A Practical Malware Analysis & Threat Hunting with Memory Forensics, Endpoint Telemetry, & AI-Driven Hunting - Monnappa K A & Sajan Shetty - DCSG2026

Name of Training: A Practical Malware Analysis & Threat Hunting with Memory Forensics, Endpoint Telemetry, & AI-Driven Hunting
Trainer(s): Monnappa K A and Sajan Shetty
Dates: April 26-27, 2026
Time: TBD
Venue: Marina Bay Sands
Early Bird Cost (GST included): $2,287 USD / equivalent to $2,950 SGD

Early bird price valid until February 8, 2026.

Short Summary:

This 2-day intensive, hands-on training teaches the concepts, tools, and techniques required to analyze, investigate, and hunt malware by combining four powerful approaches: malware analysis, reverse engineering, memory forensics, and endpoint telemetry-based threat hunting. The course begins with the foundations of malware analysis, Windows internals, and memory forensics, before moving into advanced concepts of malware investigation and hunting adversary techniques.

Through real-world labs and scenarios, students will perform static, dynamic, code, and memory analysis; investigate real malware samples and infected memory images (crimeware, APT malware, rootkits, fileless threats); and analyze Sysmon/endpoint telemetry to detect persistence, lateral movement, and stealth techniques such as LOLBins abuse. By studying these behaviors, participants will gain a deep understanding of the latest adversary tactics, techniques, and procedures (TTPs) and apply this knowledge directly in investigative workflows.

What makes this training unique and future-ready is the introduction to the concept of AI-powered autonomous hunting with the Garuda Threat Hunting Framework. By integrating Garuda with Large Language Models (LLMs), participants will see how AI can accelerate event triaging, extract IOCs, map activity to MITRE ATT&CK, and even generate automated hunting reports — enabling analysts to hunt unknown threats without relying on traditional IOCs, signatures, or patterns. This demonstrates how AI augments human expertise and strengthens modern SOC operations. (AI hunting preview: https://youtu.be/Sk_c5w1CEiY)

By the end of the training, attendees will be fully equipped to detect, analyze, investigate, hunt, and respond to sophisticated cyber threats — combining hands-on technical expertise with AI-assisted hunting capabilities. These are essential skills for SOC analysts, incident responders, malware analysts, and threat hunters who want to stay ahead of today’s evolving threats.

Whether you are a beginner building your foundation or an experienced professional refining advanced skills, this training delivers the knowledge, tools, and practical labs you need to succeed.

What’s included: Malware samples, infected memory images, course material, lab solution manual, video demos, custom scripts (including the Garuda Threat Hunting Framework with additional modules), and a preconfigured Linux VM for hands-on practice.

Course Description:

Malware analysis, memory forensics, and endpoint telemetry-based hunting are among the most powerful investigative techniques used in reverse engineering, digital forensics, threat hunting, and incident response. With adversaries becoming increasingly sophisticated — deploying fileless malware, rootkits, and stealthy techniques to compromise critical infrastructures, enterprises, and government organizations — the ability to detect, investigate, and respond to such intrusions has become an essential skill for every cybersecurity professional.

This hands-on training provides a complete practical approach, uniquely combining malware analysis, reverse engineering, memory forensics, and endpoint telemetry-based threat hunting into a single program. Participants will begin with the foundations of malware analysis, Windows internals, reverse engineering, and memory forensics, before progressing into advanced investigations such as rootkits, fileless malware, and stealthy adversary techniques that often bypass traditional defenses.

Throughout the training, attendees will learn to:

  • Analyze real-world malware samples using static, dynamic, code, and memory analysis — gaining skills directly applicable to real SOC and IR investigations.
  • Investigate infected memory images (crimeware, APT malware, fileless malware, rootkits) using the Volatility memory forensics framework — a must-have capability for modern forensic investigations.
  • Correlate Sysmon and endpoint telemetry with forensic artifacts to uncover persistence, credential theft, lateral movement, and stealth techniques such as Living off the Land (LOLBins) abuse — techniques adversaries use daily.
  • Leverage the Garuda Threat Hunting Framework to filter, prioritize, and triage Sysmon events for more effective and efficient threat hunting.
  • Experience AI-powered autonomous hunting by integrating Garuda with Large Language Models (LLMs) to accelerate event triaging, extract IOCs, map activity to MITRE ATT&CK, and generate automated reports — enabling you to hunt unknown threats without relying on IOCs, signatures, or patterns.

To ensure a completely practical learning experience, each module includes scenario-driven labs and demonstrations. Attendees will:

  • Build and operate a safe, isolated malware analysis lab.
  • Analyze network and host-based indicators (IOCs).
  • Investigate code injection, hooking, and persistence techniques used by adversaries.
  • Incorporate malware analysis and memory forensics into sandbox automation workflows.
  • Practice investigative workflows used in real-world SOC and IR environments.

