As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Cado Security
  • How to be IR Prepared in AWS
  • How to be IR prepared in Azure
    
    
• DCSO CyTec
  Overview: Evidence Collection of Ivanti Connected Secure Appliances
  
  
• Forensafe
  Investigating iOS TikTok
  
  
• Passware
  From FileVault to T2: How to Deal with Native Apple Encryption
  

THREAT INTELLIGENCE/HUNTING

• Phill Moore, Zach Stanford and Ross Brittain at CyberCX
  NetScalers are under attack. Or… they were…
  
  
• Bill Stearns at Active Countermeasures
  Problems With Packet Capture
  
  
• Adam Goss
  Netlas.io: A Powerful Suite of Tools for Threat Hunting
  
  
• PhishLabs
  Phishing-as-a-Service Profile: LabHost Threat Actor Group
  
  
• Anton Chuvakin
  Blueprint for Threat Intel to Detection Flow (Part 7)
  
  
• Ilay Goldman at Aqua
  Snap Trap: The Hidden Dangers Within Ubuntu’s Package Suggestion System
  
  
• AttackIQ
  • Emulating the Ever-Evolving Loader DarkGate
  • Response to an Unknown Threat Actor Who Leveraged a Compromised Account to Access State Government Organization
    
    
• Christine Barry at Barracuda
  Royal ransomware: a threat actor you should know
  
  
• Bitdefender
  • North Korean Hackers Turn Profit from Malware-Laced Gambling Websites
  • Bitdefender Threat Debrief | February 2024
    
    
• Tyler Cubarney at Blumira
  How To Detect File Changes in Windows Server
  
  
• Brad Duncan at Malware Traffic Analysis
  2024-02-14 – Danabot infection from Italian malspam
  
  
• CERT-AGID
  • Il gruppo TA544 cambia ancora strategia sfruttando il malware Danabot
  • Sintesi riepilogativa delle campagne malevole nella settimana del 10 – 16 Febbraio 2024
    
    
• Chainalysis
  Money Laundering Activity Spread Across More Service Deposit Addresses in 2023, Plus New Tactics from Lazarus Group
  
  
• Check Point
  • 12th February – Threat Intelligence Report
  • The Risks of the #MonikerLink Bug in Microsoft Outlook and the Big Picture
    
    
• CISA
  Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization
  
  
• Cybereason
  From Cracked to Hacked: Malware Spread via YouTube Videos
  
  
• Cyfirma
  Weekly Intelligence Report – 16 Feb 2024
  
  
• EclecticIQ
  • DarkGate: Opening Gates for Financially Motivated Threat Actors
  • Advanced Cybercriminals Rapidly Diversify Cyberattack Channels Following Public Vulnerability Disclosure
    
    
• Eclypsium
  Flatlined: Analyzing Pulse Secure Firmware and Bypassing Integrity Checking
  
  
• Flare
  • Initial Access Broker Landscape in NATO Member States on Exploit Forum
  • Modern Cyber Warfare: Crowdsourced DDoS Attacks
    
    
• Flashpoint
  COURT DOC: Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)
  
  
• GuidePoint Security
  GRIT Ransomware Report: January 2024
  
  
• Hornet Security
  Monthly Threat Report Februar 2024: Ein Monat voller Sicherheitsverletzungen und Ransomware-Angriffen
  
  
• HP Wolf Security
  HP Wolf Security Threat Insights Report Q4 2023
  
  
• Huntress
  • RATs! Remote Management Software from the Hacker’s Perspective
  • Threat Intel Accelerates Detection and Response
    
    
• whoisDJ at InfoSec Write-ups
  • The magic of MITRE ATT&CK Framework for noobs
  • How to navigate MITRE ATT&CK®
    
    
• Intel471
  How Discord is Abused for Cybercrime
  
  
• KELA Cyber Threat Intelligence
  More than Data: Ransomware Groups are Now Selling Network Access Directly
  
