As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Emi Polito at Amped
  Deblur a Moving Car
  
  
• Joseph Moronwi at Digital Investigator
  Linux Web Server Forensics: Dr. Ali Hadi’s Web Server Case
  
  
• Forensafe
  Investigating iOS Telegram
  
  
• Nik Alleyne at ‘Security Nik’
  • Packet Crafting – Tearing down a connection with TCP Reset
  • Solving the CTF challenge – Network Forensics (packet and log analysis), USB Disk Forensics, Database Forensics, Stego
    
    
• Théo Letailleur at Synacktiv
  Forensic Aspects of Microsoft Remote Access VPN
  
  
• The DFIR Report
  HTML Smuggling Leads to Domain Wide Ransomware
  

THREAT INTELLIGENCE/HUNTING

• Adam Goss
  Threat Profiling: How to Understand Hackers and Their TTPs
  
  
• Alex Teixeira
  Five lessons I learned from building anomaly-based threat detection
  
  
• Alexander Tasse
  EnrichIP V1.0: Automated Threat Intelligence Reporting for IP Addresses
  
  
• Anindo Mukherejee at InQuest
  An Introduction to Deep File Inspection
  
  
• Nitzan Yaakov and Assaf Morag at Aqua
  Kinsing Malware Exploits Novel Openfire Vulnerability
  
  
• Arctic Wolf
  1H 2023 Ransomware Landscape Overview
  
  
• Irfan Shakeel at AT&T Cybersecurity
  Battling malware in the industrial supply chain
  
  
• AWS Security
  • Improve your security investigations with Detective finding groups visualizations
  • Two real-life examples of why limiting permissions works: Lessons from AWS CIRT
    
    
• Brendan Chamberlain at InfosecB
  An Object-Oriented Approach to Threat Detection Engineering
  
  
• CERT Ukraine
  • UAC-0173: органи юстиції та нотаріат "під прицілом" (CERT-UA#7372)
  • Кібератака UAC-0057: експлойт для CVE-2023-38831, JavaScript-варіація PicassoLoader, алгоритм Rabbit та Cobalt Strike Beacon (CERT-UA#7435)
    
    
• CERT-AGID
  • Il ransomware Knight distribuito in Italia tramite falsa fattura
  • Sintesi riepilogativa delle campagne malevole nella settimana del 26 Agosto – 01 Settembre 2023
    
    
• Check Point
  • 28th August – Threat Intelligence Report
  • Check Point Shares Analysis of Qakbot Malware Group
  • From Hidden Bee to Rhadamanthys – The Evolution of Custom Executable Formats
  • How companies can get a grip on ‘business email compromise’
    
    
• CISA
  • CISA Releases IOCs Associated with Malicious Barracuda Activity
  • CISA and FBI Publish Joint Advisory on QakBot Infrastructure
  • Identification and Disruption of QakBot Infrastructure
    
    
• Max Gannon at Cofense
  The Lure of Subject Lines in Phishing Emails
  
  
• Cyfirma
  Weekly Intelligence Report – 01 Sep 2023
  
  
• Matt Edmondson at Digital Forensics Tips
  Automating Domain Squatting Detection with DNSTwist and Python
  
  
• Joe St Sauver at DomainTools
  Classic DNSDB API Version 1 vs the Newer DNSDB API Version 2 (DNSDB APIv2): What Are YOU Using?
  
  
• Jörg Abraham at EclecticIQ
  Flax Typhoon targeting Taiwan, Ransomware Emphasizing Linux-Centric Payloads
  
  
• Aaron Walton and Ben Brigida at Expel
  Cyberattackers evolve: the Quarterly Threat Report for Q2 2023
  
  
• Eyad M
  T1055.001 — Process Injection: DLL Injection
  
  
• Faan Ross
  Threat Hunting for Beginners: Hunting Standard Dll-Injected C2 Implants (Practical Course)
  
