The course covers basic techniques, tools and approaches used for identification and analysis of different types of malicious code, discovery of its main functionalities and implementation of relevant defensive controls against it. It teaches the skills necessary for basic analysis of suspicious files and processes in the context of everyday security operations as well as during incident investigation and response.
The course is highly practical and gives the trainees a chance to try out a multitude of different tools and techniques during analysis of different types of real-world malware - from static analysis of downloaders hidden in VBS scripts or Office documents, through dynamic analysis of obfuscated downloaders, all the way to reverse engineering of modern ransomware.
Contents
- Malware classification and different techniques and vectors of infection
- Sample triage and analysis of potentially infected machines
- Detection of active and dormant malicious code
- Common persistence techniques
- Fileless malware and its detection
- Threat hunting of malicious code
- Basic approach to analysis of malicious samples
- Identification and use of IoCs
- Different techniques for deobfuscation of malicious code
- Static and dynamic analysis benefits and drawbacks
- Most common malicious file types and tools and procedures for their static and/or dynamic analysis
  - Archives and images
  - Office documents
  - PDFs
  - LNK files
  - Scripts
  - PE files
  - …
- Recommended approaches and techniques for analysis of different types of PE files
- Compiled code vs. Intermediate code and differences in analysis
- Differences between code created in different programming languages
- Debuggers, disassemblers and decompilers
- Basics of x86/x64 assembly
- Basics of reverse engineering of PE files
- Shellcode analysis
- Analysis outcomes
- Recommendations for reporting
- Development of YARA rules and other types of signatures and analytics
The course is aimed at
- Senior Security Operations Center (SOC) analysts
- Computer Security Incident Response Team (CSIRT) operators
- Security specialists who deal with potentially malicious files on a daily basis
- Anyone who wants to learn malware analysis and reverse engineering
Prerequisites
- User-level experience with Windows
- User-level experience with Linux
- Experience with programming/scripting
- Experience with x86/x64 assembly
- Familiarity with most common networking protocols (TCP, UDP, IP, ICMP, DNS, HTTP, etc.)
- Familiarity with common security technologies (IDS/IPS, EDR, antivirus, etc.)
Additional requirements
A properly configured laptop with an installed hypervisor capable of creating "snapshots" of virtual machines is required to participate in the course. The laptop has to be able to allocate 2 vCPUs, 8 GB RAM and 100 GB of storage space to a virtual machine, which will be used during the training. A virtual machine based on the Windows 10 operating system has to be individually prepared by each participant according to the provided instructions before the start of the course.
Materials
Trainees will receive an electronic version of the study materials.
Duration
2 days
Currently available training dates
Date | Location | Language | Price (before VAT) | Registration
---|---|---|---|---
9.-10. 11. 2023 | Prague | Czech | 45 000 CZK | Registration |
8.-9. 4. 2024 | Online | Czech | 45 000 CZK | Registration will open soon |
11.-12. 4. 2024 | Online | English | 45 000 CZK | Registration will open soon |