As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Jessica Hyde at Magnet Forensics
  Android Motion Photos in Magnet AXIOM
  
  
• Aditya Pratap
  Windows Triaging with Powershell — Part 1: Parsing Event Logs
  
  
• Blake’s R&D
  Extracting Cobalt Strike from Windows Error Reporting
  
  
• Cyber Social Hub
  Understanding Tox Chat
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Where’s My Stuff?
  
  
• Jess Garcia at DS4N6
  [BLOG]  ODSC East 2022 – “Data Science for Digital Forensics & Incident Response (DFIR)” – Wrap-Up & Community Resources Announced, by  Jess Garcia and  David Contreras
  
  
• Oleg Afonin at Elcomsoft
  Preventing BitLocker Lockout and Recovering Access to Encrypted System Drive
  
  
• Forensafe
  Investigating AmCache
  
  
• The Incidental chew toy
  Decrypting the ‘AVG’ Photo Vault
  
  
• Kevin Pagano at Stark 4N6
  What’s the Buzz – Bumble on iOS
  
  
• Kyle Song
  Blog #33: Dumping Data from Spycam with ADB
  
  
• Mike Cohen at Velocidex
  • Dead Disk Forensics
  • Paths And Filesystem Accessors
    
    
• Olaf Schwarz at NVISO Labs
  Investigating an engineering workstation – Part 3
  
  
• Oxygen Forensics
  Huawei Devices: Encryption and Data Extraction
  
  
• Patrick J. Siewert at ‘Pro Digital Forensic Consulting’
  Pretty Maps & Plea Bargains: Tips on Handling Cellular Records Analysis in Criminal Defense Cases
  
  
• The Citizen Lab
  CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru
  

THREAT INTELLIGENCE/HUNTING

• 0ut3r Space
  Ransomware simulation
  
  
• Bill Stearns at Active Countermeasures
  Threat Hunting in Azure with AC-Hunter
  
  
• Vitali Kremez & Yelisey Boguslavskiy at Advanced Intelligence, LLC
  Enter KaraKurt: Data Extortion Arm of Prolific Ransomware Group
  
  
• Anomali
  Anomali Cyber Watch: RaidForums Seized, Sandworm Attacks Ukrainian Power Stations, North Korea Steals Chemical Secrets, and More
  
  
• Avertium
  Russia vs. Ukraine Part ii
  
  
• Awake Security
  Threat Hunting for Active Directory Attacks: AS-REP Roasting
  
  
• Blackberry
  • Threat Thursday: BlackGuard Infostealer Rises from Russian Underground Markets
  • BlackCat Ransomware Brings Halloween Horrors to World Organizations
    
    
• Brad Duncan at Malware Traffic Analysis
  • 2022-04-19 – Files for an ISC diary (Qakbot with DarkVNC)
  • 2022-04-14 – aa distribution Qakbot with Cobalt Strike
  • 2022-04-19 – Infection from Brazil malspam
    
    
• BushidoToken
  Lessons from the Conti Leaks
  
  
• CERT Ukraine
  • Онлайн-шахрайство з використанням тематики “грошової допомоги від країн ЄС” (CERT-UA#4492)
  • Кібератака на державні організації України з використанням теми “Азовсталі” та шкідливої програми Cobalt Strike Beacon (CERT-UA#4490)
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 16 – 22 aprile 2022
  
  
• Check Point Research
  • 18th April – Threat Intelligence Report
  • Social Networks Most Likely to be Imitated by Criminal Groups, with LinkedIn Now Accounting for Half of all Phishing Attempts Worldwide
    
    
• CISA
  • Alert (AA22-108A) TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies
  • Alert (AA22-110A) Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
    
    
• Cisco
  Cisco Secure Endpoint Shines in the 2022 MITRE® Engenuity ATT&CK Evaluation
  
  
• Cisco’s Talos
  • TeamTNT targeting AWS, Alibaba
  • Threat Source newsletter (April 21, 2022) — Sideloading apps is as safe as you make it
  • Threat Roundup for April 15 to April 22
    
    
• Greg Darwin at Cobalt Strike Research and Development
  Cobalt Strike 4.6: The Line In The Sand
  
  
• Corelight
  • Sidecars for network monitoring
  • Detecting Windows NFS Portmap vulnerabilities
    
    
• CrowdStrike
  LemonDuck Targets Docker for Cryptomining Operations
  
  
• Cybereason
  • Ransomware Attacks: Can Cyber Insurance Protect Your Organization?
  • Leveraging Cybereason DFIR to Contain Attacks in Minutes
  • How Strategic Detections Set XDR Apart
    
