Malware Analysis & Persistence Training

    Course content

    The Malware Analysis & Persistence Training is an intensive, hands-on program designed to equip cybersecurity professionals with the essential skills required to dissect, understand, and defend against malware threats. This course provides participants with both theoretical knowledge and practical experience in analyzing malicious software, enabling them to uncover the inner workings of malware and its potential impact on systems and organizations.

    Participants will gain a comprehensive understanding of the malware ecosystem, exploring various types of threats such as trojans, ransomware, spyware, worms, and advanced persistent threats (APTs). The training emphasizes the use of both static and dynamic malware analysis techniques, allowing attendees to analyze the structure of malicious code as well as monitor its behavior in real time within sandbox environments. Through reverse engineering, participants will learn how to dissect obfuscated or encrypted malware using industry-standard tools, uncovering the logic and functions hidden within binaries.

    In addition, the course will cover essential methods for identifying and extracting Indicators of Compromise (IOCs), such as file hashes, malicious URLs, IP addresses, and domain names, which can enhance detection and alerting capabilities. Participants will also build practical skills in threat mitigation and incident response, learning how to quickly contain and neutralize malware in live environments. Throughout the training, attendees will engage in real-world labs and simulations, working with live malware samples to apply their newly acquired analysis techniques and respond to modern cyber threats effectively.

    Furthermore, the course will provide proficiency in utilizing a range of malware analysis tools, including debuggers, disassemblers, and behavior monitoring systems, empowering professionals to respond with confidence to emerging malware challenges. Additionally, the training equips students with skills in disk acquisition, data recovery, and forensic analysis, enabling them to extract and investigate critical system artifacts, track program activity, and analyze network data for comprehensive investigations.

