As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Ahmed Musaad
  Analyse Large Log Files Using ELK
  
  
• Andrew Malec
  AnyDesk Remote Access
  
  
• Benjamin Bruppacher at Compass Security
  VPN Appliance Forensics
  
  
• Dr Brian Carrier at Cyber Triage
  Cyber Triage Lite – Analyzing User Activity
  
  
• Oleg Afonin at Elcomsoft
  Simplifying Digital Triage with Bootable Forensic Tools
  
  
• Forensafe
  Investigating Page File URL’s
  
  
• Forensic-Research
  [논문리뷰] 이메일 원격지 압수·수색의 적법성에 관한 소고 – 대법원 2017.11.29. 선고 2017도9747 판결의 비판적 분석
  
  
• Oxygen Forensics
  Mi Fit against misfits
  
  
• Plainbit Co., Ltd.
  • PowerShell – (1) 파워셸의 개요 및 파워셸을 활용한 공격
  • PowerShell – (2) 파워셸 버전에 따른 로깅 차이
  • PowerShell – (3) 스크립트 로깅 블록 활성화 시 로깅 차이
    
    
• The DFIR Report
  APT35 Automates Initial Access Using ProxyShell
  

THREAT INTELLIGENCE/HUNTING

• Okta breach
  • Special Newscast –Okta and Microsoft: Everything’s not burning down
  • Lapsus$ Claims To Breach Okta Customer Data
  • LAPSUS$ & OKTA: The Cyber Attacks Continue
  • OKTA breached by Lapsus$ Ransomware Gang
  • Cloudflare’s investigation of the January 2022 Okta compromise
  • Authentication Platform Okta Investigates Alleged Breach
  • Okta and LAPSUS$: What you need to know
  • First Things First – Going Deep – Okta Breach Analysis
  • Okta admits 366 customers may have been impacted by LAPSUS$ breach
  • DEV-0537 criminal actor targeting organizations for data exfiltration and destruction
  • Okta’s Investigation of the January 2022 Compromise
  • Sygnia Advisory: Potential Okta Breach
  • Detect malicious activity in Okta logs with Falco and Sysdig okta-analyzer
  • TrustedSec Okta Breach Recommendations
  • Lapsus$ Attack on Okta: How to Evaluate the Impact to your Organization
    
    
• Anton Chuvakin
  How to Measure Threat Detection Quality for an Organization?
  
  
• Bitdefender
  Bitdefender Threat Debrief | March 2022
  
  
• Hector Diaz at Blackberry
  Threat Alert: LAPSUS$ – Real Threat or Minor Menace?
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2022-03-21 – Infection from Brazil malspam
  • 2022-03-21 – Traffic analysis exercise – Burnincandle
  • 2022-03-21 – Hancitor infection with Cobalt Strike and Mars Stealer
  • 2022-03-24 – Emotet E4 with Cobalt Strike
    
    
• BushidoToken
  One Way Or Another: Initial Access Vectors
  
  
• Censys
  Deadbolt Ransomware is Back
  
  
• CERT Ukraine
  • Кібератака на українські підприємства з використанням програми-деструктора DoubleZero (CERT-UA#4243)
  • Кібератака групи UAC-0026 з використанням шкідливої програми HeaderTip (CERT-UA#4244)
  • Кібератака на державні організації України з використанням шкідливої програми Cobalt Strike Beacon (CERT-UA#4227)
    
    
• CERT-AGID
  sLoad torna a colpire le PEC
  
  
• Check Point Research
  21st March – Threat Intelligence Report
  
  
• Cisco’s Talos
  • Threat Source newsletter (March 24, 2022) — Channelling productive worry to help Ukraine
  • Threat Advisory: DoubleZero
  • Threat Roundup for March 18 to March 25
    
    
• Cofense
  Emotet Spoofs IRS in Tax Season-Themed Phishing Email Campaign
  
  
• Coveware
  How the Russian/Ukraine war may lead to an explosion in Ransomware attacks
  
  
• CrowdStrike
  Falcon OverWatch Threat Hunting Contributes to Seamless Protection Against Novel BlackCat Attack
  
  
• CyberCX
  Change and disruption: How the Russia-Ukraine conflict is reshaping cyber crime
  