    
• Cyble
  • Prynt Stealer Spotted In the Wild
  • Malicious App Targets Turkish Ministry of Justice
    
    
• David Burkett at Signalblur
  Wireshark’s little known Snort post-dissector
  
  
• DomainTools
  Stop Crypto Kleptos in Their Tracks
  
  
• Dragos
  Software in the Supply Chain: The Newest Insider Threat to ICS Networks
  
  
• EclecticIQ
  • The Analyst Prompt #07: Ukraine War Related Cyberattack Risk Increases Outside the Main Conflict And Fluid Cybercriminal Marketplaces Maintain Strong User Bases
  • 5 Questions to ask About Your EDR – “Visibility”
    
    
• Elliptic
  Further Sanctions Against North Korea’s Lazarus Group for Laundering Stolen Ronin Funds
  
  
• Flashpoint
  Taking Action With Flashpoint Finished Intelligence: A Cornerstone of Effective Decision-Making
  
  
• Hacking Articles
  • A Detailed Guide on HTML Smuggling
  • A Detailed Guide on Hydra
    
    
• Mike Vizard at Barracuda
  Pipedream malware bodes ill for OT security
  
  
• Koen Van Impe
  MISP and Microsoft Sentinel
  
  
• Jurgen Kutscher at Mandiant
  M-Trends 2022: Cyber Security Metrics, Insights and Guidance From the Frontlines
  
  
• Menasec
  Auditing Protected Lsass (RunAsPPL) Access using Sysmon
  
  
• Michael Koczwara
  Server-Side Request Forgery (SSRF)- PortSwigger Labs
  
  
• Microsoft Security
  Discover the anatomy of an external cyberattack surface with new RiskIQ report
  
  
• MITRE Engage™
  Operationalizing MITRE Engage: Deception Opportunities with APT Cyber Tools Targeting ICS/SCADA…
  
  
• Okta
  Okta Concludes its Investigation Into the January 2022 Compromise
  
  
• Palo Alto Networks
  Threat Assessment: BlackByte Ransomware
  
  
• Qualys
  Implications of Windows Subsystem for Linux for Adversaries & Defenders (Part 2)
  
  
• Recorded Future
  The Role of Civil Society and the United Front in China’s Evacuation From Ukraine
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, February 2022 (KOR)
  
  
• Red Canary
  Intelligence Insights: April 2022
  
  
• ReversingLabs
  Emotet’s back. Here’s how to keep from getting hacked
  
  
• RiskIQ
  RiskIQ Threat Intelligence Roundup: Trickbot, Magecart, and More Fake Sites Targeting Ukraine 
  
  
• SANS
  • Російсько-український конфлікт. Кіберресурсний центр
  • Попередження про загрозу російських кібератак. Що робити зараз, щоб посилити стійкість роботи своїх систем
    
    
• SANS Internet Storm Center
  • Video: Office Protects You From Malicious ISO Files, (Sun, Apr 17th)
  • Sysmon’s RegistryEvent (Value Set), (Mon, Apr 18th)
  • “aa” distribution Qakbot (Qbot) infection with DarkVNC traffic, (Wed, Apr 20th)
  • Resetting Linux Passwords with U-Boot Bootloaders, (Tue, Apr 19th)
  • Multi-Cryptocurrency Clipboard Swapper, (Thu, Apr 21st)
  • Are Roku Streaming Devices Safe from Exploitation?, (Sat, Apr 23rd)
  • Analyzing a Phishing Word Document, (Sun, Apr 24th)
    
    
• Jake Williams at Scythe
  SCYTHE Presents: A Lesson from the Okta Incident: Scaling Purple Teaming for Better Controls Validation
  
  
• Secureworks
  GOLD ULRICK Continues Conti Operations Despite Public Disclosures
  
  
• Security Art Work
  Ataques a Exchanges de Criptomonedas
  
  
• Security Investigation
  • Security Researchers Revealed the Infrastructure of Karakurt Linked to Conti Hacking Group
  • Microsoft Cloud Security Architecture with Integrated Security Solutions
  • Espionage Group Continues to hit Ukraine with new malware variants
  • BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide
    
    
• James Haughom at SentinelOne
  From the Front Lines | Peering into A PYSA Ransomware Attack
  
  
• SOC Fortress
  • CVE 2022–26809: MS-RPC VULNERABILITY
  • Understanding Wazuh Decoders
  • Data Exfiltration using ICMP (and how to detect it).
    
