As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Belkasoft
  Lagging for the Win: Querying for Negative Evidence in the sms.db
  
  
• David Spreadborough at Amped
  CCTV Acquisition – Search and Trawl
  
  
• eForensics
  • The Lockbit 3 Black Forensics Analysis: Memory Forensics Modern Approach (Part III)
  • How to Better Prepare for a Memory Forensics Investigation
  • Rooting Androids for Forensics
  • iPhone Forensics
  • Analyzing Malware Mobile Apps with VirusTotal Enterprise Online and Kali Linux Locally
  • Digital Forensics Analysis in DeepFake
  • Interview with Paulo Henrique Pereira
  • A Technical Analysis of Brazilian Electronic Voting Machines
  • Unusual Emails: Investigating
  • The Challenges of Collecting Evidence
  • Imaging an Android Smartphone Logically
  • All You Need to Know About Mobile Forensics
    
    
• Oleg Afonin at Elcomsoft
  HomePod Forensics I: Pwning the HomePod
  
  
• Forensafe
  • Investigating Windows BitComit
  • Investigating Windows imo
    
    
• Emma Sousa at Forgotten Nook
  Magnet Forensics Virtual Summit 2023 CTF  – Windows 11
  
  
• John Lukach at 4n6ir
  AArch64 Memory Acquisition for Linux
  
  
• Kelvin Ling
  Investigate a Compromised Exchange Server using SIEM and Sysmon
  
  
• Magnet Forensics
  Getting Started With Magnet RESPONSE
  
  
• Nicolas Bareil at ‘Just Another Geek’
  Investigation scenario: New SQLServer on an AWS Webserver
  
  
• Megan Roddie at SANS
  Google Cloud Log Extraction
  
  
• Seth Enoka
  Alternate Data Streams
  
  
• Jonathan Johnson at SpecterOps
  Uncovering Windows Events
  

THREAT INTELLIGENCE/HUNTING

• CVE-2023-23397
  • Threat Advisory: Microsoft Outlook privilege escalation vulnerability being exploited in the wild
  • Microsoft Outlook Zero Day Vulnerability CVE-2023-23397 Actively Exploited In The Wild
  • Detecting CVE-2023-23397: How to Identify Exploitation of the Latest Microsoft Outlook Vulnerability
  • CVE-2023-23397: Exploitations in the Wild – What You Need to Know
  • Everything We Know About CVE-2023-23397
  • Critical Outlook Vulnerability: In-Depth Technical Analysis and Recommendations (CVE-2023-23397)
    
    
• Lauren Fievisohn, Brad Pittack, and Danny Quist at [redacted]
  BianLian Ransomware Gang Continues to Evolve
  
  
• Akamai
  Attack Superhighway: A Deep Dive on Malicious DNS Traffic
  
  
• Chad Seaman, Larry Cashdollar & Allen West at Akamai
  Uncovering HinataBot: A Deep Dive into a Go-Based Threat
  
  
• Alex Teixeira
  Threat Detection Bad Trips: Log Everything!
  
  
• Andrea Fortuna
  Essential Tools for Gathering and Analyzing IOCs
  
  
• Anomali
  Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam
  
  
• Antonio Formato
  Microsoft Sentinel — Get actionable Threat Intelligence from Twitter
  
  
• James Liolios at Arctic Wolf
  Potential BEC & Phishing Activity due to Recent Banking Events in the United States
  
  
• AttackIQ
  • Hiding in Plain Sight: Monitoring and Testing for Living-Off-the-Land Binaries
  • Attack Graph Response to CISA Advisory (AA23-075A): #StopRansomware: LockBit 3.0
  • Attack Graph Response to CISA Advisory (AA23-074A): Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server
    
    
• Blackberry
  • NOBELIUM Uses Poland’s Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine
  • Shining a Light on Malware Beaconing
    
    
• BleepingComputer
  • Medusa ransomware gang picks up steam as it targets companies worldwide
  • Alleged BreachForums owner ‘Pompompurin’ arrested on cybercrime charges
    
    
• CERT-AGID
  • Il fenomeno Ursnif in Italia: i numeri dell’ultima ondata di campagne
  • Sintesi riepilogativa delle campagne malevole nella settimana del 11 – 17 marzo 2023
    
