deep knowledge technical trainings

AUGUST 22 / 23 / 24 / 25 @ INTERCONTINENTAL SINGAPORE

A Practical Approach To Malware Analysis, Hunting And Memory Forensics

This course features hands-on labs that use real world malware samples and infected memory images (Crimewares, APT malwares, Rootkits etc) to help attendees gain better understanding of the subject. After taking this course attendees will be equipped with skill to analyze, investigate and respond to malware related incidents.

Categories 3-Day Training, HITB2022SIN, Virtual Tags Malware Analysis, memory forensics

$3,299.00

Duration

3-day

Delivery Method

Virtual

Level

beginner

Seats Available

20

REGISTRATION CLOSED

DATE: 22-24 August 2022

TIME: 09:00 to 17:00 SGT/GMT +8

Date	Day	Time	Duration
22 Aug	Monday	0900-17:00 SGT/GMT +8	8 Hours
23 Aug	Tuesday	0900-17:00 SGT/GMT +8	8 Hours
24 Aug	Wednesday	0900-17:00 SGT/GMT +8	8 Hours

This hands-on training teaches concepts, techniques and tools to understand the behavior and characteristics of malware by combining two powerful techniques, malware analysis and memory forensics.

Malware analysis and memory forensics are powerful analysis and investigative techniques used in reverse engineering, digital forensics and incident response. Adversaries are becoming more sophisticated and carrying out advanced malware attacks on critical infrastructures, Data Centers, private and public organizations. This makes detecting, responding and investigating such intrusions increasingly critical for information security professionals. Malware analysis and memory forensics have become a must-have skill for fighting advanced malwares, targeted attacks and security breaches.

This course will introduce attendees to basics of malware analysis,reverse engineering, Windows internals and memory forensics. It will then gradually progress deeper into more advanced concepts of memory forensics.

This course uses hands-on labs using real world malware samples and infected memory images (Crimewares, APT malwares, Rootkits etc) to help attendees gain better understanding of the subject. The training also shows how these techniques can be incorporated in a sandbox to automate malware analysis. After taking this course attendees will be equipped with skill to analyze, investigate and respond to malware related incidents.

Students will be provided with:

Course material
Lab solution material
Videos used in the course
Malware samples used in the course/labs
Memory Images used in the course/labs
Custom Scripts
Linux VM (to be opened with VMware Workstation/Fusion) containing necessary tools and samples

Agenda

Day 1

Introduction to Malware Analysis

What is Malware
What they do
Why malware analysis
Types of malware analysis
Setting up an isolated lab environment

Static Analysis

Fingerprinting the malware
Extracting strings
Determining File obfuscation
Pattern matching using YARA
Fuzzing hashing & comparison
Understanding PE File characteristics
Disassembly
Hands-on lab exercise involves analyzing a real malware sample

Dynamic Analysis/Behavioural analysis

Dynamic Analysis Steps
Understanding Dynamic Analysis tools
Simulating services
Performing Dynamic Analysis
Monitoring process, filesystem, registry, and network activity
Determining the Indicators of compromise (host and network indicators)
Hands-on lab exercise involves analyzing a real malware sample

Automating Malware Analysis(sandbox)

Custom Sandbox Overview
Working of Sandbox
Sandbox Features
Demo – Analyzing malware in the custom sandbox

Malware Persistence Methods

Run registry key
Scheduled Tasks
Startup Folder
Service
Winlogon registry entries
Image File Execution Options (IFEO)
Accessibility programs
AppInit_DLLs
DLL Search order hijacking
COM Hijacking
Hands-on lab exercise involves analyzing a real malware sample

Day 2

Code Analysis

Code Analysis Overview
Disassembler & Debuggers
Code Analysis Tools
Basics of IDA Pro
Basics of Ollydbg/x64dbg
Understanding the API calls
Reversing Malware functionalities(Downloader, dropper, keylogger, code injection, HTTP backdoor)
Hands-on lab exercise involves analyzing a real malware sample

Introduction to Memory Forensics

What is Memory Forensics
Why Memory Forensics
Steps in Memory Forensics
Memory acquisition and tools
Acquiring memory From physical machine
Acquiring memory from the virtual machine
The hands-on exercise involves acquiring the memory

Volatility Overview

Introduction to Volatility Advanced Memory Forensics Framework
Volatility Installation
Volatility basic commands
Determining the profile
Volatility help options
Running the plugin

Investigating Process

Understanding Process Internals
Process(EPROCESS) Structure
Process organization
Process Enumeration by walking the double linked list
Process relationship (parent-child relationship)
Understanding DKOM attacks
Process Enumeration using pool tag scanning
Volatility plugins to enumerate processes
Identifying malware process
Hands-on lab exercise(scenario-based) involves investigating malware infected memory

Investigating Process handles & Registry

Objects and handles overview
Enumerating process handles using Volatility
Understanding Mutex
Detecting malware presence using a mutex
Understanding the Registry
Investigating common registry keys using Volatility
Detecting malware persistence
Hands-on lab exercise(scenario-based) involves investigating malware infected memory

