As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Andrew Rathbun and Eric Zimmerman
  EZ Tools Manuals
  
  
• Digital Forensics Discord Server
  The Hitchhiker’s Guide to DFIR: Experiences From Beginners and Experts – v1.2
  
  
• Bill Thompson at OpenText
  Getting to know your tools
  
  
• Liu Zhixiang
  checkm8提取速查表：iPhone、iPad
  
  
• Derek Eiri
  Practical Linux Forensics & a Mini Linux Forensics CTF
  
  
• David Stenhouse at DS Forensics
  My Time With The Judge
  
  
• Forensafe
  Investigating Windows Defender
  
  
• James R. McGee at ‘All Dogs Are Created SQL’
  Maximizing iOS Call Log Timestamps and Call Duration Effectiveness:  Will You Answer the Call?
  
  
• Joe T. Sylve, Ph.D.
  • APFS Advent Challenge 2022
  • APFS Advent Challenge 2022 Day 1 – Anatomy of an Object
  • 2022 APFS Advent Challenge Day 2 – Kinds of Objects
  • 2022 APFS Advent Challenge – A Change of Plans
    
    
• Oleg Afonin at Elcomsoft
  • iOS Forensic Toolkit 8 Apple Watch S3 checkm8 Extraction Cheat Sheet
  • iOS Forensic Toolkit 8: Apple TV 3, 4, and 4K checkm8 Extraction Cheat Sheet
    
    
• The DFIR Report
  Emotet Strikes Again – Lnk File Leads to Domain Wide Ransomware
  
  
• Drew Kirkpatrick at TrustedSec
  Looting iOS App’s Cache.db
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  • Environment… is variable
  • Using make_sc_hash_db.py to create API hashing DBs
    
    
• Anomali
  Anomali Cyber Watch: Caller-ID Spoofing Actors Arrested, Fast-Moving Qakbot Infection Deploys Black Basta Ransomware, New YARA Rules to Detect Cobalt Strike, and More
  
  
• Assume-breach
  Home Grown Red Team: From Workstation To Domain Controller With Havoc C2 and Microsoft EDR
  
  
• Francis Guibernau and Ken Towne at AttackIQ
  Attack Graph Response to US-CERT Alert (AA22-335A): #StopRansomware: Cuba Ransomware
  
  
• Avast Threat Labs
  Hitching a ride with Mustang Panda
  
  
• Lawrence Abrams at BleepingComputer
  Trigona ransomware spotted in increasing attacks worldwide
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2022-11-28 – BB08 Qakbot (Qbot) infection with Cobalt Strike and VNC traffic
  • 2022-11-21 and 11-22 – AgentTesla and Remcos RAT from malspam
  • 2022-12-01 – Files for an ISC diary (obama224 Qakbot)
    
    
• Cado Security
  The Ultimate Guide to Incident Response in AWS
  
  
• Censys
  NEW Ebook for Threat Hunters: How to Investigate Unusual Internet Artifacts
  
  
• CERT-AGID
  • Anche i criminali sbagliano: il fattore “errore umano” nelle campagne malware
  • Sintesi riepilogativa delle campagne malevole nella settimana del 26 novembre – 2 dicembre 2022
    
    
• Check Point Research
  28th November– Threat Intelligence Report
  
  
• Daniel Fonseca Yarochewsky at Confiant
  CashRewindo: How to age domains for an investment scam like fine scotch
  
  
• Corelight
  IoT/OT/ICS threats: Detecting vulnerable Boa web servers
  
  
• Crowdstrike
  Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
  
  
• CTF导航
  • 求职陷阱：Lazarus组织以日本瑞穗銀行等招聘信息为诱饵的攻击活动分析
  • AxLocker新型勒索软件分析
  • Warzone RAT恶意软件通过不断调试.NET部署多阶段攻击
  • Cobaltstrike二开系列（三）
    
    
• Cyberknow
  Update 20. 2022 Russia-Ukraine War — Cyber Group Tracker. November 28.
  
