As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Active Countermeasures
  Hunting Windows Event Logs
  
  
• Oleg Afonin at Elcomsoft
  Windows Account Passwords: Why and How to Break NTLM Credentials
  
  
• Forensafe
  Investigating Window Google Drive
  
  
• Karthikeyan Nagaraj at InfoSec Write-ups
  • Advent of Cyber 2022 [Day 11]-Memory Forensics-Not all gifts are nice Write up
  • Advent of Cyber 2022 [Day 14]-Packet Analysis | Simply having a wonderful pcap time — Simple Write…
    
    
• Joe T. Sylve, Ph.D.
  • 2022 APFS Advent Challenge Day 8 – Object Maps
  • 2022 APFS Advent Challenge Day 9 – Volume Superblock Objects
  • 2022 APFS Advent Challenge Day 11 – File System Trees
  • 2022 APFS Advent Challenge Day 12 – Inode and Directory Records
    
    
• Kevin Pagano at Stark 4N6
  Thawing the Ice Age Pt. 2 – Tusky on Android
  
  
• Matt C. A. Smith
  Investigating Explorer’s temporary ZIP folders and retrieving files
  
  
• Terryn at chocolatecoat4n6
  Investigation Framework | Part 4 – Correlation
  
  
• Vikas Singh
  Parse Scheduled Tasks XMLs
  

THREAT INTELLIGENCE/HUNTING

• Anders Olsson at Truesec
  VMware ESXi 8.0 and execInstalledOnly – The Good, the Bad and the Ugly
  
  
• Anomali
  Anomali Cyber Watch: MuddyWater Hides Behind Legitimate Remote Administration Tools, Vice Society Tops Ransomware Threats to Education, Abandoned JavaScript Library Domain Pushes Web-Skimmers
  
  
• Adriano Bybyk at Aon
  SCL -1: The Dangerous Side of Safe Senders
  
  
• Arch Cloud Labs
  Detecting off The Land – Hash Lookups from Native Tooling
  
  
• Francis Guibernau and Ken Towne at AttackIQ
  Emulating the Financially Motivated North Korean Adversary BlueNoroff
  
  
• Avertium
  Everything You Need to Know About Royal Ransomware
  
  
• Amanda Berlin at Blumira
  A Blue Teamer’s Bug Report
  
  
• Brad Duncan at Malware Traffic Analysis
  2022-12-14 – Pcap and malware for an ISC diary
  
  
• Cado Security
  • Improving MTTR (Mean Time To Respond) Through Automation
  • Quick Update on Recent Denonia Samples
  • Experimenting with ChatGPT for Incident Response
    
    
• Caprico’s Cave
  Ransomware: Warnings of actors targeting healthcare
  
  
• CERT Ukraine
  Кібератака на користувачів системи DELTA з використанням шкідливих програм FateGrab/StealDeal (CERT-UA#5709)
  
  
• CERT-AGID
  • Campagna Ursnif in corso a tema Agenzia delle Entrate
  • Terzo monitoraggio sull’utilizzo del protocollo HTTPS e sullo stato di aggiornamento dei CMS sui sistemi della PA
    
    
• Check Point Research
  • 12th December – Threat Intelligence Report
  • November 2022’s Most Wanted Malware: A Month of Comebacks for Trojans as Emotet and Qbot Make an Impact
    
    
• Checkmarx Security
  • New Ransomware Strain Discovered Lurking in Open-Source Packages
  • Hunting for Malicious Code: The Dangers of WASP Stealer
  • How 140k NuGet, NPM, and PyPi Packages Were Used to Spread Phishing Links
    
    
• Cisco’s Talos
  • HTML smugglers turn to SVG images
  • Talos Year in Review 2022
  • Ukraine Topic Summary Report: Cisco Talos Year in Review 2022
  • Threat Source newsletter (Dec. 15, 2022): Talos Year in Review is here
  • Threat Round up for December 9 to December 16
    
    
• Sparsh Kulshrestha and Mayank Satnalika at CloudSEK
  Security Flaw in Atlassian Products (Jira, Confluence,Trello, BitBucket) Affecting Multiple Companies
  
