As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• David Spreadborough at Amped
  CCTV – The Beginners Guide
  
  
• Matt Danner at Cyber Social Hub
  3 Ways Programming Skills Can Help You Succeed In DFIR
  
  
• Dr. Tristan Jenkinson at ‘The eDiscovery Channel’
  The Importance of Data that Doesn’t Exist – Part Three (Missing Metadata – A Case Study)
  
  
• Forensafe
  • Investigating Windows 1Password
  • Investigating Windows Unigram
    
    
• Jerry Chang
  Mason TCTF – Writeups
  
  
• Antoine Cervoise at Last Blog Article
  Hardware investigation of wireless keyloggers
  
  
• Sumuri
  POSIX vs Extended Attribute: Which Timestamps Should You Use?
  
  
• Zawadi Done at Hunt & Hackett
  Scalable forensics timeline analysis using Dissect and Timesketch
  

THREAT INTELLIGENCE/HUNTING

• Anomali
  Anomali Cyber Watch: Newly-Discovered WinorDLL64 Backdoor Has Code Similarities with Lazarus GhostSecret, Atharvan Backdoor Can Be Restricted to Communicate on Certain Days
  
  
• AttackIQ
  • A Year of Impact: AttackIQ’s Applied Research in Threat-Informed Defense
  • Attack Graph Response to CISA Advisory (AA23-061A): #StopRansomware: Royal Ransomware
  • Emulating the Cybercriminal Initial Access Broker TA551
    
    
• Augusto Barros at Securonix
  Blue Team Debriefing: PY#RATION Edition
  
  
• Avertium
  Cyber Threats Unveiled: SSH Scanning and XorDDos Propagation
  
  
• Bitdefender
  • Bitdefender Threat Debrief | February 2023
  • Bitdefender Releases Decryptor for MortalKombat Ransomware
    
    
• Blackberry
  Blind Eagle Deploys Fake UUE Files and Fsociety to Target Colombia’s Judiciary, Financial, Public, and Law Enforcement Entities
  
  
• Bill Toulas at BleepingComputer
  New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2023-03-02 – Rig EK –> malware loader –> Redline Stealer
  • 2023-02-27 – Files for ISC Diary: BB17 Qakbot
    
    
• BushidoToken
  Tips for Investigating Cybercrime Infrastructure
  
  
• Matt Muir at Cado Security
  Redis Miner Leverages Command Line File Hosting Service
  
  
• CERT-AGID
  • Sintesi riepilogativa delle campagne malevole nella settimana del 18 – 24 febbraio 2023
  • Sintesi riepilogativa delle campagne malevole nella settimana del 25 febbraio – 03 marzo 2023
    
    
• Check Point Research
  27th February – Threat Intelligence Report
  
  
• Yehuda Gelb at Checkmarx Security
  Pyramid of Pain — Evolving our Defenses to Combat Supply Chain Attackers
  
  
• CISA
  • CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks
  • #StopRansomware: Royal Ransomware
    
    
• Cisco’s Talos
  • Threat Source newsletter (March 2, 2023) — Little victories in the fight against ransomware
  • Threat Roundup (Feb. 24 – March 3)
    
    
• George Kurtz at CrowdStrike
  CrowdStrike 2023 Global Threat Report: Resilient Businesses Fight Relentless Adversaries
  
  
• CTF导航
  来自 LOLbins 的 Ursnif
  
  
• CyberCX
  Cyber Adviser Newsletter – February 2023
  
  
• Cyble
  • Critical Vulnerability in FortiNAC (CVE-2022-39952) Exposes Multiple Organizations to Cyberattacks
  • Growing Data Breaches – Illicit Data Lookup Services Exacerbating Privacy Issues
  • R3NIN Sniffer Toolkit – An Evolving Threat to E-commerce Consumers
  • Ransomware Attack on IL&FS
  • Blue Screen of Death Scams Target Users Visiting Fake Adult Sites
  • Over 2 Million Cards Leaked By BidenCash
    
    
• Cyfirma
  Weekly Intelligence Report – 03 Mar 2023
  
  
• Dr Josh Stroschein
  Yara Basics – Exploring the Differences between Wide and ASCII Strings
  
  
• Josh Hanrahan at Dragos
  Instant Messaging-Based Adversarial C2 Techniques and How to Detect Them 
  
  
• EclecticIQ
  Multi-Year Spearphishing Campaign Targets the Maritime Industry Likely for Financial Gain 
  
  
• Eric Capuano
  Live Incident Response with Velociraptor
  
  
• Eric Ooi
  Secure and Monitor Microsoft 365 with Elastic
  
  
• Erik Hjelmvik at Netresec
  • TLS Redirection and Dynamic Decryption Bypass in PolarProxy
  • QakBot C2 Traffic
    