  
• Fatih Yilmaz
  Powershell and Obfuscation
  
  
• Flashpoint
  • Cyber Threat Intelligence Index: 2023 Midyear
  • The Emergence of Ransomed: An Uncertain Cyber Threat in the Making
  • COURT DOC: Qakbot Malware Disrupted in International Cyber Takedown
  • Qakbot Takedown: A Brief Victory in the Fight Against Resilient Malware
    
    
• Florian Roth
  Emerging Cybersecurity Threats: What to Watch Out For in Q4 2023
  
  
• Fortinet
  • Multiple Threats Target Adobe ColdFusion Vulnerabilities
  • Ransomware Roundup – Rhysida
    
    
• Dwayne McDaniel at GitGuardian
  Defending your castle: Raising walls versus detecting intruders
  
  
• Huntress
  • Threat Hunting and Tactical Malware Analysis
  • Qakbot Malware Takedown and Defending Forward
  • How Huntress Transformed Its Detection Engine
    
    
• Intel471
  Cryptocurrency Malware: An Ever-Adapting Threat
  
  
• Paul Kimayong at Juniper Networks
  DreamBus Botnet Resurfaces, Targets RocketMQ vulnerability
  
  
• Koen Van Impe
  MISP to Microsoft Sentinel integration with Upload Indicators API
  
  
• MagicSword
  Introducing sigconverter.io: The Community-Driven Sigma Translation Tool
  
  
• Mandiant
  • Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868)
  • Revisiting Traditional Security Advice for Modern Threats
    
    
• Microsoft Security
  • Flax Typhoon using legitimate software to quietly access Taiwanese organizations
  • Defender Experts Chronicles: A Deep Dive into Storm-0867
    
    
• MITRE-Engenuity
  • Our TRAM Large Language Model Automates TTP Identification in CTI Reports
  • Threat-informed Defense Is Hard, So We Are Still Not Doing It!
    
    
• Vincas Čižiūnas at Nisos
  Trickbot in Light of Trickleaks Data
  
  
• Obsidian Security
  • The Power of Audit Logs: Critical Lessons from the Recent Storm-0558 Threat
  • Behind The Breach: Self-Service Password Reset (SSPR) Abuse in Azure AD
  • SSPM to the Rescue: Accelerating SaaS Incident Response by 90%
    
    
• Jessica Ellis at PhishLabs
  QBot Operations Peak Pre-Takedown, O365 Attacks Increase in Q2
  
  
• Adam Crosser at Praetorian
  ZeroQlik: Achieving Unauthenticated Remote Code Execution via HTTP Request Tunneling and Path Traversal
  
  
• Nayeem Islam at Qualys
  Risk Fact #4: Malware in your Cloud means Exploitation is underway
  
  
• Rapid7
  • Under Siege: Rapid7-Observed Exploitation of Cisco ASA SSL VPNs
  • Fake Update Utilizes New IDAT Loader To Execute StealC and Lumma Infostealers
    
    
• Red Canary
  • How AI will affect the malware ecosystem and what it means for defenders
  • Global coalition of law enforcement agencies take down Qbot
  • Remote control: Detecting RMM software and other remote admin tools
    
    
• ReliaQuest
  3 Malware Loaders You Can’t (Shouldn’t) Ignore
  
  
• Resecurity
  “Smishing Triad”; Targeted USPS and US Citizens for Data Theft
  
  
• Matt Saunders and Scott Nyberg at Salesforce Engineering
  Data Enrichment and Automation: Helping Salesforce Security Overcome the Threat Identification Challenge
  
  
• Will Thomas at SANS
  Evolution of Cybercriminal Operations in 2023
  
  
• SANS Internet Storm Center
  • Analysis of RAR Exploit Files (CVE-2023-38831), (Mon, Aug 28th)
  • Survival time for web sites, (Tue, Aug 29th)
  • Home Office / Small Business Hurricane Prep, (Mon, Aug 28th)
  • The low, low cost of (committing) cybercrime, (Thu, Aug 31st)
  • Potential Weaponizing of Honeypot Logs [Guest Diary], (Thu, Aug 31st)
  • What is the origin of passwords submitted to honeypots?, (Sat, Sep 2nd)
    
