A Practical Approach To Malware Analysis, Hunting And Memory Forensics
3-Day Training | Virtual | 21-23 November 2021


This hands-on training teaches the concepts, techniques and tools needed to understand the behavior and characteristics of malware by combining two powerful techniques: malware analysis and memory forensics. The course introduces attendees to the basics of malware analysis, reverse engineering, Windows internals and memory forensics, then gradually progresses into more advanced memory forensics concepts.

Available seats

TBA

Difficulty

Beginner
US$ 3,299

Attend in-person

TBA

Attend online

via livestream

Date

21-23 November 2021

Time

09:00 to 17:00 GST/GMT+4

Malware analysis and memory forensics are powerful analysis and investigative techniques used in reverse engineering, digital forensics and incident response. Adversaries are becoming more sophisticated and are carrying out advanced malware attacks on critical infrastructure, data centers, and private and public organizations. This makes detecting, responding to and investigating such intrusions increasingly critical for information security professionals. Malware analysis and memory forensics have become must-have skills for fighting advanced malware, targeted attacks and security breaches.

This course will introduce attendees to the basics of malware analysis, reverse engineering, Windows internals and memory forensics. It will then gradually progress deeper into more advanced concepts of memory forensics.

This course uses hands-on labs with real-world malware samples and infected memory images (crimeware, APT malware, rootkits, etc.) to help attendees gain a better understanding of the subject. The training also shows how these techniques can be incorporated into a sandbox to automate malware analysis. After taking this course, attendees will be equipped with the skills to analyze, investigate and respond to malware-related incidents.

Students will be provided with:

- Course material
- Lab solution material
- Videos used in the course
- Malware samples used in the course/labs
- Memory Images used in the course/labs
- Custom Scripts
- Linux VM (to be opened with VMware Workstation/Fusion) containing necessary tools and samples

This course is intended for anyone interested in learning malware analysis and memory forensics.

This includes:

  • forensic practitioners
  • incident responders
  • cyber security investigators
  • malware analysts
  • system administrators
  • software developers
  • students and
  • curious security professionals new to this field

The course assumes no prior knowledge of the subject and starts from the basics and slowly progresses towards advanced topics.

- Students should be familiar with using Windows/Linux
- Students should have an understanding of programming concepts; programming experience is not mandatory
- Students should have a basic understanding of malware and its role in cyber attacks

  • How malware and Windows internals work
  • How to create a safe and isolated lab environment for malware analysis
  • What the techniques and tools to perform malware analysis are
  • How to perform static analysis to determine the metadata associated with malware
  • How to perform dynamic analysis of the malware to determine its interaction with processes, filesystem, registry and network
  • How to perform code analysis to determine the malware functionality
  • How to debug malware using tools like IDA Pro, OllyDbg/Immunity Debugger
  • What memory forensics is and its use in malware and digital investigations
  • Ability to acquire a memory image from suspect/infected systems
  • How to use the open source advanced memory forensics framework (Volatility)
  • Understanding of the techniques used by malware to hide from live forensic tools
  • Understanding of the techniques used by rootkits (code injection, hooking, etc.)
  • Investigative steps for detecting stealthy and advanced malware
  • How memory forensics helps in malware analysis and reverse engineering
  • How to incorporate malware analysis and memory forensics into a sandbox
  • How to determine network- and host-based indicators of compromise (IOCs)
  • Techniques to hunt malware

- Laptop with a minimum of 6GB RAM and 40GB free hard disk space
- Laptop with USB ports (lab samples and the custom Linux VM will be shared via USB sticks)
- VMware Workstation or VMware Fusion (trial versions can be used)
- Windows operating system (preferably Windows 10 64-bit; Windows 8 and Windows 7 are also fine) installed inside VMware Workstation/Fusion. Students must have full administrator access to the Windows operating system installed inside VMware Workstation/Fusion.

Note: VMware Player and VirtualBox are not suitable for this training.

+Testimonials

Great course. Next time I would like to be on site.

