
DEF CON Training
Vishal Thakur - AAA of Modern Malware Analysis: Attack, Automate and Analyze. Price: $1,800 (Early: $1,450)
Trainer bio:
Vishal Thakur has worked in the information security industry for many years in hands-on technical roles, specializing in Incident Response with a heavy focus on Emerging Threats, Malware Analysis and Research.
He has presented his research at international conferences (BlackHat, FIRST, SANS DFIR Summit) and has also run training/workshops at BlackHat and FIRST Conference. Vishal is currently working as Manager, Threat Operations Center for Huntress. In past roles, Vishal worked as a Senior Researcher at Salesforce, helping their Incident Response Centre with advanced threat analysis and developing DFIR tools and has been a part of the Incident Response team at the Commonwealth Bank of Australia.
Vishal is also the founder of Hack Sydney and BSides Sydney conferences.
Trainer(s) social media links:
https://www.linkedin.com/in/malienist/
https://malienist.medium.com/aaa-of-modern-malware-analysis-attack-automate-and-analyse-d51ff8e6134a
Training description:
This 90% practical, lab-based course covers the three phases of Modern Malware Analysis:
Attack phase: learn what goes into creating malware, author malicious code and build (code) the techniques that real-world malware developers use to evade detection.
Automate phase: learn how to automate parts of the analysis process for speed and scale.
Analyse phase: finally, learn how to analyse malware using the knowledge gained in the first two phases.
This course aims to look at malware analysis from a new angle.
Instead of just looking at analyzing malware, we learn what goes into creating malware before we analyze it. Because of this novel approach, we get to see the development of malware and how to use this knowledge to reverse engineer it.
From malicious scripts to executables, we look at the code behind the application, build the binaries and take it all the way to execution in order to understand all steps involved in creating most of the common types of malware we see in the real-world.
We also look at how parts of the analysis process can be automated to allow faster analysis at a larger scale, ranging from building on basic code frameworks to using the open-source tools available.
We cover both Windows and Linux malware and look at the tools, techniques and tricks that can be used to practice this approach to malware analysis. The result is faster malware analysis and a deep understanding of basic malware concepts that you can build upon. We also analyse a range of real-world malware on both days to put the knowledge gained from this course to the test.
Class outline:
Course Details (with timing):
Day 1
Lab 1.0 - A basic DevOps Environment
Create a DevOps Environment for the course
Basics (practical hands-on)
Create a repository (practical hands-on)
Create your first code project (practical hands-on)
Commit to your first repository (practical hands-on)
1 hour
Lab 1.1 - Functions in C++, JavaScript and VBS
Writing Functions - basics (practical hands-on)
Writing Functions for malicious purposes (practical hands-on)
30 min
Lab 1.2 - Malicious Code: Scripting
Writing Malicious Scripts - basics (practical hands-on)
Code Obfuscation
Why Obfuscation? (lecture)
Obfuscation Tools (practical hands-on)
Write an Obfuscator (practical hands-on)
Obscure techniques (e.g. in-sheet macros with no scripting) (practical hands-on)
1.5 hours
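As an added illustration of what "write an obfuscator" in Lab 1.2 involves, and of the matching recovery step an analyst performs on Day 2, here is a small Python example. It is not course material: the XOR-and-hex scheme, the JavaScript decode stub named d(), and the sample script are all constructed for this page.

```python
"""Toy string obfuscator and the matching deobfuscator.

Added example, not part of the course. The generator side shows what a
simple obfuscator produces (each double-quoted literal in a JavaScript
snippet is replaced by a call to a decode stub); the analyst side recovers
the original strings statically, without running the script.
"""
import re

# Hypothetical sample script, constructed for this example (benign).
SAMPLE_JS = 'var o = new ActiveXObject("WScript.Shell");\no.Run("calc.exe");'

# Runtime decode stub that the obfuscated script will carry with it.
# d(hex, key): splits the hex string into bytes, XORs each with the key.
JS_STUB = (
    "function d(h,k){var o='';for(var i=0;i<h.length;i+=2)"
    "{o+=String.fromCharCode(parseInt(h.substr(i,2),16)^k);}return o;}\n"
)


def xor_encode(s: str, key: int) -> str:
    """XOR each byte of an ASCII string with a one-byte key, return lowercase hex."""
    data = s.encode("ascii")          # demo supports ASCII literals only
    return "".join(f"{b ^ key:02x}" for b in data)


def xor_decode(hex_blob: str, key: int) -> str:
    """Inverse of xor_encode (this is the analyst's Python version of d())."""
    return "".join(chr(b ^ key) for b in bytes.fromhex(hex_blob))


def obfuscate_js(source: str, key: int = 0x5A) -> str:
    """Replace every simple double-quoted literal (no escapes) with d("<hex>",key)
    and prepend the decode stub so the result still runs as JavaScript."""
    def repl(m: re.Match) -> str:
        return f'd("{xor_encode(m.group(1), key)}",{key})'
    return JS_STUB + re.sub(r'"([^"\\]*)"', repl, source)


def recover_strings(obfuscated: str) -> list:
    """Analyst side: locate every d("<hex>",<key>) call and decode it offline.
    The key is read from each call, so a per-string key would also be handled."""
    calls = re.findall(r'd\("([0-9a-f]+)",(\d+)\)', obfuscated)
    return [xor_decode(h, int(k)) for h, k in calls]


if __name__ == "__main__":
    obf = obfuscate_js(SAMPLE_JS)
    print(obf)
    print(recover_strings(obf))
```

The point for the analyst is in recover_strings(): once the decode routine and its calling convention are understood from the stub, every protected string can be recovered with a regular expression and a reimplementation of the decoder, with no need to execute the sample.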
Lab 1.3 - Encryption
Build Encrypted Payloads (e.g. AES) (practical hands-on)
Write an Encryptor (practical hands-on)
Write a Decryptor (practical hands-on)
1 hour
Lab 1.4
Write malicious scripts (practical hands-on)
Encrypt the payloads (practical hands-on)
Obfuscate malicious scripts (practical hands-on)
Deliver and execute (practical hands-on)
1.5 hours
Lab 1.5 - Assembly Language
Basics of Assembly Language (lecture)
Memory Allocation and Stack Instructions (lecture)
String Instructions and Logical Operations (lecture)
Writing Assembly Code (practical hands-on)
Reading Assembly Code (practical hands-on)
1.5 hours
Bonus workshop (Optional, will take place after the class)
YARA Signatures
What is a YARA signature
YARA rules
Writing YARA rules
Lab - YARA Rules
Write YARA rules for sample malware - Windows
Test YARA signature - Windows
Write YARA rules for sample malware - Linux
Test YARA signature - Linux
Day 2
Lab 2.0 - Malware Analysis Environment Setup
Tools setup and familiarity - Windows [Ghidra, x64dbg, OllyDbg, WinDbg etc.] (practical hands-on)
Tools setup and familiarity - Linux (practical hands-on)
1 hour
Lab 2.1 - Analysing Script-based malware
Tools, techniques and tricks (practical hands-on)
Analyse code written on Day 1 (practical hands-on)
Analyse real-world malicious scripts (practical hands-on)
1.5 hours
Lab 2.3 - Malware Code
Packing - how to pack code (practical hands-on)
Encryption - how to use encryption for malicious purposes (practical hands-on)
Registry - interact with the Windows Registry (practical hands-on)
Network - perform network operations such as downloading secondary payloads (practical hands-on)
1.5 hours
Lab 2.4 - Analysing Windows Malware (Executable Binaries)
Static Analysis
Analyse code written on Day 1 (practical hands-on)
Analyse real-world malware (practical hands-on)
Dynamic Analysis
Analyse code written on Day 1 (practical hands-on)
TEST - Analyse real-world malware (practical hands-on)
Automate analysis by building debugger extensions (practical hands-on)
2 hours
Lab 2.5 - Analysing Linux Malware
Static Analysis
Analyse real-world malware (practical hands-on)
Write a report based on analysis (practical hands-on)
Dynamic Analysis
TEST - Analyse real-world malware (practical hands-on)
Write a report based on analysis (practical hands-on)
1.5 hours
A certificate of completion will be provided to all students once they complete the course.
A certificate will be issued to all students who pass the tests.
Technical difficulty of the class:
Beginner
Suggested prerequisites for the class:
Students need to have a basic understanding of how code works. Any experience with coding is a plus.
Familiarity with how to setup a virtual machine is required to get started with the course.
Students will be required to have the community version of Microsoft Visual Studio and also a functional virtual machine running Ubuntu. Detailed instructions on how to set up the environment will be provided to all students prior to course commencement, and all the required tools will be provided.
Items students will need to provide:
Students are required to bring a laptop that is capable of easily running at least 2 virtual machines (8 GB of free RAM and at least 50 GB Hard drive space)
VMware Workstation or VMware Fusion (trial versions are fine)
Windows (Windows 10 64-bit preferred) on one of the VMs
Ubuntu on the other VM
Host system should be internet-ready
Full Admin rights preferred on host system if possible
Full Admin rights on the VMs
USB port in case course material needs to be transferred using a USB
A detailed list of these requirements will be provided to enrolled students before course commencement.
DATE: April 13th-14th 2023
TIME: 8am to 5pm PDT
VENUE: Meydenbauer Center Bellevue, WA
TRAINER: Vishal Thakur
- 16 hours of training with a certificate of completion.
- Note: Classes that do not meet their minimum class size by July 15 will be canceled, please register early.
- 2 coffee breaks are provided per day.
- Note: Food is not included.
Registration terms and conditions:
Trainings are refundable before March 1st, 2023, less a $250 processing fee.
Trainings are non-refundable after March 10th, 2023.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.
DEF CON Communications, Inc.
1100 Bellevue Way NE
8A-85
Bellevue, WA 98004