  
• Reza Rafati at Cyberwarzone
  BianLian ransomware group in 2022: 52 companies compromised
  
  
• Cyble
  Exposed Remote Desktop Protocol actively targeted by Threat Actors to deploy Ransomware
  
  
• Rory McCune at Datadog Security Labs
  Attacker persistence in Kubernetes using the TokenRequest API: Overview, detection, and prevention
  
  
• DomainTools
  Purpose Built Criminal Proxy Services and the Malicious Activity They Enable
  
  
• Eliad Kimhy & Badette Tribbey at Akamai
  A Closer Look at Ransomware Attack Trends in APJ
  
  
• Esentire
  Disrupting an Active Ransomware Attack Over the Course of Hours
  
  
• Hiroki Akamatsu at Falco
  Blog: Restructuring the Kubernetes Threat Matrix and Evaluating Attack Detection by Falco
  
  
• Google Threat Analysis Group
  TAG Bulletin: Q4 2022
  
  
• Haircutfish
  • TryHackMe MITRE Room-Task 4 CAR Knowledge Base & Task 5 MITRE Engage
  • TryHackMe MITRE Room-Task 6 MITRE D3FEND & Task 7 ATT&CK® Emulation Plans
  • TryHackMe MITRE Room-Task 8 ATT&CK® and Threat Intelligence & Task 9 Conclusion.
  • TryHackMe Diamond Model Room
  • TryHackMe Intro to Cyber Threat Intel Room
  • TryHackMe Threat Intelligence Tools Task 1 Room Outline, Task 2 Threat Intelligence, and Task 3…
    
    
• HP Wolf Security
  HP Wolf Security Threat Insights Report Q3 2022
  
  
• Chase Sims at InQuest
  Don’t Get Caught Under The MistleTOAD
  
  
• Ismael Valenzuela at Blackberry
  Cyber Threat Intelligence: How CTI Boosts InfoSec Defenses
  
  
• JFrog
  Invisible npm malware – evading security checks with crafted versions
  
  
• John Hammond
  catch EVERY reverse shell while hacking! (VILLAIN)
  
  
• Jouni Mikkola at “Threat hunting with hints of incident response”
  MDE/MDI/MDO365 advanced hunt queries to ELK
  
  
• Keysight
  Taking Heed of CISA alerts
  
  
• Lauren Proehl
  The Anatomy of a Threat Hunting Hypothesis
  
  
• Luis Francisco Monge Martinez
  Hunting Office Macros with Sysmon and Pandas.
  
  
• Mandiant
  • Decentralized Robbery: Dissecting the Nomad Bridge Hack and Following the Money
  • Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations | Blog
    
    
• Martin Zugec at Bitdefender
  Bitdefender Threat Debrief | November 2022
  
  
• Elli at Misconfig
  The Power of investigation with Microsoft XDR
  
  
• Guillaume Bossiroy at NVISO Labs
  Can we block the addition of local Microsoft Defender Antivirus exclusions?
  
  
• Ohad Zaidenberg
  Victimology Analysis and Data Leaks Site
  
  
• Dominik Reichel, Esmid Idrizovic and Bob Jung at Palo Alto Networks
  Blowing Cobalt Strike Out of the Water With Memory Analysis
  
  
• Erick Galinkin at Rapid7
  Leaked Android Platform Certificates Create Risks for Users
  
  
• Recorded Future
  Suspected Iran-Nexus TAG-56 Uses UAE Forum Lure for Credential Theft Against US Think Tank
  
  
• ReversingLabs
  • ZetaNile: Open source software trojans from North Korea
  • Log4j one year in: Vulnerability fuels attacks — and a new urgency for software supply chain security
  • W4SP continues to nest in PyPI: Same supply chain attack, different distribution method
    