    
• Securelist
  • IT threat evolution in Q2 2023. Non-mobile statistics
  • IT threat evolution in Q2 2023. Mobile statistics
  • IT threat evolution in Q2 2023
    
    
• Aaron Beardslee and Tim Peck at Securonix
  Improving Your Blue Team’s Ability To Detect Threats With Enhanced Siem Telemetry
  
  
• Sekoia
  Engineering detection around Microsoft Defender
  
  
• SentinelOne
  • Threat Actor Interplay | Good Day’s Victim Portals and Their Ties to Cloak
  • Endpoint, Identity and Cloud | Top Cyber Attacks of 2023 (So Far)
    
    
• Simone Kraus
  Top RATs analyzed for August 2023
  
  
• SOCRadar
  Chain Reactions: Footprints of Major Supply Chain Attacks
  
  
• Matt Wixey at Sophos
  For the win? Offensive research contests on criminal forums
  
  
• Mauricio Velazco at Splunk
  Sharing is Not Caring: Hunting for Network Share Discovery
  
  
• Symantec Enterprise
  Qakbot: Takedown Operation Dismantles Botnet Infrastructure
  
  
• System Weakness
  • SOC134 EventID:81 — Suspicious WMI Activity — letsdefend.io
  • EDR Simulation — Hunting for Process Injection with API Monitoring
    
    
• Trellix
  • ICYMI: Emotet Reappeared Early This Year, Unfortunately
  • Decoding the DNA of Ransomware Attacks: Unveiling the Anatomy Behind the Threat
    
    
• Trend Micro
  • Stealthy Android Malware MMRat Carries Out Bank Fraud Via Fake App Stores
  • Earth Estries Targets Government, Tech for Cyberespionage
  • Revisiting 16shop Phishing Kit, Trend-Interpol Partnership
  • Qakbot Takedown: The Road Ahead is Long and Winding
    
    
• Luke Bremer at TrustedSec
  Crafting Emails with HTML Injection
  
  
• Andre Rall at Uptycs
  Cloud Security: Decoding Threat Actor Tactics & Strengthening Defenses
  
  
• Vishal Thakur
  Vovk — Advanced Yara rule generator
  
  
• Sudeep Singh and Naveen Selvan at ZScaler
  A Look Into DuckTail
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2023-09-11
  
  
• Magnet Forensics
  • Internal Investigations – Get the Evidence You Need to Safeguard Your Business
  • Logical+ iOS Extractions
    
    
• SANS
  Tackling Cyber Threats in Healthcare | 2023 SANS Healthcare Forum
  

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  MFE 0 – ALEAPP – Image Manager Cache & Glide
  
  
• Black Hills Information Security
  • Talkin’ About Infosec News – 8/21/2023
  • Talkin’ About Infosec News – 8/28/2023
    
    
• Breaking Badness
  165. Gorillas in the NIST
  
  
• Cellebrite
  The Digital Forensics Series – EP 3  [Recorded]
  
  
• cloudyforensics
  Google Compute Engine Forensics & Incident Response
  
  
• Cyborg Security
  Episode 11
  
  
• DEFCON
  DEF CON 31 – Demystifying (& Bypassing) macOS’s Background Task Management – Patrick Wardle
  
  
• Digital Forensic Survival Podcast
  DFSP # 393 – Linux Subsystems for Windows
  
  
• Gerald Auger at Simply Cyber
  Red and Blue Cyber Learning LIVE (Play Along Free!)
  
  
• Huntress
  ThreatOps Stories: Rouge ScreenConnect
  
  
• InfoSec_Bret
  SA – SOC146 EventID: 93 (Phishing Mail Detected – Excel 4.0 Macros) [June 13, 2021, 2:13 p.m.]
  
  
• John Dwyer
  Analyzing PowerShell Payloads Episode 10
  
  
• John Hammond
  The FBI Disrupted a HUGE Malware Strain
  
  
• LaurieWired
  Do This When Your Android Decompiler Fails
  
  
• LetsDefend
  LetsTalk Blue Team #1: Fireside Chat
  
  
• Magnet Forensics
  • Introducing Case Sharing and Collaboration in Magnet IGNITE
  • Ep. 8 // Figuring Out File Explorers – Part 2
    
    
• MSAB
  How to Exclude Hash Lists in XAMN?
  
