More links only, sorry Vico 🙂 But there’s over 200 of them!

Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Azeemnow
  What your CMD command line security is missing

• BlueteamerAU
  Evidence of file execution

• Dr. Ali Hadi at ‘Binary Zone’
  • No Drive Letter, No USB Evidence? Think Again!
  • Investigating USB Drives using Mount Points Not Drive Letters

• Elcomsoft
  • macOS, iOS and iCloud updates: forensic consequences
  • Breaking VeraCrypt containers
  • Tally ERP 9 Vault: How to Not Implement Password Protection
  • Using Microsoft Azure to Break Passwords
  • Password Reuse vs. Master Password: Two Sides of Password Managers
  • Accelerating Password Recovery: GPU Acceleration, Distributed and Cloud Attacks

• Ian Whiffin at DoubleBlak
  • Primary Key / Date Stamp Fallacy
  • iOS MailBox

• Lee Holmes at ‘Precision Computing’
  Client IP Address Disclosure in smtp.gmail.com

• Mike Williamson at Magnet Forensics
  Exploring Signal: An Unprecedented Look Under the Hood of a Production App

• Maxim Suhanov
  Tracking Log

• Mr. Hobbits
  Master Boot Record – Decoding BPB

• NixIntel
  The Secret Life Of JPEGs

• Oxygen Forensics
  • Bypassing screen lock and decrypting physical dumps of Huawei devices based on Android OS v. 9 and 10.
  • Tracking the pandemic thread with Oxygen Forensic Detective

• Amber Schroader at Paraben Corporation
  AirWatch MDM and E3 Forensic Platform iOS Acquisitions

• Peter Stewart
  13Cubed Mini Memory CTF Write-up

• Yogesh Khatri at ‘Swift Forensics’
  Parsing unknown protobufs with python
  

THREAT INTELLIGENCE/HUNTING

• Stan Hegt at Outflank writes about some nuances with ZoneId’s and how to get around detections for files that have been downloaded
  Mark-of-the-Web from a red team’s perspective

• Examiners who usually don’t focus on malware will be interested in this tricky shortcut (LNK) activity from Jan Kopriva at SANS ISC
  Crashing explorer.exe with(out) a click, (Mon, Mar 30th)

• Active Countermeasures
  • Threat Simulation – Long Connections
  • Threat Simulation – Client Signatures (User Agent)
  • AI-Hunter v3.7.0 Is in the Wild!

• Adam at Hexacorn
  • Blue ink, Red ink… Purple Heart
  • Da Li’L World of DLL Exports and Entry Points, Part 4
  • API Monitoring under Windows 10

• Andreas Hunkeler
  malware-persistence

• Anomali Blog
  Weekly Threat Briefing: APT41, Exploits, lightSpy, TA505 and More

• Black Hills Information Security
  Messing With Web Attackers With SpiderTrap (Cyber Deception)

• Brad Duncan at Malware Traffic Analysis
  • 2020-03-31 – Ursnif (Gozi/IFSB) infection
  • 2020-03-31 – Material for an ISC diary (Qakbot malspam)
  • 2020-04-02 – VBS-based malware infection
  • 2020-03-30 – Invoice-themed malspam pushes Kpot info stealer

• Corelight
  Watch over DNS traffic with Corelight & Splunk

• Cyber Security
  Cyber Economics (1) – Development of a security control baseline

• Cyberbit
  Remote Cyber Range Training, Our Commitment to the Cyber Community

• Darknet
  Memhunter – Automated Memory Resident Malware Detection

• Dragos
  A Matter of Trust: Remote Access for ICS

• Graceful is Noforce
  openssl s_client … but in PowerShell?

• Hacking Articles
  • Credential Dumping: Wireless
  • Command & Control: PoshC2
  • Credential Dumping: Windows Credential Manager
  • Persistence: RID Hijacking

• JPCERT/CC
  • Attacks Exploiting Vulnerabilities in Pulse Connect Secure Vulnerabilities
  • Trends of Phishing Sites Reported to JPCERT/CC

• Kris Oosthoek
  • From Hodl to Heist (Abstract): Analysis of Cyber Security Threats to Bitcoin Exchanges
  • From Hodl to Heist (Full Paper): Analysis of Cyber Security Threats to Bitcoin Exchanges

• LMG Security
  How to Spot Phishing Email Fraud

• Lucideus
  Hunting Session Overloading

• Microsoft Security
  Attack matrix for Kubernetes

• MITRE ATT&CK
  ATT&CK with Sub-Techniques — What You Need to Know

• NirBlog
  View Windows Defender threats on local and remote computer

• NVISO Labs
  Report sightings from Kibana to MISP

• Olaf Hartong
  The ATT&CK Rainbow of Tactics

• One Night in Norfolk
  A New Look at Old Dragonfly Malware (Goodor)

• Palo Alto Networks
  5 Reasons Why Threat Intel Management Needs to SOAR!

