As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• David Spreadborough at Amped
  The Creation of Master and Working Copies after CCTV Acquisition
  
  
• Andrew Skatoff at ‘DFIR TNT’
  RMM – Xeox: Client Side Evidence
  
  
• AT&T Cybersecurity
  RAM dump: Understanding its ­­­importance and the process
  
  
• Cellebrite
  Unveiling the Modern Approach to Digital Investigations through Remote Collection of Androids and Workplace Apps
  
  
• Derek Eiri
  Disk Toggling, Validating WinFE
  
  
• Geraldine Blay and Alexis Brignoni at DFIR Review
  Peeking at User Notification Events in iOS 15
  
  
• Elcomsoft
  • Best Practices in Mobile Forensics: Separating Extraction and Analysis
  • Breaking into iOS 16.5: Extracting the File System and Keychain
  • Open-Sourcing Orange Pi R1 Plus LTS Software for Firewall Functionality: Secure Sideloading of Extraction Agent
    
    
• Forensafe
  Investigating Android Bluetooth
  
  
• Google
  DFIQ (Digital Forensics Investigative Questions)
  
  
• Howard Oakley at ‘The Eclectic Light Company’
  Recent items, property lists, Bookmarks and resolvers
  
  
• NixIntel
  Digging Into Russian Disinfo Infrastructure
  
  
• Salvation DATA
  [Case Study]Three Ingenious Methods for Bitlocker Recovery under Encryption State
  
  
• System Weakness
  • TFC CTF 2023 — List (Forensics)
  • SOC163 EventID:113 — Suspicious Certutil.exe Usage — letsdefend.io
    
    
• Tony Lambert
  Timelining a Malicious VHD for More Intelligence
  
  
• John Patzakis at X1
  Special Master Determines Microsoft Purview Does Not Comply With FRCP 26(g) Due to Unreliable and Incomplete Search Results
  

THREAT INTELLIGENCE/HUNTING

• Alex Teixeira
  What’s missing before the ‘One Metric That Matters’ in Threat Detection?
  
  
• Any.Run
  • Malware Analysis News: July 2023 
  • Top 3 Prevalent Malware of Q2 2023: an Overview 
    
    
• Yaara Shriki and Ofek Itach at Aqua
  Three Years Later: The Meow Campaign Reaches Jupyter
  
  
• Australian Cyber Security Centre
  2022 Top Routinely Exploited Vulnerabilities
  
  
• Jeremy Fuchs at Avanan
  Phishing via SharePoint
  
  
• Matěj Krčma at Avast Threat Labs
  Unpacking the Threats Within: The Hidden Dangers of .zip Domains
  
  
• Avertium
  The Double Extortion Group, 8Base
  
  
• Dylan Souvage at AWS Security
  How to Receive Alerts When Your IAM Configuration Changes
  
  
• Fleming Shi at Barracuda
  Threat Spotlight: Reported ransomware attacks double as AI tactics take hold
  
  
• Tim Thorne at Binalyze
  Automated Compromise Assessment with DRONE
  
  
• Martin Zugec at Bitdefender
  Bitdefender Threat Debrief | July 2023
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2023-08-01 – Bandook infection
  • 2023-08-03 – Google ad –> TurboTax site –> DanaBot
    
    
• BushidoToken
  Hacktivists: Liars and Morons
  
  
• Cado Security
  • 2023 Cloud Threat Findings Report
  • Cado Security Labs Encounter Novel Malware, Redis P2Pinfect
  • Cado Security Labs Releases 2023 Cloud Threat Findings Report 
    
    
• CERT Ukraine
  MerlinAgent: новий open-source інструмент для здійснення кібератак у відношенні державних організацій України (CERT-UA#6995, CERT-UA#7183)
  
  
• Check Point Research
  31st July – Threat Intelligence Report
  
  
• Yehuda Gelb at Checkmarx Security
  Lazarus Group Launches First Open Source Supply Chain Attacks Targeting Crypto Sector
  
  
• CISA
  Threat Actors Exploiting Ivanti EPMM Vulnerabilities
  
  
• Cisco’s Talos
  • The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter
  • Threat Source newsletter (Aug. 3, 2023) — Previewing Talos at BlackHat 2023
  • Half-Year in Review: Recapping the top threats and security trends so far in 2023
    
    
• Cofense
  • Google AMP – The Newest of Evasive Phishing Tactic
  • HTML Attachments Used in Malicious Phishing Campaigns Skyrocket: Increase 168% from 2022 and 450% from 2021
    
    
• Corelight
  • Detecting Storm-0558 using Corelight evidence | Corelight
  • Detections and Findings using Corelight in the Black Hat Asia NOC | Corelight
    
    
• Cyberdom
  Persistence via App Registration in Entra ID
  
  
• Cyfirma
  Weekly Intelligence Report – 04 Aug 2023
  
  
• Daniel Chronlund
  Microsoft Entra ID Honeypot Accounts with Microsoft Sentinel
  
  
• Tim Helming at DomainTools
  Ramnit, Jim, I’m a threat hunter, not a doctor!
  