    
• FIRST
  DNS Abuse Techniques Matrix
  
  
• GreyNoise
  • Introducing IP Timeline
  • Introducing IP Similarity
    
    
• Darren Spruell at InQuest
  You’ve Got Malware: The Rise of Threat Actors Using Microsoft OneNote for Malicious Campaigns
  
  
• Intel471
  Malvertising Surges to Distribute Malware
  
  
• Kelvin Ling
  Using Threat Intelligence Tools to Investigate Cyber Attacks
  
  
• Marius Sandbu
  Part One: Analyzing the Anatomy of a Ransomware Attack
  
  
• Mehmet Ergene
  Advanced KQL for Threat Hunting: Window Functions — Part 2
  
  
• Sowmya  Mahadevaiah at Microsoft Azure
  Azure WAF guided investigation Notebook using Microsoft Sentinel for automated false positive tuning
  
  
• Matt Zorich at ‘Microsoft Security Experts’
  Total Identity Compromise: DART lessons on securing Active Directory
  
  
• Microsoft Security Response Center
  • Azure Kubernetes Service (AKS) Threat Hunting
  • Configuring host-level audit logging for AKS VMSS
    
    
• Mitiga
  • Mitiga Security Advisory: Insufficient Forensic Visibility in GCP Storage
  • Google Cloud Platform Exfiltration: A Threat Hunting Guide
    
    
• Nicholas Dhaeyer at NVISO Labs
  OneNote Embedded file abuse
  
  
• Phylum
  A PyPI typosquatting campaign post-mortem
  
  
• Tom Caiazza at Rapid7
  A Shifting Attack Landscape: Rapid7’s 2022 Vulnerability Intelligence Report
  
  
• Recorded Future
  2022 Annual Report
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, January 2023 (KOR)
  
  
• Red Canary
  Intelligence Insight: Tax-themed phishing emails delivering GuLoader
  
  
• ReliaQuest
  Russia-Ukraine War: 3 Cyber Threat Effects, 1 Year In
  
  
• Resecurity
  Resecurity Disrupts Investment Scam Network – Digital Smoke
  
  
• S2W Lab
  • The Future of Cyber Threat Intelligence
  • Lumma Stealer targets YouTubers via Spear-phishing Email
    
    
• Safebreach
  Introducing the Inaugural Hacker’s Yearbook
  
  
• SANS Internet Storm Center
  • Phishing Again and Again, (Mon, Feb 27th)
  • oledump & MSI Files, (Sun, Feb 26th)
  • Crypto Inside a Browser, (Sat, Feb 25th)
  • BB17 distribution Qakbot (Qbot) activity, (Tue, Feb 28th)
  • Python Infostealer Targeting Gamers, (Wed, Mar 1st)
  • YARA: Detect The Unexpected …, (Thu, Mar 2nd)
    
    
• Tatyana Shishkova at Securelist
  The mobile malware threat landscape in 2022
  
  
• Security Scorecard
  One Year of Cyberwarfare: Russia-Ukraine Conflict
  
  
• Shinigami
  An Uncomfortable Reality: Occupational Hazards Associated with Thought Leadership in CTI
  
  
• SOCRadar
  • Security Misconfigurations Caused 35% of All Time Cyber Incidents
  • Educational Institutions Face 234% Increase in Ransomware Attacks
    
    
• Sean Gallagher at Sophos
  Sour Grapes: stomping on a Cambodia-based “pig butchering” scam
  
  
• Ben Martin at Sucuri
  Magbo Spam Injection Encoded with hex2bin
  
  
• Symantec Enterprise
  Blackfly: Espionage Group Targets Materials Technology
  
  
• Sysdig
  • SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft
  • Aligning Falco’s Cloudtrail Rules with MITRE ATT&CK
  • MITRE ATT&CK and D3FEND for Cloud and Containers
    
    
• Tenable
  Tenable 2022 Threat Landscape Report: Reduce Your Exposure by Tackling Known Vulnerabilities
  
  
• Threatmon
  • Behind the Breaches | Mapping Threat Actors and Their CVE Exploits
  • Threat Actors, Phishing Attacks and 2022 Phishing Preview
    
    
• Trend Micro
  • A Deep Dive into the Evolution of Ransomware Part 3
  • Leveraging Data Science to Minimize the Blast Radius of Ransomware Attacks
  • Managed XDR Exposes Spear-Phishing Campaign Targeting Hospitality Industry Using RedLine Stealer
  • Phishing as a Service Stimulates Cybercrime
    
    
• Uptycs
  Cryptocurrency Entities at Risk: Threat Actor Uses Parallax RAT for Infiltration
  
  
• WeLiveSecurity
  • BlackLotus UEFI bootkit: Myth confirmed
  • MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT
    

