As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Brian Maloney
  Your AV is Trying to Tell You Something: VBN’s Part 1
  
  
• Doug Metz at Baker Street Forensics
  CSIRT-Collect
  
  
• Flynn Weeks at ‘The What2Log Blog’
  EventRecordID: A Hidden XML Tag
  
  
• Gabriele Zambelli at ‘Forense nella Nebbia’
  Building a Linux profile for Volatility 2 and 3
  
  
• Kyle Song
  Blog #25: Importance of Drive Trim in Forensic Imager part 1. [KR]
  
  
• Marko Rogge
  Forensik Guide Digitale Ermittlungen
  
  
• Mr. Hobbits
  Quick tip: GIMP Recent Files Artifact
  
  
• Nasreddine Bencherchali
  Forensics Artifacts — Parsing Symantec EDR “localdatastore” LevelDB Files
  
  
• Said Eid at Open Source DFIR
  What I wish someone had told me when I started learning about File System Forensics
  
  
• Oxygen Forensics
  Take It One Step Further with App Activity Analysis
  
  
• Daniel Wesemann at SANS Internet Storm Center
  Forensicating Azure VMs, (Thu, Feb 25th)
  
  
• Mitch Impey at Security Distractions
  Forensic Ramblings
  
  
• Warlock
  Exploring the Hive- Deep inside the Windows Registry. pt 2
  
  
• Zach Stanford
  Windows User Access Logs (UAL)
  
  

THREAT INTELLIGENCE/HUNTING

• Hannah Cartier at Active Countermeasures
  Malware of the Day – Indicators of Compromise: Lateral Movement and Backup C2
  
  
• Adam at Hexacorn
  • Beyond good ol’ Run key, Part 132
  • Event ID 7039 – out…pid a pid
    
    
• Sheldon Sides and Gagan Prakash at AWS Security
  Analyze and understand IAM role usage with Amazon Detective
  
  
• Azure Sentinel
  • Handling false positives in Azure Sentinel
  • Jupyter Notebook Pivot Functions
    
    
• Brian Henneberry at Blumira
  Anatomy of the SolarWinds Attack: Five Types of Malware
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2021-02-22 – IcedID (Bokbot) from same type of URL that normally delivers Qakbot
  • 2021-02-02 – Hancitor infection with Ficker Stealer, Cobalt Strike, and NetSupport RAT
  • 2021-02-24 – Qakbot (Qbot) infection with spambot traffic
  • 2021-02-25 – TA551 (Shathak) back to pushing IcedID (Bokbot)
    
    
• Oliver Rochford at Brim Security’s Knowledge Funnel
  Visualizing Network Cyber Attacks with Suricata and Zeek using Brim and NetworkX
  
  
• Check Point Research
  The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day
  
  
• CrowdStrike
  • 2021 Global Threat Report: Analyzing a Year of Chaos and Courage
  • Explore the Adversary Universe
  • Who Needs Another Alert? CrowdScore Hunts Attackers Hidden in the Data
    
    
• CyberArk
  The Anatomy of the SolarWinds Attack Chain
  
  
• Cysiv
  • MITRE ATT&CK + Cysiv: A Match Made for Gap Detection
  • Going Beyond the Status Quo MITRE ATT&CK Coverage
    
    
• Max Heinemeyer at Darktrace
  LockBit ransomware analysis: Rapid detonation using a single compromised credential
  
  
• DomainTools
  • Lessons Learned from SUNBURST for Threat Hunters
  • The Continuous Conundrum of Cloud Atlas
    
    
• Dragos
  • The Dragos Platform – Achieving Asset Visibility in Industrial Environments
  • 2020 ICS Cybersecurity Year in Review
    
    
• Jack Crook at ‘DFIR and Threat Hunting’
  More Behavioral Hunting and Insider Data Theft
  
  
• Ken Sajo at JPCERT/CC
  Emotet Disruption and Outreach to Affected Users
  
  
• Katie Nickels at ‘Katie’s Five Cents’
  A Cyber Threat Intelligence Self-Study Plan: Part 1
  
