As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Alexis Brignoni
  Check out @AlexisBrignoni’s Tweet
  
  
• Brian Maloney
  Your AV is Trying to Tell You Something: VBN’s Part 3
  
  
• Brendan Mccreesh
  Data Exfiltration via ConnectWise Control (formerly ScreenConnect)
  
  
• James Smith at DFIR Madness
  Triage Disk Analysis Case 001
  
  
• Lukasz Olszewski at Cyberush
  Super timeline initial triage with Jupyter and Pandas
  
  
• Meisam Eslahi at Cyber Security Hub
  Blue Team-System Live Analysis [Part 6]- Windows: User Account Forensics -Road Map
  
  
• The DFIR Report
  Bazar Drops the Anchor
  
  

THREAT INTELLIGENCE/HUNTING

• More Exchange posts!
  • Product Update: Detect Microsoft Exchange Attacker Activity
  • Microsoft Exchange 0-day Vulnerability Analysis
  • All You Need to Know: The Four Zero Days in Microsoft Exchange Servers
  • Hafnium Update: Continued Microsoft Exchange Server Exploitation
  • CyberDefenses and InfoForense Join Forces Against HAFNIUM Assault on Exchange Server
  • HAFNIUM and SolarWinds Attacks Highlight Lack of Accountability
  • Chinese APT Attack On-Premises Version of Microsoft Exchange
  • Hafnium Leveraging Multiple Zero-Days to Attack Microsoft Exchange
  • Quickpost: “ProxyLogon PoC” Capture File
  • Examining Exchange Exploitation and its Lessons for Defenders
  • New DearCry Ransomware Targets Microsoft Exchange Server Vulnerabilities
  • Spying on your Exchange Server
  • Microsoft Exchange Logging – Hafnium and other Attack Scenarios
  • Analysis – Post-Exploitation from Microsoft Exchange HAFNIUM
  • How businesses are responding to the attack on Microsoft Exchange
  • Attacks on Microsoft Exchange servers | Kaspersky official blog
  • Microsoft Exchange & the HAFNIUM Threat Actor
  • Hafnium Hacks Microsoft Exchange: Who’s at Risk?
  • Microsoft Exchange attacks cause panic as criminals go shell collecting
  • Ransomware is targeting vulnerable Microsoft Exchange servers
  • Protecting on-premises Exchange Servers against recent attacks
  • Analyzing Attacks Against Microsoft Exchange Server With China Chopper Webshells
  • Attackers Won’t Stop With Exchange Server. You Need a New Playbook
  • Microsoft Exchange Server Attack Timeline
  • Threat Assessment: DearCry Ransomware
  • Reproducing the Microsoft Exchange Proxylogon Exploit Chain
  • Microsoft Exchange server exploitation: how to detect, mitigate, and stay calm
  • Protecting Sophos customers from HAFNIUM
  • Detecting Microsoft Exchange Vulnerabilities – 0 + 8 Days Later…
  • How Symantec Stops Microsoft Exchange Server Attacks
  • Finding Proxylogon and Related Microsoft Exchange Vulnerabilities: How Tenable Can Help
  • Is your Exchange Hybrid Server internet-facing? You have likely already been hacked
  • Microsoft Exchange Attack: Am I affected and what do I do next?
  • Tracking Microsoft Exchange Zero-Day ProxyLogon  and HAFNIUM
  • TAU Threat Advisory: Microsoft Exchange Servers Targeted with Four Zero-day Exploits
  • Exchange servers under siege from at least 10 APT groups
    
    
• Abuse ch
  Introducing ThreatFox
  
  
• Amit Meggido at AWS Security
  How you can use Amazon GuardDuty to detect suspicious activity within your AWS account
  
  
• Azure Sentine
  • Whats new: Azure Sentinel and Microsoft 365 Defender incident integration
  • Monitoring the Software Supply Chain with Azure Sentinel
  • What’s new: Alert Enrichment – Custom Details and Entity Mapping
    
    
• Victor Vrabie and Bogdan Botezatu at Bitdefender Labs
  Fin8 Group is Back in Business with Improved BADHATCH Kit
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2021-03-08 – Spelevo Exploit Kit (EK) pushes ZLoader malware
  • 2021-03-11 – IcedID (Bokbot) from Excel spreadsheet macro
  • 2021-03-12 – TA551 (Shathak) Italian template Word docs push Ursnif/Gozi/ISFB
  • 2021-03-12 – Quick post: IcedID malware/artifacts
    
