As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Adam at Hexacorn
  Excelling at Excel, Part 3
  
  
• Emi Polito at Amped
  Measuring in a Scene: What Filters to Use in Amped FIVE?
  
  
• Cado Security
  Case Study: Responding to an Attack in AWS
  
  
• Craig Ball at ‘Ball in your Court’
  Not So Fine Principle Nine
  
  
• Dany at Digitella
  CyberDefenders PCAP Or It Didn’t Happen Challenge Write Up
  
  
• Domiziana Foti
  LetsDefend-SOC163 — Suspicious Certutil.exe Usage
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Six Million Pictures
  
  
• Fabian Mendoza at AboutDFIR
  The Key to Identify PsExec
  
  
• Leonardo M. Falcon at Falcon Guard
  Cognitive Biases in Digital Forensics
  
  
• Forensafe
  Investigating Android uTorrent
  
  
• Kevin Pagano at Stark 4N6
  Gabbing about Garmin Connect for Android
  
  
• Lordx64
  Multiple Linux Backdoors Discovered Targeting Bitcoin Core Developer — Technical Analysis
  
  
• Manjesh Shetty
  Uncovering Hidden Clues: How Windows Artifact Prefetch Can Help in Digital Forensics Investigations in Windows 11 Machine
  
  
• Brad Duncan at Palo Alto Networks
  Unit 42 Wireshark Quiz, January 2023
  
  
• RJM at Anchored Narratives
  • The Trojan did it defence is real!
  • The Trojan solved the Bhima Koregaon case!
    
    
• Paolo Dal Checco at Studio d’Informatica Forense
  La Cassazione sui ricorsi via PEC inviati alle ore 00:00:00 della mezzanotte del giorno di scadenza
  
  
• System Weakness
  LetsDefend Challenge: Remote Working
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  Yara rules pageant
  
  
• Andrea Fortuna
  My own list of tools to perform incident response against Azure AD and Microsoft 365
  
  
• Anomali
  Anomali Cyber Watch: FortiOS Zero-Day Has Been Exploited by an APT, Two RATs Spread by Four Types of JAR Polyglot Files, Promethium APT Continued Android Targeting
  
  
• Assume-breach
  • Home Grown Red Team: Using LNK Files To Bypass Applocker
  • Home Grown Red Team: Bypassing Applocker, UAC and Getting Administrative Persistence
    
    
• Jeremy Fuchs at Avanan
  The Blank Image Attack
  
  
• Bank Security
  Attribution in Cyber Threat Intelligence: Techniques and Challenges
  
  
• Blackberry
  • Emotet Returns With New Methods of Evasion
  • Gamaredon (Ab)uses Telegram to Target Ukrainian Organizations
    
    
• Brad Duncan at Malware Traffic Analysis
  • 2023-01-16 – Google ad –> Fake 7-Zip page –> Malicious .msi file
  • 2023-01-12 – IcedID (Bokbot) infection with Cobalt Strike
  • 2023-01-16 – IcedID (Bokbot) with Backconnect and VNC and Cobalt Strike
  • 2023-01-18 – Google ad –> Fake Libre Office page –> IcedID (Bokbot) –> Cobalt Strike
    
    
• CERT Ukraine
  Кібератака на інформаційно-комунікаційну систему Укрінформ (CERT-UA#5850)
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 14 – 20 gennaio 2023
  
  
• Check Point Research
  • 16th January – Threat Intelligence Report
  • Russia Affiliated NoName057(16) Hacktivist Group Puts 2023 Czech Presidential Election on the Spot
    
    
• Cisco’s Talos
  • Threat Source newsletter (Jan. 19, 2023): Talent retention and institutional knowledge
  • Following the LNK metadata trail
  • Threat Round up for January 13 to January 20
    
    
• Cofense
  Top Malware Trends of December: Cofense Phishing Defense Center (PDC)
  
  
• Countercraft
  Cybersecurity in Banking: Global Bank Uses CounterCraft to Detect Lateral Movement in a SWIFT Network
  
