As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Andrew Malec
  Identification, acquisition, and examination of iSCSI LUNs and VMFS datastores
  
  
• Monica Harris at Cellebrite
  Key Takeaways and Highlights from Legalweek 2023
  
  
• Chris at AskClees
  Importing NSRL V3 hashsets into legacy tools
  
  
• Derek Eiri
  Getting SMART(er) with Information
  
  
• Elcomsoft
  • HomePod Forensics III: Analyzing the Keychain and File System
  • Perfect Acquisition Part 3: Perfect HFS Acquisition
    
    
• Forensafe
  Investigating Android Wi-Fi Information
  
  
• Ian D
  Leaky Notifications from Windows 11
  
  
• Joshua Hickman at ‘The Binary Hick’
  Wipeout!  Part Deux – Determining How an Android Was Setup
  
  
• MII Cyber Security
  • Live Forensicator — PowerShell | Bash Script To Aid Incidence Response And Live Forensics
  • Jupyter Notebook: Log Parsing and Regex Utilization
    
    
• The DFIR Report
  Malicious ISO File Leads to Domain Wide Ransomware
  
  
• Avigayil Mechtinger at Wiz
  Intro to forensics in the cloud: A container was compromised. What’s next?
  

THREAT INTELLIGENCE/HUNTING

• Anomali
  Anomali Cyber Watch: Clipboard-injectors, Infostealers, Malvertising, Pay-per-install, Supply chain, and Vulnerabilities
  
  
• Jack Zalesskiy at Any.Run
  Malware Analysis Digest: March 2023 
  
  
• AT&T Cybersecurity
  Chinese fraudsters: evading detection and monetizing stolen credit card information
  
  
• Atomic Matryoshka
  Threat Groups Series: APT 41
  
  
• Francis Guibernau and Ken Towne at AttackIQ
  Emulating Recent Malicious Activity from the Iranian Adversary OilRig
  
  
• Jeremy Fuchs at Avanan
  Phishing From QuickBooks
  
  
• Avertium
  An In-Depth Look at Mirai & HinataBot
  
  
• AWS Security
  • Logging strategies for security incident response
  • Reduce triage time for security investigations with Amazon Detective visualizations and export data
    
    
• BleepingComputer
  • New Money Message ransomware demands million dollar ransoms
  • IRS-authorized eFile.com tax return software caught serving JS malware
    
    
• Bobby Rauch
  Malicious Microsoft Teams Invite: NTLM Relay and Drive By Download Attack
  
  
• Brad Duncan at Malware Traffic Analysis
  2023-04-03 – IoC update: Qakbot (Qbot) TCP port 65400 traffic changes IP address
  
  
• CERT Ukraine
  Використання неліцензійних програм Microsoft Office як вектор первинної компрометації ІКС (CERT-UA#6322)
  
  
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 1 – 7 aprile 2023
  
  
• Check Point Research
  3rd April – Threat Intelligence Report
  
  
• Checkmarx Security
  • Who Broke NPM?: Malicious Packages Flood Leading to Denial of Service
  • Security Alert: 3CX desktop app weaponized to target company’s customers
    
    
• Cisco’s Talos
  • Threat Source newsletter (April 6, 2023) — Another friendly reminder about supply chain attacks
  • Threat Roundup for March 31 to April 7
    
    
• Amy Hogan-Burney at Cobalt Strike Research and Development
  Stopping Cybercriminals From Abusing Security Tools 
  
  
• CyberProof
  How the first UEFI bootkit, BlackLotus, bypassed Windows security
  
  
• Cyble
  • Cl0p Ransomware: Active Threat Plaguing Businesses Worldwide
  • Demystifying Money Message Ransomware 
  • New Cylance Ransomware with Power-Packed CommandLine Options
    
    
• Cyborg Security
  ROI Unlocked: Metrics & Reporting in Threat Hunting Success
  
  
• Cyfirma
  Weekly Intelligence Report – 07 Apr 2023
  
  
• Jake Keast and Aiden Gall at Cyjax
  The (near) impossibility of tracing Monero
  
  
• Daniel Feichter at Red Ops
  Meterpreter vs Modern EDR(s)
  
  
• Darktrace
  • Tackling the Soft Underbelly of Cyber Security – Email Compromise
  • QakNote Infections: A Network-Based Exploration of Varied Attack Paths
    
