As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Ahmed Belhadjadji
  Windows Forensics Challenge Walkthrough (LETSDEFEND)
  
  
• Emma Sousa at Forgotten Nook
  • CyberDefenders – Insider
  • CyberDefenders – L’espion
    
    
• Eric Capuano
  • Find Threats in Event Logs with Hayabusa
  • A “Thank You” to Paid Subscribers
  • So you want to be a SOC Analyst? Part 4
    
    
• Forensafe
  • Investigating Windows BitTorrent
  • Investigating Windows Avira Antivirus
    
    
• Khris Tolbert at MaverisLabs
  HTB: CA2023 — Forensics Interstellar C2
  
  
• Oleg Afonin at Elcomsoft
  • HomePod Forensics II: checkm8 and Data Extraction
  • Sideloading the Extraction Agent using a Firewall
    
    
• Angel Garrow at tcdi
  The Hidden Dangers of Entrusting Forensic Data Collections to Your Internal IT Team
  
  
• Andrew Case at Volatility Labs
  Memory Forensics R&D Illustrated: Detecting Hidden Windows Services
  

THREAT INTELLIGENCE/HUNTING

• 0xRob
  Threat Hunting with Jupyter Notebooks To Detect Advanced Threats: Part 2 – Setting up Custom Queries and a Example Host Investigation Notebook
  
  
• Alex Teixeira
  Detection Surface & the role of Endpoint Telemetry
  
  
• Amr Ashraf
  AveMariaRAT_Mass_Detection
  
  
• Anomali
  Anomali Cyber Watch: APT, China, Data leak, Injectors, Packers, Phishing, Ransomware, Russia, and Ukraine
  
  
• Arctic Wolf
  Arctic Wolf Labs 2023 Threat Report
  
  
• AttackIQ
  • Emulating the Politically Motivated Chinese APT Mustang Panda
  • Emulating the Infamous Modular Banking Trojan BokBot
    
    
• BI.Zone
  BI.ZONE detects destructive attacks against by the Key Wolf group
  
  
• Lindsay Von Tish at Bishop Fox
  What the Vuln: EDR Bypass with LoLBins
  
  
• Derek Banks at Black Hills Information Security
   Ssh… Don’t Tell Them I Am Not HTTPS: How Attackers Use SSH.exe as a Backdoor Into Your Network
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2023-03-16 – Epoch 5 activity: Emotet now also using OneNote files
  • 2023-03-17 – Emotet Epoch 5 activity
  • 2023-03-22 – Emotet Epoch 4 activity
    
    
• Check Point Software
  • Detecting Malicious Packages on PyPI: Malicious package on PyPI use phishing techniques to hide its malicious intent
  • 20th March – Threat Intelligence Report
  • Beware of Phishing Scams 3.0- The email you receive might not be from who you think it is
    
    
• Yehuda Gelb at Checkmarx Security
  New Attack Vector Observed, Targeting .NET Developers in A Software Supply Chain Attack
  
  
• Cisco’s Talos
  • Emotet resumes spam operations, switches to OneNote
  • Threat Source newsletter (March 23, 2023) — Meta is threatening to ban news sharing in Canada. Good.
  • Threat Roundup for March 17 to March 24
    
    
• CTF导航
  • 攻击技术研判 | 借助OneNote笔记进行MoTW规避新姿势
  • Velociraptor实践-GUI基础操作
  • Bloodhound 工具杂记
    
    
• Cyber Incident Response Operations Center of the State Cyber Protection Center
  Growing Mass Credential Harvesting Campaigns against Ukrainians — Report
  
  
• Cyble
  • Wave of Arrests Hits Cybercriminals
  • Notorious SideCopy APT group sets sights on India’s DRDO
  • Cinoshi Project and the Dark Side of Free MaaS
    
    
• Cyborg Security
  • Medusa Ransomware
  • HyperBro RAT
    
    
• Cyfirma
  Weekly Intelligence Report – 24 Mar 2023
  
  
• Cyjax
  • Cryptocurrency Threat Landscape Report –  A Year in Review 2022
  • Cryptocurrency Threat Landscape Report: A Year in Review 2022
    
    
• Darktrace
  Amadey Info-Stealer: Exploiting N-Day Vulnerabilities to Launch Information Stealing Malware
  
  
• EclecticIQ
  Cybercriminals Exploit SVB’s Collapse; Emotet Returns & BatLoader Abuses Google Ads 
  
  
• Esentire
  Analysis of Microsoft Outlook Elevation of Privilege Vulnerability CVE-2023-23397
  