  
• Abdulrahman H. Alamri at Dragos
  Dragos Industrial Ransomware Attack Analysis: Q2 2023
  
  
• Yuzuka Akasaka at Flare
  • Threat Intelligence Sharing: 5 Best Practices
  • Actioning Threat Intelligence Data: The Definitive Guide
  • Actionable Threat Intelligence: Generating Risk Reduction from CTI
    
    
• Fortinet
  Ransomware Roundup – DoDo and Proton
  
  
• Guardio
  “PhishForce” — Vulnerability Uncovered in Salesforce’s Email Services Exploited for Phishing…
  
  
• Nic Finn at GuidePoint Security
  Tunnel Vision: CloudflareD AbuseD in the WilD
  
  
• Huntress
  • Breaking Down the Threat Hunting Process
  • Legitimate Apps as Traitorware for Persistent Microsoft 365 Compromise
    
    
• Pierre Noujeim at InfoSec Write-ups
  Implementing MITRE D3FEND for ATT&CK Technique T1059: Command and Scripting Interpreter
  
  
• KELA Cyber Threat Intelligence
  • Akira Ransomware Gang Evades Decryptor, Exploiting Victims Uninterruptedly
  • Qilin Ransomware Gang Adopts Uncommon Payment System: All Ransom Payments Funneled through Affiliates
  • Cyclops Ransomware Gang Unveils Knight 2.0 RaaS Operation: Partner-Friendly and Expanding Targets
    
    
• Malwarebytes Labs
  Global ransomware attacks at an all-time high, shows latest 2023 State of Ransomware report
  
  
• Mandiant
  • Transcending Silos: Improving Collaboration Between Threat Intelligence and Cyber Risk
  • August 2023 Threat Horizons Report Provides Cloud-Focused Cybersecurity Insights and Recommendations
    
    
• Lakshya Mathur and Yashvi Shah at McAfee Labs
  The Season of Back to School Scams
  
  
• Michael Haag
  • LOLDrivers 2.0: Pioneering Progress
  • Unmasking Malicious Bootloaders with Bootloaders.io
    
    
• Microsoft Security
  Midnight Blizzard conducts targeted social engineering over Microsoft Teams
  
  
• Ariel Szarf and Or Aspir at Mitiga
  Uncovering a New Potential Abuse of AWS Systems Manager (SSM) Agent
  
  
• Monty Security
  A Practical Guide to Threat Hunting in Process Data
  
  
• Nextron Systems
  How to scan Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core for CVE-2023-35078 Exploitation
  
  
• Obsidian Security
  Behind The Breach: Self-Service Password Reset (SSPR) Abuse in Azure AD
  
  
• Nir Chako at Pentera
  The LOL Isn’t So Funny When It Bites You in the BAS
  
  
• Recorded Future
  BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy New Infrastructure in 2023
  
  
• Dave Bogle at Red Canary
  Look beyond processes with Linux EDR
  
  
• ReversingLabs
  • WormGPT: Business email compromise amplified by ChatGPT hack
  • VMConnect: Malicious PyPI packages imitate popular open source modules
    
    
• Riccardo Ancarani at ‘Red Team Adventures’
  • Mockingjay – What is old is new again
  • Attacking an EDR – Part 1
    
    
• S-RM Insights
  • Nation state actors: what’s next on the cyber threat landscape horizon?
  • Cyber Intelligence Briefing: 4 August 2023
    
    
• SANS Internet Storm Center
  • USPS Phishing Scam Targeting iOS Users, (Sun, Jul 30th)
  • Zeek and Defender Endpoint, (Wed, Aug 2nd)
  • Summary of DNS over HTTPS requests against our honeypots., (Tue, Aug 1st)
  • Are Leaked Credentials Dumps Used by Attackers?, (Fri, Aug 4th)
  • From small LNK to large malicious BAT file with zero VT score, (Thu, Aug 3rd)
    
