As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Marco Fontani at Amped
  Introducing Amped Engine: Our New Product to Integrate Video Conversion Everywhere
  
  
• Oleg Afonin at Elcomsoft
  Low-level Extraction for iOS 16 with iPhone 14/14 Pro Support
  
  
• Magnet Forensics
  How to Investigate Infostealer Malware 
  
  
• Salvation DATA
  Western Digital USB Hard Disk Data Recovery Tips — Step by Step
  
  
• Megan Roddie at SANS
  Google Workspace Log Extraction
  

THREAT INTELLIGENCE/HUNTING

• Bill Stearns at Active Countermeasures
  Permission to Capture Packets
  
  
• Adam Goss
  Python Threat Hunting Tools: Part 9 — Creating Python Packages with Poetry
  
  
• Akamai
  • The L in Linux Stands for Lateral Movement
  • Proxyjacking: The Latest Cybercriminal Side Hustle
    
    
• Anton Chuvakin
  Log Centralization: The End Is Nigh?
  
  
• AT&T Cybersecurity
  • Blacktail: Unveiling the tactics of a notorious cybercrime group
  • Stories from the SOC: Fighting back against credential harvesting with ProofPoint
    
    
• Francis Guibernau and Andrew Costis at AttackIQ
  Emulating APT36’s Recent Activities Against the Indian Education Sector
  
  
• Avanan
  • URL-Based Phishing: The Fake Meta Mask Page
  • Phorm Phishing: Using Form Service APIs to Steal Credentials
    
    
• Avertium
  How Ransomware Has Caused Patient Deaths in Healthcare
  
  
• AWS Security
  Three ways to accelerate incident response in the cloud: insights from re:Inforce 2023
  
  
• BI.Zone
  Hunting the hunter: BI.ZONE traces the footsteps of Red Wolf
  
  
• Martin Zugec at Bitdefender
  Bitdefender Threat Debrief | June 2023
  
  
• BleepingComputer
  • Inside Threat Actors: Dark Web Forums vs. Illicit Telegram Communities
  • Linux version of Akira ransomware targets VMware ESXi servers
    
    
• Amanda Berlin at Blumira
  Authentication Protocols 101: NTLM, Kerberos, LDAP and RADIUS
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2023-06-26 – 30 days of Formbook: Day 22, Monday 2023-06-26 – “G0E8”
  • 2023-06-25 – 30 days of Formbook: Day 21, Sunday 2023-06-25 – “CX01”
  • 2023-06-24 – 30 days of Formbook: Day 20, Saturday 2023-06-24 – version 3.8 “AK”
  • 2023-06-23 – 30 days of Formbook: Day 19, Friday 2023-06-23 – “P1A4”
  • 2023-06-27 – 30 days of Formbook: Day 23, Tuesday 2023-06-27 – “FGH2”
  • 2023-06-28 – 30 days of Formbook: Day 24, Wednesday 2023-06-28 – “RX63”
  • 2023-06-26 – Files for an ISC diary (Loader-style infection for Remcos RAT)
  • 2023-06-28 – IcedID (Bokbot) activity
  • 2023-06-29 – 30 days of Formbook: Day 25, Thursday 2023-06-29 – “CS94”
  • 2023-06-30 – 30 days of Formbook: Day 26, Friday 2023-06-30 – “S28Y”
    
    
• CERT-AGID
  • Campagna sLoad veicolata tramite PEC
  • Sintesi riepilogativa delle campagne malevole nella settimana del 24 – 30 giugno 2023
    
    
• Check Point Research
  26th June – Threat Intelligence Report
  
  
• Kian Buckley Maher at Cofense
  Malicious Actors Utilizing QR Codes to Deploy Phishing Pages to Mobile Devices
  
  
• CTF导航
  PDF Analysis
  
  
• Francis Yom at CyberArk
  macOS Least Privilege Best Practices to Combat Rising Ransomware
  
  
• Liora Ziv at CyberProof
  A look at Advanced Persistent Threats (APTs) Related to Chinese Proxies
  
  
• Cyberwarzone
  • Why is lsass.exe Knocking on Port 80’s Door?
  • A Guide on Creating SIGMA Rules
  • Your Eyes on Suspicious RDP Logins
  • Security Event IDs for Threat Hunters
  • Critical Windows Event IDs for Cybersecurity Pros
  • IRIS: Your Open-Source Ally in Incident Response
  • Fileless Malware Poweliks and Kovter
  • LaZagne: The Superhero of Password Retrieval
    