  
• Derek Manky at Fortinet
  The Latest Intel on Wipers
  
  
• German Bundesamt für Verfassungsschutz (BfV) and the National Intelligence Service of the Republic of Korea (NIS)
  킴수키1 해킹조직의 구글 브라우저 및 앱 스토어 서비스 악용 공격 주의
  
  
• Nick Roy at GreyNoise
  Don’t Let Your Team Drown in Netflow
  
  
• Stuart Ashenbrenner at Huntress
  macOS (Not)ifications
  
  
• Intel471
  New loader on the bloc – AresLoader
  
  
• Jouni Mikkola at “Threat hunting with hints of incident response”
  Analysis of the current malware – Icedid
  
  
• Keith McCammon
  The top initial access vectors in 2022
  
  
• Lexfo
  Cobalt Strike Investigation – Part 2
  
  
• Louis Mastelinck
  Insider Threat: Malicious admin reading your emails!
  
  
• Mandiant
  • Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace
  • We (Did!) Start the Fire: Hacktivists Increasingly Claim Targeting of OT Systems
  • UNC961 in the Multiverse of Mandiant: Three Encounters with a Financially Motivated Threat Actor
    
    
• Microsoft Security
  Guidance for investigating attacks using CVE-2023-23397
  
  
• Nasredding Bencherchali at Nextron Systems
  Demystifying SIGMA Log Sources
  
  
• NTT Communications
  Internship experience ~ Tracking Cobalt Strike’s C2 server ~
  
  
• Maxime Thiebaut at NVISO Labs
  IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole
  
  
• Palo Alto Networks
  • Unit 42 Ransomware and Extortion Report Highlights: Multi-Extortion Tactics Continue to Rise
  • Malicious JavaScript Injection Campaign Infects 51k Websites
    
    
• Penetration Testing Lab
  Persistence – Service Control Manager
  
  
• Recorded Future
  Russian Sanctions Evasion Puts Merchants and Banks at Risk
  
  
• Red Canary
  • A guided tour of the 2023 Threat Detection Report
  • Intelligence Insights: March 2023
    
    
• ReliaQuest
  • BreachForums Is Down as FBI Arrests Alleged Founder
  • Threat Hunting: The Intel Needle in the Haystack
    
    
• S2W Lab
  • Detailed Analysis of Cryptocurrency Phishing Through Famous YouTube Channel Hacking
  • Scarcruft Bolsters Arsenal for targeting individual Android devices
    
    
• SANS Internet Storm Center
  • From Phishing Kit To Telegram… or Not!, (Mon, Mar 20th)
  • String Obfuscation: Character Pair Reversal, (Tue, Mar 21st)
  • Windows 11 Snipping Tool Privacy Bug: Inspecting PNG Files, (Wed, Mar 22nd)
  • Cropping and Redacting Images Safely, (Thu, Mar 23rd)
  • Microsoft Released an Update for Windows Snipping Tool Vulnerability, (Sat, Mar 25th)
  • CyberChef Version 10 Released, (Sun, Mar 26th)
  • Extra: “String Obfuscation: Character Pair Reversal”, (Sun, Mar 26th)
    
    
• Securelist
  • Bad magic: new APT found in the area of Russo-Ukrainian conflict
  • Developing an incident response playbook
    
    
• Security Scorecard
  Royal Ransomware on the Rise: Everything You Need to Know
  
  
• SentinelOne
  • Session Cookies, Keychains, SSH Keys and More | 7 Kinds of Data Malware Steals from macOS Users
  • Operation Tainted Love | Chinese APTs Target Telcos in New Attacks
    
    
• Snyk
  The rising trend of malicious packages in open source ecosystems
  
  
• SOCRadar
  • LockBit and AlphVM Announce New Victims
  • Attackers Exploit Adobe Acrobat Sign to Distribute RedLine Stealer Malware
  • APT Profile: Sandworm
    
    
• Splunk
  Breaking the Chain: Defending Against Certificate Services Abuse
  
  
• Ben Martin at Sucuri
  • WooCommerce Credit Card Skimmer Reveals Tampered Gateway Plugin
  • Critical Vulnerability Discovered in WooCommerce Payments
    
    
• The Sleuth Sheet
  The Adversarial Mindset: Think Like The APT’s of The Future
  
  
• Threatmon
  • Cybergun: Technical Analysis of the Armageddon’s Infostealer
  • KillNet: In-Depth Analysis on The Roles of Threat Actors and Attacks In The Ukraine-Russia War
  • The Roles of Threat Actors in The Ukraine-Russian War: Noname057(16)
    
    
• Pham Duy Phuc, Max Kersten and Tomer Shloman at Trellix
  Shining Light on Dark Power: Yet Another Ransomware Gang
  
  
• Mattias Wåhlén at Truesec
  What Is Anonymous Sudan?
  