    
• Check Point Research
  • 13th March – Threat Intelligence Report
  • South Korean Android Banking Menace – FakeCalls
  • DotRunpeX – demystifying new virtualized .NET injector used in the wild
    
    
• CISA
  • Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server
  • #StopRansomware: LockBit 3.0
    
    
• Cisco’s Talos
  • Talos uncovers espionage campaigns targeting CIS countries, embassies and EU health care agency
  • Threat Source newsletter (March 16, 2023) — A deep dive into Talos’ work in Ukraine
  • Threat Round up for March 10 to March 17
    
    
• John Cosgrove and Peter Foster at Cloudflare
  Detecting API abuse automatically using sequence analysis
  
  
• Cobalt Strike Research and Development
  Revisiting the User-Defined Reflective Loader Part 1: Simplifying Development
  
  
• Cofense
  • The Evolution of Emotet Malware
  • Top Malware Trends of February
  • IPFS Abuse Continues as Attackers Mix and Match Techniques
  • How Threat Actors Embed Files in OneNote Documents
    
    
• Cyrill Brunschwiler at Compass Security
  Compass Incident Handling and Forensics Number Crunching
  
  
• Nir Aharon at CyberProof
  Threat hunter’s arsenal: The mindset and tools for proactive hunting
  
  
• Cyble
  • GoatRAT: Android Banking Trojan Variant Targeting Brazilian Banks
  • SVB Collapse Triggers Heightened Cybersecurity Concerns
  • Unmasking MedusaLocker Ransomware
  • Recent Emotet Spam Campaign Utilizing New Tactics
    
    
• Cyborg Security
  • Unveiling the Shadow AI: The Rise of AI Reliance in Cybersecurity
  • 50 Threat Hunting Hypothesis Examples
  • Why You Need a Team of Ninja Threat Hunters to Protect Your Data
  • Thwarting Threats in Healthcare: The Art of Threat Hunting
  • Threat Hunting in Retail: How it Improved Security and Detection Time
  • 7 Reasons to Hold Off on the HUNTER: Why It Might Not Be For You (Yet)!
    
    
• Cyfirma
  Weekly Intelligence Report – 17 Mar 2023
  
  
• Darktrace
  Laplas Clipper: Defending against crypto-currency thieves with DETECT + RESPOND
  
  
• David Burkett at Signalblur
  Using LimaCharlie and ChatGPT to Perform Malware Anomaly Detection
  
  
• Dragos
  • New Knowledge Pack Released (KP-2023-002)
  • OT Cybersecurity Best Practices for SMBs: Communication Channels to Use During Cyber Incident Response
    
    
• EclecticIQ
  Enabling File Integrity Monitoring on Windows with Osquery and EclecticIQ Endpoint Response
  
  
• Falcon Guard
  Top 10 LoL Binaries and Techniques Used by Cyber Threat Actors
  
  
• Flashpoint
  • What You Need to Know About the Cyber Threat Landscape in 2023
  • COURT DOC: Justice Department Investigation Leads to Takedown of Darknet Cryptocurrency Mixer that Processed Over $3 Billion of Unlawful Transactions
  • COURT DOC: Two Men Charged for Breaching Federal Law Enforcement Database and Posing as Police Officers to Defraud Social Media Companies
  • COURT DOC: US Federal Agents Arrest Alleged Administrator of Breach Forums “pompompurin”
    
    
• Fortinet
  • Ransomware Roundup — HardBit 2.0
  • Microsoft OneNote File Being Leveraged by Phishing Campaigns to Spread Malware
    
    
• Benoit Sevens at Google Threat Analysis Group
  Magniber ransomware actors used a variant of Microsoft SmartScreen bypass
  
  
• GuidePoint Security
  GRIT Ransomware Report: February 2023
  
  
• Harlan Carvey and Dray Agha at Huntress
  Addressing Initial Access
  
  
• HP Wolf Security
  HP Wolf Security Threat Insights Report Q4 2022
  
  
• InfoSec Write-ups
  How to Master in Real Cyber Threat Intelligence? Build Military-Grade Intelligence Skills!
  