    
• Esentire
  • Pulse Check on OneNote for Malware Delivery
  • eSentire Threat Intelligence Malware Analysis: BatLoader
    
    
• Florian Roth at Sigma HQ
  Quarterly Sigma Project Update Q1/2023
  
  
• Will Francillette at French365Connection
  MDE: Windows disconnected environment – decision tree
  
  
• Adam Weidemann at Google Threat Analysis Group
  How we’re protecting users from government-backed attacks from North Korea
  
  
• GreyNoise
  Work Smarter, Not Harder: How to Upgrade Your Threat Intel Program in 2023
  
  
• IronNet
  IronNet Monthly Global Threat Update
  
  
• John Fokker, Ernesto Fernández Provecho and Max Kersten at Trellix
  Genesis Market No Longer Feeds The Evil Cookie Monster
  
  
• Kevin Beaumont at DoublePulsar
  Black Basta ransomware group extorts Capita with stolen customer data, Capita fumble response.
  
  
• Koen Van Impe
  MISP to Sentinel integration
  
  
• Malwarebytes Labs
  2023 State of Malware Report: What the channel needs to know to stay ahead of threats
  
  
• Jason Deyalsingh, Nick Smith, Eduardo Mattos, and Tyler Mclellan at Mandiant
  ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access
  
  
• Michael Haag
  Living Off The Land Drivers
  
  
• Microsoft Security
  • DevOps threat matrix
  • MERCURY and DEV-1084: Destructive attack on hybrid environment
  • Fuzzy hashing logs to find malicious activity
    
    
• Alvin Gitonga at Moran Cybersecurity Group
  LaZagne: Perform Post-exploitation on any OS like a Queen
  
  
• No Logs No Breach
  ESXArgs Ransomware
  
  
• Veronika Senderovych, Amer Elsad and Anthony Galiette at Palo Alto Networks
  CryptoClippy Speaks Portuguese
  
  
• Recorded Future
  Joker DPR and the Information War
  
  
• Red Alert
  Phishing Attack Activities: Threat Actors in Sheep’s Clothing (KOR)
  
  
• Corey Carter at ReliaQuest
  Threat Detection Tips: To See More, Log More
  
  
• Resecurity
  STYX Marketplace emerged in Dark Web focused on Financial Fraud
  
  
• Ryan Kovar at Splunk
  Using Workflow Actions & OSINT for Threat Hunting in Splunk
  
  
• SANS Internet Storm Center
  • Tax Season Risks, (Mon, Apr 3rd)
  • Supply Chain Compromise or False Positive: The Intriguing Case of efile.com [updated – confirmed malicious code], (Mon, Apr 3rd)
  • Analyzing the efile.com Malware “efail”, (Tue, Apr 4th)
  • Exploration of DShield Cowrie Data with jq, (Wed, Apr 5th)
  • Security headers you should add into your application to increase cyber risk protection, (Thu, Apr 6th)
  • Detecting Suspicious API Usage with YARA Rules, (Fri, Apr 7th)
  • Microsoft Netlogon: Potential Upcoming Impacts of CVE-2022-38023, (Sat, Apr 8th)
  • Chrome’s Download Tab: Dangerous Files, (Sun, Apr 9th)
    
    
• Christopher Peacock at Scythe
  The Truth About Ransomware
  
  
• Secureworks
  Clop Ransomware Leak Site Shows Increased Activity
  
  
• Securonix
  • Securonix Threat Labs Security Advisory: 3CX Smooth Operator Supply Chain Attack Business Impact and Detections
  • Securonix Threat Labs Monthly Intelligence Insights – March 2023
    
    
• Pedro Tavares at Segurança Informática
  Threat Report Portugal: Q3 & Q4 2022
  
  
• Sekoia
  The Energy sector 2022 cyber threat landscape
  
  
• Sucuri
  • Hacked Website Threat Report – 2022
  • Balada Injector: Synopsis of a Massive Ongoing WordPress Malware Campaign
    
    
• Symantec Enterprise
  Mantis: New Tooling Used in Attacks Against Palestinian Targets
  
  
• Threatmon
  IT Army of Ukraine: Analysis of Threat Actors In The Ukraine-Russia War
  