    
• Jon Natkins at Corelight
  Getting the most out of your NIDS
  
  
• DomainTools
  • SolarWinds Aftermath Threat Hunting Survey Yields Mixed News
  • Caught in the Act: A Phishing Expedition
    
    
• Aaron Boyd at Dragos
  Defending SOGARD: Behind the Scenes at the 2021 SANS ICS Summit CTF
  
  
• Elastic
  • Detecting threats in AWS Cloudtrail logs using machine learning
  • Validating Elastic Common Schema (ECS) fields using Elastic Security detection rules
    
    
• Flashpoint
  CL0P and REvil Escalate Their Ransomware Tactics
  
  
• InfoSec Write-ups
  TryHackMe: THREAT INTELLIGENCE
  
  
• Luke Leal at Sucuri
  Magento 2 PHP Credit Card Skimmer Saves to JPG
  
  
• Huy at Microsoft 365 Security
  Incident Response Series: Collecting and analyzing logs in azure ad
  
  
• Microsoft Azure
  Azure Defender for Storage powered by Microsoft threat intelligence
  
  
• Ram Pliskin at Microsoft Security
  Azure LoLBins: Protecting against the dual use of virtual machine extensions
  
  
• Recorded Future
  • Introduction to Sigma Rules and Detection of Credential Harvesting
  • Using Intelligence to Prioritize AWS Guard Duty Alerts
  • Understanding Accellion’s FTA Appliance Compromise, DEWMODE, and Its Supply Chain Impact
    
    
• SANS
  • A Visual Summary of SANS ICS Security Summit
  • Rekt Casino Revisited: Operational Series Part 1
    
    
• SANS Internet Storm Center
  • PCAPs and Beacons, (Sun, Mar 7th)
  • YARA and CyberChef, (Mon, Mar 8th)
  • Piktochart – Phishing with Infographics, (Thu, Mar 11th)
  • SharpRDP – PSExec without PSExec, PSRemoting without PowerShell, (Wed, Mar 10th)
  • Microsoft DHCP Logs Shipped to ELK, (Fri, Mar 12th)
    
    
• Dave McMillen and Limor Kessem at Security Intelligence
  Dridex Campaign Propelled by Cutwail Botnet and Poisonous PowerShell Scripts
  
  
• Yotam Gutman at SentinelOne
  Hiding Among Friends | How To Beat The New Breed of Supply Chain Attacks
  
  
• Strategic Cyber
  Simple DNS Redirectors for Cobalt Strike
  
  
• Diana Lopera at Trustwave SpiderLabs
  Image File Trickery Part II: Fake Icon Delivers NanoCore
  
  

UPCOMING EVENTS

• Andrew Lister at Detego
  Automation with Detego Analyse
  
  
• Belkasoft
  March 15-16: BelkaDay Europe 2021 – virtual digital forensics conference. Register now!
  
  
• Cellebrite
  • Catching the Latest Capabilities of Cellebrite Forensic Solutions
  • Remote Collection of Endpoints for Investigations
  • More than a Makeover: MacQuisition is now Digital Collector
    
    
• CFATI3 2021
  1st International Workshop on Cyber Forensics and Advanced Threat Investigations in Emerging Technologies
  
  
• Cybereason
  Webinar: The State of Ransomware
  
  
• Forensic Focus
  Register For Webinar: Let’s Talk About The State of Corporate Digital Forensics
  
  
• iNPUT-ACE
  Excitement Brewing for the 2021 Symposium
  
  
• WSDF 2021
  The 14th International Workshop on Digital Forensics (WSDF 2021)
  
  

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.41 – Katie Nickels
  
  
• Kevin Ripa at SANS
  • Episode 181: When Forensicators Screw Up – Part 1
  • Episode 182: When Forensicators Screw Up – Part 2
  • Episode 183: When Forensicators Screw Up – Part 3
    
    
• AccessData
  FTK Feature Focus – Episode 3 –  Searching Email
  
  
• Andreas Sfakianakis at ‘Tilting at windmills’
  Top 25 CTI Presos for 2020 (pandemic version)
  
