As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Cado Security
  Investigating AWS ECS with Cado Response
  
  
• Chris Vance at ‘D20 Forensics’
  [Air]Tag You’re It!
  
  
• DFIR Review
  • Ain’t That a Kik in the Head: Kik Messenger iOS Analysis
  • Case Study: Forensic Analysis of TikTok on iOS
    
    
• Oleg Afonin at Elcomsoft
  Decrypting Password-Protected DOC and XLS Files in Minutes
  
  
• Forensafe
  Investigating Foxit Reader
  
  
• Erik Schamper at NCC Group
  A brief look at Windows telemetry: CIT aka Customer Interaction Tracker
  
  
• Pavel Yosifovich
  Mysteries of the Registry
  
  
• Shaquib Izhar
  Extracting digital evidence using memory imaging and bulk extractor
  
  
• Andrew Brandt and Angela Gunn at Sophos
  Attackers linger on government agency computers before deploying Lockbit ransomware
  
  
• Neil Fox at Varonis
  How to Use Volatility for Memory Forensics and Analysis | Varonis
  

THREAT INTELLIGENCE/HUNTING

• Andy Piazza
  Cyber Threat Intelligence Study Plan
  
  
• Anomali
  Anomali Cyber Watch: Zyxel Patches Critical Firewall Bypass Vulnerability, Spring4Shell (CVE-2022-22965), The Caddywiper Malware Attacking Ukraine and More
  
  
• Anton Chuvakin
  SOC is Not Dead Yet It May Be Reborn As Security Operations Center of Excellence
  
  
• Avertium
  An In-Depth Look at Iranian APT “MuddyWater”
  
  
• Chris Pacenza at Breachquest
  Malware can be tricky: HermeticWiper Hidden in Plain Sight
  
  
• CERT Ukraine
  • Кібератака групи Sandworm (UAC-0082) на об’єкти енергетики України з використанням шкідливих програм INDUSTROYER2 та CADDYWIPER (CERT-UA#4435)
  • Кібератака на державні організації України з використанням шкідливої програми IcedID (CERT-UA#4464)
  • Кібератака на державні організації України з використанням експлойту для XSS вразливості в Zimbra Collaboration Suite (CVE-2018-6882) (CERT-UA#4461)
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 9 – 15 aprile 2022
  
  
• Check Point Research
  • 11th April – Threat Intelligence Report
  • March 2022’s Most Wanted Malware: Easter Phishing Scams Help Emotet Assert its Dominance
  • Check Point Research detects Vulnerability in the Rarible NFT Marketplace, Preventing Risk of Account Takeover and Cryptocurrency Theft
    
    
• CISA
  Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices
  
  
• Claroty
  • Industroyer2 Variant Surfaces in Foiled Attack Against Ukraine Electricity Provider
  • Blinding Snort: Breaking the Modbus OT Preprocessor
    
    
• Cluster25
  DPRK-NEXUS ADVERSARY TARGETS SOUTH-KOREAN INDIVIDUALS IN A NEW CHAPTER OF KITTY PHISHING OPERATION
  
  
• Cofense
  • Three Highlights from the Cofense 2022 Annual State of Phishing Report 
  • COVID-19 Phish Targeting Companies
    
    
• Vijit Nair at Corelight
  Deeper visibility into Kubernetes environments with network monitoring
  
  
• Countercraft
  Deception-Powered Threat Intelligence for Financial Services {Data Sheet}
  
  
• Anthony M. Freed at Cybereason
  White Paper: Inside Complex RansomOps and the Ransomware Economy
  
  
• Cyberknow
  Update 12. 2022 Russia-Ukraine war — Cyber group tracker. April 11.
  