This ensures attendees don’t just learn concepts — they apply them exactly as they would in live investigations.

By the end of the course, participants will have the skills to:

  • Understand how malware and Windows internals work.
  • Create safe and isolated environments for malware analysis.
  • Perform static, dynamic, and code-level malware analysis.
  • Debug malware with IDA Pro and x64dbg.
  • Investigate downloaders, droppers, keyloggers, backdoors, and fileless malware.
  • Detect advanced persistence, process injection, and rootkit techniques.
  • Acquire and analyze memory images using Volatility.
  • Incorporate memory forensics into reverse engineering and sandboxing workflows.
  • Hunt malware using endpoint telemetry and Sysmon logs.
  • Leverage the Garuda Framework and AI-powered hunting to detect stealthy adversary behavior and automate investigation steps.

This course is suitable for both beginners and experienced professionals. Beginners will build a strong foundation in malware analysis and forensics, while seasoned professionals will sharpen their skills in advanced threat detection, incident response, and AI-assisted hunting.

Course Outline:

The following topics will be covered in this course:

Day 1:

Introduction to Malware Analysis
 - What is malware
 - What malware does
 - Why malware analysis
 - Types of malware analysis
 - Setting up an isolated lab environment

Static Analysis
 - Fingerprinting the malware
 - Extracting strings
 - Determining file obfuscation
 - Pattern matching using YARA
 - Fuzzy hashing & comparison
 - Understanding PE file characteristics
 - Disassembly
 - Hands-on lab exercise: analyzing a real malware sample
 
Dynamic Analysis/Behavioural analysis
 - Dynamic Analysis Steps
 - Understanding Dynamic Analysis tools
 - Simulating services
 - Performing Dynamic Analysis
 - Monitoring process, filesystem, registry, and network activity
 - Determining the Indicators of compromise (host and network indicators)
 - Demo - Static & dynamic analysis of a real malware sample
 - Hands-on lab exercise: analyzing a real malware sample

Automating Malware Analysis (Sandbox)
 - Custom Sandbox Overview
 - Working of Sandbox
 - Sandbox Features
 - Demo - Analyzing malware in the custom sandbox

Code Analysis
 - Code Analysis Overview
 - Disassembler & Debuggers
 - Code Analysis Tools
 - Basics of IDA Pro
 - Basics of OllyDbg/x64dbg
 - Understanding the API calls
 - Reversing malware functionalities (downloader, dropper, keylogger, code injection, HTTP backdoor)
 - Hands-on lab exercise: analyzing a real malware sample

Introduction to Memory Forensics
 - What is Memory Forensics
 - Why Memory Forensics
 - Steps in Memory Forensics
 - Memory acquisition and tools
 - Acquiring memory from a physical machine
 - Acquiring memory from a virtual machine
 - Hands-on exercise: acquiring memory

Volatility Overview
 - Introduction to Volatility Advanced Memory Forensics Framework
 - Volatility Installation
 - Volatility basic commands
 - Determining the profile
 - Volatility help options
 - Running the plugin

Day 2:

Investigating Process
 - Understanding Process Internals
 - Process (EPROCESS) structure
 - Process organization
 - Process enumeration by walking the doubly-linked list
 - Process relationships (parent-child relationship)
 - Understanding DKOM attacks
 - Process enumeration using pool tag scanning
 - Volatility plugins to enumerate processes
 - Identifying malicious processes
 - Hands-on lab exercise (scenario-based): investigating malware-infected memory

Investigating Process handles & Registry
 - Objects and handles overview
 - Enumerating process handles using Volatility
 - Understanding Mutex
 - Detecting malware presence using the mutex
 - Understanding the Registry
 - Investigating common registry keys using Volatility
 - Detecting malware persistence
 - Hands-on lab exercise (scenario-based): investigating malware-infected memory

Investigating Network Activities
 - Understanding malware network activities
 - Volatility Network Plugins
 - Investigating network connections
 - Investigating sockets
 - Hands-on lab exercise (scenario-based): investigating malware-infected memory

Investigating Process Memory
 - Process memory internals
 - Listing DLLs using Volatility
 - Identifying hidden DLLs
 - Dumping malicious executables from memory
 - Dumping DLLs from memory
 - Scanning memory for patterns (yarascan)
 - Hands-on lab exercise (scenario-based): investigating malware-infected memory

Investigating User-Mode Rootkits & Fileless Malware
 - Code injection
 - Types of code injection
 - Remote DLL injection
 - Remote code injection
 - Reflective DLL injection
 - Hollow process injection
 - Demo - Case study
 - Hands-on lab exercise (scenario-based): investigating malware-infected memory

Investigating Kernel-Mode Rootkits
 - Understanding rootkits
 - Understanding function call traversal in Windows
 - Levels of hooking/modification on Windows
 - Kernel Volatility plugins
 - Hands-on lab exercise (scenario-based): investigating malware-infected memory

