SANS CDI 2019

Washington D.C

SANS Cyber Defense Initiative (CDI) is held in DC each year, and it’s usually the last big SANS event of the year. I truly wish I had more time to explore this place! However, getting up at 7am, sitting in class ‘til 5/6pm, then attending the night talks and participating in Netwars pretty much took up the full day, every day, during my entire week. Despite that, I did get to explore on the very last day with a few of my old coworkers from Target! We went on a little tour of DC and it was a blast! :)

FOR610

This class was one of my favorite classes that I have ever taken. It was very content heavy, and I felt like I learned a ton EACH day after class. The demographic was pretty diverse, from professional reverse engineers to hobbyists to complete beginners. The week went something like this:

Day 1 was an intro to malware analysis. We were taught static malware analysis through analyzing the PE headers, and behavioral analysis through tools like ProcMon, ProcDot, Process Hacker, Regshot, etc. Essentially, seeing what type of network connections a malware sample makes once it runs, what additional files it downloads, what it adds to the registry, and what information it tries to collect or send.

Day 2 was ALL assembly. We went over the stack, all the registers, how data is stored, different instructions, control flow, and how to use and navigate around IDA and x32/x64dbg. Honestly, I ended the day feeling like my brain was going to explode :’).

Day 3 was on analyzing malicious documents such as Word docs, PDFs, RTF, and JavaScript.

Day 4 was in-depth malware analysis. We went over how to recognize packed malware, how to unpack it, and how to use a debugger to dump a running process’s memory to read strings and produce the unpacked malware. We also went over code injection, API hooking, and malware memory forensics.
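As an added example (my own code, not from this post or the SANS course material): a small Python walker for the PE headers covered on Day 1, with per-section Shannon entropy as the kind of packing hint covered on Day 4. The PE image it parses is constructed inline (a plain .text section plus a high-entropy UPX1 section) so it runs offline, and the 7.0 entropy threshold is an assumption.

```python
import hashlib
import math
import struct

PACKED_ENTROPY = 7.0  # assumed threshold: compressed/encrypted bytes sit near 8 bits per byte

def shannon_entropy(data: bytes) -> float:
    """Bits per byte over a section's raw contents (0 = constant data, 8 = uniformly random)."""
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)] if n else []
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table, like a PE viewer does."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        name, _, vaddr, rsize, rptr, *_, schars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                         "raw_size": rsize, "entropy": shannon_entropy(data[rptr:rptr + rsize]),
                         "characteristics": schars})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "pe32plus": magic == 0x20B, "entry_point": entry, "sections": sections}

def packed_sections(info: dict) -> list:
    """Section names whose raw bytes look compressed or encrypted, a common packing hint."""
    return [s["name"] for s in info["sections"] if s["entropy"] > PACKED_ENTROPY]

def build_sample_pe() -> bytes:
    """Constructed (not real malware) two-section PE32: plain .text plus a high-entropy UPX1."""
    text = b"\x90\xc3" * 256                                                  # NOP/RET filler
    upx1 = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))  # 512 pseudo-random bytes
    opt_size, raw0 = 28, 512                            # PE32 standard fields only; 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)    # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5DD00000, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, len(text), 0, 0, 0x1000, 0x1000, 0x2000)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw0, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b"UPX1", len(upx1), 0x2000, len(upx1), raw0 + len(text), 0, 0, 0, 0, 0xE0000040)
    img = dos + b"PE\0\0" + coff + opt + sec
    return img + b"\0" * (raw0 - len(img)) + text + upx1
```

Running `packed_sections(parse_pe(build_sample_pe()))` flags only UPX1; on a real file, pair a high-entropy section with a tiny import table before calling it packed.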

Day 5 was on self-defending malware and how it hides. It was pretty interesting to see how malware can detect whether it is currently running in a sandbox and stay dormant if so, or exhibit different behaviors to make it difficult to analyze. It does this by enumerating the process list, expecting some type of click, or measuring how long it takes to go from one instruction to the next (tick time), because if it’s taking too long then it’s being debugged, etc.

Day 6 was a CTF to tie together all of the concepts learned in class over the past week!

I learned SO much this week, and would absolutely recommend this class to anyone who’s interested. I understand a lot more about how to read API documentation to see what values are being passed around (bless MSDN), how malware hooks into different APIs, and how it injects code into different processes and tries to avoid detection. I took away the ability to correlate and understand how some EDR tools work. It made me realize how some EDR platforms would alert with false positives on benign software, as they probably have some wrapper around sensitive processes that often get hooked into (lsass, smss, mshta, etc.) and fire an alert if they detect a program doing that (although, it could just be people writing bad software! :))

Netwars - Tournament of Champions

For those who have won a Netwars CORE event before, this is THE event where SANS invites all the winners together to compete for the very top spot! Right before the event, they held a little happy hour/social event for all the invited players to network and form groups. I was stuck in my malware class until 5:30pm, so I only got to sneak out for 5 minutes to check in and grab my stuff. Look at ALL this swag I got from this event…

Overall, super fun trip! My brain is pretty darn fried and I need to take a nap for the next 10 days or so.