  
• Cyble
  Q1-2022 Global Ransomware Report
  
  
• Cyborg Security
  • The Threat Hunter’s Hypothesis
  • Blackmatter
    
    
• Dragos
  • CHERNOVITE’s PIPEDREAM Malware Targeting Industrial Control Systems (ICS)
  • New Knowledge Pack Released (KP-2022-004)
    
    
• EclecticIQ
  Detect and Remediate Process Hollowing with EclecticIQ Endpoint Response
  
  
• Ivan Pisarev at Group-IB
  Old Gremlins, new methods
  
  
• Harshit Rajpal at Hacking Articles
  • Defense Evasion: Process Hollowing (Mitre:T1055.012)
  • Process Doppelganging (Mitre:T1055.013)
    
    
• Roger Kay at Inky
  Fresh Phish: Supreme Court Lure Follows Phishing Precedent
  
  
• Will MacArthur and Nick Chalard at InQuest
  Ukraine CyberWar Overview
  
  
• Malwarebytes Labs
  • Ransomware: March 2022 review
  • Conti ransomware offshoot targets Russian organizations
  • Malwarebytes Evaluation of the MITRE ENGENUITY ATT&CK Round 4 Emulations 
    
    
• Mandiant
  • Metrics are the Drivers of CTI Value
  • INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems
    
    
• Matt Zorich at Microsoft Sentinel 101
  Monitoring Active Directory with Microsoft Sentinel – the agent deep dive.
  
  
• McHughSecurity
  An Introduction to Threat Intelligence
  
  
• Microsoft Security
  • Tarrask malware uses scheduled tasks for defense evasion
  • Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
    
    
• Roy Golombick at Minerva Labs
  Malware Evasion – Detecting Security and Forensic Tools
  
  
• MITRE Engage™
  • Stop Training the Adversary with Authentic, Fine-Grained, Denial-Type Policy Enforcement
  • #cyberdeceptionday and the Kickoff of Denial, Deception, and Drinks
    
    
• Ashwin Radhakrishnan at MITRE-Engenuity
  • How to Leverage ATT&CKⓇ Evaluations Results + Announcing Our First Ever Community Advisory Board
  • ATT&CK Evaluations: Managed Services Welcomes 17 Participants
    
    
• Prodaft
  [PYSA] Ransomware Group In-Depth Analysis
  
  
• Red Alert
  Hacking activity of SectorB Group in 2021
  
  
• Jorge Orchilles at SANS
  Building an Internal Red Team? Go Purple First
  
  
• SANS Internet Storm Center
  • Spring: It isn’t just about Spring4Shell. Spring Cloud Function Vulnerabilities are being probed too., (Mon, Apr 11th)
  • Microsoft April 2022 Patch Tuesday, (Tue, Apr 12th)
  • How is Ukrainian internet holding up during the Russian invasion?, (Wed, Apr 13th)
  • An Update on CVE-2022-26809 – MSRPC Vulnerabliity – PATCH NOW, (Thu, Apr 14th)
  • Office Protects You From Malicious ISO Files, (Sat, Apr 16th)
    
    
• Jake Williams at Scythe
  SCYTHE Presents: Why is SCYTHE Building a CTI Team?
  
  
• Security Research
  Bypassing Cortex XDR
  
  
• Symantec Enterprise
  Lazarus Targets Chemical Sector
  
  
• Drew Kirkpatrick at TrustedSec
  Persisting XSS With IFrame Traps
  
  
• Jason Reaves and Joshua Platt at Walmart
  Revisiting BatLoader C2 structure
  

UPCOMING EVENTS

• Belkasoft
  [Webinar] Viber Forensics With Belkasoft
  
  
• Brad Stowers at ADF
  5 Digital Forensic Conferences You Don’t Want to Miss
  
  
• Daniel Bogdanoff at Keysight
  Keysight Live from the Lab!
  
  
• SANS
  • Inside FOR710 Reverse-Engineering Malware: Advanced Code Analysis
  • The New GIAC MacOS and iOS Examiner Certification (GIME)
  • Prevent, Detect, Respond: An Intro to Google Workspace Security and Incident Response
    
    
• VMware Security
  Deconstructing Destructive Attacks to Separate Fiction from Facts: Webinar Exclusive 5/3
  

PRESENTATIONS/PODCASTS

• Black Hills Information Security
  Talkin’ About Infosec News – 4/12/2022
  
  
• Cloud Security Podcast by Google
  EP60 Impersonating Service Accounts in GCP and Beyond: Cloud Security Is About IAM?
  
