As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Kevin Ripa at SANS
  The Truth About USB Device Serial Numbers – (and the lies your tools tell)
  
  
• Kibaffo33
  Decoding Vaulty
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Information Warfare
  
  
• Forensafe
  Investigating ThumbCache
  
  
• Forensic-Research
  VirtualBox 가상머신의 메모리 덤프 추출
  
  
• Magnet Forensics
  • Analysis of Hikvision Date/Time
  • DFIR in Zero-Trust Environments: Utilizing AXIOM Cyber for Remote Collection with Zscaler
  • Data Recovery with DVR Examiner: Accessible, Inaccessible, and VERY Inaccessible
  • Finding the Best Data Recovery Workflow in DVR Examiner 3
  • Recovering Deleted DVR Video with DVR Examiner
  • Advanced Admin-Level Scan for macOS: Magnet OUTRIDER
  • What is a Filesystem?
    
    
• Bex Nitert at ParaFlare
  Luci Spools the Fun with Phobos Ransomware
  
  
• Russ Taylor at Hats Off Security
  AnyDesk Forensic Analysis and Artefacts
  
  
• Nicholas Lang at Sysdig
  Triaging A Malicious Docker Container
  
  
• Pieces0310
  如何检视USB存储设备的使用记录 – Pieces0310
  

THREAT INTELLIGENCE/HUNTING

• And more coverage of the escalation in cyberspace for Russia-Ukraine.
  • Exclusive in-depth analysis: directly attack the key technical details of Ukraine’s cyber warfare
  • Russia Ukraine Cyber War, How to Prepare Yourself?
  • Help for Ukraine: Free decryptor for HermeticRansom ransomware
  • Dark Web Reactions to Russia’s Invasion of Ukraine
  • How To Defend Against Russian-Sponsored Cyberattacks
  • Cyber Attack Trends In The Midst Of Warfare – The numbers behind the first days of the conflict
  • How the Eastern Europe Conflict Has Polarized Cyberspace
  • Fake News of Cyber Attacks Fast-Spreads, as Conflict between Russia and Ukraine Escalates
  • Crowd-sourced attacks present new risk of crisis escalation
  • Russia-Ukraine Conflict Leverages Phishing Themes
  • Acting on CISA’s advice for detecting Russian cyberattacks
  • IOCs from the Attacks on Ukrainian Government Infrastructure
  • Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities
  • Curated Intelligence Stands With Ukraine
  • Threat Advisory Update. Russia/Ukraine conflict: Impacts for Australian and New Zealand organisations
  • CEO Blog Series: Ukraine Conflict Confirms Russian Cybercrime Connection
  • Cybereason vs. HermeticWiper and IsaacWiper
  • 2022 Russia-Ukraine war — Cyber group tracker. Update 1.
  • 2022 Russia-Ukraine war — Cyber group tracker. Update 2.
  • 2022 Russia-Ukraine war — Cyber group tracker. Update 3.
  • Update 4. 2022 Russia-Ukraine war — Cyber group tracker.
  • Update 5. 2022 Russia-Ukraine war — Cyber group tracker.
  • Update 6. 2022 Russia-Ukraine war — Cyber group tracker.
  • What is HermeticWiper – An Analysis of the Malware and Larger Threat Landscape in the Russian Ukrainian War
  • Threat Monitoring Newly Created Ukraine-Related Domain Names
  • The Analyst Prompt #03 – SPECIAL EDITION: A Look at Cyber as a Tool of War in the Russia-Ukraine Conflict
  • Elastic protects against data wiper malware targeting Ukraine: HERMETICWIPER
  • What the Russia Sanctions Mean for Crypto Compliance
  • HermeticWiper Analysis (in-depth)
  • How Telegram Became a Critical Source of Intelligence in the Ukraine-Russia War
  • Russian APT and Ransomware Groups: Vulnerabilities and Threat Actors Who Exploit Them
  • Cybersecurity Threat Advisory: Malware and ransomware attacks against Ukrainian organizations continue
  • HermeticRansom used as a smokescreen for wiper attacks | Kaspersky official blog
  • HermeticWiper: A detailed analysis of the destructive malware that targeted Ukraine
  • DiskKill/HermeticWiper and NotPetya (Dis)similarities
  • Cyber threat activity in Ukraine: analysis and resources
  • Asylum Ambuscade: State Actor Uses Compromised Private Ukrainian Military Emails to Target European Governments and Refugee Movement
  • Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware
  • Cyber Attacks and Threats Amidst the Russian Invasion of Ukraine
  • Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict
  • The Top 5 Russian Cyber Threat Actors to Watch
  • Russia-Ukraine Cybersecurity Updates
  • HermeticWiper and PartyTicket Targeting Computers in Ukraine
  • Elections GoRansom – a smoke screen for the HermeticWiper attack
  • Secureworks FAQ: Russian Activity in Ukraine, Part 2
  • Domains Linked to Phishing Attacks Targeting Ukraine
  • New Wiper Malware Used Against Ukranian Organizations
  • DanaBot Launches DDoS Attack Against the Ukrainian Ministry of Defense
  • Digging into HermeticWiper
  • Cyberattacks are Prominent in the Russia-Ukraine Conflict
  • Dark Web Insights: Evolving Cyber Tactics Aim to Impact the Russia-Ukraine Conflict
  • Destructive Wipers: What You Need To Know
  • Shields Up: Prepare for Destructive Cyberattacks
  • Beware of charity scams exploiting war in Ukraine
  • IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine
    
