
DEF CON Training
Vishal Thakur - AAA of Modern Malware Analysis: Attack, Automate and Analyze $2,000
Name of training:
AAA of Modern Malware Analysis: Attack, Automate and Analyze
Trainer bio:
Vishal Thakur has worked in the information security industry for many years in hands-on technical roles, specializing in Incident Response with a heavy focus on Emerging Threats, Malware Analysis and Research.
He has presented his research at international conferences (BlackHat, FIRST, SANS DFIR Summit) and has also run training/workshops at BlackHat and FIRST Conference. Vishal is currently working as Manager, Threat Operations Center for Huntress. In past roles, Vishal worked as a Senior Researcher at Salesforce, helping their Incident Response Centre with advanced threat analysis and developing DFIR tools, and has been a part of the Incident Response team at the Commonwealth Bank of Australia.
Vishal is also the founder of Hack Sydney and BSides Sydney conferences.
Trainer(s) social media links:
https://www.linkedin.com/in/malienist/
Training information:
Have you taught this training before? This is a new course, but I have taught parts of it before. Here is a piece of the training:
https://www.first.org/conference/2022/program (text search for my name)
Class description:
This 90% practical, lab-based course covers the three phases of Modern Malware Analysis:
Attack phase: learn what goes into creating malware, author malicious code and implement the techniques that real-world malware developers use to evade detection.
Automate phase: learn how to automate parts of the analysis process for speed and scaling.
Analysis phase: finally, learn how to analyze malware using all the knowledge gained in the first two phases.
This course aims to look at malware analysis from a new angle.
Instead of just looking at analyzing malware, we learn what goes into creating malware before we analyze it. Because of this novel approach, we get to see the development of malware and how to use this knowledge to reverse engineer it.
From malicious scripts to executables, we look at the code behind the application, build the binaries and take it all the way to execution in order to understand all the steps involved in creating most of the common types of malware we see in the real world.
We also look at how parts of the analysis process can be automated to facilitate faster analysis on a bigger scale, from building on basic code frameworks to using the open-source tools available.
We cover both Windows and Linux malware and look at the tools, techniques and tricks that can be used to practice this approach in malware analysis. The result is very speedy malware analysis and a very deep understanding of basic malware concepts that you can build upon. Also, we analyze a bunch of real-world malware on both days and put the knowledge gained from this course to the test!
Class outline:
Course Details (with timing):
Day 1
Lab 1.0 - A basic DevOps Environment
Create a DevOps Environment for the course
Basics (practical hands-on)
Create a repository (practical hands-on)
Create your first code project (practical hands-on)
Commit to your first repository (practical hands-on)
1 hour
Lab 1.1 - Functions in C++, JavaScript and VBS
Writing Functions - basics (practical hands-on)
Writing Functions for malicious purposes (practical hands-on)
30 min
Lab 1.2 - Malicious Code: Scripting
Writing Malicious Scripts - basics (practical hands-on)
Code Obfuscation
Why Obfuscation? (lecture)
Obfuscation Tools (practical hands-on)
Write an Obfuscator (practical hands-on)
Obscure techniques (e.g. in-sheet macros with no scripting) (practical hands-on)
1.5 hours
Lab 1.3 - Encryption
Build Encrypted Payloads (e.g. AES) (practical hands-on)
Write an Encryptor (practical hands-on)
Write a Decryptor (practical hands-on)
1 hour
Lab 1.4
Write malicious scripts (practical hands-on)
Encrypt the payloads (practical hands-on)
Obfuscate malicious scripts (practical hands-on)
Deliver and execute (practical hands-on)
1.5 hours
Lab 1.5 - Assembly Language
Basics of Assembly Language (lecture)
Memory Allocation and Stack Instructions (lecture)
String Instructions and Logical Operations (lecture)
Writing Assembly Code (practical hands-on)
Reading Assembly Code (practical hands-on)
1.5 hours
Day 2
Lab 2.0 - Malware Analysis Environment Setup
Tools setup and familiarity - Windows [Ghidra, x64dbg, OllyDbg, WinDbg, etc.] (practical hands-on)
Tools setup and familiarity - Linux (practical hands-on)
1 hour
Lab 2.1 - Analysing Script-based malware
Tools, techniques and tricks (practical hands-on)
Analyze code written on Day 1 (practical hands-on)
Analyze real-world malicious scripts (practical hands-on)
1.5 hours
Lab 2.3 - Malware Code
Packing - how to pack code (practical hands-on)
Encryption - how to use encryption for malicious purposes (practical hands-on)
Registry - interact with the Windows Registry (practical hands-on)
Network - perform network operations such as downloading secondary payloads (practical hands-on)
1.5 hours
Lab 2.4 - Analysing Windows Malware (Executable Binaries)
Static Analysis
Analyze code written on Day 1 (practical hands-on)
Analyze real-world malware (practical hands-on)
Dynamic Analysis
Analyze code written on Day 1 (practical hands-on)
TEST: Analyze real-world malware (practical hands-on)
Automate analysis by building debugger extensions (practical hands-on)
2 hours
Lab 2.5 - TEST: Analysing Linux Malware
Static Analysis
Analyze real-world malware (practical hands-on)
Write a report based on analysis (practical hands-on)
Dynamic Analysis
TEST: Analyze real-world malware (practical hands-on)
Write a report based on analysis (practical hands-on)
1.5 hours
Technical difficulty of the class:
Beginner
Suggested prerequisites for the class:
Students need to have a basic understanding of how code works. Any experience with coding is a plus. Familiarity with how to set up a virtual machine is required to get started with the course.
Students will be required to have the community version of Microsoft Visual Studio and also a functional virtual machine running Ubuntu. Detailed instructions on how to set up the environment will be provided to all students prior to course commencement, and all the required tools will be provided.
Items students will need to provide:
Students are required to bring a laptop/MacBook that is capable of easily running at least 2 virtual machines (8 GB of free RAM and at least 50 GB of hard drive space)
VMware Workstation or VMware Fusion (trial versions are fine)
Windows (Windows 10 64-bit preferred) on one of the VMs
Ubuntu on the other VM
Host system should be internet-ready
Full Admin rights preferred on host system if possible
Full Admin rights on the VMs
USB port in case course material needs to be transferred using a USB
DATE: August 14th-15th 2023
TIME: 8am to 5pm PDT
VENUE: Caesars Forum, Las Vegas, NV
TRAINER: Vishal Thakur
- 16 hours of training with a certificate of completion.
- 2 coffee breaks are provided per day
- Note: Food is not included
Registration terms and conditions:
Trainings are refundable before July 1st; the processing fee is $250.
Trainings are non-refundable after July 10th, 2023.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.
DEF CON Communications, Inc.
1100 Bellevue Way NE
8A-85
Bellevue, WA 98004