Links only again, probably will be for a few more weeks. Being stuck at home doesn’t make me less busy apparently 🙂
No Lodrina this week, so links only for her sections too.

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Joakim Schicht at Arsenal Recon
  An Inside View of Office Document Cache Exploitation

• Korstiaan Stam at Cloud Response
  Everything you need to know about MailItemsAccessed and more

• Marco Fontani at Amped
  Unity Is Strength! In Challenging Cases, Amped Authenticate’s Compare CRP Makes Source Device Identification More Accurate

• Francesco Picasso at Zena Forensics
  teleparser

• Maxim Suhanov
  BAM internals

• Oleg Afonin at Elcomsoft
  • Breaking LastPass: Instant Unlock of the Password Vault
  • Cloudy Times: Extracting and Analyzing Location Evidence from Cloud Services
  • Extracting Passwords from Microsoft Edge Chromium

• Ryan Benson at dfir.blog
  Unfurling Unknown Protobufs

• Sami Laiho at 4sysops
  How to capture a network trace from a remote computer
  

THREAT INTELLIGENCE/HUNTING

• Active Countermeasures
  • Threat Simulation – DNS
  • Threat Simulation – Beacons

• Adam at Hexacorn
  • ProcMon as… an API Monitor
  • Code Injection everyone forgets about
  • Tag me if you can… driver
  • PDBs… from the the good sauce…

• David Fletcher at Black Hills Information Security
  Backdoors & Breaches: Logon Scripts

• Blackberry
  Decade of the RATs: Novel APT Attacks Targeting Linux, Windows and Android

• Brad Duncan at Malware Traffic Analysis
  • 2020-04-07 – Pcap and malware for an ISC diary (ZLoader)
  • 2020-04-03 – German and English malspam pushing ZLoader
  • 2020-04-08 – Qakbot (Qbot) zip file info

• Check Point Research
  Threat Actors Migrating to the Cloud

• Ashley Tran at Cofense
  New Phishing Campaign Spoofs WebEx to Target Remote Workers

• Richard Bejtlich at Corelight
  Enabling SOHO Network Security Monitoring

• Michael Savitz and Donnie Tindall at Crypsis
  Lessons Learned from the CVE-2019-19781 NetScaler Vulnerability

• Mike Talon at Cymulate
  What is Breach and Attack Simulation (BAS)?

• Deriving Cyber Threat Intelligence and Threat Hunting
  LogonTracer during forensic investigations

• Jason D. Christopher at Dragos
  Threat Management and NERC CIP: Own it Before You Get Owned

• Brent Murphy and David French at Elasticsearch
  Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 2)

• Mor Rubin at Microsoft’s Enterprise Mobility + Security
  Azure ATP now detects SMBGhost

• Kathleen Metrick, Parnian Najafi, and Jared Semrau at Fire Eye Threat Research
  Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather
  than Skill — Intelligence for Vulnerability Management, Part One

• Foregenix
  • Red Teaming: Command and Control protocols
  • Introducing RETURNINGPATIENT

• Raj Chandel at Hacking Articles
  • Credential Dumping: WDigest
  • Credential Dumping: Security Support Provider (SSP)
  • Credential Dumping: Applications

• Harshit Sharma at Lucideus
  Hunting Path Traversal | Everything you need to know! | Harshit Sharma | Lucideus

• Huseyin Rencber
  Malware Hash- Fuzzy Hashing

• Shusei Tomonaga at JPCERT/CC
  Attacks Simultaneously Exploiting Vulnerability in IE (CVE-2020-0674) and Firefox (CVE-2019-17026)

• Herbie Zimmerman at ‘Lost in Security’
  2020-04-06 Qealler RAT Malspam

• Tom Sellers at Rapid7
  Phishing for SYSTEM on Microsoft Exchange (CVE-2020-0688)

• SANS
  Introducing Slingshot C2 Matrix Edition

• Costin Raiu at Securelist
  YARA webinar follow up

• Joshua Deacon and Lloyd Macrohon at Trustwave SpiderLabs
  • An In-depth Look at MailTo Ransomware, Part Two of Three
  • An In-depth Look at MailTo Ransomware, Part Three of Three

• Xavier Mertens at /dev/random
  Hey Scanners, Say “Cheese!”

• Yoroi
  Yoroi Annual CyberSecurity Report 2019
  

UPCOMING WEBINARS/CONFERENCES

• Evan Kohlmann at Flashpoint
  Leveraging Chat Services to Detect and Address Threats

• MSAB
  • Investigating Unsupported Apps – Presented by Hatem Tammam – MSAB Trainer
  • Metadata & Location Data – Presented by Rozaili Idris – MSAB Trainer

• OSDFCon
  2020 Call For Presentations & Workshops
  

PRESENTATIONS/PODCASTS

• Kevin Ripa at 3MinMax
  Introducing New SANS 3MinMax Series with Certified Instructor Kevin Ripa
  • Episode 10: Checking for disk encryption prior to imaging
  • Episode 11: What does “forensically sound” actually mean? Part 1
  • Episode 12:  What does “Forensically Sound” Actually Mean? Part 2
  • Episode 13:  What are the top 5 “Quick Win” files in Battlefield Forensics?

