“Dissection” Training

SEC-T₂ion 2017

SEC-T₂ion training is an intimate (small class) highly focused training class that takes place the days before the SEC-T Conference (12-13 September 2017).

The size of the classes has a maximum of 8 people and the training will happen even if there are less students in the classroom. This will maximize the time and value per student while giving the teachers maximum room to adapt the training to student needs. 2017 is the first year we are running the SEC-T₂ion training so the word has so far not spread, we decided to go with two training tracks, one well known (Monappa KAs Malware analysis) and one premiere first time due to popular demand (Jens Steubes Hashcat). If this is popular we promise to expand it next year with more tracks.

Training #1 A practical approach to malware analysis and memory forensics Teacher: Monappa KA (sold-out)

Training #2  Hashcat for IT-forensics Teacher: Jens Steube (sold-out)

Training is ordered together with your SEC-T ticket! Should this look confusing just send us an email to [email protected] and we will help sort you out.

---

Training#1: A practical approach to malware analysis and memory forensics

TEACHER: Monappa KA

Malware analysis and memory forensics are powerful analysis and investigative techniques used in reverse engineering, digital forensics and incident response. With adversaries becoming more sophisticated and carrying out advanced malware attacks on critical infrastructures, Data Centers, private and public organizations, detecting, responding and investigating such intrusions are critical to information security professionals. Malwareanalysis and memory Forensics have become a musthave skill for fighting advanced malwares, targeted attacks and security breaches. This training introduces you to the topic of malware analyis, reverse engineering, Windows internals, and techniques to perform malware and Rootkit investigations of real world memory samples using open source advanced memory forensics framework (Volatility). The training covers analysis and investigation of various real world malware samples and infected memory images(crimewares, APT malwares, rootkits etc) and contains hands on labs to gain better understanding of the subject.

The training provides practical guidance and attendees would walk away with the following skills:

• How malware and Windows internals work
• How to create a safe and isolated lab environment for malware analysis
• What are the techniques and tools to perform malware anlaysis
• How to perform static analysis to determine the metadata associated with malware
• How to perform dynamic analysis of the malware to determine its interaction with process,file system, registry and network
• How to perform code analysis to determine the malware functionality
• How to debug a malware using tools like IDA pro, Ollydbg/Immunity debugger
• What is Memory Forensics and its use in malware and digital investigation
• Ability to acquire a memory image from suspect/infected systems
• How to use open source advanced memory forensics framework (Volatility)
• Understanding of the techniques used by the malwares to hide from Live forensic tools
• Understanding of the techniques used by Rootkits(code injection, hooking etc)
• Investigative steps for detecting stealth and advanced malware
• How memory forensics helps in malware analysis and reverse engineering
• How to incorporate malware analysis and memory forensics in sandbox
• How to determine the network and host based indicators (IOC)
• Techniques to hunt malwares

Day 1:

Introduction to Malware Analysis

• What is Malware
• What they do
• Why malware analysis
• Types of malware analysis
• Setting up an isolated lab environment

Static Analysis

• Fingerprinting the malware
• Extracting strings
• Determining File obfuscation
• Pattern matching using YARA
• Fuzzing hashing & comparison
• Understanding PE File characteristics
• Disassembly
• Demo Static analysis of real malware sample
• Hands-on lab exercise involves analzying real malware sample

Dynamic Analysis/Behavioural Analysis

• Dynamic Analysis Steps
• Understanding Dynamic Analysis tools
• Simulating services
• Performing Dynamic Analysis
• Monitoring process, filesystem, registry and network activity
• Determining the Indicators of compromise (host and network indicators)
• Demo Showing the analysis of real malware sample
• Hands-on lab exercise involves analzying real malware sample

Automating Malware Analysis (sandbox)

• Custom Sandbox Overview
• Working of Sandbox
• Sandbox Features
• Demo Analyzing malware in the custom sandbox

Code Analysis

• Code Analysis Overview
• Disassmbler & Debuggers
• Code Analysis Tools
• Basics of IDA Pro
• Basics of Ollydbg/Immunity Debugger
• Understanding the API calls
• Reversing Malware functionalities(Downloader, dropper, keylogger, code injection, http backdoor)
• Hands-on lab exercise involves analzying real malware sample

Introduction to Memory Forensics

• What is Memory Forensics
• Why Memory Forensics
• Steps in Memory Forensics
• Memory acquistion and tools
• Acquiring memory From physical machine
• Acquiring memory from virtual machine
• Hands-on excercise involves acquiring the memory

Volatility Overview

• Introduction to Volatility Advanced Memory Forensics Framework
• Volatility Installation
• Volatility basic commands
• Determining the profile
• Volatility help options
• Running the plugin

Day 2:

Investigating Process

• Understanding Process Internals
• Process(EPROCESS) Structure
• Process organization
• Process Enumeration by walking the double linked list process relationship (parent child relationship)
• Understanding DKOM attacks
• Process Enumeration using pool tag scanning
• Volatililty plugins to enumerate processes
• Identifying malware process
• Hands-on lab exercise(scenario based) involves investigating malware infected memory

Investigating Process Handles & Registry

• Objects and handles overview
• Enumerating process handles using Volatility
• Understanding Mutex
• Detecting malware presence using mutex
• Understanding the Registry
• Investigating common registry keys using Volatility
• Detecting malware persistence
• Hands-on lab exercise(scenario based) involves investigating malware infected memory

Investigating Network Activities

• Understanding malware network activities
• Volatiltiy Network Plugins
• Investigating Network connections
• Investigating Sockets
• Handson lab exercise(scenario based) involves investigating malware infected memory

Investigation Process Memory

• Process memory Internals
• Listing Dll’s using Volatility
• Identifying hidden Dll’s
• Dumping malicious executable from memory
• Dumping Dll’s from memory
• Scanning the memory for patterns(yarascan)
• Hands-on lab exercise(scenario based) involves investigating malware infected memory

Investigating User Mode Rootkits

• Code Injection
• Types of Code injection
• Remote DLL injection
• Remote Code injection
• Reflective DLL injection
• Hollow process injection
• Demo Case Study
• Hands-on lab exercise(scenario based) involves investigating malware infected memory

Memory Forensics in Sandbox Technology

• Sandbox Overview
• Integrating Memory Forensics in sandbox
• Demo showing use of memory forensics in custom sandbox

Investigating Kernel Mode Rootkits

• Understanding Rootkits
• Understanding Functional call traversal in Windows
• Level of Hooking/Modification on Windows
• Kernel Volatility plugins
• Hands- on lab exercise(scenario based) involves investigating malware infected memory
• Demo Rootkit Investigation

Memory Forensic Case Studies

• Demo Hunting an APT malware from Memory

Who should take this course?

This course is intended for forensic practitioners, incident responders, cyber security investigators, malware analysts, system administrators, software developers, students and curious security professionals new to this field and anyone interested in learning malware analysis and memory forensics.

• Should be familiar with using Windows/Linux
• Should have an understanding of programming concepts, while programming experience is not mandatory.
• Should have basic understanding of malware and its role in cyber attacks

What should students bring?

• Laptop with minimum 4GB RAM and 30GB free hard disk space
• VMware Workstation or VMware Fusion (even trial versions can be used).
• Windows Operating system (preferably Windows 7, even Windows 8 is fine) installed inside the VMware Workstation/Fusion

Note: VMware player or VirtualBox is not recommended for this training.

What students will be provided with

• Course material
• Lab solution material
• Videos used in the course
• Malware samples used in the course/labs
• Memory Images used in the course/labs
• Linux VM (to be opened with VMware Workstation/Fusion) containing necessary tools and samples

About the teacher

Monnappa K A works with Cisco Systems as information security investigator focusing on threat intelligence, investigation of advanced cyber attacks, researching on cyber espionage and APT attacks. He is author of Limon sandbox (for analyzing Linux malwares) and winner of Volatility plugin contest 2016. He is the co-founder of the cyber security research community Cysinfo. His fields of interest include malware analysis, reverse engineering, memory forensics, and threat intelligence. He has presented at security conferences like Black Hat, FIRST, 4SICS-SCADA/ICS summit, DSCI, National Cyber Defence Summit and Cysinfo meetings on various topics which include memory forensics, malware analysis, rootkit analysis, and has conducted trainings at FIRST (Forum of Incident Response and Security teams) conference and 4SICS-SCADA/ICS cyber security summit. He has also authored various articles in Hakin9, eForensics, and Hack[In]sight magazines. You can find some of his contributions to the community in his YouTube channel.

This training has previously been done at Black Hat Asia 2017.

---

TRAINING #2: Hashcat for IT-forensics

Day 1: (Basic)

– Introduction how hashcracking work in general
– Different Attack modes
– Example: Basic wordlist cracking
– Example: Mask attack cracking
– Example: Mask attack cracking with known fixed password substrings
– Example: Mask attack cracking against a known password policy
– Example: Extracting a hash from a TrueCrypt Volume and make it portable
– Example: Cracking a Truecrypt Volume
– Example: Extracting a hash from a LUKS Volume and make it portable
– Example: Cracking a LUKS Volume
– How to use an external password generator to feed hashcat instead of internal attack modes
– Ideal Hardware for cracking
Day 2: (Advanced)

– Distributing work across multiple machines
– How to crack non-english passwords with foreign language special characters
– Example: Modifying a hashcat kernel to support a very long salt which is otherwise not supported by hashcat
– Example: Modifying a hashcat kernel to crack truncated hashes which is otherwise not supported by hashcat
– Example: Cracking a cipher with Known-Plaintext attack with guaranteed success rates
– Handle special requests from the Students