    
• SANS Internet Storm Center
  • Ukraine Themed Twitter Spam Pushing iOS Scareware, (Mon, Nov 28th)
  • Packet Tuesday Episode 3: TCP Urgent Flag. https://packettuesday.com , (Tue, Nov 29th)
  • Identifying Groups of “Bot” Accounts on LinkedIn, (Tue, Nov 29th)
  • What’s the deal with these router vulnerabilities?, (Thu, Dec 1st)
  • obama224 distribution Qakbot tries .vhd (virtual hard disk) images, (Fri, Dec 2nd)
  • Linux LOLBins Applications Available in Windows, (Sat, Dec 3rd)
    
    
• Scythe
  • SCYTHE Presents: Threat Emulation: STEEP#MAVERICK
  • SCYTHE Presents: Black Basta IOCs
    
    
• Secjuice
  • Windows Post Exploitation – WDigest Credentials Cache
  • What You Overlook In Malware Analysis
  • A Quick Look At YARA
    
    
• Roman Nazarov, Pierre Delcher, and Konstantin Sapronov at Securelist
  Indicators of compromise (IOCs): how we collect and use them
  
  
• Sekoia
  Lucky Mouse: Incident Response to Detection Engineering
  
  
• SOC Fortress
  Part 8. Firewall Threat Intel With GreyNoise
  
  
• Kai Huang at SpecterOps
  Stalking inside of your Chromium Browser
  
  
• Splunk
  • From Macros to No Macros: Continuous Malware Improvements by QakBot
  • How Good is ClamAV at Detecting Commodity Malware?
    
    
• Jason Avery at Sysdig
  Extortion in Cloud Storage
  
  
• Michael Langford at Trend Micro
  How the MITRE ATT&CK Framework Enhances Cloud Security
  
  
• Triskele Labs
  Our Take on the 2022 ACSC Annual Threat Report
  
  
• Alexey Firsh at VirusTotal
  Threat Hunting with VirusTotal
  
  
• WeLiveSecurity
  • RansomBoggs: New ransomware targeting Ukraine
  • Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin
    

UPCOMING EVENTS

• Black Hills Information Security
  Atomic Spotlight: User Account Control Bypasses with UACME Project Executables
  
  
• Cado Security
  Captured by Cado
  
  
• Cellebrite
  • Episode 19: Nothing to see here – I BEG TO DFIR – Smart Flow
  • iOS 16 – A Walkthrough of Collecting and Analyzing iOS 16 devices
    
    
• Magnet Forensics
  • AXIOM Cyber Feature and Functionality Highlights From 2022
  • AXIOM Feature and Functionality Highlights From 2022
  • Digital Evidence from Social Networking Sites & Smartphone Apps
    
    
• Passware
  Webinar: Best Practices for Password Recovery on Encrypted Evidence
  

PRESENTATIONS/PODCASTS

• Black Hat
  Black Hat Europe 2022
  
  
• Black Hills Information Security
  • New PowerShell History Defense Evasion Technique
  • AASLR: Intro to Tabletop Exercises & IR Playbook Fun (*Non Denominational Winter Holiday Version)
  • Talkin’ About Infosec News – 11/30/2022
  • How to Build a Home Lab for Infosec with Ralph May | 1 Hour
    
    
• BlueMonkey 4n6
  Reading Linux filesystems with Windows – ext2/ext3/ext4, XFS, ZFS, BTFS
  
  
• Breaking Badness
  Voices from Infosec with Caitlin Kiska
  
  
• ComfyCon
  ComfyConAU2022Too
  
  
• Digital Forensic Survival Podcast
  DFSP # 354 – Fast Triage
  
  
• Gerald Auger at Simply Cyber
  Cyber Threat Intel Exposed (What It Really Looks Like)
  
  
• Hacker Valley Blue
  Collaborating Capabilities in the DETH Squad with Eric Thomas
  
  
• InfoSec_Bret
  DFIR Challenge – Phishing Email
  
  
• Insane Forensics
  How To Use Process Hacker to Explore Malicious Service and Network Activity During DFIR/Threat Hunts
  
  
• Justin Tolman at AccessData
  FTK Over the Air – Episode 14 – DFIR Life After Law Enforcement
  
  
• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Analysis – Ghidra vs Cutter vs Binary Ninja vs IDA Free
  