    
• Secureworks
  Sniffing Out SharpHound on its Hunt for Domain Admin
  
  
• Antonio Villalón at Security Art Work
  De la inteligencia a la detección de amenazas
  
  
• Security Intelligence
  • MSMQ QueueJumper (RCE Vulnerability): An In-Depth Technical Analysis
  • Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub
    
    
• SentinelOne
  • The Nightmare Of Destructive Malware | From Wiper To SwiftSlicer
  • Illicit Brand Impersonation | A Threat Hunting Approach
    
    
• SOCRadar
  • Top 10 Ransomware Demands
  • Living Off the Land (LOTL): The Invisible Cyber Threat Lurking in Your System
  • Threat Profile: Rhysida Ransomware
    
    
• Sophos
  • The State of Ransomware in State and Local Government 2023
  • Sha zhu pan scam uses AI chat tool to target iPhone and Android users
    
    
• SpecterOps
  • Your new best friend: Introducing BloodHound Community Edition
  • Challenges In Post-Exploitation Workflows
  • BloodHound Enterprise Learns Some New Tricks
    
    
• Michael Clark at Sysdig
  2023 Global Cloud Threat Report: Cloud Attacks are Lightning Fast
  
  
• Third Eye intelligence
  Into the world of Phishing-as-a-Service Providers operating on Telegram targeting Australia
  
  
• Trustwave SpiderLabs
  • Honeypot Recon: New Variant of SkidMap Targeting Redis
  • New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3
    
    
• Alexandra Martin at VirusTotal
  Actionable Threat Intel (V) – Autogenerated Livehunt rules for IoC tracking
  
  
• VMRay
  VirusTotal 101: How to use responsibly.
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2023-07-31
  
  
• Cellebrite
  Tips and Tricks for Collecting Employee Chat Data
  
  
• Exterro
  Tracking User Behavior using the Windows Registry
  
  
• SANS
  • Rule-Breakers Unite: Reimagining SANS HackFest
  • Join us for the SANS Open-Source Intelligence (OSINT) Summit 2023 – September 22!
    

PRESENTATIONS/PODCASTS

• Anuj Soni
  Identifying Code Reuse in Malware with Ghidra and BinDiff
  
  
• Black Hills Information Security
  • SCCM Exploitation: The First Cred Is the Deepest II w/ Gabriel Prud’homme | 1-Hour
  • Talkin’ About Infosec News – 7/31/2023
    
    
• Breaking Badness
  163. Phisherman’s Wharf
  
  
• Cellebrite
  • The Digital Forensics Series – EP 2  [Recorded]
  • Mobile Device Forensics: Import and Export Cases of Interest in PA ULTRA – Heather Mahalik
    
    
• cloudyforensics
  Azure Forensics
  
  
• Cyber Secrets
  • CSI Linux 2023.2 – Setting up KVM Qemu Image
  • CSI Linux 2023.2 – Updating the Platform
  • CSI Linux 2023.2 Whatismyip
    
    
• Cyber Social Hub
  Tech Hunt: Unleashing Digital Investigation Tools & Training
  
  
• Digital Forensic Survival Podcast
  DFSP # 389 – $Usnrl
  
  
• Huntress
  Episode 2: Know Thy Enemy
  
  
• InfoSec_Bret
  IR -SOC191-141 – Scr Hijack Detected
  
  
• John Hubbard at ‘The Blueprint podcast’
  Bonus Episode: What does it take to author a cybersecurity book?
  
  
• Mandiant
  Assume Breached!
  
  
• MSAB
  How to Exclude Known Data Library and System Files in XAMN Pro?
  
  
• SANS
  • Unpacking the New SEC Regulations with John Pescatore
  • No Experience Required – Gaining Clarity for a Career in Cybersecurity
  • Hands-On Workshop: Building Better Detections | AWS Edition
    
    
• Sofia Marin
  • Incident Response Series:  Chapter #1 Phishing and cookie stolen with Evilginx.
  • Incident Response Series:  Chapter #3 The Impact and Subscription Theft as Exfiltration
    
    
• The Cyber Mentor
  Hacking Active Directory for Beginners (over 5 hours of content!)
  