  
• Kim Zetter at ‘Zero Day’
  • Sophisticated StripedFly Spy Platform Masqueraded for Years as Crypto Miner
  • How North Korean Workers Tricked U.S. Companies into Hiring Them and Secretly Funneled Their Earnings into Weapons Programs
    
    
• Bert-Jan Pals at KQL Query
  Incident Response PowerShell V2
  
  
• Malachi Walker at DomainTools
  Thwarting State-Sponsored Threats: Four Ways to Give Bad Actors More Bad Days
  
  
• Malwarebytes
  • Ransomware review: February 2024
  • Remote Monitoring & Management software used in phishing attacks
  • How ransomware changed in 2023
  • Massive utility scam campaign spreads via online ads
    
    
• MalwareTech
  Bypassing EDRs With EDR-Preloading
  
  
• MatheuZ
  Linux Threat Hunting Persistence
  
  
• MDSec
  Active Directory Enumeration for Red Teams
  
  
• Microsoft Security
  • Staying ahead of threat actors in the age of AI
  • Hunting for QR Code AiTM Phishing and User Compromise
    
    
• Jon Baker and Denise Davenport at MITRE-Engenuity
  2023 Impact Report: Advancing Threat-Informed Defense Globally
  
  
• Monty Security
  Analyzing a Suspected AgentTesla Sample with ChatGPT
  
  
• Nasreddine Bencherchali
  SigmaHQ Rules Release Highlights — r2024–02–12
  
  
• Northwave Cyber Security
  Investigating A Possible Ivanti Compromise
  
  
• NSB Cyber
  #NSBCS.013 – Ransomware Payments on the Rise
  
  
• Patrick Garrity at VulnCheck
  Reimagining How We Think About Threat Actors
  
  
• Prodaft
  Understanding The Cyber Kill Chain: Staying Ahead of Cyber Threats
  
  
• Proofpoint
  Bumblebee Buzzes Back in Black 
  
  
• Saeed Abbasi at Qualys
  Ransomware Reality Check: Deciphering Priorities in a Sea of Cyber Extortion
  
  
• Rapid7
  RCE to Sliver: IR Tales from the Field
  
  
• Recorded Future
  • Navigating 2024’s Geopolitical Fault Lines
  • Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign
    
    
• Red Alert
  2023 The First Half Activities Summary of Ransomware Threat Actors (JPN)
  
  
• ReliaQuest
  New SocGholish Infection Chain Discovered
  
  
• Resecurity
  Global Malicious Activity Targeting Elections is Skyrocketing
  
  
• Rootdevsec
  Updated: Adversary Simulation using Azure CLI and Microsoft Graph PowerShell
  
  
• SANS Internet Storm Center
  • Exploit against Unnamed “Bytevalue” router vulnerability included in Mirai Bot, (Mon, Feb 12th)
  • [Guest Diary] Learning by doing: Iterative adventures in troubleshooting, (Thu, Feb 15th)
    
    
• SentinelOne
  • China’s Cyber Revenge | Why the PRC Fails to Back Its Claims of Western Espionage
  • Kryptina RaaS | From Underground Commodity to Open Source Threat
  • SNS Sender | Active Campaigns Unleash Messaging Spam Through the Cloud
    
    
• Simone Kraus
  Development of an NLP Burden of Proof Program — Example: Propaganda for Russian Interests
  
  
• SOCRadar
  • Threat Actor Profile: ScarCruft / APT37
  • Dark Web Profile: 3AM Ransomware
    
    
• Jonas Bülow Knudsen at SpecterOps
  ADCS ESC13 Abuse Technique
  
  
• Splunk
  • Add to Chrome? – Part 1: An Analysis of Chrome Browser Extension Security
  • Hunting M365 Invaders: Navigating the Shadows of Midnight Blizzard
    
