Forensic

Windows Malware Analysis Intermediate - 5 days

Description

When dealing with security incidents, it is common to discover malicious code. This training aims to provide the keys to understanding Windows malware and extract the elements of interest.

During the training, several types of malicious code are illustrated depending on the language used or the phase of the attack (exploitation, persistence). The different static and dynamic analysis methods are explained in order to provide complementary approaches to the analysis. A fairly significant part of the training deals with hands-on exercises based on security incidents or on operating procedures regularly observed in incidents. This course only addresses the case of userland malicious code.

  • 5 days (35 hours)

  • Malicious code written in different languages analyzed

  • Study of malicious files (Office, LNK)

Public and prerequisites

This training is suitable for people who have already programmed under Windows or who have already undertaken program analysis (debugging or malicious code). It is aimed at everyone involved in handling malware, particularly security teams (SOC, CSIRT), and at anyone wishing to improve their skills on this subject.

  • SOC analysts

  • CSIRT analysts

Good Windows knowledge is recommended to better understand how malware works.

Content

Day 1

First-level qualification of a sample: OSINT, automated sandbox. Working environment: installation of an analysis environment (isolated/open) to process malicious code. PE structure: understanding the format and the aspects used by malware. Static and dynamic analysis of code: concepts and simple examples.

Day 2

x86(-64) assembly: first steps, control of execution flow and important instructions. Windows: the Windows API and the libraries one must know to follow their use by malicious code. Disassembler 101: getting started, the case of decompilers. Debugger 101: getting started, step-by-step study and breakpoints.

Day 3

Initial intrusion: types of code used and exploitation. Malicious scripts: website analysis, JavaScript deobfuscation. Analysis of malicious files: PDF, Office (OLE, VBA/XLM macros, p-code), VBScript deobfuscation, RTF. PowerShell code analysis: PowerShell code and shellcode emulation. Analysis of concealment techniques: LNK, ISO, HTA.

Day 4

Reverse engineering of complex code: going further on the types of code encountered, unpacking. Anti-reverse-engineering methods: anti-debugging, anti-sandbox, anti-static-analysis techniques. Automating analysis: scripting to automate the reverse engineering of obfuscated code.

Day 5

.NET code reverse engineering: introduction to .NET and CIL, .NET malware analysis. Go code reverse engineering: introduction to Go, Go malware analysis. Modular code case study.