  
• Gijs Hollestelle at Falcon Force
  FalconFriday — Recognizing Beaconing Traffic— 0xFF0D
  
  
• Proofpoint
  TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, December 2020
  
  
• Vyacheslav Kopeytsev and Seongsu Park at Securelist
  Lazarus targets defense industry with ThreatNeedle
  
  
• Cisco
  • Gamaredon – When nation states don’t pay all the bills
  • How Does Triton Attack Triconex Industrial Safety Systems?
  • Detecting and Responding to SolarWinds Infrastructure Attack with Cisco Secure Analytics
    
    
• Tim Schulz at Scythe
  SCYTHE Presents: #ThreatThursday – menuPass
  
  
• Kevin Haubris at TrustedSec
  COFFLoader: Building your own in memory loader or how to run BOFs
  
  
• Sudeep Singh and Sahil Antil at ZScaler
  Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures
  
  

UPCOMING EVENTS

• AceLab
  he ACE Lab Online Technology Conference on Data Recovery & Digital Forensics 2021
  
  
• Andrea Lazzarotto
  Webinar su RecuperaBit e l’analisi forense di NTFS — 3 marzo 2021
  
  
• Belkasoft
  BelkaDay Europe conference: the CTF competition
  
  
• Cellebrite
  • Catching the Latest Capabilities of Cellebrite Forensic Solutions
  • How to Collect Data from MDM Devices
  • How to Collect Data from MDM Devices
    
    
• CyberWatch
  Diana Initiative CFP Now Open! It’s YOUR year!
  
  
• Magnet Forensics
  Easy Early Case Assessment Tool with Magnet IGNITE
  
  
• Sophos
  Become a Sophos EDR-certified admin
  
  

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.39 – Eric Katz
  
  
• Kevin Ripa at SANS
  • Episode 175: Digital Acquisition & Selecting Destination Media
  • Episode 176: Apple Device Tooling
  • Episode 177: Tools & Techniques: Opening an iPhone
    
    
• AceLab
  A Video from the ACE Lab Webinar on Flash Data Recovery for Beginners
  
  
• Archan Choudhury at BlackPerl
  INCIDENT RESPONSE TRAINING FREE || Incident Response Process || Day 2
  
  
• Black Hat
  • You have No Idea Who Sent that Email: 18 Attacks on Email Sender Authentication
  • Lateral Movement & Privilege Escalation in GCP; Compromise Organizations without Dropping an Implant
    
    
• Black Hills Information Security
  • Talkin’ About Infosec News – 2/22/2021
  • Talkin’ About Infosec News – 2/24/2021
  • Infosec Job Hunting (Part 2 of 5): Reverse Engineering Job Descriptions & Building Custom Resumes
  • Infosec Job Hunting (Part 1 of 5): How to Locate the Work You Want
    
    
• Breaking Badness
  76. Hardware…Software…There’s a Hack for Everything
  
  
• Bret Witt
  SOC101 EventID: 59 (Phishing Mail Detected) [Feb. 14, 2021, 3 a.m.]
  
  
• Cellebrite
  • Time conversions in Cellebrite Physical Analyzer.
  • Policing 2025: Where is Policing Headed?
  • Policing 2025: Is Your Organization Digital Intelligence Ready?
  • Policing 2025: Importance of Training
  • Policing 2025: Importance of a Digital Intelligence Strategy
  • Policing 2025: Top Challenges for Law Enforcement Agencies
  • Policing 2025: Collaboration Across Agencies
  • Policing 2025: Envisioning a New Framework for Digital Investigations – the full version
  • Gallery View in Cellebrite Physical Analyzer
    
    
• Cisco’s Talos
  Talos Takes Ep. #42: Seriously folks, save your logs
  
  
• Didier Stevens
  oledump and YARA DDE Rules
  
  
• Digital Forensic Survival Podcast
  DFSP # 262 – Security Theatre
  
  
• Gerald Auger at Simply Cyber
  Cybersecurity’s Dirty Little Secret (How to handle it)
  
