As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Ali Hadi
  Anit-Forensics
  
  
• Brian Carrier at Cyber Triage
  Analyzing KAPE DFIR Artifacts in Cyber Triage
  
  
• Dany at Digitella
  CyberDefenders HoneyBOT Challenge Write-up
  
  
• Derek Eiri
  Retrieving Registry Values to Decrypt Files Protected with DDPE
  
  
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  An Itty Midi Mystery
  
  
• Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  The Importance of Data that Doesn’t Exist – Part Two (Missing Data Sources)
  
  
• Oleg Afonin at Elcomsoft
  Apple Releases iOS 12.5.7, iOS 15.7.3. What About Low-Level Extraction?
  
  
• Howard Oakley at ‘The Eclectic Light Company’
  Log literacy: an essential skill for advanced users
  
  
• Jerry Chang
  PCAP analysis report – Nitroba University
  
  
• Oxygen Forensics
  Supported Vault Apps in Oxygen Forensic® Detective
  
  
• Jorge Coronado at Security Art Work
  Introducción a Zigbee
  
  
• System Weakness
  • The TOR Forensics
  • Packet Analysis of an Intrusion using Brim & Network Miner
    
    
• Terryn at chocolatecoat4n6
  Investigation Framework | Part 6  – Intelligence Correlation
  
  
• The DFIR Report
  ShareFinder: How Threat Actors Discover File Shares
  
  
• ThinkDFIR
  Timestamps in INDX Entries
  

THREAT INTELLIGENCE/HUNTING

• Anomali
  Anomali Cyber Watch: Roaming Mantis Changes DNS on Wi-Fi Routers, Hook Android Banking Trojan Has Device Take-Over Capabilities, Ke3chang Targeted Iran with Updated Turian Backdoor
  
  
• Adriano Bybyk at Aon
  AgentVX and Taurus
  
  
• Francis Guibernau and Ken Towne at AttackIQ
  Emulating the Constantly Evolving Cybercrime Malware QakBot
  
  
• Avertium
  Flash Notice: Zoho ManageEngine Vulnerability Exploited in the Wild
  
  
• AWS Security
  • How to improve security incident investigations using Amazon Detective finding groups
  • Visualize AWS WAF logs with an Amazon CloudWatch dashboard
    
    
• Bill Stearns at Active Countermeasures
  Threat Hunting Resources
  
  
• Martin Zugec at Bitdefender
  Technical Advisory: Proxy*Hell Exploit Chains in the Wild 
  
  
• Lawrence Abrams at BleepingComputer
  Bitwarden password vaults targeted in Google ads phishing attack
  
  
• Brad Duncan at Malware Traffic Analysis
  2023-01-23 – Google ad –> Fake AnyDesk page –> possible TA505 activity
  
  
• Cado Security
  Leopard Tank Announcement Prompts Cyber Retaliation
  
  
• CERT Polska
  Artemis – CERT Polska verifies the cybersecurity of Polish organizations
  
  
• CERT Ukraine
  Кібератака на інформаційно-комунікаційну систему Укрінформ (CERT-UA#5850)
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 21 – 27 gennaio 2023
  
  
• Check Point Research
  • 23rd January – Threat Intelligence Report
  • Brand Phishing report – Q4 2022
    
    
• CISA
  AA23-025A: Protecting Against Malicious Use of Remote Monitoring and Management Software
  
  
• Cisco’s Talos
  • Threat Landscape Topic Summary Report: Cisco Talos Year in Review 2022
  • State Sponsored Attacks in 2023 and Beyond
  • Quarterly Report: Incident Response Trends in Q4 2022
  • What Old is New Again and What’s Old is Me?
  • 2022 Year in Review: Threat Landscape Livestream Replay
  • Threat Round up for January 20 to January 27
    
    
• CTF导航
  Black Basta最近一次的攻击事件分析
  
  
• Niels Groeneveld at Cyber Threat Intelligence Training Center
  • Expanding the Use Cases of STIX and TAXII: Leveraging Threat Intelligence Frameworks for National Security and Intelligence Analysis
  • Expanding the Use Cases for STIX and TAXII in Law Enforcement Threat Intelligence Sharing
    
