As always, thanks to those who give a little back for their support!

Jason Jordaan, one of my FOR308 co-authors, needs your help! Please fill out the survey on DFIR fundamentals below (and go in the draw to win a $250 Amazon voucher).
Survey Now Open: 2021 SANS Digital Forensics Survey: Digital Forensics Essentials and Why Foundations Matter

FORENSIC ANALYSIS

• Abhiram Kumar
  What App Is On Fire? – Securinets Quals 2021
  
  
• Marco Fontani at Amped
  Screen Capture: It’s Not the Evidence, It’s a Video of the Evidence
  
  
• Atropos4n6
  An iOS Acquisition Guide
  
  
• Brian Maloney
  Your AV is Trying to Tell You Something: Submission Engine
  
  
• Cheeky4n6Monkey
  Monkey Test Drives a Honda Accord
  
  
• Eva Mendis at Data Forensics
  MBOX File Forensics – Carving The Evidences
  
  
• Didier Stevens
  FileZilla Uses PuTTY’s Registry Fingerprint Cache
  
  
• Doug Metz at Baker Street Forensics
  Questions from the Webcast
  
  
• Kevin Pagano at Stark 4N6
  Belkasoft 2021 CTF
  
  
• Kyle Song
  Blog #26: Importance of Drive Trim in Forensic Imager part 2. [EN]
  
  
• Nextron Systems
  Antivirus Event Analysis Cheat Sheet v1.8
  
  
• Jared Barnhart at Mac4n6
  Part 3: Step-by-step Tooling for iOS Research (via @bizzybarney)
  
  

THREAT INTELLIGENCE/HUNTING

• Tom McElroy at Azure Sentinel
  Web Shell Threat Hunting with Azure Sentinel
  
  
• Amanda Berlin at Blumira
  Detecting Breaches in the Cloud
  
  
• Brad Duncan at Malware Traffic Analysis
  2021-03-25 – Medical reminder service trial ending scam emails
  
  
• Roger Cheeks at Corelight
  Maximize your Splunk ES investment with Corelight
  
  
• Csaba Fitzl at ‘Theevilbit’
  • Beyond the good ol’ LaunchAgents – Introduction
  • Beyond the good ol’ LaunchAgents – 1 – shell startup files
  • Beyond the good ol’ LaunchAgents – 2 – iTerm2 startup command
  • Beyond the good ol’ LaunchAgents – 3 – Login Items
  • Beyond the good ol’ LaunchAgents – 4 – cron jobs
  • Beyond the good ol’ LaunchAgents – 5 – Pluggable Authentication Modules (PAM)
  • Beyond the good ol’ LaunchAgents – 8 – Hammerspoon
  • Beyond the good ol’ LaunchAgents – 7 – xbar plugins
  • Beyond the good ol’ LaunchAgents – 6 – SSHRC
  • Beyond the good ol’ LaunchAgents – 9 – Preference Pane
    
    
• Cyberint
  Black Kingdom Ransomware
  
  
• David Masson at Darktrace
  SANS ICS Security Summit 2021 recap: Industry on the move
  
  
• Tim Helming at DomainTools
  How To Build a Human Analyst’s Hunting List With SOAR Playbooks
  
  
• Dragos
  New ICS Threat Activity Group: STIBNITE
  
  
• Thomas Grabowski at Elastic
  Detecting rare and unusual processes with Elastic machine learning
  
  
• Igor Bogdanov
  APT Encounters of the Third Kind
  
  
• Pratyaksh Singh at InfoSec Write-ups
  Let’s have a SAML talks!
  
  
• Jiří Vinopal
  Check out @vinopaljiri’s Tweet
  
  
• Tim Schulz at Scythe
  SCYTHE Presents: Threat Thursday – Lazarus
  
  
• Koen Van Impe
  Staying in control of MISP correlations
  
  
• Lee Holmes at ‘Precision Computing’
  Using Bloom Filters to Efficient Filter Out “Known Good”
  
  
• Mehmet Ergene
  Threat Hunting with Data Science: Registry Run Keys
  
  
• Microsoft 365 Security
  Start having visibility in service accounts with defender for identity
  
  
• Microsoft Security
  • Secure containerized environments with updated threat matrix for Kubernetes
  • Analyzing attacks taking advantage of the Exchange Server vulnerabilities
    
    
• William Lowe at Panther
  Advanced Detections with Scheduled Queries
  
  
• Recorded Future
  Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers
  
  
• RiskIQ
  Agent Tesla: Software-as-a-Service Enables Trend Analysis
  
  
• Greg Iddon at Sophos
  Patching alone is not enough: Investigate your exposure windows
  
  

UPCOMING EVENTS

• Institute of Data
  Cyber Security Industry Webinar APAC – 30 March 2021
  
  
• MSAB
  XAMN Investigates: Part Two (AIPAC)
  
  
• NW3C
  Listen UP! Our next challenge will begin on April 26th at 1300 EDT and run in partnership with the 2021 National Cyber Crime Conference.
  