  
• Lee Reiber’s Forensic Happy Hour
  Oxygen Forensics Episode 204
  
  
• Life has no CTRL ALT DEL with Heather Mahalik
  • How to Get Started the Right way with SQLite Queries
  • Using SQLite Gaps to Recover More Data in Digital Investigations
    
    
• Magnet Forensics
  • Enterprise Pulse: An Industry Speaker Series (Register to receive recordings as they’re available)
  • Tips & Tricks // Decrypting Application Data Using the iOS Keychain and GrayKey
  • Leveraging the Chrome Media History Artifact in Magnet AXIOM
    
    
• SANS
  • Pivoting from Art to Science | SANS CTI Summit 2021
  • Analyzing Chinese Information Operations with Threat Intelligence | SANS CTI Summit 2021
  • Encuentros de dia cero: Relatos desde la trinchera
  • Collections and Elections: How The New York Times built an intel collections program in 2020
  • ICS Hot Take: Oldsmar, FL Water Facility Event
  • Riding the WAVE to Better Collaboration and Security | SANS CTI Summit 2021
  • Part 4: Rekt Casino Hack – Pulling It All Together
    
    
• Shannon Brazil
  Check out @4n6lady’s Tweet
  
  
• The Digital Forensics Files Podcast
  Former FBI Digital Forensics Trainer, Nelson Eby of Open Text Joins Tyler Hatch
  
  
• Ronnie Watson at Watson Infosec
  Channel Update | WatsonInfoSec
  
  

MALWARE

• 0xthreatintel
  • Assertion on APTs recent activities
  • Uncovering APT29 tool: Trojan PolyGlot Duke — (unpacking)
  • Uncovering APT29 tool: Trojan PolyGlot Duke — (analysis)
    
    
• 360 Total Security
  • DarkWorld Ransomware
  • SilentFade virus strikes, Cyberstalking and Ransom user
    
    
• Anity at Blackorbird
  Analysis report on the attack activities of the “Baby Elephant” organization against Pakistani defense manufacturers
  
  
• Anh Ho at Avast Threat Labs
  MassLogger v3: a .NET stealer with serious obfuscation
  
  
• Patrick Schläpfer at HP
  Hancitor Infection Chain Analysis: An Examination of its Unpacking Routine and Execution Techniques
  
  
• CISA
  • MAR-10322463-7.v1 – AppleJeus: Ants2Whale
  • MAR-10322463-3.v1 – AppleJeus: Union Crypto
  • MAR-10322463-4.v1 – AppleJeus: Kupay Wallet
  • MAR-10322463-5.v1 – AppleJeus: CoinGoTrade
  • MAR-10322463-2.v1 – AppleJeus: JMT Trading
  • MAR-10322463-6.v1 – AppleJeus: Dorusio
  • MAR-10322463-1.v1 – AppleJeus: Celas Trade Pro
  • MAR-10318845-1.v1 – SUNBURST
  • MAR-10320115-1.v1 – TEARDROP
  • MAR-10319053-1.v1 – Supernova
  • MAR-10325064-1.v1 – Accellion FTA
    
    
• Colin Hardy
  Remcos Config – Using RC4 to Get Command & Control from CyberChef
  
  
• Cyber_00011011
  A Malware Firehose
  
  
• Fire Eye Threat Research
  • Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
  • So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
    
    
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #28: Functions list
  
  
• InQuest
  Cracking Password Protected Payloads
  
  
• Intezer
  • 2020 Set a Record for New Linux Malware Families
  • Year of the Gopher: 2020 Go Malware Round-Up
    
    
• John Hammond
  • NahamCon is COMING BACK!
  • FAKE Antivirus? Malware Analysis of Decoy ‘kaspersky.exe’
    
    
• Malwarebytes Labs
  • The mystery of the Silver Sparrow Mac malware
  • LazyScripter: From Empire to double RAT
    