• Blackbag Technologies
  • Catalina: A Voyage Through Apple’s New Artifacts
  • BlackBag Tip of the Day: Apollo Integration
  • BlackBag Tip of the Day: Evidence Status Window
  • BlackBag Tip of the Day: Importing .ivx Files

• Heather Mahalik at Cellebrite
  Ask the Expert: How to Detect Unparsed Apps in UFED Physical Analyzer by Heather Mahalik – Part 2

• Detections Podcast Blog
  Episode 20: Tool Time with Detections

• Digital Forensic Survival Podcast
  DFSP # 216 – DHASH

• Jerry Bui at Digital Forensics Future
  S2:E1 My Forensic Take | Predictions for the New Decade

• Mike Williamson
  How to submit a Pull Request on Github – forensicmike1.com

• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Theory – Network Worm Basics

• Jamey Tubbs at Magnet Forensics
  From the Training Team: Magnet AXIOM Advanced Computer Forensics (AX250)

• Lee Reiber at Mobile Forensic Investigations
  Oxygen Forensics Episode 104

• MSAB
  • How to Use the Column View in XAMN
  • How to Tag Artifacts in XAMN
  • Find Location Data From Pictures in XAMN
  • How to Use the List View in XAMN
  • Nuix and MSAB Integration: Transferring Mobile Data Has Never Been Easier
  • So markieren Sie Artefakte in XAMN
  • How to Open an Extraction or a Case in XAMN

• Paraben Corporation
  • Processing SQLite Data in the E3 Forensic Platform
  • Data Triage Incident Response Data in the E3 Forensic Platform
  • Data Triage of Windows Activity Timeline, Link Files & Jump Lists in E3 Forensic Platform

• Richard Davis at 13Cubed
  Introduction to iLEAPP – iOS Forensics Made Easy

• SANS
  SANS Live Online – New Online Training Platform
  

MALWARE

• 360 Netlab
  • DDG的新征程——自研P2P协议构建混合P2P网络
  • DDG botnet, round X, is there an ending?

• Andreas Klopsch at ‘Malware and Stuff’
  Diving into Qbot part 1.5 – Cracking string encryption

• Bitdefender Labs
  • New dark_nexus IoT Botnet Puts Others to Shame
  • Who installs Zoom apps outside the Play Store? Well, lots of people.

• Jamie at Click All the Things!
  Qbot – .vbs file full deobfuscation

• Michael Bailey at Fire Eye Threat Research
  Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation

• Malwarebytes Labs
  Copycat criminals abuse Malwarebytes brand in malvertising campaign

• Paul Michaud at Red Canary
  Uncompromised: Unpacking a malicious Excel macro

• SANS Internet Storm Centre Handler Diaries
  • Maldoc XLS Invoice with Excel 4 Macros, (Sun, Apr 5th)
  • Password Protected Malicious Excel Files, (Mon, Apr 6th)
  • Increase in RDP Scanning, (Tue, Apr 7th)
  • PowerShell Sample Extracting Payload From SSL, (Fri, Apr 10th)
  • Wireshark 3.2.3 Released: Mac Users Pay Attention Please, (Sat, Apr 11th)
  • Critical Vuln in vCenter vmdir (CVE-2020-3952), (Fri, Apr 10th)

• Igor Golovin at Securelist
  Unkillable xHelper and a Trojan matryoshka

• Ole Villadsen at Security Intelligence
  ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework

• Jason Reaves at SentinelLabs
  Deep Dive Into TrickBot Executor Module “mexec”: Hidden “Anchor” Bot Nexus Operations

• Cesar Anjos at Sucuri
  Analyzing & Decrypting L4NC34’s Simple Ransomware

• Brian Baskin at VMware Carbon Black
  TAU Threat Analysis: NetWire Variant Leveraging AutoIt Scripts and Windows Shortcut Links

• W3ndige
  Investigating similarities between .NET RATS

• ZScaler
  • New Ursnif Campaign: A Shift from PowerShell to Mshta
  • TrickBot Emerges with a Few New Tricks