  
• Archan Choudhury at BlackPerl
  INCIDENT RESPONSE TRAINING FREE || How to Sign in InfoSec Industry, ft. JatinderPal Singh|| Day 3
  
  
• Black Hills Information Security
  • BHIS | Talkin’ Bout News 2021-03-08
  • Infosec Job Hunting (Part 5 of 5): Keeping Opportunities Organized, Hunt for Entry Level Position
  • BHIS | Sacred Cash Cow Tipping 2021 – John Strand & BHIS Testers
  • Talkin’ About Infosec News – 3/8/2021
  • Webcast: Sacred Cash Cow Tipping 2021
  • BHIS | Virtual Backdoors & Breaches! – 2021-03-10
    
    
• Breaking Badness podcast
  78. License To Shill
  
  
• Bret Witt
  • SOC129 EventID: 63 (Successful Local File Inclusion) [Feb. 21, 2021, 5:02 p.m.]
  • SOC126 EventID: 61 (Suspicious New Autorun Value Detected) [Feb. 14, 2021, 6:40 p.m.]
  • Malware Analysis – Work from Home
    
    
• Cellebrite
  Learn how to best utilize Log entries in Cellebrite Physical Analyzer
  
  
• Digital Forensic Survival Podcast
  • DFSP # 263 – Threat Hunt with Statistics
  • DFSP # 264 – Golden SAML
    
    
• Hurricane Labs
  Designing a SOC: Internal or External? Part 1
  
  
• Kengo Teramoto at JPCERT/CC
  Japan Security Analyst Conference 2021 -1st Track-
  
  
• Lee Reiber’s Forensic Happy Hour
  Oxygen Forensics Episode 205
  
  
• Paraben Corporation
  E3 Forensic Platform Overview
  
  
• Positivity Blue Team
  Better Defense Through Offense
  
  
• SANS
  • STAR Webcast: Making sense of SolarWinds through the lens of MITRE ATT&CK(R)
  • Cyber-Espionage: Out of the shadows. Into the digital crosshairs | John Grim | SANS CTI Summit 2021
  • Not That Kind of Vulnerability! – Human Trafficking During Coronavirus
  • Jackpotting ESXi Servers For Maximum Encryption | Eric Loui & Sergei Frankoff | SANS CTI Summit 2021
  • SANS ICS Security Summit Keynote:  Anne Neuberger
  • The CTI Shadow Army: Tales from the Trenches – Small Business Owner/Solopreneur Edition | CTI Summit
  • The Cognitive Stairways of Analysis | Nicole Hoffman | SANS CTI Summit 2021
  • Spooky RYUKy: Chapter 2 | Van Ta & Aaron Stephens | SANS CTI Summit 2021
  • SANS Institute Celebrates International Women’s Day
  • Making sense of SolarWinds through the lens of MITRE ATT&CK | STAR Webcast
  • SANS OnDemand Cyber Security Courses
  • Part 2: Rekt Casino Hack – What?! There are Critical Security Controls We Should Follow?
  • Keynote Speaker Anne Neuberger at SANS ICS Summit 2021
    
    
• Security Conversations
  Ron Brash on the water plant hacks and the state of ICS security
  
  
• Sumuri
  Exciting News with SUMURI | Digital Forensics
  
  
• Teymur Kheirkhabarov
  Hunting For PowerShell Abuse
  
  

MALWARE

• 360 Netlab
  • Threat Alert: z0Miner Is Spreading quickly by Exploiting ElasticSearch and Jenkins Vulnerabilities
  • 新威胁：ZHtrap僵尸网络分析报告
    
    
• Adam at Hexacorn
  ELF sections stats
  
  
• Aneesh Dogra
  Reversing libfuse malware
  
  
• James Quinn at Binary Defense
  IcedID GZIPLOADER Analysis
  
  
• Thu Pham at Blumira
  An Analysis of the Most Active Ransomware Variants
  
  
• Check Point Research
  • Clast82 – A new Dropper on Google Play Dropping the AlienBot Banker and MRAT
  • Playing in the (Windows) Sandbox
    
    
• CISA Analysis Reports
  • MAR-10328877-1.v1: China Chopper Webshell
  • MAR-10328923-1.v1: China Chopper Webshell
  • MAR-10329107-1.v1: China Chopper Webshell
  • MAR-10329297-1.v1: China Chopper Webshell
  • MAR-10329298-1.v1: China Chopper Webshell
  • MAR-10329301-1.v1: China Chopper Webshell
  • MAR-10329494-1.v1: China Chopper Webshell
    
