As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Ahmed Belhadjadji
  Examine the Cache, Cookies, and History Recorded in Web Browsers
  
  
• Belkasoft
  • Walkthrough: Sigma Rules in Belkasoft X
  • Basic but significant legal issues in the Casey Anthony Case
    
    
• Doug Metz at Baker Street Forensics
  NSRL Query from the Command Line
  
  
• Eric Capuano
  Mounting E01 Forensic Images in Linux
  
  
• Foxton Forensics
  Analysing Safari browser history
  
  
• InfoSec Write-ups
  Windows Forensic 101: How to Perform Forensic Investigation of Windows Machine?
  
  
• Kelvin Ling
  Investigate Attack Patterns using SIEM, Sysmon Utility and MITRE ATT&CK
  
  
• Kevin Pagano at Stark 4N6
  • Magnet Virtual Summit 2023 CTF – Windows 11
  • Magnet Virtual Summit 2023 CTF – Cipher
  • Magnet Virtual Summit 2023 CTF – Windows Server
  • Magnet Virtual Summit 2023 CTF – iOS 16 iPhone
    
    
• Lina Lau at Inversecos
  Azure Command Line Forensics – Host Based Artifacts
  
  
• Magnet Forensics
  The Meaning of Messages
  
  
• Mark Spencer at Arsenal Recon
  • BK Case – Stanislaus Lourduswamy, SJ – Report V
  • BitLocker for DFIR – Part I
    
    
• MII Cyber Security
  • Writeup SQLite Forensic from Belkasoft
  • Network Forensic — SMUX Protocol
  • Memory Forensic — Linux Kernel Confusion
    
    
• MSAB
  • Android 13
  • How Did That Photo Get on That iPhone? – Deep Dive into the iOS “Photos.sqlite” database
    
    
• Nicolas Bareil at ‘Just Another Geek’
  Investigation scenario: No User-Agent in the proxy logs
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  • Threat Hunting – localization issues
  • List of clean mutexes and mutants
    
    
• Alex Teixeira
  A Research-Driven process applied to Threat Detection Engineering Inputs
  
  
• Anomali
  Anomali Cyber Watch: Mustang Panda Adopted MQTT Protocol, Redis Miner Optimization Risks Data Corruption, BlackLotus Bootkit Reintroduces Vulnerable UEFI Binaries
  
  
• Anton Chuvakin
  New Report “State of Cloud Threat Detection and Response”
  
  
• Ari Novick at Cyberark
  Persistence Techniques That Persist
  
  
• Avanan
  BEC 3.0 – Legitimate Sites for Illegitimate Purposes 
  
  
• Avertium
  2023 Ransomware Group Trends
  
  
• Bitdefender
  Targeted Threat Intelligence for Security Operations
  
  
• Black Hills Information Security
  Parsing Sysmon Logs on Microsoft Sentinel
  
  
• Blackberry
  News B!te: APT-C-36 Targets Colombia With New Spear-Phishing Campaign
  
  
• BleepingComputer
  • Core DoppelPaymer ransomware gang members targeted in Europol operation
  • Police seize Netwire RAT malware infrastructure, arrest admin
    
    
• Erica Mixon at Blumira
  Blumira By The Numbers in 2022
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2023-03-07 – Emotet infection with spambot traffic
  • 2023-03-06 – Gozi (ISFB/Ursnif) activity targeting Italy
  • 2023-03-08 – IcedID (Bokbot) infection with BackConnect and VNC traffic
    
    
• Censys
  Potential Chinese Influence on African IT Infrastructure
  
  
• CERT-AGID
  • Il malware Emotet riprende a colpire l’Italia
  • Sintesi riepilogativa delle campagne malevole nella settimana del 04 – 10 marzo 2023
    
    
• Marc Nimmerrichter at Certitude
  Scan against accounting
  
  
• Check Point
  • 6th March – Threat Intelligence Report
  • Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities
  • February 2023’s Most Wanted Malware: Remcos Trojan Linked to Cyberespionage Operations Against Ukrainian Government
    
    
• Yehuda Gelb at Checkmarx Security
  The “Skeleton Squad” — Tracing the Origins and Scope of 5000+ Malicious Packages on Pypi
  