  
• LASCON
  No Code No Risk? What Happens When We Leave No Code up for Grabs – Michael Bargury
  
  
• Magnet Forensics
  • DVR Examiner 3 | How to Filter Clip List
  • DVR Examiner 3 | How to Create a Profiler
  • DVR Examiner 3 | How to Add Location and Device Sources
  • DVR Examiner 3 | Detection Results & Scan Options Screen
  • DVR Examiner 3 | Date and Time Offset
  • DVR Examiner 3 | How to Build A Case
  • DVR Examiner 3 | Overview of the Start Screen
  • DVR Examiner 3 | How to Add  Multiple Sources to a Case
  • Comprehensive Collection of Data for Early Case Assessments using Magnet AXIOM Cyber
  • Conducting Corporate Investigations with Magnet AXIOM Cyber
  • Introduction to Magnet AXIOM
    
    
• OALabs
  Retroactive Malware Hunting [ Twitch Clip ]
  
  
• Open Threat Research
  • Jupyterthon 2022 Day 1
  • Jupyterthon 2022 Day 2
    
    
• petikvx
  How to setup IDM on Tor browser
  
  
• RickCenOT
  Realistic Pentest/Hacking of a Beckhoff Industrial Control System CX9001 PLC with open Source Tools
  
  
• SANS
  • Hunting Threat Actors Using OSINT
  • Analysis Paralysis? Setting the Right Goal for Your Incident Analysis
  • A Deep Dive into AWS IAM Privilege Escalation Attacks: Defenders’ Edition 2022
  • Packet Tuesday – TCP Urgent Flag
  • Designing Security from the Ground Up
  • Once Upon a Login: How Logon Sessions Help Defenders See the Bigger Picture
  • Prioritizing Defensive Capabilities
  • Holiday Hack Revisited: Past Winners Tell All
    
    
• The Defender’s Advantage Podcast
  Skills Gap: Transitioning from Military Service to a Role in Cyber
  

MALWARE

• 0ffset Training Solutions
  Developing YARA Rules Based on Byte Patterns: ROMCOM
  
  
• Nitzan Yaakov at Aqua
  Aqua Nautilus Discovers Redigo — New Redis Backdoor Malware
  
  
• ASEC
  • LockBit Ransomware Being Mass-distributed With Similar Filenames
  • How Is My Phone Number Leaked?
  • Domains Used for Magniber Distribution in Korea
  • Phishing Website Disguised as a Famous Korean Email Login Website Being Distributed
  • ASEC Weekly Malware Statistics (November 21st, 2022 – November 27th, 2022)
  • ASEC Weekly Phishing Email Threat Trend (November 13th, 2022 – November 19th, 2022 )
    
    
• Guy Nachshon at Checkmarx Security
  Attacker Uses a Popular TikTok Challenge to Lure Users Into Installing Malicious Package
  
  
• CISA
  AA22-335A: #StopRansomware: Cuba Ransomware
  
  
• Cyble
  • Redline Stealer being Distributed via Fake Express VPN Sites
  • Fraudulent Digital Lending Andriod App Steals Users’ Sensitive Data
  • DuckLogs – New Malware Strain Spotted In The Wild
    
    
• Google Threat Analysis Group
  New details on commercial spyware vendor Variston
  
  
• Hussein Adel
  Analysis ClickMe .NET
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #117: Reset pointer type
  
  
• Anil Yelken at InfoSec Write-ups
  Python Malware Analysis
  
  
• Lab52
  Analyzing the encryption method of emerging ransomware families
  
  
• MalFind
  Malware triage in 30 minutes or how to get infected when browsing google
  
  
• Malware Hell
  Reversing Redline Stealer
  
  
• Mandiant
  • FLARE IDA Pro Script Series: Automating Function Argument Extraction
  • Applying Function Types to Structure Fields in IDA
  • FLARE IDA Pro Script Series: MSDN Annotations Plugin for Malware Analysis
  • FLARE IDA Pro Script Series: Automatic Recovery of Constructed Strings in Malware
  • FLARE IDA Pro Script Series: Applying Function Prototypes to Indirect Calls
    
