Malware analysis

The course covers basic techniques, tools and approaches used for identification and analysis of different types of malicious code, discovery of its main functionalities and implementation of relevant defensive controls against it. It teaches the skills necessary for basic analysis of suspicious files and processes in the context of everyday security operations as well as during incident investigation and response.

The course is highly practical and gives the trainees a chance to try out a multitude of different tools and techniques during analysis of different types of real-world malware - from static analysis of downloaders hidden in VBS scripts or Office documents, through dynamic analysis of obfuscated downloaders all the way to reverse engineering of modern ransomware

Contents

  1. Malware classification and different techniques and vectors of infection
  2. Sample triage and analysis of potentially infected machines
    • Detection of active and dormant malicious code
    • Common persistence techniques
    • Fileless malware and its detection
    • Threat hunting of malicious code
  3. Basic approach to analysis of malicious samples
    • Identification and use of IoCs
    • Different techniques for deobfuscation of malicious code
    • Static and dynamic analysis benefits and drawbacks
  4. Most common malicious file types and tools and procedures for their static and/or dynamic analysis
    • Archives and images
    • Office documents
    • PDFs
    • LNK files
    • Scripts
    • PE files
    • …
  5. Recommended approaches and techniques for analysis of different types of PE files
    • Compiled code vs. Intermediate code and differences in analysis
    • Differences between code created in different programming languages
    • Debuggers, disassemblers and decompilers
    • Basics of x86/x64 assembly
    • Basics of reverse engineering of PE files
    • Shellcode analysis
  6. Analysis outcomes
    • Recommendations for reporting
    • Development of YARA rules and other types of signatures and analytics

The course is aimed at

  • Senior Security Operations Center (SOC) analysts
  • Computer Security Incident Response Team (CSIRT) operators
  • Security specialists who deal with potentially malicious files on a daily basis
  • Anyone who want to learn malware analysis and reverse engineering

Prerequisites

  • User-level experience with Windows
  • User-level experience with Linux
  • Experience with programming/scripting
  • Experience with x86/x64 assembly
  • Familiarity with most common networking protocols (TCP, UDP, IP, ICMP, DNS, HTTP, etc.)
  • Familiarity with common security technologies (IDS/IPS, EDR, antivirus, etc.)

Additional requirements

A properly configured laptop with installed hypervisor capable of creating “snaphots” of virtual machines is required to participate in the course. The latop has to be able to allocate 2 vCPUs, 8 GB RAM and 100 GB of storage space to a virtual machine, which will be used during the training. A virtual machine, based on the Windows 10 operating system, has to be individually prepared by each participant according to provided instructions before start of the course.

Materials

Trainees will receive an electronic version of the study materials.

Duration

2 days

Currently available training dates

Date Location Language Price (before VAT)
9.-10. 11. 2023 Prague Czech 45 000 CZK Registration
8.-9. 4. 2024 Online Czech 45 000 CZK Registration will open soon
11.-12. 4. 2024 Online English 45 000 CZK Registration will open soon