    
• Alexandre Mundo, Thibault Seret, Thomas Roccia, John Fokker and Valentine Mairet at McAfee Labs
  Babuk Ransomware
  
  
• McHugh Security
  • External Analysis with VirusTotal
  • Cuckoo Dynamic Malware Analysis
  • Building a parallel-analysis Cuckoo server
    
    
• Patrick Wardle at Objective-See
  Arm’d & Dangerous
  
  
• SANS Internet Storm Center
  • DDE and oledump, (Sun, Feb 21st)
  • Unprotecting Malicious Documents For Inspection, (Mon, Feb 22nd)
  • Qakbot in a response to Full Disclosure post, (Tue, Feb 23rd)
  • Malspam pushes GuLoader for Remcos RAT, (Wed, Feb 24th)
  • So where did those Satori attacks come from?, (Thu, Feb 25th)
  • Pretending to be an Outlook Version Update, (Fri, Feb 26th)
    
    
• Phil Stokes at SentinelOne
  5 Things You Need to Know About Silver Sparrow
  
  
• Janus Agcaoili and Byron Gelera at Trend Micro
  An Analysis of the Nefilim Ransomware
  
  
• Virus Bulletin
  New article: Decompiling Excel Formula (XF) 4.0 malware
  
  
• Yoroi
  Yes, Cyber Adversaries are still using Formbook in 2021
  
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 2/21/2021
  
  
• Yulia Samoteykina at Atola
  Imaging 15+ TB/hour with Atola TaskForce
  
  
• Belkasoft
  Belkasoft X review by Francois H. Putter (Deep Truth)
  
  
• Cellebrite
  Axon to Integrate Video Evidence Platform With Cellebrite
  
  
• CrowdStrike
  University Recruiter Julie Slater on how to make entry-level hiring more equitable
  
  
• Didier Stevens
  re-search.py And Custom Validations
  
  
• Rodrigo Sagastegui at DME Forensics
  DVR Examiner Install blocked by Windows Defender
  
  
• Forensic Focus
  • Multi-Region Webinar: Smart Policing In The Twenty-Twenties
  • What Changes Do We Need To See In eDiscovery? Part VII
  • Digital Forensics Research Looks To The Future
  • The Auxtera Project Launches To Make Justice More Accessible To Vulnerable Populations
    
    
• Christa Miller at Forensic Horizons
  The Third Party Doctrine Is Under Scrutiny. Will It Hold Up?
  
  
• Griffeye
  How can we support the mental health of CSA investigators?
  
  
• Yuta Fuchikami at JPCERT/CC
  Japan Security Analyst Conference 2021 -2nd Track-
  
  
• Patrick J. Siewert at ‘Pro Digital Forensic Consulting’
  Keys To Success in Digital Forensics:  Incident Response vs. Litigation Support
  
  
• SANS
  Instructor Spotlight: Jonathan Kirby
  
  
• Teri Radichel
  Cybersecurity Book Review: The Cuckoo’s Egg
  
  
• The Leahy Center for Digital Forensics & Cybersecurity
  • Interview with New Professional Services Director Jason Ehlers
  • Interview with Champlain Adjunct Professor Kevin Eaton
    
    

SOFTWARE UPDATES

• CyberChef
  v9.27.5
  
  
• Didier Stevens
  Update: re-search.py Version 0.0.16
  
  
• Eric Zimmerman
  ChangeLog
  
  
• ExifTool
  ExifTool 12.21
  
  
• Foxton Forensics
  Browser History Viewer — Version History
  
  
• Magnet Forensics
  Get More Insight with New and Updated Artifacts in Magnet AXIOM and AXIOM Cyber 4.10
  
  
• Philippe Paquet
  pe2json
  
  
• Chris Hoff at ReversingLabs
  A1000 Version 6.0
  
  
• Timesketch
  20210224
  
  
• Xways
  • X-Ways Forensics 20.1 SR-7
  • X-Ways Forensics 20.2 Beta 2
    
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!