  
• Cisco’s Talos
  • Threat Source newsletter (March 9, 2023) — Stop freaking out about ChatGPT
  • Prometei botnet improves modules and exhibits new capabilities in recent updates
    
    
• Greg Darwin at Cobalt Strike Research and Development
  Cobalt Strike 4.8: (System) Call Me Maybe
  
  
• Cofense
  Emotet Sending Malicious Emails After Three-Month Hiatus
  
  
• CyberCX
  Holding a Mirror to Medusa: A New and Voracious Threat Actor
  
  
• Cyborg Security
  • Revealing the Power of Keylogging: Hunting for the Revealer Keylogger
  • Threat Hunting: The Talent Search That’s More Complicated Than The Bachelor
    
    
• Cyfirma
  Weekly Intelligence Report – 10 Mar 2023
  
  
• Simon Kenin at Deep Instinct
  • DUCKTAIL: Threat Operation Re-emerges with New LNK, PowerShell, and Other Custom Tactics to Avoid Detection
  • Emotet Again! The First Malspam Wave of 2023
    
    
• DomainTools
  Update: Financial Advisor Impersonation Ring Targets FINRA
  
  
• Dragos
  New Knowledge Pack Released (KP-2023-002)
  
  
• EclecticIQ
  Dark Pink APT Group Strikes Government Entities in South Asian Countries
  
  
• Paul Asadoorian at Eclypsium
  BlackLotus – A Threat Coming To A System Near You
  
  
• Esentire
  • BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif
  • Qakbot Returns to ISO Delivery (For Now)
  • Digital Forensics Round-Up, March 09 2023
    
    
• Fortinet
  • Ransomware Roundup – Sirattacker and ALC Ransomware
  • Old Cyber Gang Uses New Crypter – ScrubCrypt
  • Analysis of FG-IR-22-369
    
    
• Google
  Fog of War
  
  
• Haircutfish
  TryHackMe Brim — Task 6 Exercise: Threat Hunting with Brim | Malware C2 Detection
  
  
• InfoSec Write-ups
  Unconventional Threat Intelligence: Leveraging Discord for News Feed
  
  
• Bukar Alibe at INKY
  Fresh Phish: Ring Customers Find Themselves at the Front Door of a Data Harvesting Scheme
  
  
• Intel471
  A Ransomware Forecast for 2023
  
  
• IronNet
  IronNet Monthly Global Threat Update
  
  
• Magnet Forensics
  2023 State of Enterprise DFIR Report: More Threats, Complexity, and Need for DFIR
  
  
• Malwarebytes Labs
  • Ransomware review: March 2023
  • DeepStreamer: Illegal movie streaming platforms hide lucrative ad fraud operation
    
    
• Mandiant
  • Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices
  • Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW
  • Stealing the LIGHTSHOW (Part One) — North Korea’s UNC2970
    
    
• Andrea Michael at Microsoft Azure
  Monitor Azure Virtual Network Manager changes with event logging
  
  
• Andrea Fisher at Microsoft Security Insights Show
  What should I log in my SIEM?
  
  
• MikeCyberSec
  Starting your ransomware detection journey: Detection Engineering approaches
  
  
• Netskope
  • Threat Labs News Roundup: February 2023
  • Attackers Increasingly Abusing DigitalOcean to Host Scams and Phishing
    
    
• Proofpoint
  Don’t Answer That! Russia-Aligned TA499 Beleaguers Targets with Video Call Requests
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, January 2023 (ENG)
  
  
• Dean Murphy at ReliaQuest
  Email Threats: Exotic Lily
  
  
• SANS Internet Storm Center
  • Scanning s3 buckets, (Mon, Mar 6th)
  • Hackers Love This VSCode Extension: What You Can Do to Stay Safe, (Tue, Mar 7th)
  • Today I Learned .. a new thing about GREP, (Thu, Mar 9th)
  • Increase in exploits agains Joomla (CVE-2023-23752), (Wed, Mar 8th)
  • Multi-Technology Script Leading to Browser Hijacking, (Fri, Mar 10th)
  • Overview of a Mirai Payload Generator, (Sat, Mar 11th)
    
    
• Securelist
  • Threat landscape for industrial automation systems for H2 2022
  • The state of stalkerware in 2022
    