    
• Steven Lim
  Defending against CVE-2024-21413 Outlook MonikerLink Bug Abuse
  
  
• Symantec Enterprise
  Alpha Ransomware Emerges From NetWalker Ashes
  
  
• David Merian at System Weakness
  Hack/Defend Fortinet FortiOS and FortiProxy
  
  
• Thomas Joos at 4sysops
  Analyzing Windows Event Logs with Security Onion
  
  
• Trellix
  • RansomHouse am See
  • Cyberattack on Democracy: Escalating Cyber Threats Immediately Ahead of Taiwan’s 2024 Presidential Election
    
    
• Peter Girnus, Aliakbar Zahravi, Simon Zuckerbraun at Trend Micro
  CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
  
  
• Ankur Saini, Callum Roxan, Charlie Gardner, and Damien Cash at Volexity
  CharmingCypress: Innovating Persistence
  
  
• Jamie Tolles at ZeroFox
  MFA Bypass Attacks: Why MFA is Not a CYA
  
  
• Wesley Neelen at Zolder B.V.
  Microsoft 365 AiTM detection: the lessons learned
  

UPCOMING EVENTS

• Andreas Sfakianakis at ‘Tilting at windmills’
  FIRST CTI 2024 agenda is out!
  
  
• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2024-02-12
  
  
• Cyber Triage
  [Workshop] Investigating Insider Threats
  
  
• Emsisoft
  The Cyber Insider with Ryan Chapman
  
  
• Gerald Auger at Simply Cyber
  How to Pivot from SOC Analyst to Thriving Business Owner: The Quinnlan Varcoe Story
  
  
• Insane Forensics
  They Spared Many Expenses: A Catastrophic Industrial Cybersecurity Review of Jurassic Park
  
  
• Kroll
  Q4 2023 Cyber Threat Landscape Virtual Briefing
  
  
• Magnet Forensics
  • Responding at Scale with Magnet RESPONSE
  • DFIR Lab Automation Made Easier with Magnet AUTOMATE
    

PRESENTATIONS/PODCASTS

• Adversary Universe Podcast
  The Dark Personality Traits Fueling Cybercrime
  
  
• Alexis Brignoni
  Digital Forensics Now Podcast – Episode 12
  
  
• Black Hat
  • Close Encounters of the Advanced Persistent Kind: Leveraging Rootkits for Post-Exploitation
  • IRonMAN: InterpRetable Incident Inspector Based ON Large-Scale Language Model and Association miNing
  • I Watched You Roll the Die: Unparalleled RDP Monitoring Reveal Attackers’ Tradecraft
    
    
• Black Hills Information Security
  • RECAST – Talkin’ Bout [infosec] News 2024-01-29
  • RECAST – Talkin’ Bout [infosec] News 2024-02-05
    
    
• Breaking Badness
  Breaking Badness Cybersecurity Podcast – 178. Volt Typhoon Lagoon | DomainTools
  
  
• CactusCon
  • CC12 – Track 2, Friday 2/16/23
  • CC12 – Track 3, Friday 2/16/23
  • CC12 – Track 1, Saturday 2/17/24
  • CC12 – Track 2, Saturday 2/17/24
  • CC12 – Track 3, Saturday 2/17/24
  • CC12 – Track 2, Saturday 2/17/24 B
  • CC12 – Track 1, Saturday 2/17/24 B
    
    
• Cellebrite
  How to Take Down Explicit Images Online with TakeItDown – Tip Tuesdays
  
  
• Digital Forensic Survival Podcast
  DFSP # 417 – Unlocking Linux Secrets
  
  
• Hardly Adequate
  Hardly a Week 6 February 13, 2024
  
  
• Hyun Yi
  forensic-study-2023winter
  
  
• Insane Forensics
  Unpacking MITRE ATT&CK: Common Ports and Protocols [T1071, T0869, T0885]
  
  
• Jai Minton
  This is an EASY to BYPASS, DUMB, Endpoint Detection and Response (EDR) Tool
  
