium
  The Case of Cloud9 Chrome Botnet
  

MISCELLANEOUS

• Anton Chuvakin
  More SRE Lessons for SOC: Simplicity Helps Security
  
  
• Any.Run
  3 Reasons Why You Need an Incident Response Plan
  
  
• Cellebrite
  • Cellebrite’s 2022 Industry Trends study reveals the digital evidence ‘tipping point’ has been reached, creating new challenges for law enforcement agencies
  • Cellebrite Announces Third Quarter 2022 Results
    
    
• Craig Ball at ‘Ball in your Court’
  Don’t Seek Direct Access to Opponents’ Devices
  
  
• Desi at Hardly Adequate
  I made innovation 🙂
  
  
• Dragos
  • OT Cybersecurity Best Practices for Small & Medium Organizations: A New Monthly Blog Series By Dragos OT-CERT
  • That’s a Wrap on DISC 2022! Another Successful Year with a Growing Audience for Our ICS-Focused Security Event
    
    
• Forensic Focus
  • HTCIA, DFRWS-APAC, and the DFIR Events Industry: A Critique
  • What You Need to Know Now About macOS 13 and iOS 16
  • Import Microsoft Outlook Data Files Into Oxygen Forensic® Detective
  • XAMN Report Builder From MSAB
  • Binalyze AIR 3.0 Cloud Forensics
    
    
• Jouni Mikkola at ‘Threat hunting with hints of incident response’
  My version of a home lab
  
  
• Magnet Forensics
  • 10 Ways Magnet Forensics Supports eDiscovery
  • Enhancing Your Incident Response Playbook With Magnet AXIOM Cyber
  • Creating Agent Placeholders for Remote Collections in AXIOM Cyber
    
    
• MISP
  Curate events with an organisation confidence level
  
  
• SANS
  • A Visual Summary of SANS Pen Test HackFest Summit 2022
  • Get Ahead of the Five Most Dangerous New Attack Techniques
    
    
• Mark Stone at Security Intelligence
  What People Get Wrong About Incident Responders
  
  
• Security Scorecard
  The Future of Digital Forensics: Challenges & Opportunities
  
  
• Sumuri
  SUMURI Gives Back: Our Mission of Helping Others Continues
  
  
• Terryn at chocolatecoat4n6
  Investigation Framework |  Part 3 – Analysis
  

SOFTWARE UPDATES

• AccessData
  Forensic Tools 7.6.0 Service Pack 1
  
  
• Amped
  Amped Authenticate 26549: New Face GAN Deepfake Detection Filter, Updated Social Media Identification Database, and More
  
  
• Breakpoint Forensics
  BFIP4Griffeye V4.2 A Big Update! – APFS Support
  
  
• Cellebrite
  Now Available: Cellebrite Endpoint Inspector 1.5
  
  
• Costas K
  Jumplist-Browser
  
  
• IntelOwl
  v4.1.2
  
  
• Magnet Forensics
  • Magnet AXIOM 6.8: Introducing Pre-Processing Date Filters
  • Magnet AXIOM Cyber 6.8: Refining Your Evidence Collection and Review
    
    
• Metaspike
  Forensic Email Intelligence v2.0 Release Notes
  
  
• OSForensics
  V10.0 Build 1005 14th November 2022
  
  
• Passware
  Passware Kit Ultimate: Introducing The All-in-One Forensic Decryption Suite
  
  
• Ulf Frisk
  MemProcFS Version 5.2
  
  
• WithSecure Labs
  Chainsaw v2.3.0
  
  
• Xways
  X-Ways Forensics 20.7
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!