  
• David Sancho and Mayra Rosario Fuentes at Trend Micro
  Unpacking the Structure of Modern Cybercrime Organizations
  
  
• Trustwave SpiderLabs
  • Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies
  • Deobfuscating the Recent Emotet Epoch 4 Macro
    
    
• Matt Green at the Velociraptor Blog
  Automating Qakbot detection at scale
  
  
• Vikas Singh
  SentinelOne – Module/DLL & Driver Load Activity
  

UPCOMING EVENTS

• Cyborg Security
  • Top Cover – Threat Hunting Management Workshop: From KPIs to Metrics
  • Threat Hunting Workshop: Hunting for Impact
    
    
• Jan Hoff and Tim Ennis at Dragos
  Incident Response for ICS: You Are Not Alone! Critical Controls for Consequence-Driven Incident Response
  
  
• Gerald Auger at Simply Cyber
  Unlock the Full Potential of Cybersecurity Learning! (Haiku World Building)
  
  
• James Robinson and Matt Zorich
  April 2023 – M365 Security & Compliance User Group
  

PRESENTATIONS/PODCASTS

• Digital Forensics Future (DFF)
  • Digital Forensics Future (DFF) (Trailer)
  • S4:E1 Where is Jessica Hyde?
  • Season 4 Trailer
    
    
• ArcPoint Forensics
  • Run AI against your files to translate documents or identify photos of people and objects
  • Convert RAW (.dd) to E01 and back. Linux and Windows.
    
    
• Black Hills Information Security
  • Talkin’ About Infosec News – 4/3/2023
  • Talkin’ About Infosec News – 4/5/2023
  • BHIS – Talkin’ Bout [infosec] News 2023-04-10
  • Genymotion – Proxying Android App Traffic Through Burp Suite | Cameron Cartier
    
    
• BlueMonkey 4n6
  CAINE 13.0 new release – review and installation tutorial
  
  
• Brakeing Down Security Podcast
  3CX supply chain attack, Mark Russinovich and Sysinternals, CISA ransomware notifications, and emotional intelligence
  
  
• Breaking Badness
  153. It’s Pillar Time
  
  
• Cellebrite
  Georgia Bureau of Investigations: Ahmaud Arbery murder solved with help of digital forensics
  
  
• CQURE Academy
  Hacks Weekly #51 Investigating Risky Events Azure AD
  
  
• Cyber Security Interviews
  #125 – Douglas Brush (Part 3): What is a Special Master?
  
  
• Digital Forensic Survival Podcast
  DFSP # 372 – Windows Non-Core Processes
  
  
• Gerald Auger at Simply Cyber
  Threat Actors Updating Their Pig Butchering Scams – Be Aware!
  
  
• Hacker Valley Blue
  • What is Threat Intelligence? #cybersecurity #threatintel #shorts
  • What Is Cyber Threat Intelligence and How To Stand Out As Threat Intelligence Analyst
  • What a Makes A Threat Intel Analyst Successful? #cybersecurity #threat intel #shorts
  • How To Find A Threat Intel Job #cybersecurity #threatintel #shorts
    
    
• InfoSec_Bret
  DFIR Challenge – AWS CloudTrail Part 1
  
  
• John Hammond
  The Latest YouTube Malware Scam
  
  
• Karsten Hahn at Malware Analysis For Hedgehogs
  • Malware Analysis – 3CX SmoothOperator ffmpeg.dll with Binary Ninja
  • Malware Analysis – 3CX SmoothOperator Authenticode Abuse
  • Malware Analysis – Creating a C2 URL decrypter for 3CX SmoothOperator Icons
    
    
• Magnet Forensics
  How to Use the New Magnet OUTRIDER Licensing Model
  
  
• MSAB
  How to run Python Scripts in XAMN Pro?
  
  
• Richard Davis at 13Cubed
  Two Thumbs Up – Thumbnail Forensics
  
  
• RickCenOT
  BREAKING DOWN “I pwn your Beckhoff CX9001 ICS with open Source Tools in 68 seconds!”
  
