As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• CyberJunnkie
  Phishing Email Challenge by LetsDefend
  
  
• Joseph Moronwi at Digital Investigator
  Malware Threat Hunting With Volatility
  
  
• Forensafe
  Investigating Android Sygic
  
  
• Fallen sky at InfoSec Write-ups
  Email analysis : avoid phishing attacks
  
  
• Joe T. Sylve, Ph.D.
  • 2022 APFS Advent Challenge Day 3 – Containers
  • 2022 APFS Advent Challenge Day 4 – NX Superblock Objects
  • 2022 APFS Advent Challenge Day 5 – Checkpoint Maps and Ephemeral Objects
  • 2022 APFS Advent Challenge Day 6 – B-Trees (Part 1)
  • 2022 APFS Advent Challenge Day 7 – B-Trees (Part 2)
    
    
• Josh Brunty
  Validation of forensic tools and methods: A primer for the digital forensics examiner
  
  
• Joshua Hickman at ‘The Binary Hick’
  • Mo’ SIMs, Mo’ Problems.  Examining Phones with Dual SIMs.
  • Android 13 Image Now Available
    
    
• Kevin Pagano at Stark 4N6
  Thawing the Ice Age – Mastodon on Android
  
  
• Kristian Lars Larsen at Data Narro
  As Digital Forensics Investigators, Can We Recover Deleted Text Messages?
  
  
• Matt C. A. Smith
  Parsing login sessions from the Windows event log with PowerShell
  
  
• Megi Pramesti at MII Cyber Security
  Dissect — Incident Response Framework
  
  
• NixIntel
  How To Identify A Company’s Domains With Azure AD
  
  
• Scott Koenig at ‘The Forensic Scooter’
  • Part B Filling a device internal storage for Optimize iPhone Storage Research
  • Photos.sqlite ZINTERNALRESOURCE Table Reference Guide
  • Do you have a Full-Sized Asset…or just a Thumbnail? Did Optimized iPhone Storage process occur?
    
    
• We are OSINTCurio.us
  Investigation Bias
  

THREAT INTELLIGENCE/HUNTING

• Ahmed Musaad
  Scanning The Top 1000 Python Packages Using Guarddog
  
  
• Anomali
  Anomali Cyber Watch: Infected Websites Show Different Headers Depending on Search Engine Fingerprinting, 10 Android Platform Certificates Abused in the Wild, Phishing Group Impersonated Major UAE Oil
  
  
• Arctic Wolf
  • A Log4Shell (Log4j) Retrospective
  • Lorenz Ransomware Alert: Risk to Healthcare, Public Sector
    
    
• Avertium
  An Update on HIVE Ransomware
  
  
• Marshall Jones, Manuel Martinez Arizmendi, and Jonathan Nguyen at AWS Security
  How to investigate and take action on security issues in Amazon EKS clusters with Amazon Detective – Part 2
  
  
• Ben Heater
  Wazuh: File Integrity Monitoring
  
  
• Martin Zugec at Bitdefender
  Deep Dive Into a BackdoorDiplomacy Attack – A Study of an Attacker’s Toolkit
  
  
• Blackberry
  • Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets
  • BlackByte Ransomware Takes an Extra Bite Using Double Extortion Methods
    
    
• Bart Blaze
  Yara rules collection
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2022-12-07 – Bumblebee infection with Cobalt Strike
  • 2022-12-09 – HTML smuggling leads to Qakbot (Qbot), distribution/botnet tag: azd
    
    
• Breachquest
  The Business Email Compromise (BEC) Odyssey: Credential Phishing Attack
  
  
• CERT Ukraine
  Кібератака на державні організації з використанням тематики іранських дронів-камікадзе Shahed-136 та шкідливої програми DolphinCape (CERT-UA#5683)
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 2 – 9 dicembre 2022
  
  
• Check Point Research
  5th December – Threat Intelligence Report
  
  
• Chris Doman at Cado Security
  AWS EKS Incident Response
  
  
• Cisco’s Talos
  • Threat Source newsletter (Dec. 8, 2022): Your uncle clicked every link
  • Breaking the silence – Recent Truebot activity
  • Threat Round up for December 2 to December 9
    