    
• Andy Robbins at SpecterOps
  Abusing Azure Container Registry Tasks
  
  
• Silas Cutler at Stairwell
  The ink-stained trail of GOLDBACKDOOR
  
  
• Joe at Stranded on Pylos
  Industroyer2 in Perspective
  
  
• Symantec Enterprise
  Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
  
  
• Mattias Wåhlén at Truesec
  Ransomware Attacks Linked to Russian Sanctions
  
  
• Uptycs
  Q1 ’2022 Quarterly Threat Bulletin
  
  
• Nadav Ovadia at Varonis
  Hive Ransomware Analysis
  
  
• Vincent Van Mieghem
  A blueprint for evading industry leading endpoint protection in 2022
  
  
• VMware Security
  Modern Bank Heists 5.0: The Escalation from Dwell to Destruction
  

UPCOMING EVENTS

• Gerald Auger at Simply Cyber
  🔴 Conti Ransomware Gang Analysis
  
  
• SANS Cloud Security
  SANS CloudSecNext 2022 Annual Summit – FREE!
  
  
• SANS Institute
  Criminal Justice & National Cyber Security
  

PRESENTATIONS/PODCASTS

• Archan Choudhury at BlackPerl
  Threat Hunting Tutorial- Day 4, Malicious Macro Executed- What’s Next?
  
  
• ArcPoint Forensics
  UNALLOCATED SPACE S1: EP06: Brian Moran
  
  
• Atola
  Video: TaskForce 2022.4 new functionality walkthrough
  
  
• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2022-04-18
  • BHIS | Atomic Red Team Hands on Getting Started Guide | Carrie & Darin Roberts | 1 Hour
  • BHIS | UN-EDITED – Atomic Red Team Hands-on Getting Started Guide | Carrie & Darin Roberts | 1-Hour
    
    
• Brakeing Down Security Podcast
  Mick Douglas discusses What2Log, and guidance in light of Okta incident
  
  
• Breaking Badness
  118. Don’t Let Ransomware You Down
  
  
• Cisco’s Talos
  Beers with Talos, Ep. #120: How attackers are finding ways around MFA
  
  
• Cyber Secrets
  CSI Linux 2021.2 Walkthrough with Jeremy Martin
  
  
• Cyberspatial
  This Powerful Cyber Security Tool Will Save You Hours of Work Every Day
  
  
• Day Cyberwox
  Exploiting AWS: Flaws.Cloud | Level 2
  
  
• Digital Forensic Survival Podcast
  DFSP # 322 – Live evidence integrity
  
  
• Hacker Valley Blue
  • Behind The Scenes of CrowdStrike’s MITRE ATT&CK Evaluation
  • Hacker Valley Blue – Human-centric Security With McKenna Yeakey
    
    
• InfoSec_Bret
  IR – SOC171-121 – Spring4Shell Activity
  
  
• John Hammond
  WRITE BASH SCRIPTS for CTF Solutions (PicoCTF 08 ‘file-run1’)
  
  
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 40 – Project VIC
  
  
• Lee Reiber’s Forensic Happy Hour
  Forensic Happy Hour Episode 304
  
  
• OALabs
  • How Does a Debugger Work – Debug Events Explained
  • x64dbg System Breakpoint Explained
    
    
• Paraben Corporation
  • Converting OST Email to EML
  • Converting OST to PST
  • Converting OST to EMX
  • Reviewing iOS App Permissions
    
    
• SANS Institute
  • CVE-2022-26809 MS-RPC Vulnerability Analysis – SANS Institute
  • Reality Check: An Honest Look at Cybersecurity Jobs
  • Fast-Track Your Cybersecurity Career
  • Finding Cybersecurity: A Practitioner’s Path to Success
  • From Rookie to Rockstar: Kickstart Your Career as a SOC Analyst
  • Cómo los Efectos Visuales me empujan a la ciberseguridad
  • Hacking Your Mind: Como começar e continuar a evoluir
  • Networking 101: Introverts Only
  • 5 Things in 20 Minutes
    
    
• Sumuri
  RECON ITR + RECON LAB: Utilizing Use Counts in Your Investigations
  
  
• The ./havoc Podcast
  Jon DiMaggio: Ransom Mafia, Absolute Ransom
  
  
• The Defender’s Advantage Podcast
  Threat Trends: Breaking Down the 2022 M-Trends Report
  

MALWARE

• 0verfl0w_ at 0ffset
  BAZARLOADER: Unpacking an ISO File Infection
  
  
• 360 Netlab
  公有云网络安全威胁情报（202203）
  
  
• Avast Threat Labs
  Warez users fell for Certishell
  
  
• Cerbero
  Suite 5.5 and Engine 2.5 are out!
  