  
• TrustedSec
  • Situational Awareness BOFs for Script Kiddies
  • Disabling AV With Process Suspension
    
    
• Oleg Boyarchuk at VMware Security
  How to Detect PoshC2 PowerShell Implants
  

UPCOMING EVENTS

• Jared Luebbert at Belkasoft
  SQLite Forensics with Belkasoft
  
  
• Magnet Forensics
  Internal Investigations – Get the Evidence You Need to Safeguard Your Business
  

PRESENTATIONS/PODCASTS

• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2023-03-20
  • Part1-How to Live like a Criminal – Privacy Tips for the Non-Criminal | Ean Meyer & John Strand
  • Part 2-How to Live like a Criminal – Privacy Tips for the Non-Criminal | Ean Meyer & John Strand
    
    
• BlueMonkey 4n6
  Triage with Sumuri PALADIN – the Find menu
  
  
• Breaking Badness
  151. Epic Bail: The Collapse of Silicon Valley Bank and Its Impact on Infosec
  
  
• BSides
  BSides Sydney 2022
  
  
• cloudyforensics
  Continuing our series on Cloud Forensics & Incident Response, we’ve now posted the third video in…
  
  
• Cyber Security Interviews
  #124 – Douglas Brush (Part 2): Words of Advice
  
  
• Detections by SpectreOps
  Episode 31: Maxime Lamothe-Brassard (Part 2)
  
  
• Digital Forensic Survival Podcast
  DFSP # 370 – UserAssist
  
  
• Gerald Auger at Simply Cyber
  • So You Want To Be a SOC Analyst? With Eric Capuano
  • Uncover the Secrets of a Home SOC Analyst Lab! [Step-by-Step Walkthrough]
    
    
• InfoSec_Bret
  CyberDefenders – Mr.Gamer (Part 2 – FINAL)
  
  
• John Hammond
  So Linus Tech Tips Got Hacked…
  
  
• JPCERT/CC
  JSAC2023 -Day 2-
  
  
• Magnet Forensics
  • Missing Data? Build Back Better with Biomes!
  • Tips & Tricks // Managing the Noise With Magnet Hash Sets Manager
  • Tips & Tricks // Remotely Collect From Off-Network Endpoints Using AWS and AXIOM Cyber
    
    
• MSAB
  • How to Search and Filter in XAMN Pro?
  • Forensic Fix – Episode 2 – Andrew Lister
    
    
• Neil Fox
  How to extract the NTDS.dit from a Domain Controller without Administrator privileges
  
  
• Paraben Corporation
  E3 Forensic Platform OSINT Options Twitter
  
  
• RickCenOT
  BREAKING DOWN “I pwn your Siemens Simatic ICS in 93 Seconds!”
  
  
• SANS
  SANS Cyber Threat Intelligence Summit 2023
  
  
• Sumuri
  • How to Update your RECON ITR
  • SUMURI Podcast Episode 015 – TALINO Servers: What’s New?
    
    
• The Defender’s Advantage Podcast
  Threat Trends: A Retrospective on Zero-Days in 2022 with Project Zero and Mandiant
  

MALWARE

• 0day in {REA_TEAM}
  [QuickNote] Decrypting the C2 configuration of Warzone RAT
  
  
• ASEC
  • Warning for Microsoft Office Outlook Privilege Escalation Vulnerability (CVE-2023-23397)
  • Warning for Asset Management Program (TCO!Stream) Vulnerability and Update Recommendation
  • Warning for Certification Solution (VestCert) Vulnerability and Update Recommendation
  • MDS’ Evasion Feature of Anti-sandboxes That Uses Pop-up Windows
  • ASEC Weekly Malware Statistics (March 13th, 2023 – March 19th, 2023)
  • ASEC Weekly Phishing Email Threat Trends (March 5th, 2023 – March 11th, 2023)
  • Nevada Ransomware Being Distributed in Korea
  • ChinaZ DDoS Bot Malware Distributed to Linux SSH Servers
  • OneNote Malware Disguised as Compensation Form (Kimsuky)
    
    
• Shanice Jones at Bitdefender
  What Is Dynamic Malware Analysis?
  
  
• Cleafy
  Nexus: a new Android botnet?
  