    
• Corelight
  • Zeek on Windows
  • Replace IDS and extend entity visibility
    
    
• Cyble
  • Cybercriminals e-tailing on e-commerce storefronts – A Growing Trend
  • Predictions of evolving Cyber threat landscape with the advent of ChatGPT and its limitations
  • A Closer look at BlackMagic ransomware
  • Mallox Ransomware showing signs of Increased Activity
  • Threat Actors Targeting Fans Amid FIFA World Cup Fever
    
    
• Ryan at DefaultCredentials
  Small Cyber Bytes – 1 – Event Consumers – Malware Persistence
  
  
• DomainTools
  Crypto Winter: Fraudsters Impersonate Ukraine’s Government to Steal NFTs and Cryptocurrency
  
  
• EclecticIQ
  Escalation of Information Stealer Capabilities Targeting Valid Accounts Increases Risk Into 2023
  
  
• Nigel Douglas at Falco
  Blog: Cryptomining Detection Using Falco
  
  
• GitGuardian
  Thinking Like a Hacker: Finding Leaked Code on GitHub
  
  
• Clement Lecigne and Benoit Sevens at Google Threat Analysis Group
  Internet Explorer 0-day exploited by North Korean actor APT37
  
  
• Haircutfish
  • TryHackMe Threat Intelligence Tools Task 4 Abuse.ch,
  • TryHackMe Threat Intelligence Tools — Task 7 Scenario 1
  • TryHackMe Threat Intelligence Tools — Task 8 Scenario 2 & Task 9 Conclusion
  • TryHackMe Yara Room
  • TryHackMe OpenCTI — Task 1 thru Task 5
    
    
• Dorin Karasik at Human Security
  How an E-commerce Retailer Reduced Malicious Login Attempts by Millions
  
  
• Dray Agha at Huntress
  Defense Evasion: Defenders Strike Back!
  
  
• InfoSec Write-ups
  Operationalizing MITRE ATT&CK to harden cyber defenses
  
  
• Intel471
  Countering One-Time Password Bots
  
  
• Keisuke Shikano at JPCERT/CC
  TSUBAME Report Overflow (Jul-Sep 2022)
  
  
• Asher Langton at Juniper Networks
  A Custom Python Backdoor for VMWare ESXi Servers
  
  
• Leonid Grustniy at Kaspersky Lab
  What is Log4Shell and why is it still dangerous a year later?
  
  
• Keith Wojcieszek, Stephen Green, and Elio Biasiotto at Kroll
  AvosLocker Ransomware Update: Backup Targeting and Defense Evasion Techniques
  
  
• Microsoft Security
  • DEV-0139 launches targeted attacks against the cryptocurrency industry
  • Mitigate threats with the new threat matrix for Kubernetes
    
    
• Nextron Systems
  Sigma Rule Feed in Valhalla
  
  
• Or Yair at Safebreach
  SafeBreach Labs Researcher Discovers Multiple Zero-Day Vulnerabilities in Leading Endpoint Detection and Response (EDR) and Antivirus (AV) Solutions
  
  
• Palo Alto Networks
  • Vice Society: Profiling a Persistent Threat to the Education Sector
  • Compromised Cloud Compute Credentials: Case Studies From the Wild
    
    
• pat_h/to/file
  Gaining Threat-Intelligence the REALLY dodgy way
  
  
• Patrick Orzechowski at Todyl
  Threat Advisory: New IcedID Trojan Campaign
  
  
• Recorded Future
  Exposing TAG-53’s Credential Harvesting Infrastructure Used for Russia-Aligned Espionage Operations
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, October 2022 (KOR)
  
  
• SANS Internet Storm Center
  • Finger.exe LOLBin, (Sun, Dec 4th)
  • VLC’s Check For Updates: No Updates?, (Sun, Dec 4th)
  • Packet Tuesday Episode 4: TLS Client Hello. https://www.youtube.com/playlist?list=PLs4eo9Tja8biVteSW4a3GHY8qi0t1lFLL, (Tue, Dec 6th)
  • Mirai Botnet and Gafgyt DDoS Team Up Against SOHO Routers., (Tue, Dec 6th)
  • Wireshark 4.0.2 and 3.6.10 released, (Wed, Dec 7th)
  • Finding Gaps in Syslog – How to find when nothing happened, (Wed, Dec 7th)
  • Port Scanning in Powershell Redux: Speeding Up the Results (challenge accepted!), (Fri, Dec 9th)
    