• Patrick Wardle at ‘Objective-See’
  The ‘S’ in Zoom, Stands for Security

• Pixis at Hackndo
  NTLM Relay

• Red Canary
  2020 Threat Detection Report: the conversation continues

• Richard Bejtlich at TaoSecurity
  Seeing Book Shelves on Virtual Calls

• Sandfly Security
  Detecting Linux Kernel Process Masquerading with Command Line Forensics

• Scott Piper at ‘Summit Route’
  Isolated networks on AWS

• Security Intelligence
  How Relevance Scoring Can Make Your Threat Intelligence More Actionable

• SentinelOne
  Is SearchMine Adware Teeing Up Your Endpoints For Other Threat Actors?

• Josh Liburdi
  • Structured & Task-Driven Threat Hunting
  • Creating & Tracking Threat Hunting Metrics

• Sucuri Blog
  Multi-Step Phishing Kit Targeting Credit Union

• TrustedSec
  Tricks for Weaponizing XSS

• Trustwave SpiderLabs
  Windows Debugging & Exploiting Part 5: SMBGhost CVE-2020-0796 Technical Review

• ZecOps Blog
  Exploiting SMBGhost (CVE-2020-0796) for a Local Privilege Escalation: Writeup + POC
  

UPCOMING WEBINARS/CONFERENCES

• Sarah Hargreaves and Sam Holt at AccessData
  Ready to find your new forensic investigator soulmate? Meet Quin-C.

• CQURE Academy
  LIVE WEBINAR – How to Become Windows Forensics Master 2.0

• Heather Mahalik at Smarter Forensics
  “Life Has no ctrl+Alt+Del” – The New DFIR online Meetup

• Matt Graeber
  Check out @mattifestation’s tweet

• OPCDE
  Cyber security vir(tu)al summit

• Robert O’Leary at Nuix
  Nuix Digital Investigations Solutions: From ECA to Deep Dive Forensics
  

PRESENTATIONS/PODCASTS

• Forensic Lunch!
  Daily Blog #662: Forensic Lunch 4/3/20

• Cellebrite
  Ask the Expert: How to Detect Unparsed Apps in UFED Physical Analyzer by Heather Mahalik – Part 1

• Crisiscon
  Crisiscon

• Detections Podcast
  OpenSOC’s Ghost Recon

• Didier Stevens
  YARA: Ad Hoc Rules

• Digital Forensic Survival Podcast
  DFSP # 215 – CMSTP Forensics

• Kevin Ripa at ‘3 Minutes Max’
  • 3MinMax 6
  • 3MinMax 5
  • 3MinMax 4
  • 3MinMax 7
  • 3MinMax 8
  • 3MinMax 9

• Magnet Forensics
  From the Training Team: Magnet AXIOM Examinations (AX200)

• Lee Reiber at Mobile Forensic Investigations
  • Oxygen Forensics Episode 101
  • Oxygen Forensics Episode 102
  • Oxygen Forensics 103

• Paraben Corporation
  • Reviewing Email Headers with E3 Forensics
  • Skip Lists in the E3 Forensic Platform
  • Using FTK Imager with Paraben
  • E3 Forensic Platform Email Data Review Report
  • Importing Cellebrite data into the E3 Forensic Platform
  • Processing Google Takeout Data with the E3 Forensic Platfrom

• Robert O’Leary at Red Canary
  Webinars for one, webinars for all

• This Month In 4n6
  This Month In 4n6 – March – 2020
  

MALWARE

• Didier Stevens took April 1st to heart, sharing tricks with detections and EICAR files
  • mimikatz Is My New EICAR
  • FlashPix File With VBA Code

• 0xdf hacks stuff
  Jar Files: Modification Cheat Sheet

• AlienVault Security Essentials Blog
  Stories from the SOC- RIG Exploit Kit

• Bitdefender Labs
  A Malware Researcher’s Guide to Reversing Maze Ransomware

• Blog – Volexity
  Storm Cloud Unleashed: Tibetan Focus of Highly Targeted Fake Flash Campaign

• Click All the Things!
  LokiBot: Getting Equation Editor Shellcode

• Cofense
  Phish Fryday – Threat Intelligence in Phishing Defense

• Colin Cowie
  Chrome Extension Analysis

• FireEye
  Kerberos Tickets on Linux Red Teams

• Forcepoint
  Reframing Insider Threat: What Does it Mean When Everyone’s Working from Home?