    
• Cyble
  • Cybersecurity Certifications For Sale – An Open Secret
  • Cyble’s Q4-2022 Ransomware Analysis
  • The Rise of Amadey Bot: A Growing Concern for Internet Security
  • Titan Stealer: The Growing Use of GoLang Among Threat Actors
    
    
• DomainTools
  No Blocking, No Issue: The Curious Ecosystem of Financial Advisor Impersonation Scams
  
  
• Dr Nestori Syynimaa at AADInternals
  Elevation of Privilege from Local Admin to gMSA
  
  
• Abdulrahman H. Alamri at Dragos
  Dragos Industrial Ransomware Analysis: Q4 2022
  
  
• EclecticIQ
  The Godfather Banking Trojan Expands Application Targeting to Affect More Europe-Based Victims
  
  
• Elastic
  • Easily analyze AWS VPC Flow Logs with Elastic Observability
  • Detect data exfiltration activity with Kibana’s new integration
    
    
• Fortinet
  • The Year of the Wiper
  • Ransomware Response Checklist: A Guide for CISOs
    
    
• Zak Butler and Jonas Taege at Google Threat Analysis Group
  Over 50,000 instances of DRAGONBRIDGE activity disrupted in 2022
  
  
• GuidePoint Security
  Annual GRIT Ransomware Report – 2022
  
  
• Haircutfish
  TryHackMe Brim — Task 1 Introduction, Task 2 What is Brim?, & Task 3 The Basics
  
  
• James Horseman at Horizon3
  VMware vRealize Log Insight VMSA-2023-0001 IOCs
  
  
• Human Security
  • Traffic signals: The VASTFLUX Takedown
  • How the VASTFLUX Takedown Benefits Programmatic Players
    
    
• Intel471
  Cyber Threats Facing the Automotive Industry
  
  
• Ismael Valenzuela at Blackberry
  Announcing the New BlackBerry Global Threat Intelligence Report
  
  
• Jeffrey Appel
  Microsoft Defender for Endpoint series – Advanced hunting and custom detections – Part8
  
  
• Josh Liburdi
  Elevating Security Alert Management Using Automation
  
  
• Andrew Shelton at K7 Labs
  Information Stealers going Incognito on Google Ads
  
  
• Karthickkumar Kathiresan and Shilpesh Trivedi at Uptycs
  The Titan Stealer: Notorious Telegram Malware Campaign – Uptycs
  
  
• Luke Leal
  Who is Mister Spy? ☠️
  
  
• Bill Cozens at Malwarebytes Labs
  5 facts about Vice Society, the ransomware group wreaking havoc on the education sector
  
  
• Govand Sinjari and Andy Morales at Mandiant
  Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations
  
  
• Matt Suiche at Magnet Forensics
  UNC1142: Bitcoin Core Developer Targeted With Multiple Linux Backdoors
  
  
• Fernando Ruiz at McAfee Labs
  The Rise and Risks of AI Art Apps
  
  
• Nati Tal at Guardio
  “StreamJacking” – Hijacking Hundreds of YouTube Channels Per Day Propagating Elon Musk Branded…
  
  
• Mike Harbison and Jen Miller-Osborn at Palo Alto Networks
  Chinese PlugX Malware Hidden in Your USB Devices?
  
  
• Proofpoint
  TA444: The APT Startup Aimed at Acquisition (of Your Funds)
  
  
• Daniel Smith at Radware
  Exploring Killnet’s Social Circles
  
  
• Recorded Future
  • I, Chatbot
  • BlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware
    
    
• SANS Internet Storm Center
  • Wireshark 4.0.3 Released, (Sun, Jan 22nd)
  • Who’s Resolving This Domain?, (Mon, Jan 23rd)
  • And yet another packet Tuesday. Sticking with IPv6 for this episode: Neighbor Discovery! https://www.youtube.com/watch?v=CoaZjuuY1do #ipv6 #packetlife #pcaps #inpcapswetrust #packettuesday, (Tue, Jan 24th)
  • Apple Updates (almost) Everything: Patch Overview, (Tue, Jan 24th)
  • A First Malicious OneNote Document, (Wed, Jan 25th)
  • Live Linux IR with UAC, (Thu, Jan 26th)
    