    
• Cyble
  • Unveiling Wagner Group’s Cyber-Recruitment
  • Akira Ransomware Extends Reach to Linux Platform
  • Multiple New Clipper Malware Variants Discovered in the Wild
    
    
• Cyborg Security
  • Revving Up Threat Hunting with Query Tuning
  • Threat Hunting: Cybersecurity’s Long-Overdue Wake-Up Call
  • The Hunt Is On: Why Threat Hunting Still Reigns Supreme Over Vulnerability Hunting
  • Threat Hunting: Closing the Gap in Cybersecurity Defenses
    
    
• Cyfirma
  Weekly Intelligence Report – 30 June 2023
  
  
• Simon Kenin at Deep Instinct
  PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater
  
  
• Aleksander W. Jarosz at EclecticIQ
  Early High-Profile Cyberattacks Provide Best-Practices For Cryptocurrency Platforms Prior to Established Attack Pattens
  
  
• Devaney Devoe at Flashpoint
  Lessons From Clop: Combating Ransomware and Cyber Extortion Events
  
  
• Laura Kata Szegi & Krijn de Mik at Hunt & Hackett
  Spear Phishing: How it works and why you should care
  
  
• Huntress
  • One MSP, Three Microsoft 365 Compromises, 72 Hours
  • dmXProtect: Stop, Drop, Shut Malware Down Before It Opens Up Shop
    
    
• Alison Rusk at INKY
  Fresh Phish: Malicious QR Codes Are Quickly Retrieving Employee Credentials
  
  
• K7 Labs
  • Cobalt Strike’s Deployment with Hardware Breakpoint for AMSI Bypass
  • The Malicious Abuse of the Trusted PYPI
    
    
• Keith McCammon
  • Roundup of threat modeling resources
  • Threat modeling output templates
  • Threat modeling, the cloud, and shared responsibility
    
    
• Malwarebytes Labs
  • Malvertising: A stealthy precursor to infostealers and ransomware attacks
  • Understanding ransomware reinfection: An MDR case study
    
    
• Alex Marvi, Greg Blaum, Ron Craft at Mandiant
  Detection, Containment, and Hardening Opportunities for Privileged Guest Operations, Anomalous Behavior, and VMCI Backdoors on Compromised VMware Hosts
  
  
• Monty Security
  Hunting via Google Trends
  
  
• Arnold Osipov at Morphisec
  GuLoader Campaign Targets Law Firms in the US
  
  
• Natasha Rohner at Blackberry
  BlackBerry’s Cylance AI Prevents Terminator EDR Killer
  
  
• Nestori Syynimaa at AADInternals
  DoSing Azure AD
  
  
• Emile Antone at Obsidian Security
  Behind the Breach: Phishing & Token Compromise in SaaS Environments
  
  
• Olaf Hartong
  Sysmon 15.0 — File executable detected
  
  
• Palo Alto Networks
  • Detecting Popular Cobalt Strike Malleable C2 Profile Techniques
  • Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor
    
    
• Plainbit
  Sysmon v15.0 Update
  
  
• Tom Caiazza at Rapid7
  The Japanese Threat Landscape: A Report on Cyber Threats in the Third Largest Economy on Earth
  
  
• Justin Palk at Red Siege Information Security
  Introduction to Mythic C2
  
  
• ReliaQuest
  • Cobalt Strike Team Servers: The Great Ransomware Enabler
  • Key Findings from the ReliaQuest Annual Cyber-Threat Report 2023
  • How and Why to Automate Threat Detection, Investigation, and Response
    
    
• Ryan Kovar at Splunk
  Threat Hunting with Splunk: Hands-on Tutorials for the Active Hunter
  
  
• Kyle Schwaeble and James Tytler at S-RM Insights
  Cyber Intelligence Briefing: 30 June 2023
  
  
• Sandfly Security
  SSH Key Compromise Risks and Countermeasures
  
  
• SANS Internet Storm Center
  • The Importance of Malware Triage, (Tue, Jun 27th)
  • Kazakhstan – the world’s last SSLv2 superpower… and a country with potentially vulnerable last-mile internet infrastructure, (Wed, Jun 28th)
  • GuLoader- or DBatLoader/ModiLoader-style infection for Remcos RAT, (Thu, Jun 29th)
  • DShield pfSense Client Update, (Fri, Jun 30th)
  • Sandfly Security, (Sat, Jul 1st)
    
    
• Securelist
  Andariel’s silly mistakes and a new malware family
  
  
• Security Intelligence
  • All About PowerShell Attacks: The No. 1 ATT&CK Technique
  • The Trickbot/Conti Crypters: Where Are They Now?
  • How Application Allowlisting Combats Ransomware Attacks
  • Your BOFs Are gross, Put on a Mask: How to Hide Beacon During BOF Execution
    