    Programme

    Module 1: APT Attacks & Investigation 
    • Understanding advanced persistent threats
    • The attacker's tactics, techniques & procedures (MITRE ATT&CK)
    • The Incident Response Process for malware attacks
    • The APT Attack Vectors
    • Types of malware
    • Malware analysis process
    • Walkthrough of setting up the isolated lab environment 
    Module 2: Understanding information gathering and timelining 
    • The main goals of digital forensics and timeline analysis
    • Analyzing Windows Change Logs to detect recent file changes
    • Analyzing Prefetch files to detect loaded processes
    • Creating the attack timeline & understanding its root cause
    • Deep Dive into NTFS Artifacts for Hidden Malware Files
    • Extracting Timestamps from Master File Table (MFT)
    • Hunting Deleted Malware Files via $LogFile & $UsnJrnl
    Module 3: Common Persistence Used by Malware 
    • The Role of Persistence in Malware Operations
    • Common Threat Actors Leveraging Persistence
    • Case Study: Malware Families with Strong Persistence (e.g., APT29, Stuxnet, TrickBot)
    • Analyzing registry hives & detecting persistent malware samples
    • Scheduled Tasks & Windows Services
    • Details of Hiding Services
    • Startup Folder & WMI Event Subscription
    • Other techniques
    Module 4: Uncommon Persistence Mechanisms Used by Malware 
    • DLL Sideloading and Hijacking Techniques
    • Exploiting Legitimate Application Dependencies
    • Demonstration of DLL Injection Techniques
    • Kernel-Level Persistence
    • Hidden Processes & DKOM (Direct Kernel Object Manipulation)
    • Living off the Land (LotL) Techniques:
      Fileless Malware Persistence 
      Abusing Built-in Tools (PowerShell, WMI, MSHTA)
    • NTFS Alternate Data Streams (ADS) for Hiding Executables
    • Process Hollowing & Process Doppelgänging
    • Application Shimming for Persistence
    • Abusing Windows Authentication Providers:
      Registering malicious DLLs as credential providers or SSPs (Security Support Providers) 
      Example: Mimikatz injecting SSP for stealing credentials persistently.
    • Other techniques
    Module 5: Introduction to Hunting for Persistence 
    • Log Analysis for Persistence Indicators
    • Memory Forensics with Volatility
    • YARA and Sigma Rules for Persistence Detection
    • Threat Hunting Scenarios in Real-World Attacks
    • Memory acquisition techniques
    • Introduction to Volatility
    • Determining OS of the memory image
    • Volatility commands & modules
    Module 6: Memory Analysis 
    • Identifying suspicious processes through process lists & trees
    • Detecting injected DLLs using Volatility
    • Identifying hidden DLLs
    • Identifying malicious strings, web injects, and more information from the memory dump
    • Finding signs of persistence in memory
    • Hands-on lab exercise: investigating malware-infected memory
    • Detecting injected code inside processes
    • Dumping malicious processes, DLLs, and injected code from memory
    • Hands-on lab exercise: investigating a Stuxnet memory dump
    • Investigating RWX Memory Regions
    • Finding Reflective DLL Injection artifacts.
    Module 7: Disk Analysis - part 1 
    • Introduction to storage acquisition and analysis
    • Drive acquisition
    • Mounting forensic disk images
    • Virtual disk images
    • Signature vs. file carving
    • Introduction to NTFS file system
    • Windows file system analysis
    • Autopsy with other file systems
    • External device usage data extraction (USB usage, etc.)
    • Reviewing account usage
    • Extracting data related to recent use of applications and files
    • Recovering data after deleting partitions
    Module 8: Disk Analysis - part 2 (Storage acquisition and analysis) 
    • Extracting deleted files and file-related information
    • Extracting data from file artifacts like $STANDARD_INFORMATION, etc.
    • Patterns of malicious activity
    • Password recovery
    • Extracting indexing service data
    • Deep dive into AutomaticDestinations (jump lists)
    • Detailed analysis of Windows Prefetch
    • Extracting information about program execution (UserAssist, RecentApps, ShimCache, AppCompatCache, etc.)
    • Extracting information about browser usage (web browsing history, cache, cookies, etc.)
    • Communicator apps data extraction
    • Extracting information about network activity
    • Building timelines
    Module 9: Static Analysis
    • Questions that basic static analysis helps you to answer
    • Investigating the malware's decrypted strings
    • Investigating the malware headers (PE)
    • Understanding malware functionality through imported Windows API calls
    • Detecting packed and encrypted malware & unpacking it automatically
    • Hands-on lab exercise involves analyzing real malware samples
    Module 10: Behavioral Analysis & Sandboxing
    • Questions that behavioral analysis helps you to answer
    • Understanding Behavioral Analysis tools & techniques
    • Deep dive into network forensics for investigating malware network activity
    • Monitoring process, file system, and registry activity
    • Determining the malware indicators of compromise (IoCs)
    • Hands-on lab exercise involves analyzing a real malware sample
    Module 11: Advanced Techniques: Fileless Malware & API Hooking
    • Understanding Process Internals
    • Process & Thread Environment Block Structure
    • Detect & investigate code injection
    • Remote DLL & shellcode injection
    • Process Hollowing (Stuxnet Technique)
    • API Hooking & IAT Hooking
    • Hands-on lab exercise involves investigating malware memory image
    Module 12: Spear-phishing Attacks with Malicious Documents
    • Examining a malicious Office document packed with Visual Basic for Applications (VBA) macro code
    • Examining & Dissecting malicious pdf files
    • Hands-on labs to examine documents packed with malicious macros (real attacks)
    Module 13: Intro To x86/x64 Assembly
    • Understanding CPU registers and assembly instructions
    • Dive deeper into the assembly language and memory handling
    • Reversing assembly code blocks into a higher-level language (C++)
    • Dealing with local & global variables 
    Module 14: Intro to Code Analysis & Malware Functionalities
    • Intro to real malware code analysis
    • Droppers & Downloaders
    • Maintaining Persistence
    • Keylogging
    • Banking Trojans & Man in The Browser (MiTB)
    • Point of Sale Malware (POS)
    • Understanding Indicators of Compromise (IoCs)
    • Analyze a real malware sample
    • Write your own YARA rule (Hands-on)
    Module 15: Static & Dynamic Code Analysis In-Depth
    • Basics of IDA Pro
    • Demo: Hands-on labs for static code analysis
    • Basics of OllyDbg/x64dbg
    • Demo: Hands-on labs for dynamic code analysis
    • Investigating Windows API calls
    • What to look for while performing code analysis 
    Module 16: Unpacking Packed Samples
    • Unpacking malware using generic unpackers
    • Manually unpacking malware using a memory breakpoint on execution
    • Dealing with anti-reverse engineering techniques
    Module 17: Dealing with Encryption
    • Understanding & reversing basic encryption algorithms
    • Dealing with complex encryption algorithms, including RC4, AES, and public key encryption
    • Uncovering encrypted strings, Windows API calls, and domains
    • Hands-on lab exercise: analyzing real malware samples
    Module 18: Ransomware by Example (Hands-on Real-world Scenario)
    • Basic analysis of the ransomware
    • Code analysis of the ransomware functionality
    • Understanding its files' encryption algorithm
    • Determine the possibility of decrypting the files & retrieving the key

    Target groups

    • Cybersecurity professionals

    Important information

    This training is held in ENGLISH!

    Course details

      5 days from 3,780.-
      Training ID: MAPT


      What is the ETC knowledge guarantee?

      Would you like to attend your seminar again? The ETC knowledge guarantee makes it possible! Whether due to illness, a change of plans in your company, or to refresh your training know-how: attend your training again free of charge within up to 12 months! No cancellation fees or other additional stress.