    
• Secureworks
  COBALT ILLUSION Masquerades as Atlantic Council Employee
  
  
• Securonix
  • Securonix Threat Research Knowledge Sharing Series: New Ransomware, Old Tricks: Detecting Reliable, Real-World Ransomware Indicators of Compromise
  • Securonix Threat Labs Monthly Intelligence Insights – February 2023
    
    
• Aleksandar Milenkoski at SentinelOne
  DBatLoader and Remcos RAT Sweep Eastern Europe
  
  
• SOC Fortress
  Free SOCFortress Provided DFIR-IRIS Modules
  
  
• SOCRadar
  • Major Cyberattacks in Review: February 2023
  • Evolution of Ransomware: So Far and Hereafter
    
    
• Gabor Szappanos at Sophos
  A border-hopping PlugX USB worm takes its act on the road
  
  
• M’hirsi Hamza at System Weakness
  Detect FIN6 on Azure Sentinel Part 2: Threat Hunting using KQL | by M’hirsi Hamza
  
  
• Terry Mayer at Cyjax
  • Cyjax White Paper on Russia-Ukraine War: Synopsis
  • Ukraine in extremis
    
    
• The DFIR Report
  2022 Year in Review
  
  
• Pham Duy Phuc, Raghav Kapoor, John Fokker J.E., Alejandro Houspanossian and Mathanraj Thangaraju at Trellix
  Qakbot Evolves to OneNote Malware Distribution
  
  
• Vladimir Kropotov, Matsukawa Bakuei, Robert McArdle, Fyodor Yarochkin, and Shingo Matsugaya at Trend Micro
  Examining Ransomware Payments From a Data-Science Lens
  
  
• TrustedSec
  • Getting Analysis Practice from Windows Event Log Sample Attacks
  • Changes in the Beacon Object File Landscape
    
    
• Jason Hill at Varonis
  • HardBit 2.0 Ransomware
  • VMware ESXi in the Line of Ransomware Fire
    
    
• Alexey Firsh at VirusTotal
  Threat Hunting with VirusTotal – Episode 2
  
  
• Paul Rascagneres at Volexity
  Using Memory Analysis to Detect EDR-Nullifying Malware
  
  
• Jason Reaves and Joshua Platt at Walmart
  From Royal with Love
  
  
• Lukas Stefanko at WeLiveSecurity
  Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials
  

UPCOMING EVENTS

• Cellebrite
  • Identifying and Triaging Security Risks in your Organization
  • Cellebrite APAC Corrections Virtual Conference
    
    
• Grayshift
  ArtifactIQ Now Available in United Kingdom to Accelerate Digital Forensic Investigations and Drive Collaboration
  
  
• Griffeye
  Webinar: Top 10 Griffeye Analyze features
  
  
• Kroll
  Remote Data Triage with F-Response and KAPE
  
  
• Magnet Forensics
  • Incident Response – Deep Forensic Analysis of the Cyberattacks Targeting Your Business
  • Magnet AUTOMATE: Streamline Your Digital Investigation Workflows
    
    
• Alisha Cales at Paraben Corporation
  PFIC 2023 Agenda Live
  

PRESENTATIONS/PODCASTS

• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2023-03-06
  • Part 2-Azure Console Pivoting 101 | Steve Borosh
    
    
• BlueMonkey 4n6
  Magnet Virtual Summit Capture The Flag 2023 – Cipher
  
  
• Breaking Badness
  150. Thrifty, Nifty, Never Shifty (Part I)
  
  
• Cellebrite
  • Episode 20: I BEG TO DFIR – How to Leverage Samsung Rubin Data with Mobile Device Forensic Tools
  • 2 ways to get Cellebrite Reader and share findings with the investigative team
    
    
• Cyber Security Interviews
  #123 – Douglas Brush (Part 1): Guess Who’s Back, Dougie’s Back
  
  
• Detections by SpectreOps
  Episode 30: Maxime Lamothe-Brassard (Part 1)
  
  
• Digital Forensic Survival Podcast
  DFSP # 368 – SVCHOST
  
  
• Gerald Auger at Simply Cyber
  5 “Insider” SOC Analyst Resources (🔥 Be Better, Faster, Stronger)
  
  
• InfoSec_Bret
  Business Email Compromise, A Discussion and Walkthrough
  
  
• James Spiteri at ‘Oh My Malware!’
  Oh My Malware – Episode 5 – BPFDoor
  
  
• Lee Reiber’s Forensic Happy Hour
  Forensic Happy Hour Episode 401
  
  
• Magnet Forensics
  Internal Data Exfiltration – Getting to the Bottom of IP Theft
  
  
• MSAB
  How to Save a Subset with XAMN Pro?
  
