Course Overview
Arm yourself with knowledge and bring the fight to the bad guys! Practical Malware Analysis & Triage (PMAT) brings the state of the art of malware analysis to you in engaging instructional videos and custom-made, practical labs.
Welcome to Practical Malware Analysis & Triage. I’m Matt, aka HuskyHacks, and I’m excited to be your instructor for this course. I had a blast putting it together and I hope that you will come along with me and learn the art of splicing, slicing, inspecting, and dissecting malware samples.
Featuring two malware analysis lab build options: local virtual machines and a rapid-deployable cloud malware analysis network! Learn how to spin up a malware analysis network on AWS from anywhere in the world!
Skill Level
Basic-Plus to Intermediate. The course includes a selection of advanced topics. All concepts are taught in an accessible, foundational manner.
Language
English with optional English subtitles.
Why this course?
This course is centered on practical labs that bring malware samples to bear in a safe, controlled environment.
First, you will learn to handle malware safely and construct an isolated lab environment. Then, you will learn the basics of malware analysis on samples designed to teach you the core analysis concepts. As the labs progress, the level of offensive tradecraft employed by these samples grows.
By the end of the course, you’ll be using automated workflows and advanced analysis to extract key facts about real-world specimens.
Finally, and most importantly, you’ll learn the keys to writing detection rules and triage reports to tell the world what you have learned.
Who should take this course?
- IT professionals of all skill levels who are looking to gain foundational knowledge of malware analysis.
- Network defenders looking to deepen their knowledge of the state of the art of malware analysis.
- Penetration Testers/Red Teamers looking to pick up the skill of malware analysis to increase tradecraft/provide higher threat emulation fidelity.
- Anyone who wants to learn an in-demand skill set and bring the fight to the bad guys!
Requirements:
- Basic IT knowledge.
- Knowledge of the general classes of malware (virus, trojan, worm, etc). Knowledge of how these malware classes function on the technical level is not required.
- Comfort in the command line of Linux and Windows. All tools and techniques taught in the course are explained step-by-step but working knowledge of Bash and the Windows command prompt is recommended.
- For a local lab build, you need:
- A computer that:
- Has at least 6GB of available RAM.
- Has at least 40GB of available storage.
- Can run Oracle VirtualBox and host two lab virtual machines at the same time (with the option to host a third for additional development).
- Has an internet connection.
- For a cloud malware analysis lab, you need:
- An AWS account and a way to pay for AWS resource utilization.
- Knowledge of x86 Assembly and other low level computer programming concepts is not required.
Recommendations:
- Familiarity with programming concepts is recommended but not required.
- Familiarity with offensive cybersecurity Tactics, Techniques & Procedures (TTPs) will be helpful but is not required.
Course Topics
- Safety Always! Build good habits for handling malware safely and create an analysis lab.
- Safe Malware Sourcing. Learn where to source malware samples safely (no need for the dark web!).
- Basic Analysis. Learn basic analysis methodology, including interpreting strings, inspecting Windows API calls, identifying packed malware, and discovering host-based signatures. Then, detonate malware to collect network signatures and identify malicious domains and second-stage payloads!
- Intro to the x86 Assembly Language. Dip your toes into the low-level world of Assembly Language! Learn the foundations of x86 Assembly and use it to perform advanced analysis.
- Advanced Analysis. Use sophisticated tools like Cutter and x32dbg to discover key insights about malware samples at the lowest possible level. Control the execution flow of a program and manipulate its low-level instructions in a debugger.
- Patch It Out: Binary Patching & Anti-analysis. Learn the crafty practice of patching binaries at the ASM level to alter the flow of their programs. Then, learn to identify and defeat anti-analysis techniques.
- Gone Phishing. Learn to analyze malicious documents and document-delivered malware, including malicious macros and remote template injections.
- What the Shell? Learn to identify and carve out embedded shellcode.
- Off Script. Identify scripted, obfuscated malware delivery techniques that use PowerShell and Visual Basic Script.
- Stay Sharp. Decompile and reverse engineer C# assemblies and learn about reverse engineering the .NET Framework! Then, reverse engineer an encrypted malware C2 dropper back to near-perfect original source code with DNSpy!
- Go Time. Learn the analysis considerations of malware written in Go.
- Get Mobile! Use MobSF to reverse engineer malicious Android applications.
- The Bossfight! Use everything you have learned to do a full analysis of one of the most infamous malware samples in history.
- Automating the Process. Use Jupyter Notebooks and malware sandboxes to automate the analysis process.
- Tell the World! Write YARA rules to aid in the detection of malware samples and learn how to write effective analysis reports to publish findings.
- Course Final. Apply everything you’ve learned to display your mastery of the art and science of malware analysis!
What will I receive from this course?
- Access to the student-only channel on Discord to receive support from the instructor and other students.
- Access to 9+ hours of engaging, instructional video content.
- Access to the PMAT Lab repository containing dozens of malware samples designed to teach you the fundamentals.
- Course completion certificate.
Cyril H., Cybersec Padawan
“Practical Malware Analysis and Triage, another WAY-beyond-expectation installment in the TCM Academy library! The course progression is excellent, with practical, walk-along exercises in a majority of the videos. I particularly enjoy the rate-of-flow from Husky's pedagogical style -- it has a pristine blend of step-by-step instruction alongside a pace that deters distraction or boredom. Thanks Husky!”