  
• Justin Tolman at AccessData
  FTK Trial Download and Activation Instructions (Re-Upload)
  
  
• LaurieWired
  Reverse Engineering 101: How to Dissect and Master Any Platform
  
  
• Lee Whitfield at MacAdemia
  • Using the macOS Terminal – Part 3
  • Using the macOS Terminal – Part 4
  • Using the macOS Terminal – Part 5
    
    
• Magnet Forensics
  Introducing Magnet AUTOMATE Essentials
  
  
• Magnet Forensics
  Investigate Malware & Ransomware with Speed and Efficiency
  
  
• Malwarebytes
  If only you had to worry about malware, with Jason Haddix: Lock and Code S05E04
  
  
• Microsoft Security Insights Show
  Microsoft Security Insights Show Episode 190 – Andre Camillo
  
  
• Microsoft Threat Intelligence Podcast
  Iran’s Influence Operations
  
  
• MSAB
  Similar Pictures Filter in XAMN Pro
  
  
• MyDFIR
  Cybersecurity SOC Analyst Lab – Network Analysis (Exfiltration)
  
  
• Open Threat Research
  • Infosec Jupyterthon 2024 Day 2
  • Infosec Jupyterthon 2024 Day 1
    
    
• Paraben Corporation
  New Paraben Zone Downloads and Licenses
  
  
• Sandfly Security
  • Find malware & ransomware on Synology NAS DSM appliances with Sandfly’s agentless drift detection.
  • Find Linux intrusions rapidly with agentless drift detection from Sandfly Security.
  • Linux agentless drift detection for Incident Response. Find intruders and malware instantly.
    

MALWARE

• Any.Run
  • A deep dive into .NET malware obfuscators: Part 1
  • ANY.RUN TI Lookup: a Phishing Case Study
  • RSPAMD: Analyze Emails in Depth in ANY.RUN 
    
    
• Artem Baranov
  GMER – the art of exposing Windows rootkits in kernel mode
  
  
• ASEC
  • Fileless Revenge RAT Malware
  • Kimsuky Group’s Spear Phishing Detected by AhnLab EDR (AppleSeed, AlphaSeed)
    
    
• Avast Threat Labs
  Decrypted: Rhysida Ransomware
  
  
• Asheer Malhotra, Holger Unterbrink, Vitor Ventura, and Arnaud Zobec at Cisco’s Talos
  TinyTurla Next Generation – Turla APT spies on Polish NGOs
  
  
• Donato Onofri and Emanuele Calvelli at CrowdStrike
  HijackLoader Expands Techniques to Improve Defense Evasion
  
  
• Elastic Security Labs
  Introduction to Hex-Rays decompilation internals
  
  
• Esentire
  Technical Analysis of DarkVNC
  
  
• Fortinet
  • TicTacToe Dropper
  • Android/SpyNote Moves to Crypto Currencies
    
    
• Harfanglab
  Hamas-linked Samecoin Campaign Malware Analysis
  
  
• Hex Rays
  • Plugin focus: Frinet
  • Igor’s Tip of the Week #175: IDB work directory
    
    
• K7 Labs
  • Zloader Strikes Back
  • Unveiling Crypto Miner’s Stealthy Tactics: The Rise of Indirect Syscalls for Evasion
    
    
• Luke Leal
  wss://qetbootstrap.com skimmer
  
  
• MALCAT
  Writing a Qakbot 5.0 config extractor with Malcat
  
  
• Colton Gabertan, Mike Hunhoff, Moritz Raabe, and Willi Ballenthin at Mandiant
  Riding Dragons: capa Harnesses Ghidra
  
  
• Lior Rochberger and Dan Yashnik at Palo Alto Networks
  Diving Into Glupteba’s UEFI Bootkit
  