    
• Kristen Cotten and Jake Williams at Scythe
  SCYTHE Presents: Qakbot Reloaded
  
  
• Joan Soriano at Security Art Work
  Threat Hunting: Probability based model for TTP covering (Parte II)
  
  
• Sekoia
  Calisto show interests into entities involved in Ukraine war support
  
  
• Skynet_Cyber
  • Sharing my journey with what I’ve learned with the cyber community!
  • Phishing Emails! Yikes!
  • A Little Web Attacks Here and There
    
    
• SOC Fortress
  Part 9. Log Normalization
  
  
• SOCRadar
  Danger Lurking in GitHub Repositories
  
  
• Matt Wixey at Sophos
  The scammers who scam scammers on cybercrime forums: Part 1
  
  
• Splunk
  Detecting Cloud Account Takeover Attacks: Threat Research Release, October 2022
  
  
• Sucuri
  • Infected WordPress Plugins Redirect to Push Notification Scam
  • How to Securely Shop With Your Credit Card: Use a Virtual Card & Check for Skimmers
    
    
• Biagio Dipalma at Sysdig
  Discovered new BYOF technique to cryptomining with PRoot
  
  
• Team Cymru
  Iranian Exploitation Activities Continue as of November 2022
  
  
• Team Cymru
  Iranian Exploitation Activities Continue as of November 2022
  
  
• Adam Todd at TrustedSec
  More Active Directory for Script Kiddies
  
  
• Trustwave SpiderLabs
  • Going Mobile: BEC Attacks Are Moving Beyond Email
  • Trojanized OneNote Document Leads to Formbook Malware
    

UPCOMING EVENTS

• Black Hills Information Security
  Atomic Spotlight: PowerShell History Shenanigans
  
  
• David Colvin at ADF
  Best Digital Forensics Conferences for 2022 | In-Person or Online
  
  
• Magnet Forensics
  • Magnet Virtual Summit 2023: The Virtual DFIR Event of the Year is Coming Soon!
  • The Basics of Digital Image and Video Compression
  • Critical Cybersecurity Practices for Energy Infrastructure
    
    
• Markus Schober at Blue Cape Security
  Topic: Essential Skills for Investigating a Ransomware Attack
  
  
• SANS Institute
  SANS Difference Makers Awards Ceremony
  
  
• Zimperium
  Spyware for Sale: The Growing Threat to Mobile Security
  

PRESENTATIONS/PODCASTS

• AhmedS Kasmani
  Vidar Stealer Malware Analysis
  
  
• Black Hills Information Security
  • AASLR: Leveraging SSH Keys for Lateral Movement | Hal Pomeranz
  • AASLR: Tools for Testing API’s | Jennifer Shannon
  • Talkin’ About Infosec News – 12/6/2022
  • PlumHound Reporting Engine for BloodHoundAD
    
    
• Breaking Badness
  140. Party of Five
  
  
• Heather Mahalik at Cellebrite
  • Physical Analyzer 7.58 – Updated to Meet Your Examination Needs
  • Physical Analyzer 7.58 – iOS Features and Parsing Enhancements
  • Physical Analyzer 7.58 – Updated Android Artifacts and Support
    
    
• Digital Forensic Survival Podcast
  DFSP # 355 – Network Triage
  
  
• Dump-Guy Trickster
  Deobfuscation of  .NET using PowerShelling & dnlib  – Eternity Malware
  
  
• Gerald Auger at Simply Cyber
  • Applying Blue Team Defender Theory In Practice (Defend the House)
  • Crush SOC Analyst Alert Fatigue! (Integrations with Automations)
  • Test Your Cybersecurity Skills (Live Cyber Range Action with Haiku Pro!)  12/12/22
    
    
• Grzegorz Tworek
  How to use conditional ACEs to get a file one app can open, while another one cannot.
  