  
• CTF导航
  idek 2022* Forensics Writeup by r3kapig
  
  
• Cybereason
  Sliver C2 Leveraged by Many Threat Actors
  
  
• Cyble
  • Aurora – A Stealer Using Shapeshifting Tactics
  • Gigabud RAT: New Android RAT Masquerading as Government Agencies
    
    
• Terry Mayer at Cyjax
  Cyber threats and the energy sector: an overview
  
  
• Esentire
  eSentire Threat Intelligence Malware Analysis: Raspberry Robin
  
  
• Financial Security Institute
  • Masscan Ransomware Threat Analysis – 2022 Cyber Intelligence Report
  • Malicious APK deforming ZIP file format found under experiment in the wild(English version)
  • Voice Phishing App Distribution Group Profiling(English Version)
  • Present and Future of Financial Mobile Malware(English Version) – FSI Intelligence Report
  • TA505 Threat Group Profiling(English Version) – FSI Intelligence Report
  • Profiling a Threat Group Targeting Korea – Campaign RIFLE(English Version)
    
    
• James Slaughter at Fortinet
  Ransomware Roundup – Playing Whack-a-Mole with New CrySIS/Dharma Variants
  
  
• Haircutfish
  TryHackMe Zeek Exercises — Task 3 Phishing, Task 4 Log4J, & Task 5 Conclusion
  
  
• James Horseman at Horizon3
  ManageEngine CVE-2022-47966 Technical Deep Dive
  
  
• Patrick Schläpfer at HP Wolf Security
  IcedID and Infostealers Spread Through Adverts Mimicking Popular Tools
  
  
• Dray Agha at Huntress
  The Methods Behind a Huntress Managed Antivirus Investigation
  
  
• Dheeraj Yadav at InfoSec Write-ups
  Phishing Email Analysis: A complete guide
  
  
• Jon DiMaggio at Analyst1
  Ransomware Diaries: Volume 1
  
  
• Jouni Mikkola at “Threat hunting with hints of incident response”
  Hunting for msbuild based execution
  
  
• Mandiant
  • Gone Phishing: Hunting for Malicious Industrial-Themed Emails to Prevent Operational Technology Compromises
  • Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475)
    
    
• Emily Parrish at ‘Microsoft Security Experts’
  Good UAL Hunting
  
  
• Nextron Systems
  Antivirus Event Analysis Cheat Sheet v1.12.0
  
  
• Nozomi Networks
  Nozomi Networks Researchers Take a Deep Look into the ICS Threat Landscape
  
  
• OSArmor
  Microsoft OneNote (.One File Extension) Attachment Delivers AsyncRAT
  
  
• Palo Alto Networks
  Chinese Playful Taurus Activity in Iran
  
  
• PhishLabs
  QBot Campaigns Overwhelmingly Lead Reported Payloads in Q4
  
  
• Grace Chi at Pulsedive
  Enriched, real-time phishing management
  
  
• Glenn Thorpe at Rapid7
  CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability
  
  
• Recorded Future
  Annual Payment Fraud Intelligence Report: 2022
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, November 2022 (ENG)
  
  
• Red Canary
  • The power of threat intelligence at your fingertips
  • Intelligence Insights: January 2023
    
    
• SANS Internet Storm Center
  • Elon Musk Themed Crypto Scams Flooding YouTube Today, (Sun, Jan 15th)
  • PSA: Why you must run an ad blocker when using Google, (Mon, Jan 16th)
  • Finding that one GPO Setting in a Pool of Hundreds of GPOs, (Tue, Jan 17th)
  • Malicious Google Ad –> Fake Notepad++ Page –> Aurora Stealer malware, (Wed, Jan 18th)
  • SPF and DMARC use on 100k most popular domains, (Thu, Jan 19th)
  • Importance of signing in Windows environments, (Fri, Jan 20th)
  • DShield Sensor JSON Log to Elasticsearch, (Sat, Jan 21st)
    