  

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  Check out @AlexisBrignoni’s Tweet
  
  
• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.43 – Ali Hadi
  
  
• Kevin Ripa at SANS
  • Episode 187: When to Stop Looking for Evidence – Part 3
  • Episode 188: When to Stop Looking for Evidence – Part 4
  • Episode 189: Formatting a Drive as HFS+
    
    
• AccessData
  FTK Feature Focus Episode 5 Optimized Processing Part 2
  
  
• Andrew Malec
  BelkaDay Forensics CTF (Part 1) with Magnet AXIOM
  
  
• Archan Choudhury at BlackPerl
  • How to Create Yara || Learn from Scratch within 30 mins, write your first Yara Rue || YarGen Demo
  • Thank You Everyone 🔥🔥1500 Crew Member onboarded 🔥🔥 Subscribe FAST for more exciting DFIR Topics
    
    
• Basis Technology
  RecuperaBit: Present and Future of NTFS Reconstruction (OSDFCon Webinar)
  
  
• Black Hills Information Security
  • BHIS | OPSEC Fundamentals for Remote Red Teams – Michael Allen – 1-Hour
  • Talkin’ About Infosec News – 3/22/2021
  • BHIS – Talkin’ Bout News – 2021-03-24
  • Webcast: OPSEC Fundamentals for Remote Red Teams
    
    
• Breaking Badness podcast
  79. Speak of the REvil
  
  
• Cellebrite
  • How to search for similar images in Cellebrite Pathfinder
  • How to speed up processing time with Selective Decoding in Cellebrite Physical Analyzer
    
    
• Cybereason
  • Malicious Life Podcast: Inside NotPetya, Part 2
  • Malicious Life Podcast: Inside the HAFNIUM Microsoft Exchange Attacks
    
    
• Digital Forensic Survival Podcast
  DFSP # 266 – Windows non-core processes
  
  
• Lee Reiber’s Forensic Happy Hour
  Oxygen Forensics Episode 207
  
  
• Magnet Forensics
  New in Magnet ATLAS 2.0: Measuring Lab Efficiency
  
  
• Rasta Mouse
  SharpC2 – Stream 5
  
  
• SANS
  • Will they Read my Reports? – Creating Value Driven Reports | Christopher Lopez | SANS CTI Summit
  • SANS Technology Institute Graduate Program: An Insider’s View
  • Day 2 Wrap-Up Panel | SANS CTI Summit 2-21
  • Skilling the Gap: Creative Ways to Recruit Top Cyber Talent
    
    
• TimeSketch Summit
  TS 2021 Summit
  
  
• Watson Infosec
  Wazuh Build Overview | Elasticsearch
  
  

MALWARE

• 360 Netlab
  Microsoft Exchange 漏洞（CVE-2021-26855）在野扫描分析报告
  
  
• 360 Core Security Technology
  RemRAT：潜伏在中东多年的Android间谍软件
  
  
• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  Didier Stevens: finding Metasploit & Cobalt Strike URLs
  
  
• CISA
  • MAR-10329496-1.v1: China Chopper Webshell
  • MAR-10329499-1.v1: China Chopper Webshell
    
    
• Cyberint Research
  Dearcry Ransomware Microsoft Exchange Exploited
  
  
• Niall Newman and Mark Shelhart at Foregenix
  ModPipe Malware has a new module that siphons Credit Card Data
  
  
• Robert Neumann and Kurt Natvig at Forcepoint
  Advancements in Invoicing – A highly sophisticated way to distribute ZLoader
  
  
• Hasherezade
  malware_training_vol1
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #32: Running scripts
  
  
• Dinidhu Jayasinghe at InfoSec Write-ups
  Analyzing Malware and Other Attacks
  
  
• Intezer
  Accelerate Incident Response with Intezer Analyze Volatility Plugin
  
  
• Shusei Tomonaga at JPCERT/CC
  Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta)
  
  
• Malwarebytes Labs
  Perkiler malware turns to SMB brute force to spread
  
  
• Morphisec
  How Ransomware Techniques Have Changed
  
  
• Nikhil Rathor at 0xthreatintel
  Internals of DearCry Ransomware !
  