• COVID-19 related!
  • Check Point Research
    COVID-19 goes mobile: Coronavirus malicious applications discovered
  • Check Point Software
    A Perfect Storm: the Security Challenges of Coronavirus Threats and Mass Remote Working
  • Click All the Things!
    COVID-19, Excel 4.0 Macros, and Sandbox Detection
  • Cofense
    Coronavirus Redefines the Phishing Threat Landscape
  • Cofense
    Coronavirus-Themed Phish Continue to Surge
  • Cyber Threat Coalition
    2020-04-06 Weekly Threat Advisory
  • Fire Eye Threat Research
    Limited Shifts in the Cyber Threat Landscape Driven by COVID-19
  • Flashpoint
    COVID-19 Key Developments: March 28-April 03
  • Malwarebytes Labs
    APTs and COVID-19: How advanced persistent threats use the coronavirus  as a lure
  • Microsoft Security
    Microsoft shares new threat intelligence, security guidance during global crisis
  • Stranded on Pylos
    The Opportunistic Adversary and the Pressure of Events
  • The PhishLabs Blog
    COVID-19 Phishing Update: Promise of Payments Fuel Financial Fraud
  • The PhishLabs Blog
    COVID-19: New Daily Intel Download and Webinar Next Week

MISCELLANEOUS

• Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog
  • Daily Blog #664: Sunday Funday 4/5/20
  • Daily Blog #663: Magnet Virtual Summit 2020
  • Daily Blog #665: Pancake Viewer part 1
  • Daily Blog #666: Pancake Viewer Part 2 with Test Kitchen
  • Daily Blog #667: Pancake Viewer Part 3 with Test Kitchen
  • Daily Blog #668: Pancake viewer part 4
  • Daily Blog #669: Forensic Lunch 4/10/20
  • Daily Blog #670: Solution Saturday 4/11/20

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 4/9/2020

• Olga Milishenko at Atola
  TaskForce imaging speed

• attackd0gz-sec
  OSINT Operation Prep – Tiger King Style

• Basis Technology
  COVID-19 Free Autopsy Training

• Brett Shavers
  Mini-WinFE 10 and WinFE 10 Updated

• Brett Shavers at DFIR.Training
  What’s New at DFIR Training?

• Stephen Burg at Cyberbit
  Improve Remote Cybersecurity Training and Incident Response with a Follow the Sun Model

• Cybereason
  • 3 Straightforward Ways to Build a SOC
  • Insights from a Fireside Chat on Ransomware, Cloud Adoption, & CISOs

• Foxton Forensics
  Cyber Challenge #2 — April 2020

• Magnet Forensics
  • See How Magnet OUTRIDER Can Help You Find CSAM Faster
  • Google G Suite in Magnet AXIOM Cyber
  • Keywords for Personally Identifiable Information (PII) in Magnet AXIOM
  • Snapchat Warrant Returns in Magnet AXIOM
  • Instagram Warrant Returns in Magnet AXIOM
  • Google Warrant Returns in Magnet AXIOM
  • Facebook Warrant Returns in Magnet AXIOM
  • Apple Warrant Returns in Magnet AXIOM
  • Warrant Return Analysis in Magnet AXIOM

• Mail Xaminer
  Outlook PST File Forensics – Examine PST Data without Outlook

• Mathias Fuchs at CyberFox
  LevelUp Labs

• Mission Darkness
  Shielding requirements for digital forensics investigations

• MSAB
  Introducing a new tutorial series

• Oxygen Forensics
  • Live Online Training
  • Remote Collections using Extractor Enterprise

• Paul Cimino
  Security Blue Team Intro to OSINT Review

• ADF
  • Introducing Field Investigator for Teams
  • 7 Tips for Reducing Your Forensic Backlog

• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — April 5 to April 11

• The Leahy Center for Digital Forensics & Cybersecurity
  • Remote Student Spotlight: Lenora Batcher
  • Working From Home With Sawyer Zundel

• David Kennedy at TrustedSec
  From the Desk of the CEO: TrustedSec Announces Professional Training Courses Online

• VTO Labs
  • Frozen Forensics: Exploring VTO’s radical new research on water damaged mobile devices
  • Handling Evidence Exposed to Biohazardous Material
    

SOFTWARE UPDATES

• Arsenal Recon
  ODC Recon v1.0.0.55 and AIM v3.1.107

• Binalyze
  Version 1.9.18

• Cellebrite
  Get 3rd Party App Data and Locations Enrichment

• Didier Stevens
  Update XORSearch Version 1.11.3

• Elcomsoft
  Sage and Microsoft SQL update: ready for 2020

• GetData
  9 Apr 2020 – 5.2.2.9444

• IOC Parser
  IOC Parser

• Max Kersten
  MalPull

• MISP
  MISP 2.4.124 released (aka the dashboard, auditing improvements)

• MobilEdit
  Beta of MOBILedit Forensic Express 7.2 now available for download!

• Mount Image Pro
  09 Apr 2020 – v7.1.2.1880

• MSAB
  New versions of XRY, XAMN and XEC are now available

• Passware
  Passware Kit 2020 v2 Now Released

• X-ways
  X-Ways Forensics 20.0 Preview 5

• X-ways
  X-Ways Forensics 19.9 SR-6
  

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!