The Art of Modern Malware Analysis: Initial Infection Malware, Infrastructure, and C2 Frameworks

Presented at DEF CON 30 (2022), Aug. 12, 2022, 9 a.m. (240 minutes)

Threat actors go to great lengths to bypass enterprise security to deliver malware, avoid detection after the initial intrusion, and maintain persistence to compromise an organization. To achieve this, threat actors employ a wide variety of obfuscation and anti-analysis techniques at each phase of an attack. Often, Malware-as-a-Service (MaaS) is leveraged. In this workshop, you will get hands-on experience with real-world malware and learn how to identify key indicators of compromise (IOCs), apply analysis to enhance security products to protect users and infrastructure, and gain a deeper understanding of malware behavior through reverse engineering. Our workshop focuses on MaaS samples and their prevalence in attacks. We will break down various MaaS samples and show how they function. We will review attacker-controlled infrastructure to show how Command and Control (C2) features are successful within YOUR (hopefully not YOUR!) environment. We will conclude with an analysis of the world’s #1 C2 infrastructure: Cobalt Strike (CS). We will break down the CS infrastructure, show how Malleable C2 profiles function, and show you how to extract and analyze profile configurations from script- and PE-based payloads alike. Students will be provided with all the lab material used throughout the course in a digital format. This includes all lab material, lab guides, and virtual machines used for training. The material provided will help to ensure that students have the ability to continue learning well after the course ends and maximize the knowledge gained from this course. Whatever isn’t covered during the class, or whatever the student wants to focus on later, will be available. Materials: Linux/Windows/Mac desktop environment A laptop with the ability to run virtualization software such as VMWare or VirtualBox Access to the system BIOS to enable virtualization, if disabled via the chipset Ability to temporarily disable anti-virus or white-list folders/files associated with lab material A laptop that the attendee is comfortable handling live malware on Enough disk space to store at least two 40 GB VMs, although more VMs may be used 16GB of RAM preferred to run all VMs simultaneously Prereq: The primary requirement for this course is a desire to learn and the determination to tackle challenging problems. In addition, having some familiarization with the following topics will help students maximize their time in this course: - A general background in Digital Forensics & Incident Response (DFIR) - Familiarity with blue team-oriented tools - An understanding of general networking concepts

Presenters:

• Ryan J Chapman - IR Practitioner
  Ryan is an experienced IR practitioner, malware analyst, and trainer. He is a Principal IR Consultant for BlackBerry, the lead organizer of CactusCon, a SANS author and trainer, and a Pluralsight author. Ryan strives to imbue comedy into his training and loves being able to teach others while learning from them at the same time. He is a veteran speaker having presented talks and/or workshops at conferences including DefCon, SANS Summits, BSides events, CactusCon, and more. "We must not teach people how to press buttons to get results. We must teach people what happens when these buttons are clicked, such that they fully understand the processes occurring in the background," says Ryan.
• Josh Stroschein - Malware Analyst
  Josh is an experienced malware analyst and reverse engineer who has a passion for sharing his knowledge with others. He is the Director of Training for OISF, where he leads all training activities for the foundation and is also responsible for academic outreach and developing research initiatives. Josh is an accomplished trainer, providing training in the aforementioned subject areas at BlackHat, DerbyCon, Toorcon, Hack-In-The-Box, Suricon and other public and private venues. Josh is an Assistant Professor of Cyber Security at Dakota State University where he teaches malware analysis and reverse engineering, an author on Pluralsight, and a threat researcher for Bromium.
• Aaron Rosenmund - Threat Emulation and Detection Operator
  Aaron Rosenmund is an experienced threat emulation and detection operator. He is the Director of Security Research and Curriculum at Pluralsight, and as the Civilian Red Team Lead for the national DOD exercise Cyber Shield. Part time he serves in the Florida Air National Guard supporting state and federal missions including election support and Operation Noble Eagle (Homeland Defense). An accomplished speaker and trainer, he has over 100 published courses and labs, provided numerous talks and workshops, and continues to support various open source projects. Www.AaronRosenmund.com @arosenmund “ironcat”

Similar Presentations:

• DEF CON 31 (2023) / Digital Forensics and Incident Response Against the Digital Darkness: An Intro to Forensicating Evil Workshop
• AppSec USA 2015 / Training (2 days) : Malware Crash Course
• ekoparty 14 (2018) / To Execute or Not to Execute. How to Build a Malware Execution Lab