    
• Sansec
  Vendors defeat Magento security patch (+ simple check)
  
  
• John Dwyer, James Kainth, Joseph Lozowski, and Philip Pedersen at Security Intelligence
  Self-Checkout This Discord C2
  
  
• Securonix
  Securonix 2022 Threat Report, Part 3: Detecting Ransomware
  
  
• SentinelOne
  • Gotta Catch ‘Em All | Understanding the NetSupport RAT Campaigns Hiding Behind Pokemon Lures
  • Breaking Down the SEO Poisoning Attack | How Attackers Are Hijacking Search Results
    
    
• SOCRadar
  Hydra Aftermath and the Future of Dark Web Marketplaces
  
  
• Jonathan Johnson at SpecterOps
  The Defender’s Guide to Windows Services
  
  
• Splunk
  From Registry With Love: Malware Registry Abuses
  
  
• Scott J Roberts
  Effective Tagging in Synapse
  
  
• Kayleigh Martin at Sucuri
  Vulnerable WordPress Sites Compromised with Different Database Infections
  
  
• Team Cymru
  Darth Vidar: The Dark Side of Evolving Threat Infrastructure
  
  
• Teri Radichel
  • Privilege Escalation Via a Cloud Compute Resource
  • Backdoors and Privilege Escalation Via Cloud Account Users
    
    
• Trend Micro
  • Abusing a GitHub Codespaces Feature For Malware Delivery
  • Earth Bogle: Campaigns Target the Middle East with Geopolitical Lures
  • Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks
  • “Payzero” Scams and The Evolution of Asset Theft in Web3
    
    
• Lior Sonntag at Wiz
  Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident
  

UPCOMING EVENTS

• CBIT Digital Forensics Services
  Linux Webinar- by Hal Pomeranz
  
  
• Cellebrite
  Learn How Cellebrite’s Latest Updates Can Help You Excel In 2023
  
  
• Cyborg Security
  Threat Hunting Workshop: Hunting for Credential Access
  
  
• Erik Hjelmvik at Netresec
  Online Network Forensics Class
  
  
• Insane Forensics
  How To Write a Cybersecurity Incident Response Plan
  
  
• Magnet Forensics
  • Integrate, Automate, and Scale DFIR Investigations With Magnet AUTOMATE Enterprise
  • Magnet REVIEW: Collaborate on Digital Evidence Review from Anywhere
  • Tips & Tricks // Ingesting Mobile Extractions into AXIOM
    

PRESENTATIONS/PODCASTS

• ArcPoint Forensics
  • ATRIO: How to create a live boot Linux USB drive
  • ATRIO: Forensically wiping a drive
  • ATRIO: How to update
  • Easy – Recover/Carve Deleted Files
  • carving files
  • Easy NSRL matching and filtering
  • Match Your MD5 Hash List
  • Filter out your MD5 list
  • Never miss hashing a file
  • ATRIO How To: Create an MD5 hash list
  • January 20, 2023
  • ATRIO How To: Custom MD5 Hash List Matching
    
    
• Black Hills Information Security
  • Part 3: Shellcode Execution with Python | Joff Thyer
  • Talkin’ About Infosec News – 1/17/2023
    
    
• Breaking Badness
  145. Me, Myself, and API
  
  
• Chris Sienko at the Cyber Work podcast
  How SOCs are changing: Location, remote work and more | Guest A.N. Ananth
  
  
• Code Blue
  Code Blue 2022
  
  
• Cybereason
  Cyberbunker, Part 2
  
  
• Cyborg Security
  Episode 5
  
  
• Dark Mode
  Fighting Against Ransomware and Helping Ukraine to Develop Cyber Capabilities
  
  
• Day Cyberwox
  The Anatomy of a Google Cloud (GCP) Cryptomining Attack – Default Service Account Compromise
  