  
• Cyborg Security
  • 6 More Threat Hunting Tools Everyone in the Industry Should Be Using!
  • Cyber Threat Hunting: 4 More Videos to Make You an (Even) Better Threat Hunter!
  • The Threat Hunter’s Hypothesis
    
    
• Darktrace
  Autonomous Response stops a runaway Trickbot intrusion
  
  
• EclecticIQ
  The Analyst Prompt #05: Russo-Ukrainian Cyberattacks, and Updates on Lapsus$ and Conti Ransomware Operations
  
  
• Elastic
  Elastic Security Research Roundup
  
  
• Esentire
  • Conti Affiliate Exposed: New Domain Names, IP Addresses and Email Addresses Uncovered
  • Analysis of Leaked Conti Intrusion Procedures by eSentire’s Threat Response Unit (TRU)
  • eSentire Threat Intelligence Malware Analysis: HermeticWiper & PartyTicket
    
    
• Flashpoint
  • Your Data, Their Gain: How Threat Actors Leverage Tax Season to Commit Fraud
  • All About LAPSUS$: What We Know About the Extortionist Group
    
    
• Jakub Pitha at Fortinet
  From the Shotgun Approach to Triple Extortion: The Evolving Ransomware Threat
  
  
• Gabor Matuz
  Testing EDRs for Linux — Things I wish I knew before getting started
  
  
• Adam Weidemann at Google Threat Analysis Group
  Countering threats from North Korea
  
  
• Nicole Fishbein at Intezer
  SOC Level Up: Introduction to Sigma Rules
  
  
• Jeffrey Appel
  What happens without RDP protection after 24+ hours in Microsoft Sentinel & other Microsoft security products
  
  
• Lina Lau at Inversecos
  Windows Event Log Evasion via Native APIs
  
  
• Lumen
  Windows Subsystem for Linux (WSL): Threats Still Lurk Below the (Sub)Surface
  
  
• Michael Barnhart, Michelle Cantos, Jeffery Johnson, Elias Fox, Gary Freas, and Dan Scott at Mandiant
  Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations
  
  
• Menasec
  Structured Approach to Triage New Detection Ideas
  
  
• Yun Zheng Hu at NCC Group
  Mining data from Cobalt Strike beacons
  
  
• NVISO Labs
  • Cobalt Strike: Overview – Part 7
  • Hunting Emotet campaigns with Kusto
    
    
• Palo Alto Networks
  • 2022 Unit 42 Ransomware Threat Report Highlights: Ransomware Remains a Headliner
  • Threat Brief: Lapsus$ Group
    
    
• pfpt-andrew
  Rapid-Response-Reporting
  
  
• Huseyin Can Yuceel at Picus Security
  How Attackers Inhibit System Recovery — Four Methods with Red Team Scenarios
  
  
• Joseph Henry at Praetorian
  Always Be Modeling: How to Threat Model Effectively
  
  
• Bryan Campbell, Zachary Abzug, Andrew Northern and Selena Larson at Proofpoint
  Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain
  
  
• Akshat Pradhan at Qualys
  Implications of Windows Subsystem for Linux for Adversaries & Defenders (Part 1)
  
  
• Recorded Future
  • Ghostwriter in the Shell: Expanding on Mandiant’s Attribution of UNC1151 to Belarus
  • IsaacWiper Continues Trend of Wiper Attacks Against Ukraine
  • 2021 Third-Party Intelligence Threat Landscape
  • Russian State-Sponsored Amplification of Bio Lab Disinformation Amid War in Ukraine
    
    
• Anna Seitz at Red Canary
  Unwrapping the 2022 Threat Detection Report
  
  
• S2W Lab
  Footsteps of the LAPSUS$ hacking group
  
  
• Jorge Orchilles at SANS
  Cyber Kill Chain, MITRE ATT&CK, and Purple Team
  
  
• SANS Internet Storm Center
  • Maldoc Cleaned by Anti-Virus, (Mon, Mar 21st)
  • Statement by President Biden: What you need to do (or not do), (Tue, Mar 22nd)
  • Arkei Variants: From Vidar to Mars Stealer, (Wed, Mar 23rd)
  • Malware Delivered Through Free Sharing Tool, (Thu, Mar 24th)
  • XLSB Files: Because Binary is Stealthier Than XML, (Fri, Mar 25th)
  • Is buying Cyber Insurance a Must Now?, (Sat, Mar 26th)
    
