A Crash Course in Assembly for Malware Reverse Engineers
9:15 am - 5:30 pm
Do you analyze malware in a sandbox but get lost when there are limited results and you need to read the assembly to know why? If you want to dig into the malicious assembly code but don't know how to start, this class is for you. This lab-based workshop will introduce everything you need to get started analyzing malware down at the code level. We will review all the fundamentals: tools, assembly instructions, memory layout, calling conventions, essential APIs, common programming patterns, and more. On top of the fundamentals, you will learn strategies to put everything together and actually analyze malicious assembly code to discover Indicators of Compromise (IOCs) not visible in a sandbox. Our goal is for you to start viewing assembly code as source code, no different from reading C or Java. You won't be a malware expert after just one course, but you will come away with everything you need to practice and progress from a triage analyst all the way up to a true malware reverse engineer.
- Students should have an entry level understanding of programming in any language. A general idea of malware analysis goals will be helpful, but is not necessary.
- Students must bring a 64-bit laptop with:
  * VirtualBox or VMWare Workstation installed (VMWare Workstation Player is acceptable)
  * 25GB of free disk space to install a provided analysis VM
  * 8GB of RAM
  * 1 USB slot
  * Internet connectivity
Adam Gilbert is an avid security researcher and founder of AGDC Services, a boutique computer security firm which provides malware analysis training and consulting services. He has 10+ years of infosec experience and an M.S. in Electrical and Computer Engineering, but his knowledge isn't academic. It comes from digging down deep into malware to reverse engineer every aspect. Translating complex malware techniques into understandable concepts for fellow security practitioners is a truly rewarding experience that Adam is passionate about.
Atomic Red Team is an open source project that helps you measure, monitor and improve your security controls by executing simple "atomic tests" that are mapped directly to the Mitre ATT&CK Framework. This class will provide an overview of the Mitre ATT&CK framework and give you in-depth, hands-on knowledge of how to execute atomic tests that exercise many of the techniques defined in Mitre ATT&CK. You will be provided with access to a Windows 10 virtual machine where you can safely experiment with running a variety of atomic tests during class. At the end of this class you will have the knowledge to execute these atomic tests within your own test environment, where you can create and validate detections in a scriptable and consistent way.
A computer that can connect via Remote Desktop Protocol (RDP) to another computer on the internet.
Darin Roberts is a Security Analyst for Black Hills Information Security, where he performs a variety of penetration tests. He has a BS in Computer Information Technology and holds several GIAC Security certifications. He writes helpful blog posts and contributes to open source tools, including Atomic Red Team and The Domain Password Audit Tool. He has years of experience teaching in public school systems at the high school level, both online and in person. He loves to teach and give back to the community.
Computer forensics is a skill that is widely in demand and with good reason. As organizations obtain more visibility into their environments, more compromises are detected and the need to determine what happened grows.
In my experience, skills are learned faster by doing rather than watching. Therefore, this course will be taught differently than most in that it is solely composed of labs. Participants will work through a number of exercises where they analyze various aspects of Microsoft Windows using computer forensics on one or more compromised systems. Each lab will start with a brief introduction, followed by the lab itself. After an allotted time has passed, the techniques used to analyze the system and answer the questions will be discussed.
Sample skills that will be utilized in the labs include analyzing logs, the file system, the registry, and memory. In addition to the class labs, students will be given additional labs to perform on their own and at their own pace. This course is designed for those with different Windows forensics skill levels, from beginners to experts, so there will be challenges for everyone. However, the labs chosen will be tailored to the overall skill level of the class.
Required Materials: Laptop
Tyler Hudak has more than 20 years of extensive real-world experience in incident handling, malware analysis, computer forensics, and information security for multiple Fortune 500 firms. He has spoken and taught at a number of security conferences on the topics of malware analysis, incident response, and penetration testing, and brings his front line experience and proven techniques to bear in his training. He is currently the Practice Lead of Incident Response for TrustedSec.