  
• Bukar Alibe at INKY
  Fresh Phish: Silicon Valley Bank Phishing Scams in High Gear
  
  
• Intel471
  A Look at NLBrute, the RDP Attack Tool
  
  
• JPCERT/CC
  • TSUBAME Report Overflow (Oct-Dec 2022)
  • JSAC2023 -Day 1-
    
    
• Omar Alrawi at Juniper Networks
  Uncovering the Dark Side of Email Traffic
  
  
• L M
  Makop: The Toolkit of a Criminal Gang
  
  
• Alexander Marvi, Brad Slaybaugh, Dan Ebreo, Tufail Ahmed, Muhammad Umair, and Tina Johnson at Mandiant
  Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
  
  
• Microsoft Security
  • DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit
  • KillNet and affiliate hacktivist groups targeting healthcare with DDoS attacks
    
    
• Mike at “CyberSec & Ramen”
  Serverless Domain Hunting: Track Newly Registered Domains With Ease
  
  
• MITRE-Engenuity
  • MITRE Engenuity and the National Cybersecurity Strategy
  • MITRE Engenuity ATT&CK® Evaluations: Managed Services — Round 2 (2023) Call for Participation
    
    
• Nextron Systems
  Private Sigma Rule Feed in Valhalla and Partnership with SOC Prime
  
  
• Nisos
  Malicious Merchants: the Evolution of the Chargeback Scam
  
  
• Gijs Hollestelle at Falcon Force
  Deploying Detections at Scale — Part 0x01 use-case format and automated validation
  
  
• Penetration Testing Lab
  Persistence – Context Menu
  
  
• Justin Schoenfeld at Red Canary
  Diary of a Detection Engineer: Exposing and shutting down an inbox heist in action
  
  
• ReliaQuest
  • Email Threats: HTML Smuggling on the Dark Web
  • QBot: Laying the Foundations for Black Basta Ransomware Activity
  • Cyber Threats in the Wake of the SVB Collapse
    
    
• SANS Internet Storm Center
  • AsynRAT Trojan – Bill Payment (Pago de la factura), (Sun, Mar 12th)
  • Incoming Silicon Valley Bank Related Scams, (Mon, Mar 13th)
  • IPFS phishing and the need for correctly set HTTP security headers, (Wed, Mar 15th)
  • Simple Shellcode Dissection, (Thu, Mar 16th)
  • Old Backdoor, New Obfuscation, (Sat, Mar 18th)
    
    
• Sekoia
  Peeking at Reaper’s surveillance operations
  
  
• Charlie Clark at Semperis
  AD Security Research: Breaking Trust Transitivity
  
  
• SentinelOne
  • CatB Ransomware | File Locker Sharpens Its Claws to Steal Data with MSDTC Service DLL Hijacking
  • Winter Vivern | Uncovering a Wave of Global Espionage
  • BlackMamba ChatGPT Polymorphic Malware | A Case of Scareware or a Wake-up Call for Cyber Security?
    
    
• Splunk
  Threat Advisory: SwiftSlicer Wiper STRT-TA03
  
  
• Team Cymru
  • Threat Intelligence: A CISO ROI Guide  – Automate to Increase Productivity
  • Threat Intelligence: A CISO’s ROI – Avoid Inheriting a Security Problem with M&A Acquisitions
  • Threat Intelligence: A CISO ROI Guide  – Elite Threat Hunters Prevent Supply Chain Breaches
  • Threat Intelligence: A CISO ROI Guide  – Focus on Real-Time Threat Intelligence
  • Threat Intelligence: A CISO ROI Guide – Prevent Data Breaches
    
    
• Satnam Narang at Tenable
  OpenAI’s ChatGPT and GPT-4 Used as Lure in Phishing Email, Twitter Scams to Promote Fake OpenAI Tokens
  
  
• Threatmon
  Beyond Bullets and Bombs: An Examination of Armageddon Group’s Cyber Warfare Against Ukraine
  
  
• Andrew Schwartz at TrustedSec
  Red vs. Blue: Kerberos Ticket Times, Checksums, and You!
  