    
• Sekoia
  Following NoName057(16) DDoSia Project’s Targets
  
  
• SentinelOne
  • LABScon Replay | Quiver – Using Cutting Edge ML to Detect Interesting Command Lines for Hunters
  • Looking Within | Strategies for Detecting and Mitigating Insider Threats
  • JokerSpy | Unknown Adversary Targeting Organizations with Multi-Stage macOS Malware
  • Rhysida Ransomware | RaaS Crawls Out of Crimeware Undergrowth to Attack Chilean Army 
    
    
• Joshua Rawles, Rhys Burns, Greg Iddon at Sophos
  Investigator, API Yourself: Deploying Microsoft Graph on the trail of an attacker
  
  
• System Weakness
  Decoding Cyber Attack Strategies used by Threat Actors..
  
  
• ThreatFabric
  Anatsa banking Trojan hits UK, US and DACH with new campaign
  
  
• Lucas Silva, RonJay Caragay, Arianne Dela Cruz, Gabriel Cardoso at Trend Micro
  Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator
  
  
• Uptycs
  Unmasking the Meduza Stealer: Comprehensive Analysis & Countermeasures
  
  
• Karl Hiramoto at VirusTotal
  Threat hunting converting SIGMA to YARA
  
  
• Deborah Snyder, Fae Carlisle, Dana Behling and Bria Beathley at VMware Security
  8Base Ransomware: A Heavy Hitting Player
  
  
• Ankur Saini and Charlie Gardner at Volexity
  Charming Kitten Updates POWERSTAR with an InterPlanetary Twist
  
  
• Kleiton Kurti at White Knight Labs
  Navigating Stealthy WMI Lateral Movement
  

UPCOMING EVENTS

• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2023-07-17
  • BHIS – Talkin’ Bout [infosec] News 2023-07-10
    
    
• Magnet Forensics
  • An Introduction to the MITRE ATT&CK Framework
  • Magnet Forensics Solutions for Public Safety: Amplifying your Digital Investigations at Every Step
    
    
• MOBILedit
  • Cloud Forensics
  • Smartwatch Forensics
  • Advanced Application Analysis
  • Phone Security Bypassing
  • MOBILedit Forensic tips and tricks
    
    
• SANS
  SANS Threat Analysis Rundown (STAR) with Katie Nickels
  

PRESENTATIONS/PODCASTS

• Black Hills Information Security
  • 1,000 IR Labs at the Same Time; What Could Go Wrong? | John, Kent, & Jordan | 1-Hour
  • Talkin’ About Infosec News – 6/27/2023
    
    
• BlueMonkey 4n6
  findmnt – find a filesystem. How this is different than the mount command
  
  
• Breaking Badness
  159. Do or Do Not…There is No Triangulation
  
  
• Cellebrite
  The Digital Forensics Series – EP 1
  
  
• Jonathan Munshaw at Cisco’s Talos
  New video provides a behind-the-scenes look at Talos ransomware hunters
  
  
• cloudyforensics
  Azure Kubernetes Service (AKS) Forensics & Incident Response
  
  
• CYBERWARCON
  SLEUTHCON 2023
  
  
• Detection: Challenging Paradigms
  Episode 34: Ryan Hausknecht (Again)
  
  
• Digital Forensic Survival Podcast
  DFSP # 384 – Cloud Talk with SUMURI
  
  
• Exterro
  Breaking Down SQLite Databases
  
  
• InfoSec_Bret
  IR – SOC178-128 – WannaCry Ransomware Detected
  
  
• John Hammond
  • How Hackers Use netsh.exe For Persistence & Code Execution (Sliver C2)
  • MOVEit Transfer Exploitation (my API presentation recording)
    
    
• John Hubbard at ‘The Blueprint podcast’
  Strategy 8: Leverage Tools and Support Analyst Workflow
  
  
• Magnet Forensics
  • Moble Unpacked Ep. 6 // Watching the Watchers: Using Device Metrics for User Attribution
  • The Growing Importance of Digital Forensics and Incident Response (DFIR) in Corporate Environments
    
    
• MSAB
  • How to automate your keyword searching in XAMN Pro?
  • XRY 10.6: Breakthroughs in Data Extraction and Decoding Capabilities
  • XEC: Modernizing Mobile Forensics Management
  • XAMN 7.6: Enhancing Forensic Data Analysis Processes
  • What’s new in XRY 10.6, XAMN 7.6, XEC 7.6 & KTE
    