UPCOMING EVENTS

• Cellebrite
  • Identifying and Triaging Security Risks in your Organization
  • The Investigations Room Webinar SeriesEpisode 1:The Paradox of Digital Abyss
  • Identifying and Triaging Security Risks in your Organization
    
    
• Cyborg Security
  Hybrid Hunting: Threat hunting in the managed security battlespace
  
  
• Doug Burks at Security Onion
  Save the Date for 10th Annual Security Onion Conference 2023 with Dave Kennedy as Keynote Speaker
  
  
• Dragos
  Webinar: 2022 ICS/OT Cybersecurity Threat Landscape
  
  
• Exterro
  Tracking User Behavior using the Windows Registry
  
  
• Gerald Auger at Simply Cyber
  Test Your Cybersecurity Skills (Live Cyber Range Action with Haiku Pro!)  March 6
  
  
• Magnet Forensics
  Internal Data Exfiltration – Getting to the Bottom of IP Theft
  

PRESENTATIONS/PODCASTS

• Black Hills Information Security
  Talkin’ About Infosec News – 3/3/2023
  
  
• Cellebrite
  New Forensic Challenges with iOS 16
  
  
• Chris Sienko at the Cyber Work podcast
  Breaking down digital forensics certifications | Cyber Work Hacks
  
  
• Cloud Security Podcast by Google
  EP110 Detection and Response in a High Velocity and High Complexity Environment
  
  
• Detections by SpectreOps
  DCP Live – Session 4
  
  
• Digital Forensic Survival Podcast
  DFSP # 367 – Shimcache Amcache
  
  
• InfoSec_Bret
  CyberDefenders –  BlackEnergy
  
  
• Insane Forensics
  How To Use FTK Imager To Take Disk And Memory Images For Free
  
  
• John Hammond
  • Carving Exfiltrated Network Data from a Hack (Python & Scapy)
  • Strange File in Downloads Folder? Gootloader Malware Analysis
    
    
• Justin Tolman at AccessData
  • Upgrade from Imager to FTK – Video Analysis
  • Upgrade from Imager to FTK – Graphics Analysis
    
    
• LetsDefend
  • More Details About Document File Analysis 2
  • More Details About Document File Analysis 1
  • Analysis with Sandboxes
  • Static Malicious Document Analysis
  • Introduction to Malicious Document File Analysis
    
    
• Magnet Forensics
  • Magnet Spotlight: Metro Nashville Police Department
  • How Magnet Forensics Products Help the MNPD Solve Violent Crime
  • Metro Nashville Police Department Focuses Their Investigations Using Magnet AUTOMATE
  • Magnet Virtual Summit 2023 Replays
    
    
• MSAB
  • Forensic Fix – Episode 1
  • How to Export a Wordlist with XAMN Pro
  • How to Solve Device Connectivity Issues with XRY
  • How to minimize the intrusion to a victim’s or witness’s device with XRY’s File Selection function
    
    
• Nuix
  Matthew Geaghan of Nuix talks about dealing with the rise of mobile data
  
  
• Richard Davis at 13Cubed
  It’s About Time – Timestamp Changes in Windows 11
  
  
• Security Weekly
  Supply Chain Breaches and Hacking the Cloud: Lessons Learned from IR – Lina Lau – ASW #230
  

MALWARE

• Amr Ashraf
  • Malicious Documents
  • Advanced Imports Obfuscation
    
    
• Any.Run
  XLoader/FormBook: Encryption Analysis and Malware Decryption 
  
  
• ASEC
  • ASEC Weekly Phishing Email Threat Trends (February 12th, 2023 – February 18th, 2023)
  • ASEC Weekly Malware Statistics (February 20th, 2023 – February 26th, 2023)
    
    
• c3rb3ru5d3d53c
  [61] LiveStream – Reversing The DUMBEST HACK I’ve Ever Seen (Redline Stealer Part 6)
  
  
• CTF导航
  Malware Dev 01 – 免杀之 PPID Spoofing 原理解析
  
  
• Cybereason
  Variant Payload Prevention: Applying Data Science to Stop the Stealthiest Threats
  
  
• Félix Guyard at ForensicXlab
  🧬 Malware Analysis with VISION-ProcMon
  
  
• James Slaughter at Fortinet
  Just Because It’s Old Doesn’t Mean You Throw It Away (Including Malware!)
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #130: Source line numbers
  
  
• Marco Ramilli
  Malware Families CheatSheet
  
  
• OALABS Research
  PikaBot
  
  
• Palo Alto Networks
  • Subdomain Reputation: Detecting Malicious Subdomains of Public Apex Domains
  • Spike in LokiBot Activity During Final Week of 2022
    
