Links only this week, we needed a break!

Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

The SANS DFIR Summit CFP closes at the beginning of this week, get your talk proposals in soon!

The 4Cast Awards closes soon, get your nominations in here

As always, Thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Alexis Brignoni at ‘Initialization Vectors’
  So you have a DAR file…

• Marco Fontani at Amped
  The Truth Will Come Out: Easily Verify Time and Location Metadata With Amped Authenticate and Avoid Being Deceived by Them!

• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  • RECmd: command line tool for Windows Registry analysis
  • Cold Boot attack in Digital Forensics

• Mark Spencer at Arsenal Consulting
  Accessing Protected Content using Windows Domain Controllers and Workstations

• Sarah Edwards at Blackbag Technologies
  Apple’s (Not Quite) Secure Notes

• Heather Mahalik at Cellebrite
  • How to Detect Malware—Expert Answers to the 5 Most Common Questions
  • Part 1: Data Quality and Quantity – How to Get the Best of Both Worlds

• Cheeky4n6Monkey
  A Monkey Forays Into USB Flashdrives

• Michael Moore at LawDawg4n6
  Is it deleted deleted?

• Mike Cohen at Velocidex
  • Velociraptor Post-processing with Jupyter Notebook and Pandas
  • Extending VQL plugins

• Teru Yamazaki at Forensicist
  MSSQL Forensics Series (2)
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  Beyond good ol’ Run key, Part 124

• Andrew Skatoff at ‘DFIR TNT’
  “Find Evil” in 5 easy steps!! (Part 1)

• Ben Bornholm at HoldMyBeer
  • Operation cleanup: Eradicating malware with Osquery and Kolide
  • Adventures of the Sherlock Holmes Memory Gopher: Dumping and analyzing memory with Osquery and Kolide

• John Strand at Black Hills Information Security (blog + 8 min video)
  Detecting Malware Beacons With Zeek and RITA

• Check Point Software
  Update: Coronavirus-themed domains 50% more likely to be malicious than other domains

• Brian Carrier at Cyber Triage
  How to Make Data-Based Decisions During Incident Response: OODA for DFIR 2020

• David Rowe at SecFrame
  Invoke-Badblood.ps1 Update: New Features and Speed Increase

• Malte at Insinuator
  DNS exfiltration case study

• Dexter Shankle at LMG Security
  Common Antivirus Bypass Techniques

• Mark Johnson and Charu Puhazholi at Microsoft
  Use Advanced Audit to investigate compromised accounts

• Blake Strom at MITRE ATT&CK
  2020 ATT&CK Roadmap

• Wouter Stinkens at NVISO Labs
  Windows Server Hardening with PowerShell DSC

• Penetration Testing Lab
  Persistence – DLL Hijacking

• Carl Petty at Red Canary
  Unlocking Heaven’s Gate on Linux

• Cedric Owens at Red Teaming with a Blue Team Mentaility
  Helpful Red Team Operation Metrics

• Linu Varghese at Security Intelligence
  Leverage ATT&CK for ICS to Secure Industrial Control Systems

• Cody Thomas at SpecterOps
  Abusing Slack for Offensive Operations

• Adam Todd at TrustedSec
  Intro to Macros and VBA for Script Kiddies

• Trustwave SpiderLabs
  • Windows Debugging and Exploiting Part 4: NTQuerySystemInformation
  • Monster Lurking in Hidden Excel Worksheet

• Yoroi
  • The North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs
  • Karkoff 2020: a new APT34 espionage operation involves Lebanon Government
    

UPCOMING WEBINARS/CONFERENCES

• Cellebrite
  • Coming Soon: UFED Physical Analyzer Video Series
  • Technical Webinar: Reviewing the Physical Analyzer 7.29 and 7.30 updates

• Red Canary
  2020 Threat Detection Report sneak peak: watch it live!
  

PRESENTATIONS/PODCASTS

• Dr. Joe Sylve at Blackbag Technologies
  Ask the Expert: The Importance of APFS Snapshots in Investigations

• Heather Mahalik at Cellebrite
  How to Properly Handle Phones Seized for Investigation

• Digital Forensic Survival Podcast
  DFSP # 211 – Mac Forensics with Steve Whalen

• OA Labs
  BinDiff and IDA Pro – Reverse Engineering Speed Hacks

• Richard Davis at 13Cubed
  Mini Memory CTF – A Memory Forensics Challenge

• Ring3API
  Check out @rimpq’s tweet

• Heather Mahalik and Domenica Crognale at SANS
  Skip This Webinar – It’s Just Everything You Need To Know About Smartphones
  

MALWARE

• 0verfl0w_ at 0ffset
  Statically Reverse Engineering Shellcode: Emulation

• Binary Defense
  Emotet Wi-Fi Spreader Upgraded

• Volexity
  Microsoft Exchange Control Panel (ECP) Vulnerability CVE-2020-0688 Exploited

• Brad Duncan at Malware Traffic Analysis has posted some additional packet captures for analysis
  • 2020-03-03 – German malspam pushes Ursnif
  • 2020-03-03 – IcedID (Bokbot) infection
  • 2020-03-02 – Quick post: 4 examples of Magnitude EK

• Brian Laskowski at Laskowski-Tech
  Remco’s RAT, AMSI killing in the wild and defender evasion.