Particularly appreciative of how the course materials were well-prepared, and how informative [the] explanations were

Well organised & run

It is an excellent Malware introductory course which helps me to learn basic ideas and provide a guideline for further study in the future

+agenda

Title

Details

Date

Introduction to Malware Analysis

– What is Malware
– What they do
– Why malware analysis
– Types of malware analysis
– Setting up an isolated lab environment

21-23 November 2021
Static Analysis

– Fingerprinting the malware
– Extracting strings
– Determining File obfuscation
– Pattern matching using YARA
– Fuzzing hashing & comparison
– Understanding PE File characteristics
– Disassembly
– Demo – Static analysis of real malware sample
– Hands-on lab exercise involves analyzing a real malware sample

21-23 November 2021
Dynamic Analysis/Behavioral Analysis

– Dynamic Analysis Steps
– Understanding Dynamic Analysis tools
– Simulating services
– Performing Dynamic Analysis
– Monitoring process, filesystem, registry and network activity
– Determining the Indicators of compromise (host and network indicators)
– Demo – Showing the analysis of real malware sample
– Hands-on lab exercise involves analyzing a real malware sample

21-23 November 2021
Automating Malware Analysis(sandbox)

– Custom Sandbox Overview
– Working of Sandbox
– Sandbox Features
– Demo – Analyzing malware in the custom sandbox

21-23 November 2021
Code Analysis

– Code Analysis Overview
– Disassemblers & Debuggers
– Code Analysis Tools
– Basics of IDA Pro
– Basics of OllyDbg/Immunity Debugger
– Understanding Windows API calls
– Understanding malware functionalities (downloader, dropper, keylogger, code injection, HTTP backdoor)
– Demo – Dissecting the APT malware
– Hands-on lab exercise involves analyzing a real malware sample

21-23 November 2021
Introduction to Memory Forensics

– What is Memory Forensics
– Why Memory Forensics
– Steps in Memory Forensics
– Memory acquisition and tools
– Acquiring memory from a physical machine
– Acquiring memory from a virtual machine
– Hands-on exercise involves acquiring memory

21-23 November 2021
Volatility Overview

– Introduction to Volatility Advanced Memory Forensics Framework
– Volatility Installation
– Volatility basic commands
– Determining the profile
– Volatility help options
– Running the plugin

21-23 November 2021
Investigating Process

– Process (EPROCESS) structure
– Process organization
– Process enumeration by walking the doubly linked list
– Process relationships (parent-child relationship)
– Understanding DKOM attacks
– Process enumeration using pool tag scanning
– Volatility plugins to enumerate processes
– Identifying malware processes
– Hands-on lab exercise (scenario based) involves investigating malware-infected memory

21-23 November 2021
Investigating Process handles & Registry

– Objects and handles overview
– Enumerating process handles using Volatility
– Understanding Mutex
– Detecting malware presence using mutex
– Understanding the Registry
– Investigating common registry keys using Volatility
– Detecting malware persistence
– Hands-on lab exercise (scenario based) involves investigating malware-infected memory

21-23 November 2021
Investigating Network Activities

– Understanding malware network activities
– Volatility network plugins
– Investigating network connections
– Investigating sockets
– Hands-on lab exercise (scenario based) involves investigating malware-infected memory

21-23 November 2021
Investigating Process Memory

– Process memory internals
– Listing DLLs using Volatility
– Identifying hidden DLLs
– Dumping malicious executables from memory
– Dumping DLLs from memory
– Scanning memory for patterns (yarascan)
– Hands-on lab exercise (scenario based) involves investigating malware-infected memory

21-23 November 2021
Investigating User Mode Rootkits

– Code Injection
– Types of Code injection
– Remote DLL injection
– Remote Code injection
– Reflective DLL injection
– Hollow process injection
– Demo – Case Study
– Hands-on lab exercise (scenario based) involves investigating malware-infected memory

21-23 November 2021
Memory Forensics in Sandbox technology

– Sandbox Overview
– Integrating memory forensics into a sandbox
– Demo – Showing the use of memory forensics in the custom sandbox

21-23 November 2021
Investigating Kernel Mode Rootkits

– Understanding Rootkits
– Understanding function call traversal in Windows
– Levels of hooking/modification on Windows
– Kernel Volatility plugins
– Hands-on lab exercise (scenario based) involves investigating malware-infected memory
– Demo – Rootkit Investigation

21-23 November 2021
Memory Forensic Case Studies

– Hunting APT malware in memory
– Rogue process hunting (covers various samples)

21-23 November 2021

Book your spot for this training

+TRAINERS

Monnappa K A
Security Researcher and Trainer

Monnappa K A is a security professional with over 15 years of experience in incident response and investigation. He previously worked for Microsoft and Cisco as a threat hunter, focusing mainly on threat hunting, investigation, and research of advanced cyber attacks.