    
• Anomali
  Anomali Cyber Watch: Information-Stealing and Wiping Campaigns Target Ukraine, Electron Bot Is After Social Media Accounts, Attackers Poison Application and Library Repositories, and More
  
  
• Arnaud Zobec
  Analyzing conti-leaks without speaking russian — only methodology
  
  
• Awake Security
  Detecting Remote Execution of Staged Binaries
  
  
• Nicholas Parks and Brian Tang at AWS Security
  Streamlining evidence collection with AWS Audit Manager
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2022-03-01 – Emotet epoch 4 infection with Cobalt Strike and spambot traffic
  • 2022-03-03 – Brazil-targeted malware infection from email
  • 2022-03-03 – Emotet epoch 4 infection with Cobalt Strike
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 26 febbraio – 04 marzo 2022
  
  
• Check Point Research
  28th February – Threat Intelligence Report
  
  
• Cisco’s Talos
  Threat Roundup for February 25 to March 4
  
  
• Cleafy
  How TeaBot is evolving its distribution
  
  
• Cluster25
  RuRAT used in spear-phishing attacks against media organisations in United States
  
  
• Jenny Mankin at CrowdStrike
  CrowdStrike Falcon Enhances Fileless Attack Detection with Accelerated Memory Scanning Feature
  
  
• Curated Intelligence
  Curated Intel Threat Report: Adobe Document Cloud credential harvesting campaign
  
  
• Cybereason
  • What’s Next in the Evolution of Complex RansomOps?
  • Cybereason and MITRE Engenuity Center for Threat-Informed Defense Launch the Attack Flow Project
    
    
• Eyal Aharoni at Cymulate
  Cymulate’s Februrary 2022 Cyberattacks Wrap-up
  
  
• Shimon Noam Oren at Deep Instinct
  Cyber Threat Landscape Report 2022: Summary & Predictions
  
  
• Dragos
  New Knowledge Pack Released (KP-2022-002-J)
  
  
• John Stevenson at Forcepoint
  Critical Infrastructure in the Crosshairs
  
  
• Douglas Jose Pereira dos Santos at Fortinet
  MITRE Sightings Report Provides Guidance on Key Cyberattack Techniques
  
  
• Fox-IT
  SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store
  
  
• Google Workspace Updates
  • See Google Drive events involving external users in your audit logs
  • More information included in comment notifications to help avoid phishing and malware
  • New intelligent, content based detection and additional regional security detectors for data loss prevention
    
    
• Harshit Rajpal at Hacking Articles
  Windows Persistence: Shortcut Modification (T1547)
  
  
• John Hammond at Huntress
  Targeted APT Activity: BABYSHARK Is Out for Blood
  
  
• Dusty Miller at Hurricane Labs
  Starting a Threat Intelligence Program? Here’s what you need to know
  
  
• Intezer
  • Boost Your SOC Skills: How to Detect Good Apps Gone Bad
  • URL Analysis 101: Machine Learning What and How?
    