    
• Secureworks
  Incident Response Lessons Learned in 2021
  
  
• Anusthika Jeyashankar at Security Investigation
  IOC vs IOA: Indicators of Threat Intelligence
  
  
• Resha Chheda at SentinelOne
  Decoding the Fourth Round of MITRE Engenuity ATT&CK® Enterprise (Wizard Spider and Sandworm) Evaluations
  
  
• Carlos Perez at ‘Shell is Only the Beginning’
  Sysmon for Linux PowerShell Module
  
  
• Chester Wisniewski at Sophos
  Russia-Ukraine war: related cyberattack developments
  
  
• Scott Roberts
  The Difficulty of Saying Nothing
  
  
• Ben Martin at Sucuri
  The Mystery Admin User
  
  
• Sygnia
  Sygnia Advisory: Key takeaways from leak of Conti crime group internal communications
  
  
• Brian Eckman, Josh Hopkins, Andy Kraus, and Paul Welte at Team Cymru
  Raccoon Stealer – An Insight into Victim “Gates”
  
  
• Satnam Narang at Tenable
  ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware – How Tenable Can Help
  
  
• Trend Micro
  • An Investigation of Cryptocurrency Scams and Schemes
  • Cyber Threat Intelligence: Risk Management Strategies
  • Purple Fox Uses New Arrival Vector and Improves Malware Arsenal
    
    
• Ant Ducker, Chad Skipper, and Frederick Verduyckt at VMware Security
  What We Know: Threat Intelligence for GRU-backed Cyber Attacks
  
  
• WeLiveSecurity
  • Sandworm: A tale of disruption told anew
  • Mustang Panda’s Hodur: Old tricks, new Korplug variant
  • Is a nation‑state digital deterrent scenario so far‑fetched?
  • Crypto malware in patched wallets targeting Android and iOS devices
    
    
• ZScaler
  • Midas Ransomware : Tracing the Evolution of Thanos Ransomware Variants
  • Conti Ransomware Attacks Persist With an Updated Version Despite Leaks
  • What You Need to Know About the LAPSUS$ Software Supply Chain Attacks
    

UPCOMING EVENTS

• Cybereason
  Webinar April 7th: 2021 MITRE ATT&CK Evaluations Explained
  
  
• Cyborg Security
  Begin Your Hunt: The Threat Hunting Workshop
  
  
• Cyborg Security
  Hunting for Conti: TTPs Not IOCs
  
  
• Gerald Auger at Simply Cyber
  🔴 Modern SOC Analyst Workflows
  
  
• Magnet Forensics
  • Hiding in Plain Sight
  • What’s New in Magnet AUTOMATE 3.0
    

PRESENTATIONS/PODCASTS

• Archan Choudhury at BlackPerl
  • SOC Open Source, Add Elastic EDR, Part 3
  • Threat Hunting Tutorial- Day1
    
    
• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2022-03-21
  
  
• BlueMonkey 4n6
  Logical Volume Manager (LVM) – imaging and forensics
  
  
• Breaking Badness
  115. A Ransomware for the Dramatic
  
  
• Cellebrite
  • Cellebrite Reader Overview
  • How to Participate in the DFIRFIT Challenge 2022
  • Warrant Returns: What They Are, Challenges Involved, and How to Leverage Their Data
    
    
• Chris Sienko at the Cyber Work podcast
  What makes a good cyber range? | Cyber Work Podcast
  
  
• Cloud Security podcast
  Threat Hunting in AWS
  
  
• Cybereason
  Malicious Life Podcast: Cyber PTSD
  
  
• Detections by SpectreOps
  Episode 21: Anton Ovrutsky
  
  
• Digital Forensic Survival Podcast
  DFSP # 318 – Rust and Chainsaw
  
  
• Down the Security Rabbithole Podcast
  DtSR Episode 493 – Breaches: Is Anyone Learning Anything
  
  
• InfoSec_Bret
  SA – SOC170-120 – Passwd Found in Requested URL – Possible LFI Attack
  
  
• John Hammond
  • SANS Holiday Hack Challenge: Intro and Grepping for Gold
  • SANS Holiday Hack Challenge 002: Exiftool and OSINT
  • SANS Holiday Hack Challenge 003: Logic
  • SANS Holiday Hack Challenge 004: IPv6 and Rubber Duckies
  • SANS Holiday Hack Challenge 005: JavaScript Hacking
  • SANS Holiday Hack Challenge 006: Shellcode Primer
    