  
• Cyble
  • Under the lens: Eagle Monitor RAT
  • Fake MetaMask app steals cryptocurrency
    
    
• Emanuele De Lucia
  Industroyer2: The ICS-capable malware re-emerges in order to cause critical services disruption
  
  
• Fortinet
  • Trends in the Recent Emotet Maldoc Outbreak
  • Using Emulation Against Anti-Reverse Engineering Techniques
  • Android/Bianlian Botnet Trying to Bypass Photo TAN Used for Mobile Banking
    
    
• G Data Security
  Criminals provide Ginzo stealer for free, now it is gaining traction
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #85: Function chunks
  
  
• Dmitry Melikov at InQuest
  Nobelium – Israeli Embassy Maldoc
  
  
• Intezer
  How to Analyze Malicious PDF Files
  
  
• Juniper Networks
  • AgentTesla
  • Hermetic Wiper
  • Blackbyte Ransomware
  • “Springshell” Vulnerability
    
    
• Pieter Arntz at Malwarebytes Labs
  Why you shouldn’t automate your VirusTotal uploads
  
  
• OALABS Research
  Emotet Deobfuscation Generic Solution
  
  
• Securelist
  How to recover files encrypted by Yanlouwang
  
  
• SentinelLabs
  Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
  
  
• Trend Micro
  • An Investigation of the BlackCat Ransomware via Trend Micro Vision One
  • Analyzing Attempts to Exploit the Spring4Shell Vulnerability CVE-2022-22965 to Deploy Cryptocurrency Miners
    
    
• Vicente Díaz at VirusTotal
  • VirusTotal Multisandbox+= ELF DIGEST
  • VirusTotal’s MISP modules get a fresh upgrade
    

MISCELLANEOUS

• Auth0
  URL, URI, URN: What’s the Difference?
  
  
• Belkasoft
  Preventing burnout in digital forensics
  
  
• Blumira
  Simplifying Security: Detection Rule Management
  
  
• Brett Shavers
  • Been a long time coming, but now comes the second edition of the X-Ways Forensics Practitioner’s Guide.
  • THE X-Ways Forensics Practitioner’s Guide is complete!
    
    
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 4/23/22
  
  
• Cellebrite
  • Conducting Digital Forensics in the Field
  • Transform Your Workflows to Make Investigations More Efficient and Effective
    
    
• CrowdStrike
  • Security Doesn’t Stop at the First Alert: Falcon X Threat Intelligence Offers New Context in MITRE ATT&CK Evaluation
  • CrowdStrike Falcon Spotlight Fuses Endpoint Data with CISA’s Known Exploited Vulnerabilities Catalog
  • Navigating the Five Stages of Grief During a Breach
    
    
• Cyborg Security
  Threat Hunting Certification, Courses, and Materials: A Starting Guide
  
  
• Doug Metz at Baker Street Forensics
  Swag for Charity
  
  
• Forensic Focus
  • Researcher Nina Sunde on Reducing Bias in Digital Forensic Analysis
  • Register for Webinar: Uncovering Windows Registry Data and the Latest Mac Artifacts
  • Huawei Devices: Decryption and Extraction in Oxygen Forensic Detective
    
    
• Md. Abdullah Al Mamun at Intarna
  Investigation: World of Data Leak
  
  
• Magnet Forensics
  Nominate Magnet Forensics in the 2022 Forensic 4:cast Awards!
  
  
• MSAB
  Vote for MSAB in the 2022 Forensic 4:Cast Awards
  
  
• Amber Schroader at Paraben Corporation
  How to get started in the field of digital forensics
  
  
• ADF
  10 Ways Digital Forensics Software can Reduce Your Annual Budget
  
  
• Salvation DATA
  • 15 Industry-Leading Technology Digital Forensics Methods and Technologies
  • What is Drone Forensics?
    
    
• Chad Tilbury at SANS
  SANS FOR500: Windows Forensic Analysis –  Updated for Windows 11 and Beyond
  
  
• VMware Security
  How Not to Build a SOC
  

SOFTWARE UPDATES

• Didier Stevens
  • Update: 1768.py Version 0.0.13
  • New Tool: pngdump.py (Beta)
  • Update: re-search.py Version 0.0.19
    
    
• Michael Karsyan at Event Log Explorer
  Event Log Explorer Forensic Edition
  
  
• Yamato Security
  Hayabusa v1.2.1 🦅
  
  
• Metaspike
  Forensic Email Intelligence 1.6.8147
  
  
• Mihari
  v4.5.1
  
  
• Mike Cohen at Velocidex
  Velociraptor 0.6.4 Release
  
  
• MISP
  MISP 2.4.158 security fix and general improvement release
  
  
• radare2
  5.6.8
  
  
• Velociraptor
  Release 0.6.4
  
  
• Volexity
  Volexity Volcano Server v22.04.08
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!