  
• Palo Alto Networks
  • 20 Million Miners: Finding Malicious Cryptojacking Images in Docker Hub
  • Threat Assessment: Matrix Ransomware
    
    
• Jeff Gardner at Rapid7
  Attack vs. Data: What You Need to Know About Threat Hunting
  
  
• SANS Internet Storm Center
  • March 2021 Traffic Analysis Quiz, (Tue, Mar 23rd)
  • Nim Strings, (Mon, Mar 22nd)
  • Analysis from March 2021 Traffic Analysis Quiz, (Wed, Mar 24th)
  • The 2021 SANS Security Awareness Report is out.  Learn data-driven lessons learned how organizations around the world are effectively managing their human risk  https://www.sans.org/security-awareness-training/sareport-2021, (Tue, Mar 23rd)
  • Submitting pfSense Firewall Logs to DShield, (Thu, Mar 25th)
  • Office macro execution evidence, (Fri, Mar 26th)
  • Apple releases iOS 14.4.2 to address “universal cross site scripting” in Webkit https://support.apple.com/en-us/HT212256, (Fri, Mar 26th)
  • Malware Analysis with elastic-agent and Microsoft Sandbox, (Fri, Mar 26th)
    
    
• Sebdraven
  A .NET rat target Mongolia
  
  
• Roman Rusetsky at SentinelLabs
  Keep Malware Off Your Disk With SentinelOne’s IDA Pro Memory Loader Plugin
  
  
• Mark Loman at Sophos
  Black Kingdom ransomware begins appearing on Exchange servers
  
  
• Jaromir Horejsi and Joseph C Chen at Trend Micro
  Websites Hosting Cracks Spread Malware, Adware
  
  
• Vicente Díaz at VirusTotal
  Leveraging adversarial data for security control validation
  
  
• VMRay
  Malware Classification Case Study: Raccoon Stealer
  
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 3/27/2021
  
  
• Atropos4n6
  My Forensic 4cast (@4cast) nominations
  
  
• Brett Shavers at DFIR Training
  Button pushing in DFIR
  
  
• Craig Ball at ‘Ball in your Court’
  • Don’t BE a Tool, GET a Tool!
  • Can a Producing Party Refuse to Produce Linked Attachments to E-Mail?
  • Life Lessons from E-Discovery
    
    
• Cyber5W
  Cyber5W
  
  
• Dfir.com.br
  Integridade
  
  
• Lesley Carhart at Dragos
  Preparing for Industrial Cyber Response: What to Have in Your Incident Response Toolkit
  
  
• Forensic Focus
  • What Changes Do We Need To See In eDiscovery? Part VII
  • Industry Roundup: Mobile Field Triage Solutions
  • How To Use Facial Recognition In Oxygen Forensic Detective
  • Research Roundup: New Digital Forensic Insights And Opportunities
  • Blaine Davison,Technical Sales and Support Specialist, Amped Software
    
    
• Tom Kopchak at Hurricane Labs
  Deploying the Splunk Universal Forwarder on Windows
  
  
• Mitchell Impey at Security Distractions
  Forensic Community And FOSS Tools
  
  
• MuSecTech
  AChoirX – Building Your Own Custom Version(s)
  
  
• Alisha Cales at Paraben Corporation
  E3 Empowers Small Police Departments with Free Digital Forensic Software and Training Grant
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — March 21 to March 27
  
  
• SANS
  • Rekt Casino Revisited: Operational Series Part 3
  • Skilling the Gap: Creative Ways to Recruit Top Cyber Talent
  • ICS Hot Take – Coors and Verkada Events
  • A One-Year Review of SANS Live Online
  • Cyber Heroines: African Women in Cyber Defense
    
    

SOFTWARE UPDATES

• ALEAPP
  Chromium based browser support
  
  
• ANSSI DFIR-ORC
  • v10.0.18
  • V10.1.0-rc5
    
    
• Belkasoft
  What’s new in Belkasoft X v.1.5
  
  
• CyberChef
  v9.28.0
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Griffeye
  • New Griffeye solution to streamline the workflow between examiners and investigators
  • Release of Analyze 21.0
    
    
• horsicq
  XELFViewer
  
  
• Hex Rays
  IDA 7.6 released
  
  
• Magnet Forensics
  New in AXIOM & AXIOM CYBER 4.11: Get More Data from Instagram, Chromebooks, and More
  
  
• Malfrats Industries
  xeuledoc
  
  
• Malwoverview
  Malwoverview 4.3.2
  
  
• dfir_ntfs
  1.0.9
  
  
• Nils Kuhnert
  yaramanager
  
  
• Oxygen Forensics
  Oxygen Forensic® Detective v.13.4
  
  
• Regipy
  1.9.0
  
  
• Security Onion
  Security Onion 2.3.40 now available!
  
  
• Autopsy
  Yara, Android (aLEAPP), Domains, and More in 4.18.0
  
  
• Sleuthkit
  Autopsy 4.18.0 and The Sleuth Kit 4.10.2 Are Out
  
  
• MemProcFS
  Version 3.9
  
  
• USB Detective
  Version 1.6.2 (03/23/2021)
  
  
• Xways
  X-Ways Forensics 20.2
  
  
• YARA
  YARA v4.1.0-rc2
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!