    
• Jaeson Schultz at Cisco’s Talos
  Domain dumpster diving
  
  
• Elmer Hernandez at Cofense
  AutoHotKey Leveraged by Metamorfo/Mekotio Banking Trojan
  
  
• Cyber_00011011
  New Kid on The Block
  
  
• Gradiant
  Analizando el depurador de Ghidra
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #30: Quick views
  
  
• InfoSec Write-ups
  CC: Radare2- TryHackMe Walkthrough
  
  
• InfoSec Write-ups
  Analyzing a malicious site
  
  
• Avigayil Mechtinger and Joakim Kennedy at Intezer
  New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor
  
  
• Hossein Jazi at Malwarebytes Labs
  New steganography attack targets Azerbaijan
  
  
• Marco Ramilli
  0-Day Malware (2020)
  
  
• Alon Groisman at Morphisec
  MineBridge Is on the Rise, With a Sophisticated Delivery Mechanism
  
  
• NTCore
  • 2-Minutes QakBot Excel Malware Analysis
  • 1.5-Minutes QakBot Excel Malware Analysis (2nd sample)
    
    
• Proofpoint
  NimzaLoader: TA800’s New Initial Access Malware
  
  
• Robert Simmons at ReversingLabs
  DotNET Loaders
  
  
• Securelist
  • Ad blocker with miner included
  • Good old malware for the new Apple Silicon platform
    
    
• Secureworks
  SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group
  
  
• SentinelLabs
  • HelloKitty Ransomware Lacks Stealth, But Still Strikes Home
  • Top 15 Essential Malware Analysis Tools
    
    
• Echo Duan, Zhengyu Dong, Jesse Chang, and Neo Ma at Trend Micro
  No Laughing Matter: Joker’s Latest Ploy
  
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 3/12/2021
  
  
• Amped
  • Cell Phone Snaps: Bad Quality and Reliability
  • Photo Geek Measurement Experiments
    
    
• Olga Milishenko at Atola
  Imaging RAID 5 with a missing device
  
  
• Belkasoft
  Belkasoft X review by Davide Gabrini
  
  
• Digit Oktavianto at MII Cyber Security
  Leveraging Adversary Emulation / Simulation to Improve Security Posture in Organization
  
  
• Oxygen Forensics
  Data Export in OFD
  
  
• Rare Breed 4N6
  My Long Shot: 2021 Forensic 4:cast Awards
  
  
• Kelley Wilds, Whitney Champion, Samuel Kimmons, Eric Capuano, and Brian Greunke at Recon InfoSec
  SOC X 2021 – A Recap
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — March 7 to March 13
  
  
• Ryan Hausknecht
  Creating a Red & Blue Team Homelab
  
  
• SANS
  • Accessing Web APIs with PowerShell
  • SANS + HBCU Cyber Range Winners
    
    
• Selena Larson
  How I Moved from Journalism to Cyber Threat Intelligence
  
  

SOFTWARE UPDATES

• Antoine Cailliau
  YadaMail
  
  
• Capa
  v1.6.0
  
  
• Cellebrite
  How Apple’s Big Sur Impacts Your Analysis
  
  
• Dr. Brian Carrier at Cyber Triage
  Cyber Triage 2.14.3 Upload DFIR Artifacts to S3 Using Temporary Credentials
  
  
• Didier Stevens
  Update: 1768.py Version 0.0.5
  
  
• Eric Zimmerman
  ChangeLog
  
  
• F-Response
  Newest F-Response (CE, CE+C, EE, Univ) release now with Agentless Connection Support
  
  
• Malwoverview
  Malwoverview 4.3
  
  
• Manabu Niseki
  mihari
  
  
• Mente Binária
  Reverse Engineer’s Toolkit 2021c
  
  
• MISP
  MISP 2.4.140 released (OpenID support, cross object references in extended events and many improvements)
  
  
• Myrtus
  SMAT v1.1
  
  
• Xways
  • X-Ways Forensics 19.9 SR-15
  • X-Ways Forensics 20.0 SR-12
  • X-Ways Forensics 20.1 SR-10
  • X-Ways Forensics 20.2 Beta 5
    
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!