  
• Uptycs
  • HookSpoofer: The Modified Open Source Stealer Bundlers Making the Rounds
  • Hunting BatLoader Malware with Uptycs
    
    
• Daniel Pascual at VirusTotal
  Introducing VT4Splunk – The official VirusTotal App for Splunk
  
  
• Tatiana Vollbrecht, Dana Behling, Deborah Snyder, and Kyle Shafto at VMware Security
  Unveiling the Evolution of Royal Ransomware
  
  
• Facundo Muñoz at WeLiveSecurity
  The slow Tick‑ing time bomb: Tick APT group compromise of a DLP software developer in East Asia
  

UPCOMING EVENTS

• CCL Solutions
  Webinar Week
  
  
• DFRWS
  DFRWS APAC 2023 Call For Papers
  
  
• Amped Software
  UPCOMING WEBINAR – Video Evidence in 2023: Trends, Challenges, Potentials
  
  
• Gerald Auger at Simply Cyber
  LIVE CLASS – Network Packet Analysis through Haiku Pro Range “PCAP RECAP” 3/20/23
  
  
• Magnet Forensics
  • Missing Data? Build Back Better with Biomes!
  • Tips & Tricks // Managing the Noise With Magnet Hash Sets Manager
  • Tips & Tricks // Remotely Collect From Off-Network Endpoints Using AWS and AXIOM Cyber
    
    
• Microsoft Security Experts’
  Catch Defender Experts for Hunting on the Ninja Show
  
  
• SANS
  • The Top 5 Misconceptions About Ransomware
  • Cloud-Powered DFIR: Harnessing the cloud to improve investigator efficiency
    
    
• SANS
  SANS DFIR Summit 2023 – Call for Presentations
  
  
• Techno Security & Digital Forensics Conference
  Call For Speakers Is Now Open
  

PRESENTATIONS/PODCASTS

• ArcPoint Forensics
  A convenient way to backup and restore drives. Recreate the original drive from an E01 #dfir #police
  
  
• Black Hills Information Security
  Talkin’ About Infosec News – 3/16/2023
  
  
• BlueMonkey 4n6
  Magnet Virtual Summit Capture The Flag 2023 – iOS walk through
  
  
• Breaking Badness
  150. Thrifty, Nifty, Never Shifty (Part II)
  
  
• Cellebrite
  • How to establish a crime narrative in Cellebrite Pathfinder’s investigative analytics solution
  • Use Graph View to find connections and interactions between multiple parties in Pathfinder
  • How to plot social circles in Cellebrite Pathfinder’s investigative analytics solution
  • Digital forensics resources section on the Cellebrite website
  • How to use Cloud forensics tools in Physical Analyzer
  • How to use the Malware Scanner in Physical Analyzer’s digital forensics tools
  • 2 ways to get Cellebrite Reader and share findings with the investigative team
    
    
• Cloud Security Podcast by Google
  EP112 Threat Horizons – How Google Does Threat Intelligence
  
  
• cloudyforensics
  • Digital Forensics & Incident Response Fundamentals for the Cloud
  • Cloud Security Fundamentals for Forensics & Incident Response
    
    
• Dark Mode
  Stories from Tracers in the Dark (Silk Road, AlphaBay, Welcome To Video)
  
  
• Digital Forensic Survival Podcast
  DFSP # 369 – Linux Malware
  
  
• Gerald Auger at Simply Cyber
  What Does a Cyber Security Analyst Do? (Land your First Job)
  
  
• InfoSec_Bret
  CyberDefenders – Mr.Gamer (Part 1)
  
  
• John Hammond
  Elon Musk Crypto Scams
  
  
• Magnet Forensics
  • Getting Started with Magnet RESPONSE
  • Incident Response – Deep Forensic Analysis of the Cyberattacks Targeting Your Business
  • Magnet AUTOMATE: Streamline Your Digital Investigation Workflows
    
    
• MSAB
  How to tailor your extractions with XRY?
  
  
• RickCenOT
  I pwn your Siemens Simatic ICS in 93 Seconds!
  
  
• SANS Cloud Security
  Building Better Detections By Hacking…AWS Edition
  
  
• Sumuri
  RECON Imager’s Logical Imager Interface
  

MALWARE

• Adepts of 0xCC
  VBA: resolving exports in runtime without NtQueryInformationProcess or GetProcAddress
  
  
• Amr Ashraf
  EvilQuest macOS Ransomware
  
  
• ASEC
  • CHM Malware Disguised as North Korea-related Questionnaire (Kimsuky)
  • ASEC Weekly Phishing Email Threat Trends (February 26th, 2023 – March 4th, 2023)
  • Mallox Ransomware Being Distributed in Korea
  • 2022 Threat Trend Report on Kimsuky
  • Unique characteristics of Kimsuky group’s spear phishing emails
  • Threat Trend Report on Region-Specific Ransomware
  • ASEC Weekly Malware Statistics (March 6th, 2023 – March 12th, 2023)
  • ShellBot Malware Being Distributed to Linux SSH Servers
  • Malware Distributed Disguised as a Password File
    