He is the author of the best-selling book "Learning Malware Analysis." He is a review board member for Black Hat Asia, Black Hat USA and Black Hat Europe. He is the creator of the Limon Linux sandbox and the winner of the Volatility plugin contest 2016. He is the co-founder of the cybersecurity research community "Cysinfo" (https://www.cysinfo.com).

He has conducted training sessions on malware analysis, reverse engineering, and memory forensics at Black Hat, BruCON, HITB, FIRST (Forum of Incident Response and Security Teams), SEC-T, OPCDE, and the 4SICS-SCADA/ICS cybersecurity summit. He has presented at various security conferences, including Black Hat, FIRST, SEC-T, 4SICS-SCADA/ICS summit, DSCI, National Cyber Defence Summit, and Cysinfo meetings on topics related to memory forensics, malware analysis, reverse engineering, and rootkit analysis. He has also authored articles in eForensics and Hakin9 magazines. You can find some of his contributions to the community on his YouTube channel (http://www.youtube.com/c/MonnappaKA), and you can read his blog posts at https://cysinfo.com

+OTHER COURSES YOU MIGHT BE INTERESTED IN

x86-64 All You Can Learn Buffet!
US$ 4,299
x86-64 All You Can Learn Buffet!

This class is run a little differently from most classes. We provide purpose-built recorded lectures instead of trapping you in real time with live lectures. But fear not, the instructor is always right there, eagerly waiting to mingle with the students and answer any questions you have. (The instructor really likes being asked questions. It shows you're paying attention ;)). One of many benefits is that you can watch lectures at 2x speed, zoom ahead of the other students and get to the hands-on labs quicker. Or if there are bits of material you already know, you can just skip them and move on to the bits you don't know! Another big benefit is that you get to take the full lectures and labs with you! That means if you forget something and then need it in 6 months, you can quickly re-bootstrap yourself! Or you can watch the class twice, to really grow those neural connections and cement it in your brain! And unlike live lectures, our lectures are always getting more factually accurate, because any accidental errors are edited out.

Go HERE to join the 2-day x86-64 Assembly class. Or,
Go HERE to join the 2-day x86-64 OS Internals class. Or,
Go HERE to join the 4-day x86-64 Reset Vector Firmware class.
4-Day Training Hybrid
x86-64 Reset Vector Firmware
US$ 2,299
x86-64 Reset Vector Firmware

This class is designed to give you all the background you need to understand how x86-64 reset vector firmware works, and what the most common security misconfigurations are. It will prepare you to read and understand the existing attack and defense research in the space, taking an explicit walk through the threat tree of attack and defense moves and counter-moves. And as always, this class teaches you to be comfortable with Reading The Fun Manual (RTFM!) to seek out the most accurate details of how things work, and to seek out new problems in new areas that no one has read yet with a security mindset.

You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email info@cyberweek.ae

Go HERE to join the 2-day x86-64 Assembly class. Or,
Go HERE to join the 2-day x86-64 OS Internals class. Or,
Go HERE to join the 4-day x86-64 All You Can Learn Buffet class.
2-Day Training Hybrid
x86-64 OS Internals
US$ 2,299
x86-64 OS Internals

This class teaches you about the fundamental hardware mechanisms which all operating systems, virtualization systems, and firmware *must* interact with in order to run successfully on x86 hardware. This is taught in a *mostly* OS-agnostic way focusing on Intel-isms rather than OS-isms (albeit with using Windows as reinforcement, thanks to its excellent kernel-level debugging support.) This class also teaches you to be comfortable with Reading The Fun Manual (RTFM!) to give you self-sufficiency when seeking out the most accurate details of how things work.

You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email info@cyberweek.ae

Go HERE to join the 2-day x86-64 Assembly class. Or,
Go HERE to join the 2-day x86-64 Reset Vector Firmware class. Or,
Go HERE to join the 4-day x86-64 All You Can Learn Buffet class.
2-Day Training Hybrid
x86-64 Assembly
US$ 2,299
x86-64 Assembly

This class teaches you how to disassemble binaries, read x86-64 assembly language, and debug black-box binaries in WinDbg and GDB. This knowledge of assembly is the fundamental skill which is required to learn reverse engineering and vulnerability exploitation. Reverse engineering is in turn a fundamental skill which is required for malware analysis and vulnerability hunting.
You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email info@cyberweek.ae
Go HERE to join the 2-day x86-64 OS Internals class. Or,
Go HERE to join the 2-day x86-64 Reset Vector Firmware class. Or,
Go HERE to join the 4-day x86-64 All You Can Learn Buffet class.
2-Day Training Hybrid