  
• Detections by SpectreOps
  DCP Live – Session 1
  
  
• Digital Forensic Survival Podcast
  DFSP # 361 – Powershell Breakdown
  
  
• Gerald Auger at Simply Cyber
  Setup and Getting Started with Haiku Pro Cyber Ranges
  
  
• Grzegorz Tworek
  Exfiltrating the data through audio
  
  
• InfoSec_Bret
  CyberDefenders –  TeamSpy – Part One
  
  
• James Spiteri at ‘Oh My Malware!’
  • Oh My Malware – Episode 1 – Sofacy/Fancybear
  • Oh My Malware – Episode 2 – REvil/Sodinokibi
    
    
• Karsten Hahn at Malware Analysis For Hedgehogs
  Does Writing Malware Help With Malware Analysis?
  
  
• Magnet Forensics
  • Mobile Unpacked // Rethinking Mobile Forensics
  • Leveraging AXIOM Cyber to Accelerate Corporate Investigations
    
    
• Richard Davis at 13Cubed
  A New Program Execution Artifact – Windows 11 22H2 Update!
  
  
• RickCenOT
  BREAKDOWN Pentest/Hacking of a Siemens Industrial Control System S7-1200 PLC (open Source Tools)
  
  
• SANS Cloud Security
  SANS SEC540 ContainerImageScanning
  
  
• SANS Cyber Defense
  Packet Tuesday – IPv6 Router Advertisements
  
  
• The Defender’s Advantage Podcast
  Threat Trends: APT by USB
  

MALWARE

• Alexander Adamov at ‘Malware Research Academy’
  Analysis of Whispergate – Ep 4: Dynamic analysis of stage2.exe with FakeNet-NG
  
  
• Any.Run
  WannaCry: The Most Preventable Ransomware is Still at Large
  
  
• ASEC
  • ASEC Weekly Phishing Email Threat Trends (January 1st, 2023 – January 7th, 2023)
  • Malware Disguised as a Manuscript Solicitation Letter (Targeting Security-Related Workers)
  • Phishing Web Server Identified Through an Impostor National Tax Service Email
  • ASEC Weekly Malware Statistics (January 9th, 2023 – January 15th, 2023)
    
    
• Avast Threat Labs
  Decrypted: BianLian Ransomware
  
  
• CTF导航
  Raccoon家族之卷土重来
  
  
• Bar Block at Deep Instinct
  ChatGPT and Malware: Making Your Malicious Wishes Come True
  
  
• Eli Salem
  Dancing With Shellcodes: Analyzing Rhadamanthys Stealer
  
  
• Jacob Pimental at GoggleHeadedHacker
  Intro to Cutter
  
  
• Hex Rays
  • Plugin focus: Diaphora
  • Igor’s Tip of the Week #124: Scripting examples
    
    
• Natalie Zargarov at Minerva Labs
  New version of Remcos RAT uses direct syscalls to evade detection. 
  
  
• Mohamed Adel
  OriginLogger Loader
  
  
• OALABS Research
  • Dumpulator VEH
  • Rhadamanthys
    
    
• petikvx
  Analyze of 23ad77a2be48a81e4460c894c41a35db18308a8f85eb841f5bf7ae99265f7310
  
  
• Securelist
  Roaming Mantis implements new DNS changer in its malicious mobile app in 2022
  
  
• Sonatype
  • Malware Monthly – December 2022
  • Intro to Malware Analysis: Analyzing Python Malware
    
    
• Melusi shoko at System Weakness
  Ransomware Simulation with PowerShell: Psransom
  
  
• ThreatFabric
  Hook: a new Ermac fork with RAT capabilities
  
  
• Zhassulan Zhussupov
  Malware development: persistence – part 21. Recycle Bin, My Documents COM extension handler. Simple C++ example.
  
