What to expect
This is a three day course that runs from 8:30a-5:00p. We will all sit together in one classroom.
Audience
- Security Operations Center Staff
- Reverse Engineers
- Incident Responders
- Software Engineers
- System Administrators
Applicability
This course is designed to benefit students who already have some level of exposure to malware analysis and want to improve their skillset further. We would recommend taking our Malware Analysis - Stage 1 prior to taking this course.
Objectives
- Know how to use dynamic analysis tools on executables
- Know how to efficiently use a disassembler and decompilation for analysis
- Trace program flow in an executable
- Locate key sections of programs and label information to better understand purpose
- Modify executables in-memory to alter behavior
- Create indicators of compromise based on key code blocks
- Identify and analyze advanced obfuscation methods used by malware
- Identify and analyze malware written in modern languages such as Rust and Golang
- Understand and defeat anti-analysis techniques
Typical Agenda
Setup
We recommend you begin configuring your VM early, allowing time for things to go wrong. We strongly recommend that you use VMWare Workstation Pro (Windows and Linux) or VMWare Fusion (OS X). You can try it out for 30 days for free, though you’ll likely want a license if you’re going to be analyzing malware regularly. VMWare Workstation Player will not suffice for our purposes, as we need the ability to create snapshots and Workstation Player does not provide this ability. The instructors will not be prepared to troubleshoot issues outside of the recommended platform.