• Fortinet
  • New Agent Tesla Variant Spreading by Phishing
  • Offense and Defense – A Tale of Two Sides: Bypass UAC
  • Steps for Adopting a Proactive Approach to Data Breaches
  • Preparing for the Surge in Attacks Targeting Remote Workers

• G Data Security
  Pekraut – German RAT starts gnawing

• Intezer
  • Search for revealing strings in Intezer Analyze
  • Fantastic payloads and where we find them

• Kaspersky Lab
  Enumeration attack dangers

• Malware Musings
  Creating a Citrix Gateway Honeypot

• MalwareInDepth
  Nanocore & CypherIT

• Microsoft Security
  • Microsoft Defender ATP can help you secure your remote workforce
  • Full Operational Shutdown—another cybercrime case from the Microsoft Detection and Response Team

• Morphisec
  GuLoader: The RAT Downloader

• Netskope
  Threat Management In The Cloud

• Palo Alto Networks
  • SilverTerrier: 2019 Nigerian Business Email Compromise Update
  • Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet
  • GuLoader: Malspam Campaign Installing NetWire RAT

• SANS Internet Storm Center
  • Qakbot malspam sent from an infected Windows host, (Wed, Apr 1st)
  • Kwampirs Targeted Attacks Involving Healthcare Sector, (Tue, Mar 31st)
  • Obfuscated Excel 4 Macros, (Sun, Mar 29th)
  • Obfuscated with a Simple 0x0A, (Fri, Apr 3rd)
  • New Bypass Technique or Corrupt Word Document?, (Sat, Apr 4th)

• Kaspersky Securelist
  • Holy water: ongoing targeted water-holing attack in Asia
  • Loncom packer: from backdoors to Cobalt Strike

• Cisco Blogs
  • Trickbot: A primer
  • Stealing passwords with credential dumping
  • AZORult brings friends to the party

• Security Intelligence
  Breaking the Ice: A Deep Dive Into the IcedID Banking Trojan’s New Major Version Release

• TrendMicro
  • Raccoon Stealer’s Abuse of Google Cloud Services and Multiple Delivery Techniques
  • Zoomed In: A Look into a Coinminer Bundled with Zoom Installer

• Trustwave SpiderLabs
  An In-depth Look at MailTo Ransomware, Part One of Three

• Virus Bulletin
  VB2019 paper: Cyber espionage in the Middle East: unravelling OSX.WindTail

• Xavier Mertens at /dev/random
  Handling Malware Delivered Into .daa Files

• Yoroi
  Closing the “Yomi Hunting” Challenge: Top Hunters 2020

• ZScaler
  Targeted Attack on Indian Financial Institution Delivers Crimson RAT

• The COVID-related threat actors continue:
  • AlienVault Labs
    The Power of Community to Fight COVID-19 Cyber Threats
  • Awake Security
    Network Threat Hunting to Detect Covid-19 Cyber Attacks
  • Check Point Software
    Coronavirus update: In the cyber world, the graph has yet to flatten
  • Check Point Software
    COVID-19 Impact: Cyber Criminals Target Zoom Domains
  • Cloudmark Security Blog
    COVID-19 SMS Spam Attacks Shift from Panic to Stimulus
  • Cofense
    Threat Actors Evade Proofpoint and Microsoft 365 ATP Protection to Capitalize on COVID-19 Fears
  • COVID-19 CTI League
    COVID-19 CTI-League Services
  • CyberCrime & Doing Time
    Covid-19 / CoronaVirus Domains: a looming threat?
  • Elasticsearch
    Share your COVID-19 Elastic Stack stories on #ElasticStories
  • Insinuator
    ERNW SecTools, Active Directory Security and the Corona Pandemic
  • Josh Moulin
    Work From Home Cybersecurity During COVID-19
  • Journey Notes
    Ensure business continuity during COVID-19 uncertainty
  • Journey Notes
    COVID-19 chatter on dark web bodes Ill for cybersecurity
  • Koen Van Impe
    COVID-19 Blocklists
  • Logzio
    Launching the Community COVID-19 Dashboard Project
  • Microsoft Security
    Microsoft works with healthcare organizations to protect from popular ransomware during COVID-19 crisis: Here’s what to do
  • Morphisec
    Malware Authors Playing on COVID-19 Fears to Achieve Their Goals
  • NVISO Labs
    To Zoom or Not to Zoom
  • Radware
    Here’s How Bots Are Exploiting Coronavirus Fears
  • SANS Blog
    Top Three COVID-Related Risks
  • Cisco Blogs
    COVID-19 relief package provides another platform for bad actors
  • Symantec
    COVID-19 Outbreak Prompts Opportunistic Wave of Malicious Email Campaigns
  • Symantec
    Malicious Android Apps Exploit Coronavirus Panic
  • The PhishLabs Blog
    COVID-19 Phishing Update: Email Posing as Scam Guidance Delivers Malware Instead
  • The PhishLabs Blog
    COVID-19 Phishing Update: Nigerian Prince Lures Evolve with Crisis
  • Trustwave SpiderLabs
    COVID-19 Malspam Activity Ramps Up
  • VMware Carbon Black
    Threat Analysis Unit (TAU) Threat Intelligence Notification: CoronaVirus Ransomware
  • WeLiveSecurity
    Coronavirus con artists continue to spread infections of their own
  • ZScaler
    COVID-19: A Call for Compassion
  • Cyber Triage
    How to Execute During Incident Response: OODA for DFIR 2020

