Malware and Exploit Essentials

The Malware and Exploit Essentials course will provide deep technical insights for cyber defenders into techniques that malware uses to exploit vulnerabilities and to intrude into systems. Based on an introduction to OS features and analysis techniques, the use of debuggers as the most important tools for exploit research and methods for vulnerability detection like fuzzing will be discussed and then trained in hands-on exercises.

IMPORTANT NOTICE

Due to the COVID-19 situation this course MIGHT be held as an online course and in that case the confirmed students DON’T HAVE TO TRAVEL to Estonia, and in that case they don’t have to buy flight tickets and don’t have to book accommodation in Tallinn. 

If the course will be held online, then all of the technical details to join the course will be shared with the confirmed participants until 3rd of May, 2021 and the Administration fee will be reimbursed for the participants. 

Learning Objectives

  • Introduction into memory, assembly language and compiling
  • Usage of debuggers (GDB, Immunity Debugger, WinDBG)
  • Basic exploitation techniques on Linux and Windows systems
  • Introduction to fuzzing
  • Understand operating system mechanisms like ASLR, SEH and DEP and how they get bypassed
  • Basic static (IDA Pro), dynamic (OllyDbg) and behavior analysis on different malware samples
  • IOC’s writing (Yara)
  • Hands-on training of all the learned techniques

Target Audience

  • Technical staff of CERTs, IT departments or other governmental or military entities being involved in technical IT security or cyber defence.

Outline

  • Introduction:
    • Course Introduction.
    • Malware and Exploits – basics and definitions.
  • Modern OS environment:
  • Creating a program.
  • Compilation, linking, shared libraries, sections of program.
  • Assembly introduction, AT&T vs. Intel syntax, endianness.
  • Debuggers:
    • Static and dynamic program analysis.
    • Getting info about binaries.
  • Buffer overflows:
  • Concept of stack frame and local variables of function.
  • Buffer overflows without ASLR and NX/XD techniques.
  • Return-to-system and chaining.
  • Protective mechanisms and common exploitation ideas:
  • Canaries, non-executable stack.
  • Structured Exception Handler (SEH).
  • Address space layout randomization (ASLR).
  • Data Execution Prevention (DEP)
  • Return-Oriented-Programming (ROP)
  • Examining static properties of suspicious programs
    • Static analysis (IDA Pro)
  • Performing behavioral analysis of malicious Windows executables
    • Inetsim, FakeDNS, Wireshark
  • Performing dynamic code analysis of malicious Windows executables
    • Dynamic analysis (OllyDbg, WinDgb)
  • Determining the network and host-based indicators (IOC)
    • IOC’s writing (Yara)

Prerequisites

  • Good work/administration experience in the Linux and Windows environments, especially command line.
  • Basic understanding of assembler and higher programming languages (optional).
  • Programming experience in assembler, C(++) or PYTHON (optional).
  • English language skill comparable to STANAG 6001, 3.2.3.2.

NB! Please be aware of the strong technical nature of this course: this is not a course for beginners. Note that we most strongly discourage the participation of students who do not fulfil the prerequisites, since the course contains advanced lab sessions assuming this knowledge. Therefore, the presence of unskilled attendees is likely to hinder the overall progress of the course.

Registration

Registration opens on 22nd of  February, 2021. Applicants from CCDCOE member nations should use the registration code provided by their national Point of Contact. An email confirming the participation will be sent only after the registration has closed.

If you have any questions or issues with registration, please contact [email protected]