Class mode: VIRTUAL LIVE STREAM
DATE: 22-23 October 2020
TIME: 09:00 to 17:00 CDT
This training gets you hands-on with reverse engineering malware. Using tools such as IDA Pro, Ghidra, x32/x64dbg, PE Studio and more, you will learn how to perform deep technical analysis of today’s most prevalent threats. You will develop effective strategies for reverse engineering using both static and dynamic techniques and tools. You will also learn how to identify and unravel common packing techniques, anti-analysis techniques and other prevalent forms of obfuscation, such as control-flow obfuscation and the hiding of strings and API calls.
By the end of this course you will have the insight to understand and anticipate where malware authors will employ these techniques to disrupt your analysis and how to unravel their obfuscation.
Obfuscation, packing and other forms of anti-analysis are often used by malware authors to disrupt or even prevent detailed analysis. This helps the threat actors to avoid detection by even the most advanced security products deployed in your enterprise.
The skills covered in this training will ultimately allow you to generate valuable threat intelligence to aid in your efforts to defend your organization or respond to an incident.
This is a fast-paced course designed to take you deep into malware reverse engineering! Each day will end with comprehensive analysis activities and exercises to test and reaffirm key learning objectives. This course is designed to be not just 2 days of lecture, but an immersive and interactive learning experience. This is an ideal course for security analysts, malware analysts/researchers and blue teams that need to get hands-on diving deep into malicious software.
Students will be provided with all of the lab material used throughout the course in a digital format. This includes all lab material, lab guides and virtual machines used for training. This course will also utilize several live classroom sharing resources, such as chat and notes to ensure that students have access to all material discussed throughout the training. Comprehensive lab guides will also be provided to ensure that students have the ability to continue learning after the course ends and maximize the knowledge gained from this course.
Why should you take this course?
This course will take students through key phases of malware operations, providing deep technical analysis and hands-on labs to gain experience detecting, analyzing and reverse engineering malware. This is an ideal course for security analysts, threat researchers, malware researchers and anyone tasked with defending an organization to get hands-on diving deep into malware.
Key Learning Objectives
- Understand different attack methods used by malicious actors and how they map to attack frameworks such as MITRE ATT&CK
- Perform exhaustive analysis on native code binaries (PE files) and shellcode
- Become proficient in utilizing reversing tools to identify and defeat obfuscation, packing and anti-analysis techniques
- Learn how malware authors dynamically construct import tables for function calls
- Gain a deeper understanding of binary file formats and how to analyze them to learn more about malware behavior (PE file format)
- Learn how to use reversing tools to identify and defeat obfuscation, packing and anti-analysis techniques
- Leverage static and dynamic tools to develop a hybrid approach for effectively analyzing malware including assembly level debuggers, disassemblers, decompilers and sandboxes
The primary requirement for this course is a desire to learn and the determination to tackle challenging problems. In addition, some familiarity with the following topics will help students maximize their time in this course:
- Basic malware analysis
- An understanding of programming language concepts such as control structures (IF statements, loops and functions), data structures (objects, structures, arrays) and variable usage
- Ability to read assembly for Intel 32 and 64 bit architectures
- Proficiency with a Windows-based debugger such as WinDbg, x64dbg or Immunity
To help prepare for this course, it is recommended that students be familiar with information from the following sources:
- A brief overview of malicious office documents
  - Hack-in-the-Box CommSec Track 2018: https://youtu.be/Ii0ENuigBSM
- Assembly and Intel’s 32/64-bit architecture
  - Specifically concepts from chapters 1 – 5: https://pacman128.github.io/pcasm/
- Getting started with reverse engineering
  - YouTube playlist: https://www.youtube.com/playlist?list=PLHJns8WZXCdvaD7-xR7e5FJNW_6H9w-wC
Hardware / Software Requirements
- Linux/Windows/Mac desktop environment
- A laptop with the ability to run virtualization software such as VMware or VirtualBox
- Access to the system BIOS to enable virtualization, if disabled via the chipset
- Ability to temporarily disable anti-virus or white-list folders/files associated with lab material
- A laptop that the attendee is comfortable handling live malware on
- Enough disk space to store at least a single 40 GB VM, although multiple VMs may be used
Day 1: Reverse Engineering Malware
• Identifying signs of packing and obfuscation in native code formats (PE files)
• Developing strategies for detecting known and custom packers
• Unpacking malware using reversing tools and debuggers
• Identifying anti-analysis techniques and developing mitigations
• Process hollowing and other code injection techniques
Day 2: Analyzing Modular Malware
• Malware use of shellcode – extracting and analyzing
• Digging deep into the PE file format
• Dynamically constructing import tables and other methods for calling Windows APIs
• Identifying string obfuscation through hashes, encryption and other techniques
• Dissecting modular malware such as TrickBot
• Identifying malware C2 patterns