Forensic

Malware Analysis Intermediate - 3 days - 3500€ excluding VAT

Description

When dealing with security incidents, it is common to discover malicious code. This training aims to provide the keys to understanding malware and extracting the elements of interest.

During the training, several types of malicious code are illustrated depending on the language used or the phase of the attack (exploitation, persistence). The different static and dynamic analysis methods are explained in order to provide complementary approaches to the analysis. A significant part of the training consists of hands-on exercises set in the context of security incidents or of operating procedures regularly observed during incidents. This course only addresses userland malicious code.

  • 3 days (21 hours)

  • Malicious code written in different languages is analyzed

  • Study of malicious files (PowerShell, LNK, HTA)

Objectives

  • Understand the fundamentals of Windows malware structure and analysis techniques (static and dynamic)
  • Analyze malicious code using assembly, debugging, and Windows/Linux API insights
  • Perform practical reverse engineering of complex malware samples in multiple languages (e.g., .NET, Go)

Public and prerequisites

This training is suitable for people who already have some experience with x86 assembly or who have already undertaken program analysis (for example, observing malware in a sandbox). It is aimed at everyone involved in handling malware, particularly security teams (SOC, CSIRT), and at anyone wishing to improve their skills on this subject.

  • SOC analysts

  • CSIRT analysts

Basic Windows/Linux knowledge is recommended to better understand how malware works.

Content

Day 1

First-level qualification of a code sample: OSINT, automated sandboxes. Working environment: installation of an analysis environment (isolated/open) to process malicious code. PE/ELF structure: understanding the formats and the aspects used by malware. Static and dynamic code analysis: concepts and simple examples.

Day 2

x86(-64) assembly: first steps, control of the execution flow and important instructions. Windows/Linux: suspicious APIs used by malicious code that an analyst should know. Disassembler 101: getting started, the case of decompilers. Debugger 101: getting started, step-by-step study and breakpoints.

Day 3

Reverse engineering of real-world malware: PE malware, ELF malware, observation of interactions with the operating system. Malicious scripts: PowerShell deobfuscation and shellcode emulation. Analysis of concealment techniques: LNK, HTA files.

All the details regarding how the training is conducted are described on this page.