Newsletter Subject

Wrapping Up Windows Forensics

From

packtpub.com

Email Address

austinm@packtpub.com

Sent On

Fri, Mar 3, 2023 05:06 PM

Email Preheader Text

And tools, tips, and some insights into AI/ML and cybersec! SecPro #90: Wrapping up Windows Forensics

SecPro #90: Wrapping up Windows Forensics

Hello again! Ready for a look into how the world sees you? Just a quick reminder for those of you who haven't had to explain technical issues to nonspecialists in a while...

Our multipart guide on how to run digital forensics on both Linux and Windows by Sai is still rolling on with part III down below. Make sure you remember to check your emails for an investigation into Linux forensics next week! And we're launching a two-part investigation into our next APT under the spotlight - if you were working in IT in 2017, you'll probably remember this particular gang. And as usual, don't forget to check out the new infographic and try out the tools we've laid out at the bottom - this week, we've been researching and playing with cryptography tools!

This week's highlights:

- Windows Forensic Analysis - Part 3
- Exploring APTs - #3
- The Machine Learning for Cybersecurity Cookbook
- The Gartner Survey

And with that - on with the show!

Cybersecurity Conferences - March 2023

If you've got a bit of spare time and you're looking to expand your knowledge, here are a few webinars that will give you the upper hand over the adversary.

WATI + Zscaler Zero Trust Webinar, March 19, 2023 - You've probably been hearing a lot of talk about cloud transformation and zero trust. But has anyone talked to you about what it actually means for your organization? Why does it matter? What does it entail and how do you start? Sign up online and find out how to expand your Zero Trust policy.

Insomni'hack 2023, March 20-24, 2023 - Insomni'hack 2023 will be held from March 20th to 24th at the SwissTech Convention Center, at the heart of the Ecole Polytechnique Fédérale de Lausanne (EPFL) campus. Further announcements are expected in the near future.
If you're looking for something closer to home, here are some in-person conferences that might appeal to you as well:

- England - Noord Infosec Dialogue UK, 2023
- Spain - Hackron "X", Carnivals of the 2023
- Israel - Bluehat IL, 2023

This Week's Editorial Articles

Exploring APTs - #3 - Part 2

This time, we're taking two weeks to look back at one of my favourite examples of an APT releasing ransomware into the world. Ready to reflect on something that brought the NHS to a halt?

Windows Forensic Analysis - Part 3

Sai is back with a breakdown on how to approach forensic analysis and which tools we should be using!

Cybersecurity Fundamentals

Machine Learning for Cybersecurity Cookbook

We're back with another excerpt from the Machine Learning for Cybersecurity Cookbook. This time, we're taking a look at how to tackle packed malware. For a full rundown on how to get stuck into this problem, check out the book.

Tackling packed malware

Since packing obfuscates code, it can often result in a decrease in the performance of a machine learning classifier. By determining which packer was used to pack an executable, we can then utilize the same packer to unpack the code, that is, revert the code to its original, non-obfuscated version. Then, it becomes simpler for both antivirus and machine learning to detect whether the file is malicious.

Amber is a reflective PE packer for bypassing security products and mitigations. It can pack regularly compiled PE files into reflective payloads that can load and execute themselves like a shellcode. It enables stealthy in-memory payload deployment that can be used to bypass anti-virus, firewall, IDS, IPS products, and application whitelisting mitigations. The most commonly used packer is UPX.
A packer called VMProtect, for example, protects its content from analyst eyes by executing in a virtual environment with a unique architecture, making it a great challenge for anyone to analyze the software. Packing is the compression or encryption of an executable file, distinguished from ordinary compression in that it is typically decompressed during runtime, in memory, as opposed to being decompressed to disk prior to execution. Packers pose an obfuscation challenge to analysts.

Using packers

In this recipe, we will show how to obtain a packer, namely UPX, and how to use it. The purpose of having a collection of packers is, firstly, to perform data augmentation, as will be detailed in the remainder of the recipe, and, secondly, to be able to unpack a sample once the packer used to pack it is determined.

Getting ready

There are no packages required for the following recipe. You may find upx.exe in the Packers folder of the repository for this book.

How to do it...

In this recipe, you will utilize the UPX packer to pack a file:

1. Download and unarchive the latest version of UPX.
2. Execute upx.exe against the file you wish to pack by running `upx.exe foofile.exe`. A successful packing leaves the file as an executable, unlike in the case of archives, which become zipped.

How it works...

As you can see, using a packer is very simple. One of the benefits of most packers is that they reduce the size of the file, in addition to obfuscating its content. Many hackers utilize custom-made packers. The advantage of these is that they are difficult to unpack. From the standpoint of detecting malicious files, a file that is packed using a custom packer is highly suspicious.

To find out how to build your own packed sample dataset, check out next week's issue!

Have You Tried...?

Here are some great tools for understanding APTs.
- CyberMonitor/APT_CyberCriminal_Campagin_Collections - APT & CyberCriminal Campaign Collection; everything you need in one place.
- sous-chefs/apt - Development repository for the APT cookbook.
- kbandla/APTnotes - Various public documents, whitepapers, and articles about APT campaigns.
- NextronSystems/APTSimulator - A toolset to make a system look as if it was the victim of an APT attack.
- blackorbird/APT_REPORT - Interesting APT report collection with samples, malware, and intelligence.

Copyright © 2023 Packt Publishing, All rights reserved.

Our mailing address is: Packt Publishing, Livery Place, 35 Livery Street, Birmingham, West Midlands, B3 2PB, United Kingdom.
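The cookbook excerpt above makes determining the packer the first step, and for a defender that can often be read straight from the PE section table: UPX names the sections it creates UPX0/UPX1, while an unrecognised section whose raw data has near-maximal entropy points at a custom packer. The Python below is an added example, not code from the cookbook or the newsletter; it parses a PE section table and returns that verdict, running on constructed, non-executable PE images it builds itself, and the UPX section-name set and the 7.0 bits-per-byte entropy threshold are assumptions of the example.

```python
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # assumed marker: names UPX stamps on its sections


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed/encrypted data, low for plain code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def parse_sections(image: bytes) -> list[tuple[bytes, bytes]]:
    """Walk DOS header -> PE signature -> COFF header -> section table; return (name, raw bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew: offset of "PE\0\0"
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)  # COFF header
    table = pe + 24 + opt_size  # section headers follow the optional header
    out = []
    for i in range(nsec):
        hdr = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes; raw size/pointer sit at +16/+20
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        out.append((image[hdr:hdr + 8].rstrip(b"\0"), image[raw_ptr:raw_ptr + raw_size]))
    return out


def classify(image: bytes, threshold: float = 7.0) -> dict:
    """Verdict 'UPX' (known section names), 'high-entropy' (likely custom packer) or 'none'."""
    sections = parse_sections(image)
    hot = [n.decode() for n, d in sections if len(d) >= 64 and shannon_entropy(d) >= threshold]
    upx = bool({n for n, _ in sections} & UPX_SECTION_NAMES)
    return {"verdict": "UPX" if upx else ("high-entropy" if hot else "none"), "high_entropy_sections": hot}


def build_sample_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Constructed, non-executable PE image with the given (name, raw data) sections, for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = b"\0" * 0xE0  # zeroed PE32 optional header; only its size matters here
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    raw_ptr, table, blob = 0x400, b"", b""  # first section's raw data lands at 1 KiB
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000, len(data), raw_ptr + len(blob)) + b"\0" * 16
        blob += data
    head = dos + b"PE\0\0" + coff + opt + table
    return head + b"\0" * (raw_ptr - len(head)) + blob
```

Point `parse_sections` at real bytes read from disk to use it on an actual sample; the section-name check is only a hint, since a custom packer can reuse or strip those names, which is why the entropy pass runs regardless.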