  
• بانک اطلاعات تهدیدات بدافزاری پادویش
  Spy.Win32.SecondEye
  

MISCELLANEOUS

• Jessica Hyde from Hexordia
  Capture The Flag Contests at MVS & MUS 2023
  
  
• Ben Heater
  Proxmox: Running OpenCTI
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 01/15/23
  
  
• Albert Robinson at Cellebrite
  Android Forensics, Smart Flow, Selective File System Extraction – Part 2 of Cellebrite Solutions 2022 Update Summary
  
  
• Robert B. Fried at Sandline Global and Ryan Parthemore at Cellebrite
  Perspectives on Electronic Evidence Management
  
  
• Ariel Watson at Cellebrite
  Physical Analyzer, PA Ultra, Cryptocurrency Enrichment and Location Data – Part 3 of Cellebrite Solutions 2022 Update Summary
  
  
• Consultancy.com.au
  Why human threat hunting is essential for cyber protection
  
  
• Bret at Cyber Gladius
  Top PowerShell Commands for Beginners
  
  
• Doug Burks at Security Onion
  Security Onion Documentation printed book now updated for Security Onion 2.3.200!
  
  
• Forensic Focus
  • Bringing Digital Forensics into the Field with Portable DFIR tools from Detego Global
  • 2022 Recap on GMDSOFT ‘MD-Series’
    
    
• Aamir Lakhani at Fortinet
  Types of Ransomware Attacks and Cyber-Hygiene Best Practices
  
  
• Grayshift
  Magnet Forensics Inc. Enters into Definitive Agreement to be Acquired by Thoma Bravo
  
  
• Johann Hofmann at Griffeye
  Do more of what you do best
  
  
• Harlan Carvey at Huntress
  Why Having Backups Isn’t Enough
  
  
• Ismail Tasdelen at InfoSec Write-ups
  How to Create Incident Response Plan?
  
  
• Lisa Forte at Red Goat
  Monero and the rise of privacy coins in ransom demands
  
  
• RJM at Anchored Narratives
  Course Review – Zero2Automated Advanced Malware Analysis Course
  
  
• Sam Sabin at Axios
  Ransomware gangs are starting to ditch encryption
  
  
• Anusthika Jeyashankar at Security Investigation
  Overview Of Modern And Future SOC
  
  
• Jason Roslewicz at Sumuri
  A.I it’s not just for term papers anymore!
  
  
• The Security Noob.
  Cybersecurity-Attacks and Defenses Strategies 3rd Edition by Yuri Diogenes & Dr Erdal Ozkaya REVIEW
  
  
• Trail of Bits
  Introducing RPC Investigator
  
  
• Fawaz Rasheed at VMware Security
  Requirements for Cyber Insurance are Changing…Fast! 
  

SOFTWARE UPDATES

• Amped
  Amped DVRConv Update 27228: Hardware Acceleration and Adding New Extensions
  
  
• Jordan Wiens at Binary Ninja
  3.3: The Bytes Must Flow
  
  
• Costas K
  • JumplistBrowser (x64)
  • WinEDB_Browser
    
    
• dnSpyEx
  dnSpy v6.3.0
  
  
• Doug Burks at Security Onion
  Security Onion 2.3.200 now available including Sysmon Improvements, Dashboard Updates, and Elastic 8.5.3!
  
  
• Elcomsoft
  Advanced PDF Password Recovery and Archive Password Recovery updates
  
  
• John G. Asmussen at Everything DFIR…
  Case_Notes.py Version 1.0 Released
  
  
• ExifTool
  ExifTool 12.55
  
  
• facelessg00n
  clbExtract
  
  
• John Althouse at FoxIO – Medium
  Introducing LogSlash and The End of Traditional Logging
  
  
• Maxim Suhanov
  dfir_ntfs file system parser v1.1.15
  
  
• Metaspike
  Forensic Email Collector (FEC) Changelog – v3.86.0.21
  
  
• Nicholas Dubois at Hexordia
  Introducing the Hexordia Sysdiagnose Log Toolkit
  
  
• Oxygen Forensics
  Enhanced Linux support in Oxygen Forensic® Detective
  
  
• Rapid7
  Velociraptor Release 0.6.7-5
  
  
• Ulf Frisk
  MemProcFS Version 5.3
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!