    
• Kristen Cotten at Scythe
  AWS CLI & S3 Buckets
  
  
• Secureworks
  Abraham’s Ax Likely Linked to Moses Staff
  
  
• Security Intelligence
  • Too Much Caffeine? Phishing-as-a-Service Makes Us Jittery
  • Kronos Malware Reemerges with Increased Functionality
  • 5 Golden Rules of Threat Hunting
    
    
• Anusthika Jeyashankar at Security Investigation
  Malicious JQuery & JavaScript – Threat Detection & Incident Response
  
  
• Securonix
  • Securonix Security Advisory: Python-Based PY#RATION Attack Campaign Leverages Fernet Encryption and Websockets to Avoid Detection
  • Detecting Python-Based PY#RATION Attack Campaign with Securonix
    
    
• Aleksandar Milenkoski, Joey Chen, and Amitai Ben Shushan Ehrlich at SentinelLabs
  DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation
  
  
• Ahmed Khlief at Shells.Systems
  APT-HUNTER V3.0 : Rebuilt with Multiprocessing and new cool features
  
  
• SOC Fortress
  Part 12. SIGMA rules for the OpenSource SIEM
  
  
• SOCRadar
  • From Zero to Adversary: APTs
  • Malicious Actors in Dark Web: December 2022 Ransomware Landscape
    
    
• Splunk
  All the Proxy(Not)Shells
  
  
• Stefan P. Bargan at System Weakness
  Uncovering the Threat: A Deep Dive into the Top 3 Cybercrime Groups Targeting Organizations Today
  
  
• Team Cymru
  A Blog with NoName
  
  
• Tenable
  Sandworm APT Deploys New SwiftSlicer Wiper Using Active Directory Group Policy
  
  
• Teri Radichel
  Mitigating CreateUser Privilege Escalation and Back Doors
  
  
• Ieriz Nicolle Gonzalez, Paul Pajares, Arianne Dela Cruz, and Warren Sto.Tomas at Trend Micro
  Vice Society Ransomware Group Targets Manufacturing Companies
  
  
• Kevin Clark at TrustedSec
  Operator’s Guide to the Meterpreter BOFLoader
  
  
• Unveiled Security
  Threat Intelligence Requirements
  
  
• WeLiveSecurity
  SwiftSlicer: New destructive wiper malware strikes Ukraine
  

UPCOMING EVENTS

• Amped
  Digital Forensics Events for 2023: Register Now to Join Us!
  
  
• Cellebrite
  Collecting Custodian Data to Prepare for Review
  
  
• Kroll
  Q4 2022 Threat Landscape Virtual Briefing
  
  
• Magnet Forensics
  • Keeping Up With the Changing Cybersecurity Landscape using Magnet IGNITE and YARA Rules
  • Optimizing your Agency’s Cyber Intrusion and Internal Investigations with AXIOM Cyber
    
    
• Mark Morowczynski
  Real World Incident Response with Microsoft DART #MicrosoftSecurity
  
  
• Metaspike
  Email Forensics Training
  
  
• Recorded Future
  Proactively Identify, Investigate, and Hunt for Cyber Threats
  
  
• Robert M. Lee at SANS
  2022 ICS/OT Cybersecurity Year in Review Executive Briefing
  
  
• Stairwell
  Upcoming Webinar: EDR + Continuous Intelligence: Better Together
  

PRESENTATIONS/PODCASTS

• ArcPoint Forensics
  • EASY DATA RECOVERY – Automated mail .mbox extraction, parsing, and review. #leo #dfir #forensics
  • WRITE BLOCKER AND ATRIO?
  • Hardware Write Blocker and ATRIO?
  • Rip an Android Phone. #lawenforcement #dfir #digitalforensics #computerforensics #sheriff #police
  • ATRIO quick overview #lawenforcement #dfir #digitalforensics #police #sheriff #forensics #leo #tech
  • BLOOPERS PART 1: Happy Friday and have a great weekend y’all 😉
  • ATRIO: QUICK OVERVIEW
    
    
• Belkasoft
  SQLite Forensics with Belkasoft Free Training Announce
  
  
• Black Hills Information Security
  • Get Your Head in the Clouds w/ Sean Verity | 1-Hour
  • Talkin’ About Infosec News – 1/25/2023
  • Part 2 | Future Red Team Rants A breakdown in three parts | John Strand
  • Part 1 | Future Red Team Rants: A breakdown in three parts | John Strand
  • Part 3 | Future Red Team Rants A breakdown in three parts | John Strand
    
    
• BlueMonkey 4n6
  What’s my IP address- wait which IP? Private or Public?
  