  
• Giuseppe Scalzi at Compass Security
  The Threat, the Fox, and the Sentinel
  
  
• CTF导航
  APT Cloud Atlas: Unbroken Threat
  
  
• CyberCX
  Cyber Adviser Newsletter – December 2022
  
  
• Max Heinemeyer at Darktrace
  Integration in Focus: Bringing Machine Learning to Third-Party EDR Alerts
  
  
• Barry Rellis at DomainTools
  Flying Phish
  
  
• Domiziana Foti
  ATT&CK for Cyber Threat Intelligence Training — Module 3: Mapping to ATT&CK from raw data
  
  
• Dragos
  • OT Cybersecurity Best Practices for Small & Medium Organizations: How to Respond to a Ransomware Attack
  • Neighborhood Keeper in the Broader Context of Cyber Threat Intelligence
    
    
• EclecticIQ
  Hunting Emotet Made Easy with EclecticIQ Endpoint Response
  
  
• Erik Hjelmvik at Netresec
  NetworkMiner in FLARE VM
  
  
• Flashpoint
  Flashpoint Year In Review: 2022 Breaches and Malware Threat Landscape
  
  
• GuidePoint Security
  GRIT Ransomware Report: November 2022
  
  
• Haircutfish
  • TryHackMe MISP — Task 1 Room Overview, Task 2 MISP Introduction: Features & Terminologies, & Task…
  • TryHackMe OpenCTI — Task 6 Investigative Scenario & Task 7 Room Conclusion
  • TryHackMe MISP — Task 4 Feeds & Taxonomies, Task 5 Scenario Event, & Task 6 Conclusion
  • TryHackMe Traffic Analysis Essentials Room
  • TryHackMe Snort — Task 1 Introduction, Task 2 Interactive Material and VM, & Task 3 Introduction…
    
    
• InfoSec Write-ups
  Using Threat Intelligence data to generate MISP alerts
  
  
• Chase Sims and Nick Chalard at InQuest
  Black Basta: Riding the Crimeware Sleigh
  
  
• Jamie Collier
  Eliminating Distraction with CTI
  
  
• Jouni Mikkola at “Threat hunting with hints of incident response”
  HTML Smuggling – how does it look like?
  
  
• Korstiaan Stam at ‘Invictus Incident Response’
  A Royal update
  
  
• Lina Lau at Inversecos
  How to Detect Malicious OAuth Device Code Phishing
  
  
• Malwarebytes Labs
  • Iranian hacking group uses compromised email accounts to distribute MSP remote access tool
  • Silence is golden partner for Truebot and Clop ransomware
    
    
• Mandiant
  • I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware
  • Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government
    
    
• Microsoft Security
  IIS modules: The evolution of web shells and how to detect them 
  
  
• Elli at Misconfig
  The Reality of SSH Brute-Force in Azure Linux VM
  
  
• Nozomi Networks
  Tracking Malicious Glupteba Activity Through the Blockchain
  
  
• NSA
  APT5: Citrix ADC Threat Hunting Guidance
  
  
• Jos van der Peet at Falcon Force
  FalconFriday — Using public intelligence feeds to improve detections — 0xFF22
  
  
• Oz Soprin and Shachar Roitman at Palo Alto Networks
  Precious Gemstones: The New Generation of Kerberos Attacks
  
  
• Proofpoint
  Would’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound by Expectations
  
  
• Akshat Pradhan at Qualys
  Dissecting the Empire C2 Framework
  
  
• Recorded Future
  • Restrictive Laws Push Chinese Cybercrime toward Novel Monetization Techniques Report
  • What Is Threat Intelligence? Definition and Examples
  • What is Threat Intelligence?
  • 2022 Adversary Infrastructure Report
  • The 2022 Adversary Infrastructure Report
    
    
• Ryan Fetterman at Splunk
  Zoom. Enhance!: Finding Value in Macro-level ATT&CK Reporting
  