  
• Paolo Luise
  Unpacking .NET malware with C# emulation
  
  
• PetiKVX
  • Bazaar Library
  • VS Library
    
    
• Ayush Anand at Securityinbits
  Unpack RedLine stealer using dnSpyEx – Part 3
  
  
• Ben Martin at Sucuri
  Remote Access Trojan (RAT): Types, Mitigation & Removal
  
  
• Nikolaos Pantazopoulos at ZScaler
  The (D)Evolution of Pikabot
  

MISCELLANEOUS

• Fabian Mendoza at AboutDFIR
  AboutDFIR Site Content Update – 02/16/2024
  
  
• Andrew Rathbun and Eric Zimmerman at Kroll
  KAPE Quarterly Update – Q4 2023
  
  
• Cellebrite
  Key Takeaways from Legalweek 2024
  
  
• Michael Karsyan at Event Log Explorer
  Extra power of custom columns
  
  
• Forensic Focus
  • Podcast Ep. 77 Recap: Picture Perfect – Using Screenshots And Screen Recording In Mobile Device Investigations
  • Binalyze AIR From Binalyze
  • Magnet Forensics Announces Magnet AUTOMATE Essentials, An Easier Way To Start With DFIR Automation
  • Digital Forensics Round-Up, February 14 2024
  • Detego Global Unveils Game-Changing Xpress HashScan Mode For Faster Forensic Triage
  • Forensic Focus Digest, February 16 2024
  • The 5th Annual Digital Forensics For National Security Symposium
  • From FileVault To T2: How To Deal With Native Apple Encryption
    
    
• Kasada
  Credential Stuffing: Who Owns the Risk?
  
  
• Magnet Forensics
  Introducing Magnet AUTOMATE Essentials
  
  
• Oxygen Forensics
  Remote data extraction from iOS
  
  
• Sandfly Security
  Sandfly 5.0 – Agentless Drift Detection, New UI, and Wider Linux Coverage
  
  
• Ronald Beiboer at Splunk
  Are You Forensic Ready?
  
  
• The Security Noob.
  The Art of Cyberwarfare: An Investigator’s Guide to Espionage, Ransomware, and Organized Cybercrime by Jon DiMaggio (REVIEW)
  
  
• Lucas Paus and Mario Micucci at WeLiveSecurity
  The art of digital sleuthing: How digital forensics unlocks the truth
  

SOFTWARE UPDATES

• Atola
  TaskForce 2 Changelog – 2024.2
  
  
• Belkasoft
  What’s new in Belkasoft X v.2.3
  
  
• Costas K
  LNK & Jumplist Browser
  
  
• Datadog Security Labs
  GuardDog v1.5.5
  
  
• Digital Sleuth
  winfor-salt v2024.3.1
  
  
• Doug Metz at Baker Street Forensics
  CyberPipe version 5.0
  
  
• ExifTool
  ExifTool 12.77
  
  
• F-Response
  F-Response 8.7.1.19 Released
  
  
• Falco
  Blog: Introducing Falco 0.37.1
  
  
• Federico Lagrasta
  PersistenceSniper v1.15.1
  
  
• GCHQ
  CyberChef v10.8.1
  
  
• Hex Rays
  Introducing IDA 8.4: Key Features and Enhancements
  
  
• Security Joes
  MasterParser-v2.3.1
  
  
• Mazars Tech
  AD_Miner v1.1.0
  
  
• Microsoft
  msticpy v2.10.0
  
  
• MobilEdit
  Huawei Decryption & Bluetooth Smartwatch Analysis with MOBILedit Forensic 9.3
  
  
• MSAB
  Now released – XRY 10.8.1
  
  
• OpenCTI
  5.12.32
  
  
• Passmark Software
  OSForensics V11.0 build 1004 13th February 2024
  
  
• Sandfly Security
  Sandfly Version 5.0 Is Now Available!
  
  
• Sigma
  Release r2024-02-12
  
  
• James McGee at The Metadata Perspective
  Google Location History Data Parser
  
  
• Xways
  X-Ways Forensics 21.1 Preview 3
  
  
• YARA
  YARA v4.5.0
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!