    
• Atomic Matryoshka
  Basic Static Analysis of Raccoon Stealer
  
  
• Corey Ham at Black Hills Information Security
  Your Browser is Not a Safe Space
  
  
• Check Point Software
  Check Point Research conducts Initial Security Analysis of ChatGPT4, Highlighting Potential Scenarios For Accelerated Cybercrime
  
  
• G Data Security
  ChatGPT: The real Evil Twin
  
  
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #132: Finding “hidden” cross-references
  
  
• Tzlil Amar at Intezer
  Infected: Understanding a Malicious Result from an Endpoint Scan
  
  
• Lab52
  APT-C-36: from NjRAT to LimeRAT
  
  
• Malwarebytes Labs
  Emotet adopts Microsoft OneNote attachments
  
  
• Matt Muir at Cado Security
  Previously Undiscovered TeamTNT Payload Recently Surfaced
  
  
• OALABS Research
  • QvoidStealer
  • Healer AVKiller
  • CryptBot
    
    
• Frank Lee and Scott Roland at Palo Alto Networks
  Bee-Ware of Trigona, An Emerging Ransomware Strain
  
  
• S2W Lab
  Kimsuky group appears to be exploiting OneNote like the cybercrime group
  
  
• Sonatype
  Top 8 Malicious Attacks Recently Found On PyPI
  
  
• Nicholas Lang at Sysdig
  Chaos Malware Quietly Evolves Persistence and Evasion Techniques
  
  
• Ian Kenefick at Trend Micro
  Emotet Returns, Now Adopts Binary Padding for Evasion
  
  
• VMRay
  CatB Ransomware: A New Threat Exploiting DLL Side-Loading
  

MISCELLANEOUS

• Adam Flatley at [redacted]
  The Ransomware Dilemma: How to Avoid Paying
  
  
• Alex at Subtlystoic
  How I managed to get 92% on the GIAC GREM CyberLive exam!
  
  
• Jonathan Munshaw at Cisco’s Talos
  Researcher Spotlight: How David Liebenberg went from never having opened Terminal to hunting international APTs
  
  
• Greg Day at Cybereason
  5 Steps to More Effective Ransomware Response
  
  
• Forensic Focus
  • Digital Forensics Round-Up, March 16 2023
  • ADF Solutions Offers Complimentary Mobile Forensics Training On March 22nd
    
    
• Christa Miller at Forensic Horizons
  10 Things I Didn’t Know About How Prosecutors Use (or Don’t Use) Digital Evidence
  
  
• Journal of Computers & Security
  Between a rock and a hard(ening) place: Cyber insurance in the ransomware era
  
  
• Salvation DATA
  Catching Crooks and Keeping Tabs: The Power of Motion Detection in Video Investigation
  
  
• SANS
  A Visual Summary of SANS New2Cyber Summit 2023
  
  
• Security Scorecard
  4 Main Takeaways from the SANS Institute’s Survey on Ransomware and Malware Intrusions
  
  
• Seth Enoka
  Unlocking the DFIR Job Market: Strategies for Landing Your Dream Role29 min read
  
  
• Teri Radichel
  Numbering systems (base 2, base 10, etc)
  
  
• Ryan Shockling at War Room
  Managed Vs. Federated Office 365: What’s the Difference?
  

SOFTWARE UPDATES

• Costas K
  • PrefetchBrowser
  • JumplistBrowser
    
    
• ExifTool
  ExifTool 12.58
  
  
• Kevin Pagano at Stark 4N6
  Introducing SQLiteWalker
  
  
• Magnet Forensics
  Magnet RESPONSE: New Free Tool for IR Investigations
  
  
• Manabu Niseki
  Mihari v5.1.2
  
  
• MISP
  MISP 2.4.169 released with various improvements and bug fixes.
  
  
• radare2
  5.8.4
  
  
• Velociraptor
  Velociraptor Release 0.6.8-rc3
  
  
• Xways
  X-Ways Forensics 20.8 Preview 5
  
  
• Yamato Security
  Hayabusa v2.3.1 🦅
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!