  
• Cyber Secrets
  Quick demo of the CSI Linux training site
  
  
• Cybereason
  Malicious Life Podcast: The Russia-Ukraine Cyberwar
  
  
• Detections by SpectreOps
  Episode 22: Nasreddine Bencherchali
  
  
• Digital Forensic Survival Podcast
  DFSP # 321 – URL Leaks
  
  
• Dump-Guy Trickster
  .NET Reversing Get-PDInvokeImports – Dealing with PInvoke, DInvoke and Dynamic PInvoke
  
  
• HackDefend Labs
  • 1. Security Detection and Threat Hunting
  • 2. Security Detection and Threat Hunting
  • 3. Security Detection and Threat Hunting
    
    
• Hacker Valley Blue
  • April 13, 2022
  • CrowdStrike 2022 Global Threat Report: APTs
  • Hacker Valley Blue – One team One Fight With Christopher Peacock
  • CrowdStrike 2022 Global Threat Report: Cloud Security
    
    
• InfoSec_Bret
  SA – SOC165-115 – Possible SQL Injection Payload Detected
  
  
• John Hammond
  • PrintNightmare CVE (PicoCTF 2022 #06)
  • SVG Internals (PicoCTF 2022 #07 enhance)
    
    
• Magnet Forensics
  • YARA Rule Processing in Magnet AXIOM Cyber
  • Using Queued Remote Collections in Magnet AXIOM Cyber
  • Magnet AXIOM Cloud Authenticator: Chrome Browser Extension
  • Cloud Forensics: Faster, Better, Easier with Magnet AXIOM and the Cloud Insights Dashboard
  • An Overview of Magnet IGNITE
  • Magnet AXIOM – Modernizing Digital Forensics Investigations
  • Cloud-Based Triage With Magnet IGNITE
    
    
• OALabs
  The Thread Context – Debugging Explained
  
  
• Paraben Corporation
  Analysis of Linux Data in E3
  
  
• Richard Davis at 13Cubed
  Windows Hibernation Files – A Look Back in Time
  
  
• Sumuri
  • 011 – Partner with us to grow your DFIR business
  • Utilizing Snap Compare In CARBON for Malware Analysis!
    
    
• Watson Infosec
  ElasticXDR 8.1.2 Upgrade Overview
  

MALWARE

• Hui Wang, Alex Turing, and Yang Xu at 360 Netlab
  新威胁：闷声发大财的Fodcha僵尸网络
  
  
• Adam at Hexacorn
  The Anti-VM trick that is kinda… personal
  
  
• ASEC
  • SystemBC Being Used by Various Attackers
  • [Caution] Virus/XLS Xanpei Infecting Normal Excel Files
  • ASEC Weekly Malware Statistics (April 4th, 2022 – April 10th, 2022)
    
    
• Vladimir Martyanov at Avast Threat Labs
  Zloader 2: The Silent Night
  
  
• Blackberry
  Threat Thursday: HeaderTip Backdoor Shows Attackers from China Preying on Ukraine
  
  
• Cisco’s Talos
  • Threat Spotlight: “Haskers Gang” Introduces New ZingoStealer
  • Threat Source newsletter (April 14, 2022) — It’s Tax Day, and you know what that means
  • Threat Roundup for April 8 to April 15
    
    
• Krzysztof Gajewski at CyberDefNerd
  Let me show you how to bite AutoIt scripts!
  