  
• Breaking Badness
  Special Report – Quadrant Security
  
  
• CactusCon
  • CactusCon 11 – Day 1 (1/26) Track 2
  • CactusCon 11 – Day 1 (1/26) Track 2
  • CactusCon 11 – Day 1 (1/26) Track 1
  • CactusCon 11 – Day 2 (1/28) Track 1
  • CactusCon 11 – Day 2 (1/28) Track 2
  • CactusCon 11 – Day 2 (1/28) Track 3
    
    
• Cisco’s Talos
  Talos Takes 126: Year in Review – Threat Landscape Edition
  
  
• Cyber Secrets
  • Join the CSI Linux Community
  • New CSI Linux Intro
  • Case Management System in CSI Linux 2023
  • Installing the CSI Linux 2023 Virtual Appliance in VirtualBox 7
    
    
• Cybereason
  FBI vs. REvil [ML BSide]
  
  
• Detections by SpectreOps
  • DCP Live – Session 2
  • Episode 28: Hosts
    
    
• Digital Forensic Survival Podcast
  DFSP # 362 – Windows Core Processes
  
  
• Gerald Auger at Simply Cyber
  How to Operate a Red Team During a TTX (Like A Boss) 💪
  
  
• InfoSec_Bret
  CyberDefenders –  TeamSpy – Part Two
  
  
• John Dwyer
  Introducing RedRaptor a tool for validating threat hunts using the Open Threat Hunting Framework
  
  
• Karsten Hahn at Malware Analysis For Hedgehogs
  Malware Theory – How Packers Work, Polymorphism and Misconceptions
  
  
• Magnet Forensics
  • Introducing the Hash Sets Manager Free Tool in Magnet AXIOM
  • Integrate, Automate, and Scale DFIR Investigations With Magnet AUTOMATE Enterprise
  • Magnet REVIEW: Collaborate on Digital Evidence Review from Anywhere
  • Tips & Tricks // Ingesting Mobile Extractions into AXIOM
    
    
• Mossé Cyber Security Institute
  Introduction to Investigating Businesses for OSINT
  
  
• Neil Fox
  How to Enumerate AD Accounts with 4 Easy to Use Tools
  
  
• Nick Berrie
  LetsDefend.io SOC164 Suspicious Mshta Behavior Walkthrough
  
  
• Richard Davis at 13Cubed
  EZ Tools Manuals Interview with Andrew Rathbun
  
  
• RickCenOT
  Realistic Pentest/Hacking of a Schneider Electric Industrial Control System M221 PLC
  
  
• SANS Cyber Defense
  • Packet Tuesday – IPv6 Neighbor Discovery
  • with SEC595 Applied Data Science and Machine Learning for Cybersecurity Professionals
    
    
• Uriel Kosayev
  FluBot Android Malware C2 Communication
  

MALWARE

• Andrea Fortuna
  Static malware analysis: a basic workflow
  
  
• Any.Run
  CryptBot Infostealer: Malware Analysis
  
  
• ASEC
  ASEC Weekly Phishing Email Threat Trends (January 8th, 2023 – January 14th, 2023)
  
  
• CTF导航
  【技术分享】在QQ上检测安卓锁机勒索软件
  
  
• Didier Stevens
  Analyzing Malicious OneNote Documents
  
  
• Dosxuz
  Tradecraft Improvement 1 – Creating PE files with no imports
  
  
• Hex Rays
  • Hands-Free Binary Deobfuscation with gooMBA
  • Igor’s Tip of the Week #125: Structure fields representation
    
    
• Karlo Licudine at AccidentalRebel
  Adding Automation to Blue-Jupyter Malware Notebook
  
  
• Nihar Deshpande at Quick Heal
  AsyncRAT Analysis with ChatGPT
  
  
• Tony Lambert
  BATLoader, Ursnif, and Redline, oh my!
  