  
• SANS
  • SANS Cyber Threat Intelligence Summit 2023
  • A Visual Summary of SANS Neurodiversity in Cybersecurity Summit 2023
  • The New OSINT Cheat Code: ChatGPT
  • ICS Security with Dean Parsons | LastPass Breach with Moses Frost | Host Dean Parsons | Apr 11, 2023
  • Developing CISO Leadership Skills with Frank Kim | ChatGPT for OSINT with Matt Edmondson | April 18
    
    
• Sumuri
  SUMURI Podcast Episode 016 – Memory Analysis for User Investigations
  
  
• Laura Kenner at Uptycs
  MITRE ATT&CK Framework and osquery: Scientific Detection – Uptycs
  

MALWARE

• 0day in {REA_TEAM}
  [QuickNote] Uncovering Suspected Malware Distributed By Individuals from Vietnam
  
  
• 0xToxin Labs
  LummaC2 BreakDown
  
  
• Ann Fam
  PSWSTEALER Analysis
  
  
• ASEC
  • ASEC Weekly Phishing Email Threat Trends (March 19th, 2023 – March 25th, 2023)
  • Caution When Using 3CX DesktopApp (CVE-2023-29059)
  • Initech Product (INISAFE CrossWEB) Security Update Recommendation
  • ASEC Weekly Malware Statistics (March 27th, 2023 – April 2nd, 2023)
    
    
• Cameron Cartier at Black Hills Information Security
  Field Guide to the Android Manifest File
  
  
• Jiri  Vinopal, Dennis Yarizadeh and Gil Gekker at Check Point Research
  Rorschach – A New Sophisticated and Fast Ransomware
  
  
• Edmund Brumaghin at Cisco’s Talos
  Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities
  
  
• Flashpoint
  • Crypto, Cash-outs, and Closures: Surveying the Darknet Ecosystem in the Wake of Hydra Market
  • Popular Illicit Shop Genesis Market Seized by Law Enforcement
  • Criminal Marketplace Disrupted in International Cyber Operation
    
    
• Igor Skochinsky at Hex Rays
  Igor’s Tip of the Week #135: Exporting disassembly from IDA
  
  
• Itai Tevet at Intezer
  5 Ways to Use ChatGPT in Your SOC: Real-World AI Applications to Streamline Alert Triage
  
  
• Faishol Hakim at MII Cyber Security
  Investigating Malicious Document File
  
  
• Suraj Malhotra
  • A Tale of .Net Deobfuscation – VirtualGuard Devirtualization
  • A Tale of .Net Deobfuscation – VirtualGuard Basics
    
    
• OALABS Research
  • AresLoader
  • PhotoLoader ICEDID
    
    
• Patrick Wardle at Objective-See
  Ironing out (the macOS) details of a Smooth Operator (Part II)
  
  
• Akshat Pradhan at Qualys
  3CXDesktopApp Backdoored in a Suspected Lazarus Campaign  
  
  
• Georgy Kucherin, Vasily Berdnikov, Vilen Kamalov at Securelist
  Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack
  
  
• Security Intelligence
  • New Generation of Phishing Hides Behind Trusted Services
  • How to Defend Against Extortion Groups Like Lapsus$
    
    
• Priyadharshini Balaji at Security Investigation
  How to Perform Static Code Analysis on Packed Malware ?
  
  
• Uptycs
  3CX Supply Chain Cyber Attack: Analysis of Windows and macOS – Uptycs
  

MISCELLANEOUS

• Kevin Ripa at SANS
  Where are My Keys?
  
  
• ADF Solutions
  Uncovering Hidden Evidence: A Brief Guide to E-Discovery
  
  
• Alex Teixeira
  Detection cannot be outSOARced
  
  
• Alican Kiraz
  • My Blue Team Certification Journey and Creating Your Own Blue Team Certification Roadmap
  • Cyber Security -Incident Response Part 4: Post-Incident Activity| EN
    
    
• ArcPoint
  Unlocking the Power of Digital Forensics | ArcPoint Forensics
  
  
• Belkasoft
  ChatGPT in DFIR Quiz
  
  
• Businesswire
  Magnet Forensics Announces Closing of Plan of Arrangement
  
  
• Cado Security
  XDR is Great, but Only if it’s Rolled out Everywhere
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 04/08/2023
  