    
• Jason Hill at Varonis
  ContiLeaks: Ransomware Gang Suffers Data Breach | Varonis
  
  
• Jeffrey Appel
  Protecting Microsoft Teams with Microsoft Sentinel
  
  
• Kostastsale
  TRANSLATED Conti Leaked Comms
  
  
• Malwarebytes Labs
  • TrickBot takes down server infrastructure after months of inactivity
  • Unusual sign-in activity mail goes phishing for Microsoft account holders
    
    
• Malwarebytes Labs
  • The Conti ransomware leaks
  • Nvidia, the ransomware breach with some plot twists
  • Beware of malware offering “Warm greetings from Saudi Aramco”
    
    
• James Sadowski and Ryan Hall at Mandiant
  Responses to Russia’s Invasion of Ukraine Likely to Spur Retaliation
  
  
• Marius Sandbu
  Samsung hacked by Lapsus
  
  
• Mattias Wahlen at Truesec
  TeamTNT Gang is Part of FIN12/Conti Syndicate
  
  
• Microsoft Sentinel 101
  Detecting malware kill chains with Defender and Microsoft Sentinel
  
  
• MITRE
  • Dive into the MITRE Engage™ Official Release
  • Attack Flow — Beyond Atomic Behaviors
    
    
• NVISO Labs
  • Cortex XSOAR Tips & Tricks – Execute Command Function
  • Drilling down on phishing campaigns with UrlClickEvents
    
    
• Pete Cowman at Hatching
  New Family Detections and MHT File Support
  
  
• Rapid7
  Graph Analysis of the Conti Ransomware Group Internal Chats
  
  
• Red Alert
  • Threat Actor targeted attack against Finance and Investment industry (ENG)
  • Hacking activity of SectorC Group in 2021
    
    
• Gerry Johansen at Red Canary
  IR in focus: Isolating & containing a confirmed threat
  
  
• ReversingLabs
  Ransomware Intelligence that Drives Operations
  
  
• SANS Internet Storm Center
  • TShark & Multiple IP Addresses, (Mon, Feb 28th)
  • Geoblocking when you can’t Geoblock, (Tue, Mar 1st)
  • Attackers Search For Exposed “LuCI” Folders: Help me understand this attack, (Thu, Mar 3rd)
  • Scam E-Mail Impersonating Red Cross, (Fri, Mar 4th)
  • oledump’s Extra Option, (Sat, Mar 5th)
  • Video: TShark & Multiple IP Addresses, (Sun, Mar 6th)
    
    
• Securelist
  Threat landscape for industrial automation systems, H2 2021
  
  
• Sean Gallagher at Sophos
  Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits
  
  
• Symantec Enterprise
  Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks
  
  
• The DFIR Report on Conti leaks
  Check out @TheDFIRReport’s tweet
  
  
• TheParmak
  conti-leaks-englished
  
  
• Esteban Rodriguez at TrustedSec
  Manipulating User Passwords Without Mimikatz
  

UPCOMING EVENTS

• Griffeye
  Webinar: Creating and customizing reports
  
  
• Magnet Forensics
  • Enhancing Digital Investigations Using Cloud and Endpoint Collections
  • Tips & Tricks // Streamline Investigations with Triage: From OUTRIDER to AXIOM
  • Magnet Summit 2022
    

PRESENTATIONS/PODCASTS

• Archan Choudhury at BlackPerl
  Security Engineer Day  in the Life, Old VS Modern, Choose the RIGHT Product!
  