  
• Nathaniel Morales, Earle Maui Earnshaw, Don Ovid Ladores, Nick Dai, and Nathaniel Gregory Ragasa at Trend Micro
  New Mimic Ransomware Abuses Everything APIs for its Encryption Process
  
  
• Vicente Díaz at VirusTotal
  Mandiant’s CAPA + GoReSym to reinforce VT’s capabilities
  

MISCELLANEOUS

• Jessica Hyde at Hexordia
  Pathway to Digital Forensics
  
  
• Samuel Abbott at Amped
  Introducing the Amped Gym Challenges 
  
  
• Andrea Fortuna
  Windows 11 build 22H2 breaks recording of 4688 event
  
  
• ArcPoint
  ArcPoint Forensics and Hexordia Join Forces | ArcPoint Forensics
  
  
• Arctic Wolf
  How Manufacturers Can Fight Back Against Ransomeware
  
  
• Jordan Bowen at Cado Security
  Developers and Attackers are There, You Need to be There too!
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 01/28/2023
  
  
• Cellebrite
  • Cellebrite Enterprise Solutions 2023 Industry Trends Report Finds 70 Percent of eDiscovery Professionals State Accessing Data Offsite Is a Major Endpoint Collection Problem
  • Cellebrite’s Latest Industry Trends Survey for the Private Sector Uncovers Challenges Facing Enterprises
    
    
• Sylvain Heiniger at Compass Security
  Level-up your Detection Game
  
  
• Joseph Naghdi at Computer Forensics Lab
  Computer Forensics Services
  
  
• Craig Ball at ‘Ball in your Court’
  ChatGPT Proves a Mediocre Law Student
  
  
• Robert Graham at Errata Security
  I’m still bitter about Slammer
  
  
• Jonathan Greig at The Record
  Ransomware experts laud Hive takedown but question impact without arrests
  
  
• Lacework
  What is threat detection and response?
  
  
• MSAB
  Interim report Q4 2022, October – December 2022
  
  
• Benjamin Danjoux at NVISO Labs
  Cortex XSOAR Tips & Tricks – Dealing with dates
  
  
• Brian Fox at Sonatype
  The Shifting Landscape of Open Source Supply Chain Attacks – Part 3
  
  
• Melusi shoko at System Weakness
  SOC Analyst daily activities
  
  
• John Kristoff at Netscout
  Remembering SQL Slammer
  
  
• The Security Noob.
  [DFIR TOOLS] Hasher, what is it & how to use!
  
  
• Jon Clay at Trend Micro
  Ransomware Recovery Plan for 2023
  
  
• Xavier Mertens at /dev/random
  This Blog Has 20 Years!
  
  
• Peter LaFosse at Binary Ninja
  2023 Reverse Engineering Survey
  
  
• Cyborg Security
  Threat Hunting: The Cost-Effective Way to Protect Your Organization’s Bottom Line (and Keep the Hackers at Bay)
  

SOFTWARE UPDATES

• Arsenal Consulting
  • Hibernation Recon v1.2.2.86
  • Arsenal Image Mounter v3.9.235
    
    
• Autopsy
  Autopsy 4.20.0 is Finally Out With New Pipelines and Fixes
  
  
• Costas K
  JumplistBrowser
  
  
• Crowdstrike
  Falconpy version 1.2.10
  
  
• Didier Stevens
  • Update: process-binary-file Version 0.0.8
  • New Tool: onedump.py
    
    
• Hex Rays
  IDA 8.2 Service Pack 1 released
  
  
• Magnet Forensics
  • New Free Tool Available: MAGNET Hash Sets Manager
  • Magnet AXIOM Cyber 6.10: Updated Filters, Artifacts, and More!
  • Magnet AXIOM 6.10: Updated Date Filters and Support for Google Semantic Location History Data
    
    
• Malcat
  New release: 0.9.0
  
  
• MemProcFS-Analyzer
  MemProcFS-Analyzer-v0.8
  
  
• Passmark Software
  OSForensics V10.0 Build 1007 23rd January 2023
  
  
• radare2
  5.8.2
  
  
• Sandfly Security
  Sandfly 4.3.0 – Key Vault Integration, Process, SSH, and Persistence Attack Detection
  
  
• Sleuthkit
  The Sleuth Kit 4.12.0 is available
  
  
• USB Detective
  Version 1.6.3 (01/16/2023)
  
  
• Volexity
  OneNoteExtractor
  
  
• Xways
  X-Ways Forensics 20.7 SR-4
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!