  
• Joie Salvio and Roy Tay at Fortinet
  Enemybot: A Look into Keksec’s Latest DDoS Botnet
  
  
• fr3d.hk
  CryptBot – Too good to be true
  
  
• Patrick Schläpfer at HP Wolf Security
  Malware Campaigns Targeting African Banking Sector
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #85: Source-level debugging
  
  
• InfoSec Write-ups
  Pythonic Malware: Evading Detection with Compiled Executables
  
  
• Avigayil Mechtinger at Intezer
  Automate Alert Triage and Response Tasks with Intezer EDR Connect
  
  
• Marco Ramilli
  From a Phishing Page to a Possible Threat Actor
  
  
• OALABS Research
  Symbolic Execution For Deobfuscation The Basics
  
  
• Pete Cowman at Hatching
  UPX Unpacking and Family Updates
  
  
• Securelist
  The State of Stalkerware in 2021
  
  
• Security Investigation
  • SystemBC Malware Being Used by Various Threat Attackers – Initial access to Indicator of Compromise
  • Xanpei Virus Infecting Normal Excel Files
    
    
• Pedro Tavares at Segurança Informática
  Analysis of the SunnyDay ransomware
  
  
• Tony Lambert
  Snip3 Crypter used with DCRat via VBScript
  
  
• Sudhir Devkar at VMware Security
  RuRansom – A Retaliatory Wiper
  
  
• WeLiveSecurity
  Industroyer2: Industroyer reloaded
  
  
• Amnpardaz
  HackTool.Win32.APT- PS
  

MISCELLANEOUS

• Belkasoft
  Stay in Good Physical Shape: Look Past the Screen of a Digital Forensic Examiner
  
  
• Paul Scott at Cado Security
  AWS ECS: Fully Managed but Frustrating to Investigate
  
  
• Greg Day at Cybereason
  SOC Modernization: Measures and Metrics for Success
  
  
• Forensic Focus
  • DFIR Consultant Kat Hedley on Finding the History — and Future — of DFIR at Bletchley Park
  • Register for Webinar: MSAB Frontline Solutions
  • 2022 Q1 MD-Series Release Note Highlights
    
    
• Koen Van Impe
  A simple way to deploy MISP servers with Packer and Terraform
  
  
• Magnet Forensics
  • YARA Rule Processing in Magnet AXIOM Cyber
  • 4 Reasons to Use Queued Remote Collections in Magnet AXIOM Cyber
  • Magnet AXIOM Cloud Authenticator: Chrome Browser Extension
  • Cloud Forensics: Faster, Better, Easier with Magnet AXIOM and the Cloud Insights Dashboard
  • Meet the Magnet Forensics’ Training Team: Luke Smith
  • Meet the Magnet Forensics’ Training Team: Cody Flowers
    
    
• Peri Storey at OpenText
  Accelerating the pace of digital forensic investigations
  
  
• Salvation DATA
  8 Myths and Facts About Digital Forensics Investigations
  
  
• Secureworks
  Why and How to Build a Proactive Incident Response Plan
  
  
• Anusthika Jeyashankar at Security Investigation
  Azure Sentinel and its Components
  
  
• John Patzakis at X1
  Case Law Update: Federal Court Endorses Targeted Search Term Based ESI Collection
  

SOFTWARE UPDATES

• Vitaliy Mokosiy at Atola
  Logical imaging in TaskForce 2022.4
  
  
• CyberChef
  v9.37.3
  
  
• Didier Stevens
  Update: cut-bytes.py Version 0.0.14
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Invictus IR
  Invictus-AWS
  
  
• Magnet Forensics
  • Magnet AXIOM 6.0: Surfacing More Evidence than Ever Before
  • Magnet AXIOM Cyber 6.0: YARA Rules, Queued Collections, Dark Mode, and More!
  • Magnet IGNITE is Now Available!
    
    
• Ninoseki
  Mihari v4.5.0
  
  
• Nextron Systems
  ASGARD v2.13 Release
  
  
• Oxygen Forensics
  Oxygen Forensic® Detective v.14.4
  
  
• Passware
  Passware Kit 2022 v2 Now Available
  
  
• Xways
  • X-Ways Forensics 20.1 SR-13
  • X-Ways Forensics 20.2 SR-8
  • X-Ways Forensics 20.3 SR-10
  • X-Ways Forensics 20.4 SR-6
  • X-Ways Forensics 20.5 SR-1
    
    
• Yamato Security
  Hayabusa v1.2.0 🦅
  
  
• Maxim Suhanov
  YARP 1.0.33
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!