  
• Neil Fox
  How to Extract the SAM & SYSTEM HIVE (AD Credential Harvesting)
  
  
• Nick Berrie
  Insecure Direct Object Reference (“IDOR”) Attack & Defense
  
  
• Paraben Corporation
  E3 Forensic Platform Capturing Instagram Cloud Data
  
  
• Richard Davis at 13Cubed
  Interview with Lesley Carhart (hacks4pancakes)
  
  
• RickCenOT
  PROMOCODE FOR PICSPT – Pentesting Industrial Control Systems Penetration Testing Promo Video
  
  
• SANS Institute
  • Meet SANS Senior Instructor: Mark Baggett
  • 100% Scholarship Opportunities in Cybersecurity for Black American College Students
  • Transparency from a CISO’s Perspective
  • Meet SANS Instructor: Terrence Williams
  • Meet SANS Certified Instructor: Lordina Cherne
  • Meet SANS Senior Instructor: John Hubbard
  • Meet SANS Instructor: Jason Nickola
  • Meet SANS Senior Instructor: Ismael Valenzuela
  • Meet SANS Fellow: Heather Mahalik
  • Meet SANS Instructor: Gene McGowan
  • Meet SANS Certified Instructor: Domenica Crognale
  • Meet SANS Principal Instructor: Doc Blackburn
  • Meet SANS Certified Instructor: Dean Parsons
  • Meet SANS Fellow: David Hoelzer
  • Meet SANS Senior Instructor: Bryan Simon
    
    
• Mike Cohen at Rapid7
  Incident Response with Velociraptor
  

MALWARE

• ASEC
  • ASEC Weekly Phishing Email Threat Trends (February 19th, 2023 – February 25th, 2023)
  • Lazarus Group Attack Case Using Vulnerability of Certificate Software Commonly Used by Public Institutions and Universities
  • ASEC Weekly Malware Statistics (February 27th, 2023 – March 5th, 2023)
  • GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP
  • PlugX Malware Being Distributed via Vulnerability Exploitation
  • CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft)
  • Decryptable iswr Ransomware Being Distributed in Korea
  • Netcat Attack Cases Targeting MS-SQL Servers (LOLBins)
    
    
• Boymoder RE
  Brute Ratel – Scandinavian Defence
  
  
• c3rb3ru5d3d53c
  • [62] LiveStream – Reversing The DUMBEST HACK I’ve Ever Seen (Redline Stealer Part 7)
  • [63] Malware Lab – Deobfuscation with VIM Macros
    
    
• Erik Pistelli at Cerbero
  RedLine Stealer Dropper
  
  
• CTF导航
  • CS 4.7 Stager 逆向及 Shellcode 重写
  • Lazarus组织木马化开源软件的加密通信分析
  • APT-C-56（透明部落）部署Android系统RlmRat、Linux系统波塞冬新型组件披露
  • PLAY勒索软件完整分析
  • Malware Dev 04 – 隐匿之 ETW（Event Tracing for Windows）Bypass
    
    
• Cyble
  • ImBetter: New Information Stealer Spotted Targeting Cryptocurrency Users
  • Critical Vulnerabilities in Wago Web-Based Management System
  • BlackSnake Ransomware Emerges from Chaos Ransomware’s Shadow
  • Nexus: The Latest Android Banking Trojan with SOVA Connections
  • Emotet Strikes Again, Resuming Spamming Operations
    
    
• Cyborg Security
  Hunting Emotet: How Behavioural Hunting Trumps IOC Detection Every Time
  
  
• Dosxuz
  Tradecraft Improvement 2 – Module Stomping
  
  
• Dr Josh Stroschein
  • Analyzing Malicious Link Files – Identifying Initial Access Techniques
  • Analyzing Bloated Malware – Trimming Files with a Hex Editor
    