    
• Justin Tolman at AccessData
  Beyond The Button – Episode 3 – Google Drive Forensics
  
  
• Magnet Forensics
  Encore: Moving Digital Forensic Labs to the Cloud
  
  
• MalGamy
  • Analysis Obfuscated RTF
  • Analysis HTA dropper
  • Analysis Excel File
    
    
• NVISO Belgium
  • Cobalt Strike: Dealing With Obfuscated Traffic And Process Memory
  • Cobalt Strike: Decrypting DNS Traffic
  • Cobalt Strike: Using Process Memory To Decrypt Traffic
  • Cobalt Strike: Using Known Private Keys To Decrypt Traffic
    
    
• OALabs
  Control Flow Flattening Obfuscation Explained Practically [ Twitch Clip ]
  
  
• Paraben Corporation
  E3 Trial Walk Through with Founder
  
  
• Prevailion
  IRONSCALES Cyber Security Heroes: The New Cyber Era Post Ukraine Invasion
  
  
• SANS
  • Keynote – Use Your Voice: Why Diversity and Inclusion Matter for Cyber Threat Intelligence
  • Data Sources 2.0: Operacionalizando los nuevos objetos del marco ATT&CK
  • DeadRinger: Three APTs Walk into a Bar…
  • Numeric Conversions | Decimal, Binary & Hexadecimal
  • Cloud Wars: Episode II – Attack of the Packets
  • Usando MITRE dentro del ciclo de inteligencia
  • Technologies Disrupting Financial Audit Process
  • Burnout and Employee Well Being
  • Clip Addiction: A Threat Intelligence Approach to Video-Based Chinese InfoOps
  • Cyber Defense & Threat Hunting – Part 3 of 4 SANS Emerging Cyber Guidance to the Ukraine-Russia War
  • Critical Infrastructure Protection– Part 4 of 4 SANS Emerging Cyber Guidance to Ukraine-Russia War
  • Russia’s Cyber Capabilities – Part 1 of 4 SANS Emerging Cyber Guidance to the Ukraine-Russia War
  • Open Source Intelligence – Part 2 of 4 SANS Emerging Cyber Guidance to the Ukraine-Russia War
  • La Evolución del Ransomware: Previsión de Escenarios Posibles para 2022
    
    
• Securizame
  UNA CAÑA CON LAWWAIT – EPISODIO 3 – PEDRO SÁNCHEZ
  
  
• Sumuri
  Transfer files from your virtual machine using CARBON’s SAMBA Share!
  

MALWARE

• 0day in {REA_TEAM}
  [QuickNote] Analysis of Pandora ransomware
  
  
• ASEC
  • BitRAT Disguised as Windows Product Key Verification Tool Being Distributed
  • APT Attack Being Distributed as Windows Help File (*.chm)
  • Word Document Attack Targeting Companies Specialized in Carbon Emissions
  • Distribution of ClipBanker Disguised as Malware Creation Tool
  • APT Attack Using Word Files About Cryptocurrency (Kimsuky)
    
    
• Luigino Camastra, Igor Morgenstern, and Jan Holman at Avast Threat Labs
  Operation Dragon Castling: APT group targeting betting companies
  
  
• Blackberry
  Threat Thursday: SunSeed Malware Targets Ukraine Refugee Aid Efforts
  
  
• Luca Ebach at cyber.wtf
  What the Pack(er)?
  
  
• Simon Kenin and Asaf Gilboa at Deep Instinct
  What is Arid Gopher? An Analysis of a New, Never-Before-Seen Malware Variant
  
  
• Fortinet
  • MS Office Files Involved Again in Recent Emotet Trojan Campaign – Part II
  • Bad Actors Trying to Capitalize on Current Events via Shameless Email Scams
    
    
• Igor Skochinsky at Hex Rays
  • Igor’s tip of the week #81: Database notepad
  • Igor’s tip of the week #82: Decompiler options: pseudocode formatting
    
    
• Lab52
  Another cyber espionage campaign in the Russia-Ukrainian ongoing cyber attacks
  