Threat Hunting Using Event Triaging
 - Introduction to Sysmon
 - Understanding Sysmon Events
 - Introduction to Garuda Threat Hunting Framework
 - Filtering Sysmon events using Garuda
 - Living off the Land attacks
 - Demo: Hunting LOLBins (Living off the Land binaries) and multi-staged attacks

AI-Powered Threat Hunting
 - Introduction to AI in threat detection & hunting
 - Introduction to MCP (Model Context Protocol)
 - Exposing tools to the LLM
 - Integrating the Garuda Framework with an AI application
 - How Garuda + AI can triage events, identify IOCs, and map events to ATT&CK techniques
 - Demo: AI-powered autonomous threat hunting for complex attack patterns

Difficulty Level:

All - This course starts with the basics and gradually progresses into more advanced concepts, so it is suitable for beginner, intermediate, and advanced students.

Suggested Prerequisites:

  • Familiarity with using Windows/Linux
  • An understanding of basic programming concepts; programming experience is not mandatory

What Students Should Bring:

  • Laptop with a minimum of 8 GB RAM and 60 GB of free hard disk space
  • Laptop with USB ports - lab samples and the custom Linux VM will be shared via USB sticks
  • VMware Workstation or VMware Fusion (trial versions can be used)
  • A Windows operating system (preferably a 64-bit version of Windows 11 or Windows 10) installed inside VMware Workstation/Fusion. Students must have full administrator access to the Windows operating system installed inside VMware Workstation/Fusion.

Note: VMware Player and VirtualBox are not suitable for this training. Apple systems using the M1 processor line cannot provide the necessary virtualization functionality and are therefore not suitable for this course.

What the Trainer Will Provide:

  • Course material (PDF copy)
  • Lab solution material
  • Videos used in the course
  • Malware samples used in the course/labs
  • Memory images used in the course/labs
  • Linux VM (to be opened with VMware Workstation/Fusion) containing the necessary tools and samples
  • Custom tools

Trainer(s) Bio:

Monnappa K A is a security professional with over 17 years of experience in incident response, investigation, and threat hunting. He previously worked for Microsoft and Cisco as a threat hunter, mainly focusing on the investigation and research of advanced cyberattacks. He is the author of the best-selling book Learning Malware Analysis, and serves on the review boards for Black Hat Asia, Black Hat USA, and Black Hat Europe. He is the creator of the Garuda Threat Hunting Framework and the Limon Linux sandbox, and the winner of the Volatility Plugin Contest 2016. He co-founded the cybersecurity research community Cysinfo (https://www.cysinfo.com). Monnappa has trained thousands of security professionals globally through his highly acclaimed hands-on training sessions on malware analysis, reverse engineering, memory forensics, and threat hunting at major conferences such as Black Hat (USA, Europe, Asia, MEA), DEFCON, BruCON, HITB, FIRST (Forum of Incident Response and Security Teams), SEC-T, OPCDE, and the 4SICS SCADA/ICS cybersecurity summit. He has also presented at numerous security conferences, including Black Hat, DEFCON, FIRST, DSCI, National Cyber Defence Summit, Bharat NCX, and Cysinfo meetings, covering topics related to threat hunting, memory forensics, malware analysis, and reverse engineering. In addition, he has authored articles for eForensics and Hakin9 magazines. You can find some of his contributions to the community on his YouTube channel (http://www.youtube.com/c/MonnappaKA), and you can read his blog posts at https://cysinfo.com
Twitter: @monnappa22

Sajan Shetty is a cybersecurity enthusiast. He is an active member of Cysinfo, an open cybersecurity community (https://www.cysinfo.com) committed to educating, empowering, inspiring, and equipping cybersecurity professionals and students to better fight and defend against cyber threats. He has conducted training sessions at Black Hat, DEFCON, BruCON, and HITB, and his primary fields of interest include machine learning, malware analysis, and memory forensics. He holds various certifications in machine learning and is passionate about applying machine learning techniques to solve cybersecurity problems.

Registration Terms and Conditions:

Trainings are refundable before March 27, 2026, minus a non-refundable processing fee of $250.

Between March 27, 2026 and April 21, 2026, partial refunds will be granted, equal to 50% of the course fee minus a processing fee of $250.

All trainings are non-refundable after April 21, 2026.

Training tickets may be transferred to another student. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

DEF CON Training may share student contact information, including names and emails, with the course instructor(s) to facilitate sharing of pre-work and course instructions. Instructors are required to safeguard this information and provide appropriate protection so that it is kept private. Instructors may not use student information outside the delivery of this course without the permission of the student.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions. Some courses offer an option to upgrade to a certificate of proficiency, which requires an additional purchase and sufficient performance on an end-of-course evaluation.