    
• Flashpoint
  • Private Malware for Sale: A Closer Look at AresLoader
  • Bitwarden: The Curious (Use-)Case of Password Pilfering
    
    
• Guardio
  “FakeGPT”: New Variant of Fake-ChatGPT Chrome Extension Stealing Facebook Ad Accounts with…
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #131: Advanced filters in choosers
  
  
• InfoSec Write-ups
  • Shellcodes are dead, long live Fileless Shellcodes
  • Introduction to M4lw@r3 Analysis — What should you know ?
  • hta Malware analysis
  • Reverse Engineering a Native Desktop Application: Tauri Apps
    
    
• John Hammond
  • Unraveling Discord Token Stealer (python MALWARE)
  • a Hacker’s Backdoor: Service Control Manager
    
    
• Lloyd Davies
  Introducing Exphash: Identifying Malicious DLLs With Export Hashing
  
  
• Lumen
  New HiatusRAT router malware covertly spies on victims
  
  
• Arnold Osipov at Morphisec
  SYS01 Stealer Will Steal Your Facebook Info
  
  
• Siddharth Sharma, Yang Ji, Anmol Maurya and Dongrui Zeng at Palo Alto Networks
  GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers
  
  
• Victoria Vlasova, Haim Zigel, and Ilya Tyunkin at Securelist
  Malvertising through search engines
  
  
• Bobby Cooke at Security Intelligence
  Defining the Cobalt Strike Reflective Loader
  
  
• Alex Delamotte at SentinelLabs
  IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks
  
  
• ThreatFabric
  Xenomorph v3: a new variant with ATS targeting more than 400 institutions
  
  
• Reegun Jayapaul at Trustwave SpiderLabs
  OneNote Spear-Phishing Campaign
  
  
• Zhassulan Zhussupov
  Malware AV/VM evasion – part 13: encrypt/decrypt payload via Maldryga. Simple C++ example.
  
  
• Brett Stone-Gross at ZScaler
  Nevada Ransomware: Yet Another Nokayawa Variant
  

MISCELLANEOUS

• Andrea Fortuna
  CERT, CSIRT or SOC?
  
  
• AT&T Cybersecurity
  An assessment of ransomware distribution on darknet markets
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 03/11/23
  
  
• Derek Eiri
  Forensic 4:cast Awards, 2023
  
  
• Eric Capuano at Recon Infosec
  A Tribute to OpenSOC
  
  
• Eric Ooi
  Zeekurity Zen – Part IX: How To Update Zeek
  
  
• Forensic Focus
  • We’re Not in Document Land Anymore: Modern Data Collections for Litigation Technology Professionals
  • Amped FIVE Speed Estimation 2d Filter And Training From Amped Software
  • Learn How To Remove Sensitive Audio In Amped Replay
    
    
• MSAB
  #MSAB Women: Breaking the Bias and Making the World Safer All in a Day’s Work
  
  
• Alisha Cales at Paraben Corporation
  New Mobile Fast Track Training Nashville TN
  
  
• Sam Deckoff at SUMURI
  TALINOs, Video Editing, and You
  

SOFTWARE UPDATES

• Brian Maloney
  OneDriveExplorer v2023.03.10
  
  
• Brim
  v1.0.0
  
  
• Costas K
  • MFTBrowser.exe
  • EvtxLogBrowser
  • JumplistBrowser
  • WinEDB_Browser
    
    
• Datadog Security Labs
  GuardDog v1.1.3
  
  
• Foxton Forensics
  • Browser History Examiner — Version History – Version 1.18.1
  • PageRecon
    
    
• Griffeye
  Release of Analyze 23
  
  
• Hasherezade
  PE-Bear v0.6.5.2
  
  
• Jason Ostrom
  Introducing Edge: A Recon Tool for Cloud Provider Attribution
  
  
• Manabu Niseki
  Mihari v5.1.1
  
  
• Nextron Systems
  THOR Log Conversion to CSV
  
  
• Open Source DFIR
  Plaso 20230226 released
  
  
• OpenCTI
  5.6.2
  
  
• Oxygen Forensics
  Oxygen Analytic Center v.1.0
  
  
• Xways
  • X-Ways Forensics 20.8 Preview 4
  • X-Ways Forensics 20.7 SR-6
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!