  
• InfoSec_Bret
  CyberDefenders –  l337 S4uc3 – Part 1
  
  
• Insane Forensics
  Breaking Into Industrial Cybersecurity: What It Is, How To Get Into The Field, And Common Mistakes
  
  
• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Analysis – Decrypt NighHawk Strings with Ghidra Scripting
  
  
• Magnet Forensics
  • Digital Evidence from Social Networking Sites & Smartphone Apps
  • AXIOM Cyber Feature and Functionality Highlights From 2022
  • AXIOM Feature and Functionality Highlights From 2022
    
    
• Mossé Cyber Security Institute
  • Investigating Network Artefacts with Volatility
  • Investigating Registry Artefacts with Volatility
  • Recovering Windows Event Logs from a Memory Dump
  • Investigating Disk Artefacts with Volatility
  • Using YARA Rules with Volatility
    
    
• OALabs
  • Using CyberChef To Automatically Extract Shellcode from PowerShell Loader [Twitch Clip]
  • Hacking chatGPT with mrexodia [ Twitch Clip ]
    
    
• RickCenOT
  • SIMATIC SMACKDOWN vs. ICS: Siemens S7-300 (virtual) and S7-1200
  • BREAKDOWN Realistic Pentest/Hacking of a Beckhoff Industrial Control System CX-9001
    
    
• SANS
  Top 10 SANS Summits Talks of 2022
  
  
• SANS Cyber Defense
  • IR Prep and Detection Engineering When the Cloud is Your Data Center
  • Packet Tuesday – TLS Client Hello
  • Don’t Relay Me:  Empirically Diagnose Privilege Escalation via Active Directory Account Sighting
  • Baby Steps to the Future:  Evolving into the Next-Gen SOC
    

MALWARE

• ASEC
  • Malware Distributed with Disguised Filenames (RIGHT-TO-LEFT OVERRIDE)
  • Phishing Email Disguised as a Well-Known Korean Airline
  • ‘Resume.xll’ File Being Distributed in Korea (LockBit 2.0)
  • ASEC Weekly Malware Statistics (November 28th, 2022 – December 4th, 2022)
  • Phishing Email Impersonating Quasi-governmental Organization Being Distributed
  • ASEC Weekly Phishing Email Threat Trend (November 20th, 2022 – November 26th, 2022)
    
    
• Assume-breach
  Home Grown Red Team: Let’s Make Some Malware In C: Part 1
  
  
• CTF导航
  Flare-ON 9th 之第八题BackDoor
  
  
• Cybereason
  Threat Analysis: MSI – Masquerading as a Software Installer
  
  
• Simon Kenin at Deep Instinct
  • Polonium APT Group: Uncovering New Elements
  • New MuddyWater Threat: Old Kitten; New Tricks
    
    
• Didier Stevens
  Extracting Certificates For Defender
  
  
• Esentire
  • eSentire Threat Intelligence Malware Analysis: Redline Stealer
  • GootLoader Striking with a New Infection Technique
    
    
• Fatih Yilmaz
  • PE Format
  • PE Mimarisi
  • x86 Assembly 101
  • x86 Assembly Language 101
    
    
• Fortinet
  • The Story of a Ransomware Turning into an Accidental Wiper
  • Zerobot – New Go-Based Botnet Campaign Targets Multiple Vulnerabilities
  • Supply Chain Attack via New Malicious Python Package, “shaderz” (Part 1)
  • Ransomware Roundup – New Vohuk, ScareCrow, and AERST Variants
    
    
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #118: Structure creation in the decompiler
  
  
• InfoSec Write-ups
  Anti-Reversing Techniques (Part 2)
  
  
• Lacework
  AndroxGh0st – the python malware exploiting your AWS keys
  
  
• Théo Letailleur at Synacktiv
  PrideLocker – a new fork of Babuk ESX encryptor
  
  
• Ana Maria Martinez Gomez, Blaine Stancill, and Moritz Raabe at Mandiant
  FLARE VM: A FLAREytale Open to the Public
  
  
• Morphisec
  Babuk Ransomware Variant in Major New Attack
  
  
• Louis Lang at Phylum
  Phylum Detects Ongoing Typosquatting Campaign in PyPI
  
  
• Poncho
  Creating macOS Ransomware.
  