Day 3

Investigating Network Activities

Understanding malware network activities
Volatility Network Plugins
Investigating Network connections
Investigating Sockets
Hands-on lab exercise(scenario-based) involves investigating malware infected memory

Investigation Process Memory

Process memory Internals
Listing DLLs using Volatility
Identifying hidden DLLs
Dumping malicious executable from memory
Dumping Dll’s from memory
Scanning the memory for patterns(yarascan)
Hands-on lab exercise(scenario-based) involves investigating malware infected memory

Investigating User-Mode Rootkits & Fileless Malwares

Code Injection
Types of Code injection
Remote DLL injection
Remote Code injection
Reflective DLL injection
Hollow process injection
Demo – Case Study
Hands-on lab exercise(scenario-based) involves investigating malware infected memory

Memory Forensics in Sandbox technology

Sandbox Overview
Integrating Memory Forensics into a sandbox
Demo – showing the use of memory forensics in a custom sandbox

Investigating Kernel-Mode Rootkits

Understanding Rootkits
Understanding Functional call traversal in Windows
Level of Hooking/Modification on Windows
Kernel Volatility plugins
Hands-on lab exercise(scenario-based) involves investigating malware infected memory
Demo – Rootkit Investigation

Memory Forensic Case Studies

Demo – Hunting an APT malware from Memory

Dr Kailong Wang

Researcher

National University Singapore

Dr. Wang Kailong is currently a research fellow at National University of Singapore (NUS). He received his PhD degree from School of Computing NUS in 2022. He has worked as a Research Assistant in NUS while pursuing his PhD degree from 2016 to 2021. His research interests include mobile and web security and privacy, and protocol verification. His works have appeared in the top conferences such as WWW and MobiCom.

Gal Diskin

Co-Founder & CTO

Authomize

Mr. Gal Diskin is a cybersecurity and AI researcher. He was previously the VP & head of Palo Alto Networks’ Israeli site, and is a serial entrepreneur. Mr. Diskin’s research has been featured in HITB, Defcon, Black Hat, CCC, and other conferences, spanning fields from low level security research such as hardware vulnerabilities, binary instrumentation, and car hacking to high level research on AI detection methods, Enterprise security, and Identity security. Mr. Diskin was also the technical lead and co-founder of Intel’s software security organization, as well as the CTO of Cyvera and HeXponent (co-founder) before their acquisition.

Kevin Chen

Senior Security Researcher

Huajiang “Kevin2600” Chen (Twitter: @kevin2600) is a senior security researcher. He mainly focuses on vulnerability research in wireless and Vehicle security. He is a winner of GeekPwn 2020 and also made to the Tesla hall of fame 2021. Kevin2600 has spoken at various conferences including KCON; DEFCON and CANSECWEST.

Why You Should Take This Course

This course features hands-on labs that use real world malware samples and infected memory images (Crimewares, APT malwares, Rootkits etc) to help attendees gain better understanding of the subject. After taking this course attendees will be equipped with skill to analyze, investigate and respond to malware related incidents.

Who Should Attend

This course is intended for anyone interested in learning malware analysis and memory forensics. This includes:

forensic practitioners
incident responders
cyber security investigators
malware analysts
system administrators
software developers
students and
curious security professionals new to this field

Key Learning Objectives

[“How malware and Windows internals work”,”How to create a safe and isolated lab environment for malware analysis”,”What are the techniques and tools to perform malware anlaysis”,”How to perform static analysis to determine the metadata associated with malware”,”How to perform dynamic analysis of the malware to determine its interaction with process,filesystem, registry and network”,”How to perform code analysis to determine the malware functionality”,”How to debug a malware using tools like IDA pro, Ollydbg\/Immunity debugger”,”What is Memory Forensics and its use in malware and digital investigation”,”Ability to acquire a memory image from suspect\/infected systems”,”How to use open source advanced memory forensics framework (Volatility)”,”Understanding of the techniques used by the malwares to hide from Live forensic tools”,”Understanding of the techniques used by Rootkits(code injection, hooking etc)”,”Investigative steps for detecting stealth and advanced malware”,”How memory forensics helps in malware analysis and reverse engineering”,”How to incorporate malware analysis and memory forensics in sandbox”,”How to determine the network and host based indicators (IOC)”,”Techniques to Hunt Malwares”]

Prerequisite Knowledge

The course assumes no prior knowledge of the subject and starts from the basics and slowly progresses towards advanced topics. – Students Should be familiar with using Windows/Linux – Students Should have an understanding of programming concepts, while programming experience is not mandatory. – Students Should have basic understanding of malware and its role in cyber attacks

Hardware / Software Requirements

– Laptop with minimum 6GB RAM and 40GB free hard disk space – Laptop with USB ports – lab samples, and custom Linux VM will be shared via USB sticks – VMware Workstation or VMware Fusion (even trial versions can be used). – Windows Operating system (preferably Windows 10 64-bit, even Windows 8 and Windows 7 versions are fine) installed inside the VMware Workstation/Fusion. Students must have full administrator access for the Windows operating system installed inside the VMware Workstation/Fusion. Note: VMware Player or VirtualBox is not suitable for this training.