  
• Dr Josh Stroschein
  • OneNote Malware Trends – Analyzing Emotet Abuse
  • OneNote Malware Trends – OneNote Leads to AgentTesla
    
    
• Guardio
  “FakeGPT” #2: Open-Source Turned Malicious in Another Variant of the Facebook Account-Stealer…
  
  
• Hex Rays
  • Plugin focus: SK3wldbg
  • Igor’s Tip of the Week #133: Alignment items
    
    
• Darren Spruell at InQuest
  Credential Caution: Exploring the New Public Cloud File-Borne Phishing Attack
  
  
• Ryan Robinson at Intezer
  Phishing Campaign Targets Chinese Nuclear Energy Industry
  
  
• Lab52
  Bypassing Qakbot Anti-Analysis
  
  
• Jérôme Segura at Malwarebytes Labs
  A look at a Magecart skimmer using the Hunter obfuscator
  
  
• Marco Ramilli
  Reversing Emotet Dropping Javascript
  
  
• Gustavo Palazolo at Netskope
  Emotet Comeback: New Campaign Using Binary Padding to Evade Detection
  
  
• OALABS Research
  OneNote WSF Malware (Emotet)
  
  
• Ofer Caspi at AT&T Cybersecurity
  BlackGuard stealer extends its capabilities in new variant
  
  
• Phylum
  Malicious Actors Use Unicode Support in Python to Evade Detection
  
  
• John Dwyer at Security Intelligence
  When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule
  
  
• Vickie Su, Nick Dai and Sunny Lu at Trend Micro
  Pack it Secretly: Earth Preta’s Updated Stealthy Strategies
  
  
• Shilpesh Trivedi at Uptycs
  MacStealer: New macOS-based Stealer Malware Identified
  
  
• Zhassulan Zhussupov
  Malware AV/VM evasion – part 14: encrypt/decrypt payload via A5/1. Bypass Kaspersky AV. Simple C++ example.
  

MISCELLANEOUS

• Jessica Hyde from Hexordia on the Magnet Forensics blog
  Announcing the MVS 2023 CTF Winners and a NEW CTF Challenge!
  
  
• SANS
  • What is In a Name?
  • DFIR Origin Stories – Kat Hedley
  • Cloud Attacks and Threat Detections
    
    
• Eddie Bentley at Cado Security
  Automating Response Actions with Cado
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 03/25/2023
  
  
• Forensic Focus
  • Tips And Tricks: Data Collection For Cloud Workplace Applications
  • AI In CSAM Investigations And The Role Of Digital Evidence In Criminal Cases
  • Digital Forensics Round-Up, March 23 2023
  • UPCOMING WEBINAR – Identifying And Triaging Security Risks In Your Organization
    
    
• Christa Miller at Forensic Horizons
  Towards Better Digital Evidence Training for Prosecutors
  
  
• IntaForensics
  Defence case reviews: the need for deeper digital investigation
  
  
• Mathius Fuchs at CyberFox
  • Welcome back
  • Do we still need memory forensics today?
    
    
• Digit Oktavianto at MII Cyber Security
  A Tale Story of Compromise Assessment — Part 1
  
  
• Amber Schroader at Paraben Corporation
  Why is Triage a good step in Digital Forensics?
  
  
• Seth Enoka
  A Roadmap to Earning Your First (or Next) SANS Certification
  
  
• Teri Radichel
  • Hexadecimal To Binary To Decimal
  • Math in Network Packets
    

SOFTWARE UPDATES

• Amped
  Amped FIVE Update 28265: Validation Tool, Convert DVR Options, Subtitle Auto Loading and much more
  
  
• Cellebrite
  Cellebrite Announces RelativityOne Integration for Quicker, Safer Data Review
  
  
• CISA
  Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments
  
  
• CyberChef
  v10.4.0
  
  
• Didier Stevens
  • Update: oledump.py Version 0.0.73
  • Update: python-per-line.py version 0.0.10
    
    
• Drew Alleman
  DataSurgeon 1.1.0
  
  
• Elcomsoft
  Elcomsoft iOS Forensic Toolkit 8.13 adds checkm8 extraction for first-generation HomePod
  
  
• Grayshift
  Grayshift Introduces VeraKey for eDiscovery and Corporate Investigations
  
  
• IntelOwl
  v4.2.3
  
  
• Kevin Pagano
  SQLiteWalker – v0.0.2
  
  
• Maxim Suhanov
  dfir_ntfs 1.1.18
  
  
• MSAB
  MSAB launches new advanced software to secure evidence from mobile phones
  
  
• Rapid7
  Velociraptor Release 0.6.8
  
  
• Sandfly Security
  Sandfly 4.3.2 – Linux Loadable Kernel Module Rootkit Taint Detection
  
  
• Xways
  • X-Ways Forensics 20.7 SR-7
  • X-Ways Forensics 20.8 Beta 1
    
    
• Yamato Security
  Hayabusa v2.3.2 🦅
  
  
• YARA
  v4.3.0
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!