  
• Securelist
  • If one sheep leaps over the ditch…
  • Main phishing and scamming trends and techniques
  • DeathStalker targets legal entities with new Janicab variant
  • How to train your Ghidra
    
    
• Secureworks
  Drokbk Malware Uses GitHub as Dead Drop Resolver
  
  
• Phil Stokes at SentinelOne
  Top 10 macOS Malware Discoveries in 2022
  
  
• ThreatFabric
  Zombinder: new obfuscation service used by Ermac, now distributed next to desktop stealers
  
  
• Oleg Boyarchuk and Stefano Ortolani at VMware Security
  EmoLoad: Loading Emotet Modules without Emotet 
  
  
• WeLiveSecurity
  • Fantasy – a new Agrius wiper deployed through a supply‑chain attack
  • Xenomorph: What to know about this Android banking trojan
    
    
• Nipun Gupta at Zimperium
  Schoolyard Bully Trojan Facebook Credential Stealer
  

MISCELLANEOUS

• Adam at Hexacorn
  The Future of SOC
  
  
• Adrian at ‘Agood cloud’
  ssh honeypot with fail2ban and AWS SQS to MISP
  
  
• Brian Maloney
  Azure App IDs
  
  
• Chris Sanders
  Win My 2022 Golden Ticket for Free Training
  
  
• Bret at Cyber Gladius
  Building Custom Company-Specific Wordlists
  
  
• Reza Rafati at Cyberwarzone
  • Threat actors
  • Build your own SOC in 10 steps
    
    
• Desi at Hardly Adequate
  New way to think about risk
  
  
• Brett Shavers at DFIR.Training
  DFIR Training Survey with a Book Giveaway as a Bonus
  
  
• Forensic Focus
  • Detego’s Andy Lister on Interoperability Between Field & Lab
  • Cyacomb Examiner and Cyacomb Offender Manager Tools
  • Register For Webinar: Speed Up Your Incident Response
    
    
• Grayshift
  Grayshift Disrupts Mobile Digital Forensics Market by Introducing Broad Consent Access for Android Devices and Extending GrayKey Support to Xiaomi, Huawei, and Oppo Mobile Phones
  
  
• Lesley Carhart
  Career Counseling Office Hours!
  
  
• Magnet Forensics
  • New Solution Brief: Complement Your SOAR by Automatically Collecting, Processing, & Preserving Forensic Evidence
  • Magnet Spotlight: How the LAPD ICAC Unit is Tackling Child Exploitation
  • How to Build a Windows 10 ‘Windows to Go’ drive to support offline collections with Magnet OUTRIDER and Magnet ACQUIRE
  • Enhancing Your Incident Response Playbook With Magnet AXIOM Cyber
    
    
• MobilEdit
  MOBILedit Forensic Helps on the Battlefield
  
  
• Richard Frawley at ADF
  Screen Recording, Screenshots, and Screen Mirroring on Android
  
  
• Salvation DATA
  6 Crucial Tips to Effectively Conduct Forensic Video Investigation
  
  
• SANS
  Don’t Miss the 2022 SANS Holiday Hack Challenge – Now Open for Free Play
  

SOFTWARE UPDATES

• Brian Maloney
  OneDriveExplorer v2022.12.09
  
  
• Costas K
  • MFTBrowser.exe (x64)
  • JumplistBrowser (x64)
    
    
• GCHQ
  CyberChef v9.55.0
  
  
• Datadog Security Labs
  GuardDog v0.1.9
  
  
• Doug Burks at Security Onion
  Security Onion 2.3.190 Hotfix 20221207 Now Available!
  
  
• Doug Metz at Baker Street Forensics
  Mal-Hash.ps1 (v1.3 Update)
  
  
• Elcomsoft
  Advanced Intuit Password Recovery 3.13 supports Quicken 2021/2022 and QuickBooks 2022/2023
  
  
• Eric Zimmerman
  ChangeLog
  
  
• ExifTool
  ExifTool 12.52
  
  
• F-Response
  F-Response 8.5.1.10 – New Collect, Universal, and Classic Installer
  
  
• Metaspike
  Forensic Email Collector v3.85 Release Notes
  
  
• Oxygen Forensics
  Oxygen Forensic® Detective v.15.2
  
  
• Passware
  Passware Kit Mobile 2023 v1 Now Available
  
  
• X1
  Significant Microsoft 365 eDiscovery Challenges Require a New Approach
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!