  
• Richard Davis at 13Cubed
  Old School MS-DOS Commands for DFIR
  
  
• SANS
  FEATURE SEGMENT: Inside SANS Holiday Hack Challenge 2023 | Host: Ed Skoudis
  
  
• SANS Cloud Security
  • Open Source Tool: The DeRF (Detection Replay Framework)
  • Cloud Threat Detection: Snooping in Storage
  • Hands On Workshop: Multi Cloud Data Security
  • Beware! Encryption Jedi Mind Trick
    

MALWARE

• ASEC
  Analysis of Andariel’s New Attack Activities
  
  
• Australian Cyber Security Centre
  Infamous Chisel
  
  
• Bitdefender
  The Differences Between Static and Dynamic Malware Analysis
  
  
• Yehuda Gelb at Checkmarx Security
  An Ongoing Open Source Attack Reveals Roots Dating Back To 2021
  
  
• CISA
  Infamous Chisel Malware Analysis Report
  
  
• Edmund Brumaghin at Cisco’s Talos
  SapphireStealer: Open-source information stealer enables credential and data theft
  
  
• Cyber Geeks
  A Deep Dive into Brute Ratel C4 payloads
  
  
• Hendrik Eckardt at cyber.wtf
  QakBot Takedown Payload Analysis
  
  
• Didier Stevens
  • Quickpost: Analysis of PDF/ActiveMime Polyglot Maldocs
  • Quickpost: PDF/ActiveMime Maldocs YARA Rule
    
    
• Ali Paşa Turhan at Docguard
  The New AV Bypass Technique: Embedded Malicious Word in PDF File
  
  
• Doug Burks at Security Onion
  Quick Malware Analysis: 2023-05-24 OBAMA264 QAKBOT
  
  
• Dr Josh Stroschein
  • What are PE File Forwarded Exports?
  • The Basics of Analyzing and Creating Structures in IDA Pro – Part 1
    
    
• Arda Büyükkaya at EclecticIQ
  Decrypting Key Group Ransomware: Emerging Financially Motivated Cyber Crime Gang
  
  
• Emanuele De Lucia
  Under the shellcode of the ‘Operation Duck Hunt’. Analysis of the FBI’s ducks killer.
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #155: Splitting stack variables in the decompiler
  
  
• Jay Vadhaiya at InfoSec Write-ups
  Reverse Engineering: Injection Series Part 4 — Blue Team Labs
  
  
• Yuma Masubuchi at JPCERT/CC
  MalDoc in PDF – Detection bypass by embedding a malicious Word file into a PDF file –
  
  
• Preksha Saxena at McAfee Labs
  Peeling Back the Layers of RemcosRat Malware
  
  
• MDSec
  Leveraging VSCode Extensions for Initial Access
  
  
• Nsfocus
  APT34使用SideTwist变种木马开展新一轮网络钓鱼活动
  
  
• OALABS Research
  Attack Crypter
  
  
• Brad Duncan at Palo Alto Networks
  RedLine Stealer: Answers to Unit Wireshark Quiz
  
  
• Phylum
  • Cryptocurrency Miner Masquerading as GCC Compiler Found in NPM Package
  • Dormant npm Package Update Targets Ethereum Private Keys
    
    
• Digvijay Mane at Quick Heal
  Battling the Death Trap of Malicious Loan Apps
  
  
• Karlo Zanki at ReversingLabs
  VMConnect supply chain attack continues, evidence points to North Korea
  
  
• Phil Stokes at SentinelOne
  Bloated Binaries | How to Detect and Analyze Large macOS Malware Files
  
  
• Ben Martin at Sucuri
  Compromised OpenCart Payment Module Steals Credit Card Information
  
  
• VMRay
  Understanding BumbleBee: BumbleBee’s malware configuration and clusters
  
  
• Jason Reaves and Joshua Platt at Walmart
  Gazavat / Expiro DMSniff connection and DGA analysis
  
  
• Zach Reichert
  CrytoxTools
  
  
• Zhassulan Zhussupov
  Malware and cryptography 20: encrypt/decrypt payload via Skipjack. Simple C++ example.
  