MISCELLANEOUS

• Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’
  Daily Blog #661: New Blog Template, New Blog Entry, New Daily Blog

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 4/4/2020

• Lori Tyler at AccessData
  Image Detection or Image Recognition? Quin-C Does Both!

• Yulia Samoteykina at Atola
  Using segmented hashing in Atola TaskForce for data verification

• Samuel Alonso at Cyber IR
  Cyber Economics (2) – Deployment of advanced targeted security controls with Threat Modelling and Cyber Insurance

• DFIR Training
  Foxton Forensics Giveaway Entry Form

• Elena Shulga at Ace Lab
  ACE Lab Stays Open for Business Despite the COVID-19 Outbreak

• Enisa
  Roadmap on the cooperation between CSIRTS and LE

• John Wu
  Android Booting Shenanigans

• Magnet Forensics
  • Magnet AXIOM Adds Support for .dar Files
  • Identifying Unique Devices and Systems in Magnet AXIOM Investigations

• Magnet Forensics
  Meet Magnet Forensics’ Training Team: Jerry Hewitt

• Satria Ady Pradana at MII Cyber Security Consulting Services
  My Experience on Taking SANS Course (SEC660), The Advance Pentesting Course

• MSAB
  • Now available: Contact tracing technology to assist in fighting the coronavirus pandemic – with data from mobile phones
  • Speed up processes and eliminate errors with standardized digital forensic reports

• Open Source DFIR
  Digital Forensics: Processing at Scale

• Gina Cristiano at ADF
  ADF’s Top 5 Knowledge Base Articles

• Ryan Benson at dfir.blog
  Unfurl… in 3D

• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — March 29 to April 4

• SANS
  • Instructor Spotlight: Benjamin Wright, LEG523 Author
  • Instructor Spotlight: Don C. Weber
  • 5 Advantages of Taking Your Next Blue Team Course via SANS OnDemand

• Sumuri
  Sumuri Gives Back With a Little Help from our Friends
  
  
• The Leahy Center for Digital Forensics & Cybersecurity
  Leahy Center Founder Jonathan Rajewski Awarded Leadership Award By FBI Albany

SOFTWARE UPDATES

• Amped
  Amped DVRConv Update 16432: New Formats and Support for the Spanish Language

• ArsenalRecon
  Check out @ArsenalRecon’s tweet

• Belkasoft
  Belkasoft news

• Brim
  v0.6.0

• ComaeIO
  Check out @ComaeIO’s tweet

• DME Forensics
  DVR Examiner Version 2.9.0

• Didier Stevens
  Update: msoffcrypto-crack.py Version 0.0.5

• Elcomsoft
  • ElcomSoft Phone Breaker 9.50 fixes iCloud access, upgrades Home licenses to Pro
  • Elcomsoft System Recovery and Forensic Disk Decryptor updates: macOS encryption and VeraCrypt support
  • Elcomsoft breaks VeraCrypt containers, expands cloud support with Microsoft Azure deployment

• Eric Zimmerman
  ChangeLog

• ExifTool
  ExifTool 11.93

• GetData
  31 Mar 2020 – 5.2.2.9420

• Magnet Forensics
  Magnet AXIOM 3.11 Now Available with Device Identifiers, .DAR File Support and More!

• Mail Xaminer
  Current Challenges in Digital Forensics Investigations

• Metaspike
  Forensic Email Collector (FEC) Changelog

• Oxygen Forensics
  Oxygen Forensic® Detective v.12.3

• Paraben Corp
  E3 2.5 Bronze Edition is now available!

• SOF ELK
  Check out @SOF_ELK’s tweet

• X-ways Forensics
  X-Ways Forensics 20.0 Preview 4
  

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically, hit us up through the contact page or on the social pipes!