  
• Black Hills Information Security
  • Rogue RDP – Revisiting Initial Access Methods
  • Talkin’ About Infosec News – 3/1/2022
  • Talkin’ About Infosec News – 3/4/2022
    
    
• Brakeing Down Security Podcast
  K12SIX-project-Doug_Levin-Eric_Lankford-threat_intel-edusec-p2
  
  
• Breaking Badness
  112. A Fluid Situation
  
  
• Cellebrite
  • When to Use the Android APK Downgrade Feature in Cellebrite UFED
  • Episode 16: iBeg to DFIR – Back to Basics – Cellebrite UFED Extractions
    
    
• Chewing the FAT
  Episode 10
  
  
• Chris Sienko at the Cyber Work podcast
  • Three foundational cybersecurity certifications | Cyber Work Podcast
  • Working as a digital forensics analyst | Cybersecurity Career Series
    
    
• CyberWarFare Labs
  Detecting-Adversarial-Tradecrafts-Tools-by-leveraging-ETW
  
  
• Day Cyberwox
  • 👨🏽‍💻Breaking Into Cybersecurity EP 1 – Your Why
  • 👨🏽‍💻Breaking Into Cybersecurity EP 2 – Self Assessment🧠
    
    
• DFIRScience
  • What’s in the box? Atola Insight & DiskSense II
  • What’s in the box? Tableau Forensic Imager TX1!
  • What’s in the box? Digital Intelligence UltraBlock Kit!
  • Top skill in digital forensics and #infosec #dfir
    
    
• Didier Stevens
  • Quick & Dirty Shellcode Analysis – CVE-2017-11882
  • TShark & Multiple IP Addresses
    
    
• Digital Forensic Survival Podcast
  • DFSP # 314 – Future of Cybersecurity
  • DFSP # 315 – ARTHIR
    
    
• Exterro
  The 7 Secrets of Digital Forensics
  
  
• Gerald Auger at Simply Cyber
  UNBELIEVABLE Training in Active Defense and Cyber Deception
  
  
• InfoSec_Bret
  • InfoSec_Bret Talking Current Events
  • IR – SOC159-109 – Karma Ransomware Attack
    
    
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 37 – Converting Segmented Images with FTK Imager
  
  
• Logz.io
  AWS Logging at Scale: How to Avoid 3 Common Pitfalls & Drive Efficiency
  
  
• Magnet Forensics
  • Magnet OUTRIDER 3.1 Overview: Even More Triage Support for macOS
  • Responding to Cybersecurity Incidents in Healthcare and Public Health (HPH) Sector
  • The Basics of Digital Image and Video Compression
    
    
• OALabs
  Botleggers Exposed – Analysis of The Conti Leaks Malware
  
  
• Richard Davis at 13Cubed
  Let’s Talk About NTFS Index Attributes
  
  
• Richard Frawley at ADF
  Live Mac Forensics: Round Out Your On-Scene Triage
  
  
• SANS Institute
  Cloud Wars; Episode I – The IAM Menace
  
  
• Sumuri
  • RECON LAB UI Improvements
  • Instant Virtualization with CARBON!
    
    
• This Week In 4n6
  This Month In 4n6 – February – 2022
  

MALWARE

• Adam at Hexacorn
  Good file…  (What is it good for) Part 1
  
  
• ASEC
  • Change in Distribution Method of Malware Disguised as Estimate (VBS Script)
  • CoinMiner Being Distributed to Vulnerable MS-SQL Servers
  • Magniber Disguised as Normal Windows Installer (MSI) Being Redistributed (February 22nd)
  • ASEC Weekly Malware Statistics (February 21st, 2022 – February 27th, 2022)
    
    
• Cluster25
  CONTI’S SOURCE CODE: DEEP-DIVE INTO
  
  
• Cyber Geeks
  How to analyze malicious documents – Case study of an attack targeting Ukrainian Organizations
  
  
• Cybereason
  Cybereason vs. BlackCat Ransomware
  
  
• Stefan Hausotte at G Data Security
  Research Project: SmartVMI
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #79: Handling variable reuse
  