  
• SANS Internet Storm Center
  • Quickie: CyberChef Sorting By String Length, (Sun, Dec 11th)
  • Open Now: 2022 SANS Holiday Hack Challenge & KringleCon, (Sat, Dec 10th)
  • Packet Tuesday: ICMP Errors and the recent FreeBSD “ping” vulnerability. https://www.youtube.com/watch?v=Bgmfl17AQWA, (Tue, Dec 13th)
  • Google ads lead to fake software pages pushing IcedID (Bokbot), (Thu, Dec 15th)
  • CyberChef & Entropy, (Sat, Dec 17th)
    
    
• Kristen Cotten and Michael Pattison at Scythe
  SCYTHE Presents: Black Basta svvhost
  
  
• Joan Soriano at Security Art Work
  Threat Hunting: Probability based model for TTP covering (Parte III)
  
  
• SentinelLabs
  Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers
  
  
• SOC Fortress
  Part 10. MISP Threat Intel
  
  
• SOCRadar
  • APT5 Exploits Zero-Day Vulnerability on Citrix ADC and Gateway Devices
  • Dark Web Profile: Black Basta Ransomware
    
    
• Sophos
  • Sophos Endpoint Tamper Protection Thwarts a Sophisticated Ransomware Attack
  • Signed driver malware moves up the software trust chain
  • The scammers who scam scammers on cybercrime forums: Part 2
  • SophosLabs Intelix now integrates with OpenCTI
    
    
• Krasimir Konov at Sucuri
  Backdoor Targets FreePBX Asterisk Management Portal 
  
  
• Thomas Roccia
  6 Useful Infographics for Threat Intelligence
  
  
• Trend Micro
  • Intrusion Detection & Prevention Systems Guide
  • Ransomware Business Models: Future Pivots and Trends
    
    
• Dominik Breitenbacher at WeLiveSecurity
  Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities
  

UPCOMING EVENTS

• Black Hills Information Security
  Atomic Spotlight: Execute PowerShell Code From DNS Text Records
  
  
• Cellebrite
  How to Simplify Workplace App Collections with Endpoint Inspector
  
  
• Tony Burgess at Journey Notes – Your guide to a safer path
  Webinar: SOC response to Log4J attack
  
  
• Trellix
  Top 3 Insights from Trellix’s 2023 Threat Predictions
  

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  The LEAPPs win the Open Source Tool of the Year at the SANS Difference Makers Awards 2022
  
  
• Andreas Sfakianakis at ‘Tilting at windmills’
  Setting Your CTI Process In Motion
  
  
• Black Hills Information Security
  • AASLR: SMUDGE the new opensource passive fingerprinting tool
  • AASLR: Breaching buckets CyberRange Walkthrough with Serena
  • BHIS – Talkin’ Bout [infosec] News 2022-12-12
  • Talkin’ About Infosec News – 12/15/2022
    
    
• BlueMonkey 4n6
  Nuances in using FTK Imager to perform a logical copy – you can get delete files!
  
  
• Breaking Badness
  141. Scam a-Lama Ding Dong
  
  
• Cisco’s Talos
  • Beers with Talos Ep. 129: Talos Year in Review 2022 w/ Dave Liebenberg
  • Talos Takes Ep. 122: Year in Review & Ukraine Activities
    
    
• Cloud Security Podcast by Google
  EP101 Cloud Threat Detection Lessons from a CISO
  
  
• CON Forense
  1-Day CONForense 2022
  
  
• Cyber Triage
  ResponderCon 2022 Ransomware Videos (Batch 2)
  
  
• Day Cyberwox
  Detection Opportunities for Cloud Security Attacks – Palo Alto Unit 42 Report Analysis
  
  
• Digital Forensic Survival Podcast
  DFSP # 356 – CMD Triage
  
  
• Gerald Auger at Simply Cyber
  What’s It Like to Negotiate With a Ransomware Operator? (Real Talk)
  
  
• Hacker Valley Blue
  Becoming a Purple Team Ambassador with SCYTHE’s Jorge Orchilles
  
  
• InfoSec_Bret
  CyberDefenders –  l337 S4uc3 – Part 2
  
  
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 50 – What’s the Deal with Timestamps?
  