    
• SANS
  SANS New NetWars Core Version 9
  
  
• Semantics 21
  Semantics 21 Overview
  
  
• Sumuri
  SUMURI Podcast Episode 019 – Fast, Accurate, and Compassionate
  

MALWARE

• 0x70RVS
  • QuasarRAT Analysis pt1
  • QuasarRAT Analysis pt2
    
    
• Any.Run
  Monthly Updates: New Detection Rules, Increased Threat Coverage, and More 
  
  
• ASEC
  • Malware Execution Method Using DNS TXT Record
  • ASEC Weekly Phishing Email Threat Trends (June 11th, 2023 – June 17th, 2023)
  • Malware Disguised as HWP Document File (Kimsuky)
    
    
• Avast Threat Labs
  Decrypted: Akira Ransomware
  
  
• Michal Ziv, Or Mizrahi, and Danil Golubenko at Check Point
  Don’t be fooled by app-earances: Check Point Researchers spot hidden malwares behind legitimate looking apps
  
  
• Cyber Geeks
  A technical analysis of the SALTWATER backdoor used in Barracuda 0-day vulnerability (CVE-2023-2868) exploitation
  
  
• Fred Gutierrez, James Slaughter, and Shunichi Imano at Fortinet
  New Fast-Developing ThirdEye Infostealer Pries Open System Information
  
  
• Igor Skochinsky at Hex Rays
  • Rust analysis plugin tech preview
  • Igor’s Tip of the Week #146: Graph printing
    
    
• LockBoxx
  About False Positives in Detection Engineering
  
  
• Malware Hell
  • ANGR Python Scripting Cheatsheet
  • Malware Questions and Answers
    
    
• Nextron Systems
  Hunting Ducks – A Threat Hunters Take on Ducktail Stealer
  
  
• OALABS Research
  XORSTR Generic String Decryption
  
  
• PhishLabs
  Understanding how Polymorphic and Metamorphic malware evades detection to infect systems
  
  
• Security Joes
  Process Mockingjay: Echoing RWX In Userland To Achieve Code Execution
  
  
• Security Scorecard
  Android Malware Outbreak: Unmasking the RAT Inside a Screen Recording App
  
  
• Zhassulan Zhussupov
  Malware AV/VM evasion – part 18: encrypt/decrypt payload via modular multiplication-based block cipher. Simple C++ example.
  

MISCELLANEOUS

• Andrew Gorham at ADF Solutions
  6 Tips For Proving Your iOS 16 Investigation with Screen Recordings and Screenshots
  
  
• dabeersboys
  Forensic Reports
  
  
• Forensic Focus
  • Mitre Att&ck Scanning And Mapping Added To DRONE
  • Types Of Devices Examined In Digital Forensics Investigations
  • Digital Forensics Round-Up, June 29 2023
    
    
• Christa Miller at Forensic Horizons
  Can a Statistical Technique Improve Digital Forensics’ Credibility?
  
  
• The Sleuth Sheet
  SOC Puppet Creation Guide
  
  
• Xavier Mertens at /dev/random
  BSides Athens 2023 Wrap-Up
  

SOFTWARE UPDATES

• Amped
  Amped DVRConv Update 29658: New Format Variations and Timestamp Support
  
  
• ANSSI DFIR-ORC
  v10.2.1
  
  
• Canadian Centre for Cyber Security
  Assemblyline v4.4.0.stable32
  
  
• Cyber Triage
  3.7 Release – Custom Artifacts & Mitre ATT&CK
  
  
• Elcomsoft
  Low-level extraction supported for last-gen iPhones with iOS 16
  
  
• Eric Conrad
  Introducing DeepBlueCLI v3
  
  
• Eric Kutcher
  • Thumbcache Viewer
  • Thumbcache Viewer (command-line)
    
    
• ExifTool
  ExifTool 12.64
  
  
• Alexandre Borges
  Malwoverview 5.3
  
  
• Mark Mckinnon
  lLeapp Version 1.2
  
  
• Metaspike
  Forensic Email Collector (FEC) Changelog – 3.88.0.12
  
  
• MSAB
  New release: XRY 10.6, XAMN 7.6 and XEC 7.6
  
  
• OpenCTI
  Version 5.8.7
  
  
• Paraben Corporation
  Innovations are shining with the 3.6 release of the E3 Forensic Platform
  
  
• Serviço de Perícias em Informática – IPED
  Minor Release
  
  
• Timesketch
  20230628
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!