David R., Cybersecurity Student
“It's a fantastic course packed to the brim with information. Everything is explained in a way that makes it very easy to understand. Instead of just spitting information at you, there are built-in challenges that give you an opportunity to put your understanding to the test. This is one if the highest quality courses I've taken in a while, and I couldn't be happier with it.”
Syed H., Security Engineer, DFIR
“The course curriculum is properly designed to take an analyst from the start till the end. I loved how Matt explained concepts to ensure everyone could be on the same playing field.… Should you get it? YES.”
Course Curriculum - 10+ Hours
- Lab Network Options: Local VMs vs. AWS Cloud Lab
- Downloading VirtualBox (2:29)
- Downloading Windows 10 (2:05)
- Setting Up the Windows 10 VM (8:12)
- Downloading REMnux (1:10)
- Installing REMnux (2:05)
- Installing FLARE-VM (16:45)
- Analysis Network Setup (7:26)
- INetSim Setup (13:16)
- Host-only Safety & Internal Networks
- Lab VM Repo Link
- Rapid-deployable Cloud Malware Analysis Lab Setup
- Course Lab Repo Link
- Course Lab Repo Download & Lab Orientation (4:00)
- Taking a Snapshot Before First Detonation (1:29)
- Detonating Our First Sample (5:57)
- Tool Troubleshooting (5:05)
- Course Tool List & Resources
- Basic Malware Handling (8:52)
- Safe Malware Sourcing & Additional Resources (6:50)
- Hashing Malware Samples (3:45)
- Malware Repositories: VirusTotal (2:49)
- Strings & FLOSS: Static String Analysis (8:03)
- Analyzing the Import Address Table (7:36)
- Introduction to the Windows API (6:00)
- MalAPI.io (4:08)
- To Pack Or Not To Pack: Packed Malware Analysis (9:42)
- Combining Analysis Methods: PEStudio (6:45)
- Identifying Malware Capabilities & Intro to MITRE ATT&CK
- Note Review (1:59)
- Basic Dynamic Analysis Intro: Host and Network Indicators (3:39)
- Initial Detonation & Triage: Hunting for Network Signatures (8:44)
- Host-Based Indicators: Procmon Part I (7:44)
- Host-Based Indicators: Procmon Part II (6:06)
- Dynamic Analysis of Unknown Binaries Part I: Analyzing Wireshark (13:02)
- Dynamic Analysis of Unknown Binaries Part II: Host-Based Indicators (21:19)
- Analyzing a Reverse Shell Part I: Correlating IOCs (18:12)
- Analyzing a Reverse Shell Part II: Parent-Child Process Analysis (6:43)
- Intro to Advanced Analysis & Assembly Language (10:01)
- Disassembling & Decompiling a Malware Dropper: Intro to Cutter (8:46)
- x86 CPU Instructions, Memory Registers, & the Stack: A Closer Look (13:06)
- Revisiting the Dropper: Assembly Instructions and the Windows API (8:17)
- Hello, World! Under a Microscope Part I (18:31)
- Advanced Analysis of a Process Injector (16:56)
This course is included in our
All-Access Membership
starting at $29.99/month
Get full access to the Practical Malware Analysis and Triage course and our full course catalog when you enroll in our All-Access Pass Membership.
About the Instructor
Matt Kiely (HuskyHacks) is a seasoned practitioner with 10 years of experience in IT and cybersecurity. Matt has worked as a Lead Cybersecurity Analyst at the Massachusetts Institute of Technology Lincoln Laboratory Space Research Division, Red Team Operator & Exploit Developer at a large financial institution, Principal Cybersecurity Content Architect & Instructor at SimSpace, and served as a United States Marine.
Matt holds a Bachelor of Science in Information Technology from Northeastern University and a Graduate Certificate in Cybersecurity from the Rochester Institute of Technology. Some of Matt's professional certifications include OSCP, eCPPT, eCPTX, CRTO, and CRTP.
Follow Matt on Social Media:
GitHub - https://github.com/HuskyHacks
Twitter - https://twitter.com/HuskyHacksMK
YouTube - https://www.youtube.com/channel/UCtJgZIyoZ0wIKEzctj_8pZQ
Blog - https://huskyhacks.dev
Courses Included in the All-Access Membership
Frequently Asked Questions
Can I get a refund if I'm unhappy with my purchase?
Yes. All courses come with a 24-hour money-back guarantee.
Will I receive a certificate of completion when I finish a course?
Yes. All courses come with a certificate of completion.
Do the courses count as Continuing Education Units (CEUs)?
Yes. Every certificate of completion comes with the total CEUs earned listed on the certificate.
What is the All-Access Pass?
As of July 1st, 2023 TCM Academy transitioned to a monthly subscription model, where you now receive full access to all of the courses on our platform for as long as your subscription remains active.
What if you already own courses on TCM Academy?
If you already own a course on our platform, you will continue to own that course forever. Previously owned courses will not be affected by this change.
I can see the course, but it won’t load or play. What should I do?
We use Cloudflare to protect our course platform and unfortunately, it does not play nice with VPNs. If you are experiencing issues, turn off your VPN and try again. If that does not solve the issue, please contact our support team at [email protected] and we will help you out.