Video Preview
Josh's Modern Malware – Discovering and Triaging Unknown Threats takes you on a 2-hour preview through the art and craft of malware threat hunting. This workshop gives you a peek into Josh's Modern Malware for Threat Hunters training offered at CATCH2022.
Abstract
Malware authors go to great lengths to bypass enterprise security to deliver malware, avoid detection after the initial intrusion and maintain persistence to compromise an organization. To achieve this, malware authors employ a wide variety of obfuscation and anti-analysis techniques at each phase of an attack.
In Modern Malware for Threat Hunters, you will get hands-on with real-world malware and learn how to identify key indicators of compromise/indicators of attack, apply analysis to enhance security products to protect your users and infrastructure and gain a deeper understanding of malware behavior through reverse engineering. Open-source and limited-use tools such as Ghidra, IDA Pro Free/Demo, Oledump/OleVBA, PE Studio and Suricata will be utilized to perform deep technical analysis of malware at each phase of an attack, focusing on developing effective strategies to maximize your time spent identifying key information and broader tactics.
By the end of this course you will be able to analyze malicious office documents, dig deep into native and interpreted code through disassembly and decompilation, identify and defeat prevalent obfuscation techniques and generate valuable threat intelligence to aid in your efforts to defend your organization or respond to an incident.
This is a fast-paced course designed to take you deep into malware operations – from delivery methods to payloads! Attendees will be provided with all of the lab material used throughout the course in a digital format. This includes all lab material, lab guides and virtual machines used for training. This course will also utilize several live classroom sharing resources, such as chat and notes to ensure that attendees have access to all material discussed throughout the training. Comprehensive lab guides will also be provided to ensure that attendees have the ability to continue learning after the course ends and maximize the knowledge gained from this course.
Key Learning Objectives
- Understand different attack methods used by malicious actors, how this affects your analysis and effective ways for disrupting the attack
- Learn the tools and skills needed to perform exhaustive analysis on malicious office documents, exploit kits, Java and .NET binaries, native code binaries (PE files) and shellcode
- Become proficient in utilizing reversing tools to identify and defeat obfuscation, packing and anti-analysis techniques.
- Gain a deeper understanding of binary file formats and how to analyze them to learn more about malware behaviour
- Leverage static and dynamic tools to develop a hybrid approach for effectively analyzing malware including assembly level debuggers, disassemblers, decompilers and sandboxes
- Identify key indicators of compromise to update security products such as an IDS/IPS
Learn how to leverage network traffic to gain a deeper understanding of malware behavior
Who Should Attend
This course will take students through key phases of malware operations, providing deep technical analysis and hands-on labs to gain experience detecting, analyzing and reverse engineering malware. This is an ideal course for security analysts, threat researchers, malware researchers and anyone tasked with defending an organization to get hands-on diving deep into malware.
Agenda
Session 1 - Harnessing Threat Intelligence
- Utilizing open-source intelligence platforms such as Abuse.ch, VirusTotal and AlienVault OTX to investigate malware
- Gain proficiency with key malware analysis triage tools such as PE Studio, OLEDUMP, XLMDeobfuscator, malwoverview and more
- Understanding delivery mechanisms: Office documents, JavaScript attachments and other means of bypassing the perimeter
- Explore the use of custom and online sandboxes to further enhance malware analysis
- Leveraging network traffic to enhance analysis
Session 2 – Delivery Vehicles and Infrastructure
- Dig deep into Office documents to unravel VBA and Excel 4 macros, the use of PowerShell and other prevalent living off the land techniques
- Learn how to defeat complex obfuscation in malware such as the Javascript-based OSTAP
- Develop strategies for identifying and defeating obfuscation in interpreted code
- Create custom python scripts to work with APIs to create custom workflows
- Identify intermediary payloads and use tools like CyberChef to unravel layers of obfuscation
- A brief look at exploit kits and techniques for unraveling
- Analyzing compromised infrastructure through a server compromise
- Analyzing proxy scripts, webshells, command and control panels and other malicious infrastructure
- Leveraging network traffic analysis to identify malware families
Session 3 - Analyzing Payloads
- Identify and extract payloads from network traffic and other malicious artifacts
- Identifying evidence of data exfiltration and command-and-control beacons
- Leveraging network traffic analysis to identify malware families
- Automating IOC extraction from malware samples
- Understanding binary file formats and key operating system internals
- Determining signs of packing and other native code obfuscation techniques
Session 4 - Reverse Engineering Malware
- Identifying evidence of data exfiltration
- Recognizing patterns of command and control communications
- Reversing other file formats such as .NET and Java binaries
- Identifying and tracing malware use of shellcode
- Analyzing Windows-based shellcode, along with common obfuscation techniques
- Defeating string and API obfuscation techniques in native and interpreted code
- Extending reversing tools through plugins
Pre-requisites
The primary requirement for this course is a desire to learn and the determination to tackle challenging problems. In addition, having some familiarization with the following topics will help students maximize their time in this course:
- Basic malware analysis
- An understanding of programming languages such as control structures (IF statements, loops and functions), data structures (objects, structures, arrays) and variable usage
- Ability to read assembly for Intel 32 and 64 bit architectures
- Proficiency with a Windows-based debugger such as WinDbg, x64dbg or Immunity
Pre-class Tutorials
To help prepare for this course, it is recommended that students be familiar with information from the following sources:
- A brief overview of malicious office documents
- Hack-in-the-Box CommSec Track 2018
- Assembly and Intel’s 32/64-bit architecture
- Specifically concepts from chapters 1 − 5
- Getting started with reverse engineering
System Requirements
- Linux/Windows/Mac desktop environment
- A laptop with the ability to run virtualization software such as VMWare or VirtualBox
- Access to the system BIOS to enable virtualization, if disabled via the chipset
- Ability to temporarily disable anti-virus or white-list folders/files associated with lab material
- A laptop that the attendee is comfortable handling live malware on
- Enough disk space to store at least a single 40 GB VM, although multiple VMs may be used
Students will be provided with
Students will be provided with all of the lab material used throughout the course in a digital format. This includes all lab material, lab guides and virtual machines used for training. This course will also utilize several live classroom sharing resources, such as chat and notes to ensure that students have access to all material discussed throughout the training. Comprehensive lab guides will also be provided to ensure that students have the ability to continue learning after the course ends and maximize the knowledge gained from this course.