  
• Magnet Forensics
  • Leveling the Playing Field With the LevelDB View in Magnet AXIOM and AXIOM Cyber
  • Loading iOS Full Filesystem Extractions in Magnet AXIOM
  • Leveling the Playing Field With the LevelDB View in Magnet AXIOM and AXIOM Cyber
    
    
• MISP
  • Training Video – MISP Workflow
  • Training Video – MISP Best Practices for Encoding Threat Intelligence
    
    
• Mossé Cyber Security Institute
  • How to perform Email Forensics on a Gmail account
  • How is Open Source Intelligence used in Cybersecurity?
  • Data Sources for Open Source Intelligence
    
    
• MSAB
  • What’s new in XAMN 7.4
  • What’s new in XRY 10.4
  • What’s new in XEC 7.4
    
    
• RickCenOT
  Realistic Pentest/Hacking of a Moxa industrial communication processor NPort 5110
  
  
• SANS
  Top 5 Blueprint Podcast Episodes of 2022
  
  
• SANS Cyber Defense
  Packet Tuesday – FreeBSD Ping Vulnerability
  
  
• The Defender’s Advantage Podcast
  Threat Trends: A Year in Review with Sandra Joyce
  

MALWARE

• 0day in {REA_TEAM}
  [QuickNote] VidarStealer Analysis
  
  
• Abdallah Elshinbary
  • Writing x64dbg plugins
  • Writing x64dbg scripts
    
    
• Any.Run
  The End of Sodinokibi: the Infamous Ransomware Goes Down
  
  
• ASEC
  • ASEC Weekly Phishing Email Threat Trends (November 27th, 2022 – December 3rd, 2022)
  • How Similar Is the Microsoft Account-stealing Phishing Page to the Actual Page?
  • ASEC Weekly Malware Statistics (December 5th, 2022 – December 11th, 2022)
  • Caution! Magniber Ransomware Restarts Its Propagation on December 9th With COVID-19 Related Filenames
  • STOP Ransomware Being Distributed in Korea
    
    
• Assume-breach
  Home Grown Red Team: Let’s Make Some Malware In C: Part 2
  
  
• Ayedaemon
  Recording system events with auditd
  
  
• Jiri Vinopal at Check Point Research
  Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper
  
  
• CTF导航
  IDA 插件大赛 2022
  
  
• Cybereason
  Royal Rumble: Analysis of Royal Ransomware
  
  
• Cyble
  • Venom RAT expands its operations by adding a Stealer Module 
  • Sophisticated DarkTortilla Malware Spreading Via Phishing Sites
  • Con Games: Fraudsters posing as VLEs duping CSC Bank Mitra Scheme Subscribers
    
    
• Jin Lee at Fortinet
  Supply Chain Attack via New Malicious Python Package, “shaderz” (Part 2)
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #119: Force call type
  
  
• InfoSec Write-ups
  • Advent of Cyber 2022 [Day 12]-Malware Analysis Forensic McBlue to the REVscue! Write up
  • Malware analysis
    
    
• Andrey Polkovnychenko at JFrog
  PyPI malware creators are starting to employ Anti-Debug techniques
  
  
• John Hammond
  Unraveling the IcedID Malware Stager & Phishing Email
  
  
• Malvuln
  • Cybergate Trojan RAT  / Insecure Proprietary Encryption Vulnerability
  • Atom Silo Ransomware / Crypto Logic Flaw
    
    
• OALABS Research
  Guloader
  
  
• Phylum
  • Into The W4SPs Nest
  • W4SP Stealer Update—They’re Still At It
    
    
• Sonatype
  Malware Monthly – November 2022
  
  
• Thomas Roccia
  10 Underrated Resources about Malware Techniques
  
  
• ThreatFabric
  BrasDex: A new Brazilian ATS Android Banker with ties to Desktop malware
  
  
• Trend Micro
  • Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT
  • Agenda Ransomware Uses Rust to Target More Vital Industries
    
    
• Zhassulan Zhussupov
  Malware development: persistence – part 20. UserInitMprLogonScript (Logon Script). Simple C++ example.
  