  
• بانک اطلاعات تهدیدات بدافزاری پادویش
  Trojan.Android.Wroba.Roamingmantis
  

MISCELLANEOUS

• ADF Solutions
  How to Preview Evidence on a Mobile Device
  
  
• Autopsy
  4.21.0 Release with Faster Search and Malware Scanning
  
  
• Jonathan Tanner at Barracuda
  Malware 101: Trojans as an infection method
  
  
• Brett Shavers
  The DFIR Investigative Mindset
  
  
• Monica Harris at Cellebrite
  • Detect, Analyze, Mitigate: Endpoint Inspector’s Impact on Incident Response
  • Charting the Course of Data Collection and Investigations: Trends and Considerations
  • Data in the Cloud: Strategies for Smart Collection from Workplace Applications
    
    
• Doug Burks at Security Onion
  Top 5 Reasons to Sign Up for our 4-day Security Onion Training
  
  
• Forensic Focus
  • Prioritization At Binalyze
  • Sergio Tenreiro de Magalhaes, Associate Professor of Cybersecurity and Digital Forensics, Champlain College
  • UPCOMING WEBINAR: Empower Your SOC With Modern DFIR
  • Digital Forensics Round-Up, August 31 2023
  • Forensic Focus Digest, September 01 2023
    
    
• Christa Miller at Forensic Horizons
  August 2023: Summer Break? Not for Technology or Justice
  
  
• Kaido Järvemets at Kaido Järvemets
  Streamlining Identity Investigations: Real-Time Responses with Defender for Identity and Beyond
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (9/1/2023)
  
  
• Kim Zetter at Kim Zetter at ‘Zero Day’
  Interview with the ETSI Standards Organization That Created TETRA "Backdoor"
  
  
• Korstiaan Stam at ‘Invictus Incident Response’
  5 Tips to prevent or limit the impact of an incident in Azure
  
  
• Plainbit
  2023년 마그넷 DFIR 현황 보고서
  
  
• Salvation DATA
  How to Recover Formatted Data with Partition Recovery Software?
  
  
• SANS
  • FOR589: Cybercrime Intelligence
  • Defending Against Ransomware in Industrial Control Systems
  • SEC568: Approaching the Software Supply Chain like Jack Byrnes
  • Next Generation FOR508
    
    
• John Patzakis at X1
  Best Evidence Rule Requires Post-Level Collection for Social Media Evidence
  
  
• Zain ul Abidin
  How to install SPLUNK Enterprise and ingest logs using SPLUNK Universal forwarder
  

SOFTWARE UPDATES

• Apache
  28 August 2023: Apache Tika Release
  
  
• Cyber Triage
  3.8 Includes Autopsy Integration and Malware Scanning Boosts
  
  
• Didier Stevens
  • Update: sortcanon.py Version 0.0.3
  • Update: emldump.py Version 0.0.12
    
    
• k1nd0ne
  VolWeb 1.3.2-beta
  
  
• Magnet Forensics
  • Introducing Case Sharing and Collaboration in Magnet IGNITE
  • Introducing Magnet OUTRIDER 4.0: Now with iOS Support
    
    
• Ninoseki
  Azuma v0.3.1
  
  
• Juan Leaniz at Open Source DFIR
  An update on the latest Turbinia features
  
  
• OpenCTI
  5.10.1
  
  
• Mike Cohen at Rapid7
  Velociraptor 0.7.0 Release: Dig Deeper With Enhanced Client Search, Server Improvements and Expanded VQL Library
  
  
• Sandfly Security
  Sandfly 4.6.1 – Microsoft Active Directory Support and Default Linux Password Auditing
  
  
• SigmaHQ
  pySigma v0.10.5
  
  
• Sleuthkit
  • The Sleuth Kit 4.12.1 is available
  • Autopsy 4.21.0 is available
    
    
• Yamato Security
  Hayabusa v2.8.0 🦅
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!