• Warren Mercer, Paul Rascagneres, and Vitor Ventura at Cisco Talos
  Bisonal: 10 years of play

• Cofense
  • Threat Actor Uses OneNote to Learn Credential Phishing and Evade Microsoft and FireEye Detection
  • Threat Actors Capitalize on Global Concern About Coronavirus in New Phishing Campaigns

• Gary Warner at CyberCrime & Doing Time
  What sites is Trickbot targeting?

• Ido Moshe and Liron Zuarets at Cybereason
  Code Integrity in the Kernel: A Look Into ci.dll

• Fortinet
  • Offense and Defense – A Tale of Two Sides: PowerShell
  • Attackers Taking Advantage of the Coronavirus/COVID-19 Media Frenzy
  • Ryuk Revisited – Analysis of Recent Ryuk Attack

• Stefan Karpenstein at G Data Security
  Malware samples threaten PCs and networks every few seconds

• Shusei Tomonaga at JPCERT/CC
  ELF_TSCookie – Linux Malware Used by BlackTech

• Alex Perekalin at Kaspersky Lab
  Collateral damage from APTs

• Pieter Arntz at Malwarebytes Labs
  Are our police forces equipped to deal with modern cybercrimes?

• Palo Alto Networks and Unit42
  • Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations
  • Why Proxy-Based Firewalls Are Not Enough

• Wade Ma at politoinc
  Automated Obfuscation of Windows Malware and Exploits Using O-LLVM

• fG at Reverse Engineering Mac OS X
  FruitFly’s dropper script and its missing tricks

• Marijan Ralasic at ReversingLabs Blog
  Sneaky Tools Infiltrating Your Mac Fortress

• SANS Internet Storm Centre Handler Diaries
  • Secure vs. cleartext protocols – couple of interesting stats, (Mon, Mar 2nd)
  • Introduction to EvtxEcmd (Evtx Explorer), (Tue, Mar 3rd)
  • A Safe Excel Sheet Not So Safe, (Fri, Mar 6th)
  • Chain Reactor: Simulate Adversary Behaviors on Linux, (Sat, Mar 7th)
  • Wireshark 3.2.2 Released: Windows’ Users Pay Attention Please, (Sat, Mar 7th)

• Jason Reaves at SentinelLabs
  Breaking TA505’s Crypter with an SMT Solver

• Sean Gallagher at Sophos News
  TrickBot campaign targets Coronavirus fears in Italy

• Sean Bell at The PhishLabs Blog
  How Threat Actors are Abusing Coronavirus Uncertainty

• Vit Sembera at TrendMicro
  Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks

• Virus Bulletin
  • VB2019 paper: Pulling the PKPLUG: the adversary playbook for the long-standing espionage activity of a Chinese nation state adversary
  • VB2019 paper: Finding drive-by rookies using an automated active observation platform

• Swee Lai Lee at VMware Carbon Black
  VMware Carbon Black Threat Analysis: FTCODE Ransomware

• Yoroi (in Italian)
  Intensificazione degli Attacchi “GhostCat”

• Christopher Louie at Zscaler
  Persistent Threats Pose a Growing Risk in 2020
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 3/2/2020

• David Spreadborough at Amped
  The Power of Projects in Amped FIVE

• Oleg Afonin at Elcomsoft
  Why Mobile Forensic Specialists Need a Developer Account with Apple

• Forensic Focus
  • Android Auto And Google Assistant – How Google Encourages Hands-Free Motoring
  • Forensic Tools For Investigating Child Sexual Abuse Material
  • BlackLight R3 From BlackBag
  • Everything You Ever Wanted To Ask About Checkm8 And Checkra1n
  • What’s Happening In Forensics – Mar 03, 2020

• Magnet Forensics
  Join Us for the DFIR CTF at the 2020 Magnet User Summit

• MantaRay Forensics
  /VirusShare_Hash_Sets/AXIOM/VirusShare_0-376_MR4n6_Hash_Sets_AXIOM_2020_Q1.zip

• Mike Sheward
  Out today, my new book: Security Operations in Practice

• Peter Stewart
  OtterCTF 2018 – Network Challenges – Birdman’s Data Write-up

• Tasha Carl
  iPhone, JTAG and Bonobo

• Charissa Ramia at ADF
  Sparking Interest in Digital Forensic Careers

• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — March 1 to March 7

• Harvey Vergara at Sumuri
  I can build my workstation for less than what you guys charge!
  

SOFTWARE UPDATES

• AccessData updated Quin-C
  AccessData Releases Prebuilt Workflows, New Mobile Data Capabilities in Newest Version of Quin-C

• Joe Security
  Joe Lab – the Cloud-based Malware Analysis Lab

• Bill Demirkapi
  Check out @BillDemirkapi’s tweet

• Binalyze
  Version 1.9.15

• Sylvain Peyrefitte
  Check out @citronneur’s tweet

• Cellebrite
  UFED and UFED InField 7.30 provides new support for smartphones with Huawei KIRIN processor

• Eric Zimmerman
  ChangeLog

• ExifTool
  ExifTool 11.91

• GetData
  05 Mar 2020 – 5.1.2.9342

• Intezer
  Accelerate Reverse Engineering with Intezer’s IDA Pro Plugin

• Nextron Systems
  Upcoming ASGARD Version 2

• Passmark Software
  V7.1 build 1007 5th March 2020

• radare2
  4.3.1
  

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!