  
• Fernando Ortega at Zimperium
  MoneyMonger: Predatory Loan Scam Campaigns Move to Flutter
  

MISCELLANEOUS

• Anton Chuvakin
  Combined SOC Webinar Q&A: From EDR to ITDR and ASO … and ChatGPT
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 12/17/22
  
  
• Craig Ball at ‘Ball in your Court’
  Seven Stages of Snakebitten Search
  
  
• DFIR.Training
  Digital triage can do more than you time. It may save a life.
  
  
• Forensic Focus
  • Cyacomb’s Jeffrey Bell, Brandon Gardner & Alan McConnell on the Facets of Digital Forensic Triage
  • Si and Desi Holiday Special 2022
  • Jad Saliba, Founder & CTO, Magnet Forensics
  • Call for Participation: Women in Forensic Computing (WinFC) Digital Forensics Workshop and Bootcamp
    
    
• Jonathan Johnson
  Uncovering Window Security Events
  
  
• Kathryn Hedley
  GIAC exam prep hints & tips
  
  
• Magnet Forensics
  • Meet the Magnet Forensics’ Training Team: Matt Latham
  • Meet the Magnet Forensics’ Training Team: Denise Duffy
  • Leveling the Playing Field With the LevelDB View in Magnet AXIOM and AXIOM Cyber
  • Comparing Magnet AXIOM Performance Speeds Through the Ages
  • The Top 10 Updates to Magnet AXIOM Cyber in 2022
  • The Top 15 Updates to Magnet AXIOM in 2022
    
    
• MantaRay Forensics
  VirusShare Hash Sets 2022 Q4
  
  
• Oscar Delgado and Jan Hoff at Dragos
  2nd Annual DISC 2022 Capture the Flag (CTF) Event a Success!
  
  
• Pavel Yosifovich
  Unnamed Directory Objects
  
  
• Laura Hamel at Red Canary
  Confidence from context: The Red Canary threat timeline
  
  
• SANS
  SANS MGT433 Managing Human Risk – Now Expanded to Three Days
  
  
• The Security Noob.
  Interview with DFIR Legend Alexis Brignoni
  

SOFTWARE UPDATES

• Amped
  Amped FIVE Update 26914: Import Replay Project, Subtitle Loader, Save & Load Convert DVR Settings, Page Number Macro, and Much More
  
  
• Cellebrite
  • Now Available: Cellebrite Inspector 10.7
  • Now Available: Cellebrite Endpoint Inspector 1.5.1
    
    
• Costas K
  WinEDB_Browser
  
  
• Crowdstrike
  Falconpy Version 1.2.6
  
  
• Datadog Security Labs
  GuardDog v0.1.10
  
  
• Didier Stevens
  • Update: count.py Version 0.3.1
  • Update: hash.py Version 0.0.9
  • Update: virustotal-search.py Version 0.1.8
  • Update: zipdump.py Version 0.0.23
    
    
• F-Response
  F-Response 8.5.1.11 – New Collect, Universal, and Classic Installer
  
  
• Federico Lagrasta
  PersistenceSniper v1.8.0
  
  
• Hex Rays
  IDA 8.2 released
  
  
• Magnet Forensics
  • Magnet AXIOM Cyber 6.9 – Adding Pre-Processing for SharePoint and Improving LevelDB Insights and YARA Rules
  • Magnet AXIOM 6.9: Providing Insight Into LevelDB Databases
    
    
• Metaspike
  Forensic Email Collector 3.85.0.6
  
  
• MSAB
  New release: XRY 10.4, XAMN 7.4 and XEC 7.4
  
  
• OpenCTI
  5.5.0
  
  
• Passware
  Passware Kit 2023 v1 Now Available
  
  
• Grace Chi at Pulsedive
  Screenshots for All
  
  
• Volatility Foundation
  Volatility 3 2.4.0
  
  
• Smart Projects
  IsoBuster 5.1 released
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!