    
• Prodaft
  [RIG] RIG Exploit Kit: In-Depth Analysis
  
  
• Aniruddha Dolas at Quick Heal
  Coronavirus-themed Campaign delivers Agent Tesla Malware
  
  
• Pedro Tavares at Segurança Informática
  Campanha personificando a Segurança Social Direta em curso
  
  
• Sekoia
  Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity – Part 2
  
  
• Phil Stokes at SentinelOne
  Hunting for Honkbox | Multistage macOS Cryptominer May Still Be Hiding
  
  
• Sonatype
  • Attacker floods PyPI with 1000s of malicious packages that drop Windows trojan via Dropbox
  • How Stolen Information Stealers are Fueling an Underground Market
    
    
• Threatray
  Linking and tracking UAC-0056 tooling through code reuse analysis
  
  
• ZScaler
  • Snip3 Crypter Reveals New TTPs Over Time
  • OneNote: A Growing Threat for Malware Distribution
    

MISCELLANEOUS

• Jessica Hyde at Hexordia
  Growing in Digital Forensics – Practical Mentorship and Resources
  
  
• SANS
  DFIR Origin Stories – Kevin Ripa
  
  
• Belkasoft
  • How to Choose the Right Belkasoft X Configuration
  • Download your free e-book on ChatGPT in DFIR!
    
    
• CybeReady
  • Top 9 Threat Hunting Tools for 2023
  • 8 Best Threat Intelligence Feeds to Monitor in 2023
  • 6 Essentials Every Threat Intelligence Team Should Have
    
    
• Derek Eiri
  Forensic Hard Drive Data Recovery with Scott Moulton
  
  
• Domiziana Foti
  Unpacking the Power of Intelligence-Driven Incident Response: Lessons from Scott.
  
  
• Oleg Afonin at Elcomsoft
  • Building a Password Recovery Queue
  • A Word About Dictionaries
    
    
• Eric Ooi
  • How To Deploy Elastic Agent on Windows with Microsoft Intune
  • How To Deploy Elastic Agent on macOS with Microsoft Intune
    
    
• Forensic Focus
  • Mariya Shafat Kirmani, Ph.D. Scholar, University of Kashmir
  • Digital Forensics Round-Up, March 02 2023
  • Mamoqenelo Morolong, Senior Lecturer, Lesotho Agricultural College
    
    
• Ravishanka Silva at InfoSec Write-ups
  Unleashing the Power of Purple Team: Why Collaborative Security Strategies are the Future of…
  
  
• Keith McCammon
  The future of cybersecurity might be insurance
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (3/1/2023)
  
  
• Koen Van Impe
  Migrating your MISP database from a local MySQL to Azure Database for MySQL
  
  
• Magnet Forensics
  • Meet the Magnet Forensics Training Team: Scott Saul
  • Highlights From Magnet Virtual Summit 2023 
    
    
• Jasper Rowe at OpenText
  The EnCase Evidence Viewer
  
  
• ReliaQuest
  SANS Cyber Threat Intelligence Summit Recap
  

SOFTWARE UPDATES

• Amped
  Amped Authenticate Update 27947: Introducing New Color Styles, Improvements to Reports, Annotations, and More!
  
  
• Belkasoft
  Belkasoft X v.1.16: Drone Forensics Support Is Added! Agent-based iOS acquisition, decryption, Mega cloud acquisition, and other significant updates.
  
  
• Breakpoint Forensics
  Bulk Forensic Image Processor – V4.3
  
  
• c3rb3ru5
  binlex v1.1.1
  
  
• Costas K
  JumplistBrowser
  
  
• Crowdstrike
  Falconpy Version 1.2.12
  
  
• Datadog Security Labs
  GuardDog v1.1.2
  
  
• Didier Stevens
  Update: oledump.py Version 0.0.72
  
  
• Digital Detective
  NetAnalysis® v3.4 and HstEx® v5.4 Released
  
  
• Doug Burks at Security Onion
  • Security Onion 2.3.220 now available including Elastic 8.6.2, Grafana 9.2.10, FleetDM 4.27.1, Zeek 5.0.7, and more!
  • Security Onion 2.3.220 Hotfix 20230301 Now Available!
    
    
• IntelOwl
  v4.2.2
  
  
• Maxim Suhanov
  dfir_ntfs 1.1.17
  
  
• Passcovery
  Passcovery Update 23.03 Is Out Now: NVIDIA GeForce RTX 40/AMD RX 7000, Advanced GPU Acceleration And Other Benefits
  
  
• StrangeBee
  • TheHive v5.1 Elevates Cybersecurity Incident Response to a New Level
  • TheHive v5.1: New features
  • TheHive v5.1: Improved features
    
    
• Ulf Frisk
  MemProcFS Version 5.4
  
  
• Xways
  X-Ways Forensics 20.8 – Preview 3
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!