  
• Hido Cohen at Morphisec
  New JSSLoader Trojan Delivered Through XLL Files
  
  
• Ray Canzanese at Netskope
  Office Documents and Cloud Apps: Perfect for Malware Delivery
  
  
• OALABS Research
  Pandora Ransomware
  
  
• Pavel Yosifovich
  Threads, Threads, and More Threads
  
  
• Olga Svistunova and Anton Yatsenko at Securelist
  Phishing-kit market: what’s inside “off-the-shelf” phishing packages
  
  
• Secureworks
  GOLD ULRICK Leaks Reveal Organizational Structure and Relationships
  
  
• SentinelLabs
  • The Art and Science of macOS Malware Hunting with radare2 | Leveraging Xrefs, YARA and Zignatures
  • Chinese Threat Actor Scarab Targeting Ukraine
    
    
• Tony Lambert
  Formbook Distributed Via VBScript, PowerShell, and C# Code
  
  
• Trustwave SpiderLabs
  • Dissecting a Phishing Campaign with a Captcha-based URL
  • Vidar Malware Launcher Concealed in Help File
  • Cyber Attackers Leverage Russia-Ukraine Conflict in Multiple Spam Campaigns
    
    
• Neil Fox at Varonis
  How to Use Ghidra to Reverse Engineer Malware | Varonis
  
  
• VMware Security
   SysJoker – An Analysis of a Multi-OS RAT
  
  
• Damien Cash, Steven Adair, and Thomas Lancaster at Volexity
  Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS
  

MISCELLANEOUS

• Brett Shavers
  • Pre-order  the X-Ways Forensic Practitioner’s Guide/2E
  • X-Ways Forensics is EASY to miss evidence.
  • XWF/2E Delayed
    
    
• John Lugton at Cado Security
  Automating Investigations to Turn your Response Pipeline into a Feedback Loop
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 3/26/22
  
  
• Heather Mahalik, Sarah Edwards, and Josh Hickman
  Finding Digital Evidence in Wearable Tech
  
  
• Forensic Focus
  • Finding Important Artifacts in Recycle Bin
  • Leveraging Intel DCI for Memory Forensics
  • Forging Trust in Digital Forensics as Technology Evolves
  • Magnet Forensics Survey Shows Enterprises Expect to Make Major Investments in Digital Forensics
    
    
• Google Workspace Updates
  Updated and improved audit logs experience in the Admin console
  
  
• Dray Agha at Huntress
  A Day in the Life of a Threat Analyst
  
  
• JPCERT/CC
  • JSAC 2022 -Day 1-
  • JSAC 2022 -Day 2-
    
    
• Charlie Klein and Refael Mizrahi at Logzio
  Grok Pattern Examples for Log Parsing
  
  
• Magnet Forensics
  State of Enterprise DFIR
  
  
• Matt Zorich at Microsoft Sentinel 101
  Deception in Microsoft Sentinel with Thinkst Canaries
  
  
• Brittany Roberts at ADF
  The Value of Digital Evidence in Combatting Child Exploitation and Human Trafficking
  
  
• Russ Taylor at Hats Off Security
  Improving Technical Interviews
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — March 20 to March 26
  
  
• SANS
  • What’s New in SEC488: Cloud Security Essentials
  • A Visual Summary of SANS New2Cyber Summit 2022  | SANS Institute
    

SOFTWARE UPDATES

• ANSSI
  DFIR-ORC v10.1.0
  
  
• Arsenal Consulting
  Hibernation Recon v1.2.2.83
  
  
• Cellebrite
  Now Available: Cellebrite Physical Analyzer, Logical Analyzer, Reader, and UFED Cloud v7.54
  
  
• Elcomsoft
  Elcomsoft System Recovery 8.20 adds Windows 11 support, bootable triage tools
  
  
• IntelOwl
  v3.3.2
  
  
• Maxim Suhanov
  dfir_ntfs 1.1.12
  
  
• Ninoseki
  Mihari v4.4.0
  
  
• MISP
  MISP 2.4.157 released including some usability fixes following the large changes of 2.4.156 along with some improvements
  
  
• OSForensics
  V9.1 Build 1010 24th March 2022
  
  
• Radare
  Radare2 5.6.6
  
  
• Xways
  • Excire 
  • X-Ways Forensics 20.5 Beta 1
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!