  
• JagaimoKawaii at Lab52
  Looking for Penquins in the Wild
  
  
• Mahmoud Morsy
  Phishing Attacks 3_3_2021
  
  
• Michael Taggart
  WTF Bins
  
  
• Roy Golombick at Minerva Labs
  Malware Evasion Techniques – Sandbox Evasion
  
  
• S2W Lab
  Deep Analysis of Redline Stealer: Leaked Credential with WCF
  
  
• Steve Miller at Stairwell
  Quick n’ dirty detection research: Building a labeled malware corpus for YARA testing
  
  
• Stephen Eckels at Mandiant
  Ready, Set, Go — Golang Internals and Symbol Recovery
  
  
• Tenable
  A Backdoor Lockpick
  
  
• Tony Lambert
  Aggah PPAM macros renaming MSHTA
  
  
• VMRay
  Malware Analysis Spotlight: Smoke Loader
  
  
• Amnpardaz
  Trojan.Win32.Andromeda
  

MISCELLANEOUS

• Andrew Rathbun and Eric Zimmerman at Kroll
  KapeTriage MindMap for DFIR Practitioners
  
  
• Jessica Hyde at Hexordia and Magnet Forensics
  Magnet Summit 2022 Capture the Flag Contests
  
  
• Belkasoft
  • [Free On-demand Сourse] Mobile Forensics with Belkasoft X
  • Sneak peek of Belkasoft X v.1.12
    
    
• Cellebrite
  • Case for the cloud
  • Decentralizing Digital Investigations at Small Agencies is the key to Solving More Cases Faster
    
    
• Brian Dye at Corelight
  One SIEM is not enough?
  
  
• Doug Metz at Baker Street Forensics
  DIY Home Network Rack – the Lack Rack
  
  
• Forensic Focus
  • I Can Login Without Your Password: Data Acquisition From Web-Based Server Using Credential Attack
  • Register Now For the Next Amped Software Webinars
  • How Detego Helped One of the Largest Banks in Africa Stop Fraud in Its Tracks
  • How Viable Is Password Cracking In Digital Forensic Investigations?
    
    
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (3/1/2022)
  
  
• Magnet Forensics
  Meet the Magnet Forensics’ Training Team: Nick Bria
  
  
• MuSecTech
  Monitoring Status and Progress with Webhooks
  
  
• Oxygen Forensics
  Google Takeout Import in Oxygen Forensic® Detective
  
  
• Robert Fried
  Forensic Data Collections 2.0
  
  
• Ryan Campbell at ‘Security Soup’
  • Weekly News Roundup — February 20 to February 26
  • Weekly News Roundup — February 27 to March 5
    
    
• Sergio Caltagirone at Threat Intel Academy
  Writing Your First Journal Article and Submitting to the Journal of Threat Intelligence and Incident Response
  
  
• Brett Shavers at X-Ways Forensics Practitioner’s Guide/2E
  • Final reviews being done; in print this month; pre-orders coming up!
  • Is the new edition worth it?
    

SOFTWARE UPDATES

• Brian Maloney
  OneDriveExplorer v2022.03.04
  
  
• Capa
  v3.2.0
  
  
• Cerbero
  Suite 5.4 and Engine 2.4 are out!
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Foxton Forensics
  Browser History Examiner — Version History – Version 1.16.7
  
  
• IntelOwl
  v3.3.1
  
  
• Magnet Forensics
  Enhanced Support for macOS Triage: Magnet OUTRIDER 3.1
  
  
• Manabu Niseki
  Mihari v4.2.0
  
  
• MobilEdit
  App Downgrade
  
  
• radare2
  5.6.4
  
  
• Ryan Benson at dfir.blog
  More Search URL Parsing, MISP Lists, & More in Unfurl v2022.02
  
  
• Security Onion
  Security Onion 2.3.100 20220301 Hotfix Now Available!
  
  
• Xways
  • X-Ways Forensics 20.4 SR-5
  • X-Ways Forensics 20.5 Preview 7
    
    
• Yamato Security
  Hayabusa v1.1.0 🦅
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!