Workshop – A Crash Course on Hunting Malware from the Dark Corners of Memory

USD $1,000.00

Duration

1 days

Delivery Method

in-person

Level

beginner / intermediate

Seats Available

20

Duration

1 days

Delivery Method

in-person

Level

beginner / intermediate

ATTEND IN-PERSON: Onsite at Abu Dhabi

DATE: 28 November 2024

TIME: 09:00 to 17:00 GST/GMT+4


The number of cyber attacks is undoubtedly on the rise targeting government, military, public, and private sectors. Most of these cyber attacks use malicious programs (malware) for financial theft, espionage, intellectual property theft, and political motives. These malware programs use various techniques to execute their malicious code and to remain undetected from the security products. With adversaries getting sophisticated and carrying out advanced malware attacks, it is critical for cybersecurity professionals to detect, hunt and respond to such attacks.

Memory forensics is a powerful investigation/threat-hunting technique used in digital forensics and incident response. It has become a must-have skill for fighting advanced malware, targeted attacks, and security breaches. This training focuses on hunting malware using memory forensics, it introduces you to the topic of Windows internals and techniques to perform malware and Rootkit investigations. The training covers analysis and investigation of various malware infected memory images(crimewares, APT malwares, Rootkits, etc.) and contains scenario-based hands-on labs to gain a better understanding of the subject.The training provides practical guidance and attendees should walk away with the following skills:

– Ability to acquire a memory image from suspect/infected systems
– How to use open source advanced memory forensics framework (Volatility)
– Understanding of the techniques used by the malwares to hide from Live forensic tools
– Understanding of the techniques used by Rootkits(code injection, hooking, etc.)
– Investigative steps for detecting stealth and advanced malware
– How memory forensics helps in malware analysis and reverse engineering
– How to incorporate malware analysis and memory forensics in the sandbox

Topics Covered

Introduction to Memory Forensics
– What is Memory Forensics
– Why Memory Forensics
– Steps in Memory Forensics
– Memory acquisition and tools
– Acquiring memory From physical machine
– Acquiring memory from virtual machine
– The hands-on exercise involves acquiring the memory

 

Volatility Overview
– Introduction to Volatility Advanced Memory Forensics Framework
– Volatility Installation
– Volatility basic commands
– Determining the profile
– Volatility help options
– Running the plugin

 

Investigating Process
– Understanding Process Internals
– Process(EPROCESS) Structure
– Process organization
– Process Enumeration by walking the double linked list
– process relationship (parent-child relationship)
– Understanding DKOM attacks
– Process Enumeration using pool tag scanning
– Volatility plugins to enumerate processes
– Identifying malware process
– Hands-on lab exercise(scenario-based) involves investigating malware infected memory

 

Investigating Process handles & Registry
– Objects and handles overview
– Enumerating process handles using Volatility
– Understanding Mutex
– Detecting malware presence using the mutex
– Understanding the Registry
– Investigating common registry keys using Volatility
– Detecting malware persistence
– Hands-on lab exercise(scenario-based) involves investigating malware infected memory

 

Investigating Network Activities
– Understanding malware network activities
– Volatility Network Plugins
– Investigating Network connections
– Investigating Sockets
– Hands-on lab exercise(scenario-based) involves investigating malware infected memory

Investigation Process Memory
– Process memory Internals
– Listing DLLs using Volatility
– Identifying hidden DLLs
– Dumping malicious executable from memory
– Dumping Dll’s from memory
– Scanning the memory for patterns(yarascan)
– Hands-on lab exercise(scenario-based) involves investigating malware infected memory

Investigating User Mode Rootkits & Fileless Malwares
– Code Injection
– Types of Code injection
– Remote DLL injection
– Remote Code injection
– Reflective DLL injection
– Hollow process injection
– Demo – Case Study
– Hands-on lab exercise(scenario based) involves investigating malware infected memory

 

Investigating Kernel-Mode Rootkits

– Understanding Rootkits
– Understanding Functional call traversal in Windows
– Level of Hooking/Modification on Windows
– Kernel Volatility plugins
– Hands-on lab exercise(scenario-based) involves investigating malware infected memory
– Demo – Rootkit Investigation

Memory Forensic Case Studies
– Demo
– Hunting an APT malware from Memory

Why You Should Take This Course

The training provides practical guidance, and attendees should walk away with the following skills:
  • What is Memory Forensics and its use in malware and digital investigation
  • Ability to acquire a memory image from suspect/infected systems
  • How to use open source advanced memory forensics framework (Volatility)
  • Understanding of the techniques used by the malwares to hide from Live forensic tools
  • Understanding of the techniques used by Rootkits(code injection, hooking, etc.)
  • Investigative steps for detecting stealth and advanced malware
  • How memory forensics helps in malware analysis and reverse engineering
  • Techniques to Investigate and hunt malware

Who Should Attend

This course is intended for:
  • Forensic practitioners, incident responders, Threat Hunters, cyber-security investigators, security researchers, malware analysts, system administrators, software developers, students, and curious security professionals who would like to expand their skills.
  • Anyone interested in learning malware analysis, threat hunting, and memory forensics.

Key Learning Objectives

  • Prerequisite Knowledge

    • Students Should be familiar with using Windows/Linux
    • Students Should have an understanding of basic programming concepts, while programming experience is not mandatory.
    • This course starts with basics and then gradually progresses deep into more advanced concepts, so this course is suitable for Beginners, Intermediate and Advanced professionals.

    Hardware / Software Requirements

    • Laptop with a minimum of 6GB RAM and 40GB free hard disk space
    • VMware Workstation or VMware Fusion (even trial versions can be used). Linux VM will be provided will provided few days before the training.
    • Windows Operating system (preferably 64-bit versions of Windows 10, Windows 8, or Windows 7) installed inside the VMware Workstation/Fusion. Students must have full administrator access to the Windows operating system installed inside the VMware Workstation/Fusion.
    Note: VMware Player or VirtualBox is not suitable for this training. Apple systems using the M1 processor line cannot perform the necessary virtualization functionality; therefore, they are not suitable for this course.

    Your Instructor

    Monnappa K A is a Security professional with over 15 years of experience in incident response and investigation. He previously worked for Microsoft & Cisco as a threat hunter mainly focusing on threat hunting, investigation, and research of advanced cyber attacks.

    He is the author of the best-selling book “Learning Malware Analysis.”He is the review board member for Black Hat Asia, Black Hat USA, Black Hat Europe. He is the creator of Limon Linux sandbox and the winner of the Volatility plugin contest 2016. He is the co-founder of the cybersecurity research community “Cysinfo” (https://www.cysinfo.com).

    He has conducted training sessions on malware analysis, reverse engineering, and memory forensics at Black Hat, BruCON, HITB, FIRST (Forum of Incident Response and Security Teams), SEC-T, OPCDE, and 4SICS-SCADA/ICS cybersecurity summit. He has presented at various security conferences, including Black Hat, FIRST, SEC-T, 4SICS-SCADA/ICS summit, DSCI, National Cyber Defence Summit, and Cysinfo meetings on various topics related to memory forensics, malware analysis, reverse engineering, and rootkit analysis.  He has also authored various articles in eForensics and Hakin9 magazines. You can find some of his contributions to the community in his YouTube channel (http://www.youtube.com/c/MonnappaKA), and you can read his blog posts at https://cysinfo.com

    What students say about this training:

    “It is an excellent Malware introductory course which helps me to learn basic ideas and provide a guideline for further study in the future”

    “Well organised & run”

    “Particularly appreciative of how the course materials were well-prepared, and how informative [the] explanations were”

    “Great course. Next time I would like to be on site.”