  
• Reza Rafati at Cyberwarezone
  • Phantom Incident Scam in Ransomware Attacks
  • Understanding the Different Types of Threat Intelligence Feed Formats
  • Top Premium Threat Intelligence Feed Providers
  • 5 Key Tips to Consider When Choosing a Premium Threat Intelligence Feed
  • Free vs. Premium Threat Intelligence: Pros and Cons
  • How to Effectively Implement Premium Threat Intelligence Feeds
  • 10 Key Features of a Threat Intelligence Platform (TIP)
  • How to Determine Incident Response Retainer Cost
  • Top 10 Incident Response Tools and Platforms for 2023
    
    
• Devon Ackerman at GRC Outlook
  Incident Response Meets Governance Risk and Compliance (GRC)in Digital Forensics
  
  
• Fabien Bader at Cloudbrothers
  Sentinel Pester Framework
  
  
• Forensic Focus
  • How Amped FIVE Helped To Solve A Murder Investigation In Nottinghamshire
  • ADF Solutions’ Upcoming Webinar: Taking Command Of Forensic Evidence
  • Cellebrite Announces RelativityOne Integration For Quicker, Safer Data Review
  • Digital Forensics Round-Up, April 06 2023
    
    
• Ilias Mavropoulos
  Blue Team Level 1 (BTL1) Training Course / Exam Review and Tips — March 2023
  
  
• Jeffrey Appel
  Microsoft Defender for Cloud– The ultimate blog series (Intro) – P0
  
  
• Morten Knudsen
  • Understanding Azure Data Collection Endpoint
  • AzLogDcrIngestPS – your helper to send data via Azure Pipeline, Azure Log Ingestion API & Azure Data Collection Rules into Azure LogAnalytics table
  • ClientInspector – a cool showcase to demonstrate Log ingestion API, Azure Log Ingestion Pipeline, Azure Data Collection Rules and my new Powershell module AzLogDcrIngestPS
  • Collecting System & Application events using Azure Monitor Agent
  • Collecting Security events using Azure Monitor Agent
  • How to do data transformation using Workspace transformation for legacy upload methods
  • Understanding the fundamentals of log-collection with Azure Monitor Agent & Azure Data Collection Rules
  • Collecting Performance data using Azure Monitor Agent, VMInsights and ServiceMap
  • Collecting IIS logs using Azure Monitor Agent
  • Understanding Azure logging capabilities in depth
    
    
• Nathan McNulty
  • Intune – Block mounting of ISO files
  • Intune – Discover Defender AV exclusions using Proactive Remediation
    
    
• Nextron Systems
  Customer Portal Upgrade – Planned Downtime
  
  
• Rachel Teisch at OpenText
  The Great eDiscovery Reset 
  
  
• SANS
  Cybersecurity Jobs: Malware Analyst (Japanese)
  
  
• SUMURI
  Digital Forensics 101 for Lawyers
  
  
• Teri Radichel
  SANS GSE Renewal
  
  
• Mike Cohen at Velociraptor Blog
  The Velociraptor annual community survey
  

SOFTWARE UPDATES

• Amped
  Amped DVRConv Update 28427: Generating Hash Codes and Setting the Default Video Player
  
  
• Capa
  v5.1.0
  
  
• Cellebrite
  Now Available: Cellebrite Physical Analyzer, Logical Analyzer, Reader, and UFED Cloud v7.61
  
  
• Didier Stevens
  • Update: re-search.py Version 0.0.22
  • Update: 1768.py Version 0.0.18
  • Update: dnsresolver.py Version 0.0.3
    
    
• Grant Cole at DomainTools
  Introducing the New Iris Investigate
  
  
• Elcomsoft
  Elcomsoft tools gain support for NVIDIA Ada Lovelace boards, nearly double password recovery speeds
  
  
• ExifTool
  ExifTool 12.60 (production release)
  
  
• Magnet Forensics
  Magnet OUTRIDER 3.4: Bring Your Own Device and Dark Mode
  
  
• MISP
  MISP to Azure Sentinel integration
  
  
• MSAB
  New release: XRY 10.5, XAMN 7.5 and XEC 7.5
  
  
• Passware
  Passware Kit 2023 v2 Now Available
  
  
• WithSecure Labs
  Chainsaw v2.6.0
  
  
• Xways
  • X-Ways Forensics 20.7 SR-8
  • X-Ways Forensics 20.8 Beta 2
    
    
• Yamato Security
  Hayabusa v2.3.3 🦅
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!