MALWARE

• Amged Wageh
  Pillars of Analyzing Malicious MS Office Documents — Part 1–3: Document Format Structures
  
  
• Amr Ashraf
  Amadey Malware Analysis
  
  
• ASEC
  • Sliver C2 Being Distributed Through Korean Program Development Company
  • Reptile Malware Targeting Linux Systems
    
    
• Cleafy
  SpyNote continues to attack financial institutions
  
  
• d01a
  Pikabot deep analysis
  
  
• Esentire
  • BatLoader Continues Signed MSIX App Package Abuse
  • Operation PhantomControl
  • eSentire Threat Intelligence Malware Analysis: Raccoon Stealer v2, Part 2
    
    
• Hex Rays
  • Plugin focus: ComIDA
  • Igor’s Tip of the Week #151: Fixing “function frame is wrong”
    
    
• SangRyol Ryu at McAfee Labs
  Invisible Adware: Unveiling Ad Fraud Targeting Korean Android Users
  
  
• Mohamed Adel
  Pikabot deep analysis
  
  
• OALABS Research
  • Bandit Stealer Garbled
  • Golang Garble String Decryption
    
    
• Lior Rochberger at Palo Alto Networks
  NodeStealer 2.0 – The Python Version: Stealing Facebook Business Accounts
  
  
• Phylum
  Targeted npm Malware Attempts to Steal Company Source Code and Secrets
  
  
• Phylum
  Typosquat of popular Ethereum package on npm sends private keys to remote server
  
  
• Kelsey Merriman and Pim Trouerbach at Proofpoint
  Out of the Sandbox: WikiLoader Digs Sophisticated Evasion  
  
  
• Securelist
  What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot
  
  
• Ayush Anand at Securityinbits
  Understanding AsyncRAT: Config Decryption Techniques and Salt Analysis
  
  
• Ax Sharma at Sonatype
  Malicious PyPI package ‘VMConnect’ imitates VMware vSphere connector module
  
  
• Junestherry Dela Cruz at TrendMicro
  Latest Batloader Campaigns Use Pyarmor Pro for Evasion
  
  
• Zachary Reichert at Aon
  DarkGate Keylogger Analysis: Masterofnone
  

MISCELLANEOUS

• Jon Williams at Bishop Fox
  Breaking Fortinet Firmware Encryption
  
  
• Christopher Elce
  Operating a SOC Analyst Home Lab
  
  
• Forensic Focus
  • How To Use Rapid Hash Matching In The Battle Against CSAM
  • Combating CSAM And Human Trafficking: Digital Forensic Tools For Protecting Vulnerable Individuals
  • Digital Forensics Round-Up, August 03 2023
  • Safeguarding Vulnerable Youth: ADF Solutions Sponsors Crimes Against Children Conference
  • Forensic Focus Digest, August 04 2023
  • Detego Global Announces Webinar To Demonstrate Digital Forensics Innovation
    
    
• Christa Miller at Forensic Horizons – Medium
  July 2023: Certainty, Quality, and Transparency in Justice
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (8/1/2023)
  
  
• Magnet Forensics
  Connect CrowdStrike to Your DFIR Workflows for Instant Collections
  
  
• Malwarebytes Labs
  FAQ: How does Malwarebytes ransomware rollback work?
  
  
• MantaRay Forensics
  /VirusShare_Hash_Sets/Autopsy/VirusShare_0-475_MR4n6_Hash_Sets_Autopsy_2023_Q2.zip
  
  
• N00b_H@ck3r
  What You Need to Know If You Are Thinking of Taking the SANS SEC504: Hacker Tools, Technique, and Incident Handling and the GIAC Certified Incident Handler Certification Exam
  
  
• SANS
  • LDR553: Cyber Incident Management – Now 5 Days!
  • How Purple Team Can Use Continuous Adversary Emulation
  • A Visual Summary of SANS DFIR Summit 2023
    

SOFTWARE UPDATES

• Andrew Rathbun
  KAPE-EZToolsAncillaryUpdater 4.2
  
  
• Doomdie
  ReadFS
  
  
• Drew Alleman
  DataSurgeon 1.2.3
  
  
• Elcomsoft
  Low-level extraction support for iOS 16.5
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Yamato Security
  Hayabusa v2.7.0 🦅
  
  
• MISP
  MISP 2.4.174 released with major workflow enhancements, new features and fixes
  
  
• Rizin Organization
  cutter 2.3.0
  
  
• SigmaHQ
  pySigma v0.10.1
  
  
• Xways
  • X-Ways Forensics 20.8 SR-5
  • X-Ways Forensics 20.9 SR-1
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!