    
• OALABS Research
  • Laplace Clipper
  • Titan Stealer
    
    
• Pete Cowman at Hatching
  Triage Thursday Ep. 91
  
  
• SentinelLabs
  • The Mystery of Metador | Unpicking Mafalda’s Anti-Analysis Techniques
  • LABScon Replay | The Mystery of Metador
    
    
• Andrew Brandt at Sophos
  LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling
  
  
• Denis Sinegubko at Sucuri
  Chinese Gambling Spam Targets World Cup Keywords
  
  
• Satyajit Daulaguphu at Tech Zealots
  How QakBot Leverages DLL Side Loading Technique? – Technical Analysis
  
  
• Callum Roxan, Paul Rascagneres, and Robert Jan Mora at Volexity
  ₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware
  
  
• Zhassulan Zhussupov
  Malware development tricks: part 24. Listplanting. C++ example.
  

MISCELLANEOUS

• Jessica Hyde at Hexordia
  Top 10 places to search for a Digital Forensics Job
  
  
• Marco Fontani at Amped
  Amped’s New Deepfake Detection Algorithm Published in Journal of Imaging
  
  
• Belkasoft
  Win a free full-featured Belkasoft X license! Traditional Belkasoft end-of-the-year customer survey has started.
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 12/3/22
  
  
• Chris Doman at Cado Security
  Automated Incident Response Definition, Best Practices and Tools 
  
  
• Jerzy ‘Yuri’ Kramarz and Giannis Tziakouris at Cisco’s Talos
  Protecting major events: an incident response blueprint
  
  
• Cyborg Security
  Threat Hunting Should Become a Standard Requirement
  
  
• Brett Shavers at DFIR.Training
  Attribution or bust.
  
  
• John G. Asmussen at Everything DFIR…
  • First Blog Post…
  • Setting up a forensic workstation – Part I
  • Setting up a forensic workstation – Part II
    
    
• Forensic Focus
  • Cyacomb’s Graham Little & Mike Burridge on Making the Online World a Safer Place
  • Register for Webinar: Getting Started With Amped FIVE
  • Uncover Evidence With XAMN, the Best Digital Forensic Analysis Solution
    
    
• Gaylene Granger at VTO Labs
  New Drone Forensics Course!
  
  
• Ethan Tancredi at Huntress
  Incident Response: A Choose Your Own Adventure Exercise
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (12/1/2022)
  
  
• LockBoxx
  Revisiting JonathanData1 A Year Later
  

SOFTWARE UPDATES

• Berla
  iVe Software v4.1 Release
  
  
• Costas K
  • PrefetchBrowser
  • JumplistBrowser (x64)
    
    
• Crowdstrike
  • Falconpy Version 1.2.5
  • Falcon Toolkit Version 3.0.1
    
    
• Datadog Security Labs
  GuardDog v0.1.7
  
  
• Didier Stevens
  Update: python-per-line.py Version 0.0.9
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Joachim Schict
  Mft2Csv v2.0.0.49
  
  
• Metaspike
  Forensic Email Intelligence 2.0.15 Release Notes
  
  
• MISP
  MISP 2.4.166 released with many improvements, bugs fixed and security fixes.
  
  
• Passmark Software
  OSForensics V10.0 Build 1006
  
  
• Rapid7
  Velociraptor Version 0.6.7: Better Offline Collection, Encryption, and an Improved NTFS Parser Dig Deeper Than Ever
  
  
• reecdeep
  HiveV5 file decryptor PoC
  
  
• ADF Solutions
  Announcing New Scan and Screen Recording Features with Version 5.6
  
  
• IsoBuster
  IsoBuster 5.1 beta released
  
  
• Thiago Canozzo Lahr
  uac-2.4.0
  
  
• Xways
  • X-Ways Forensics 20.6 SR-6
  • X-Ways Forensics 20.7 SR-2
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!