Advanced Windows Malware Analysis

Recent Windows malware use various techniques to avoid easy detections and analysis. This course focuses on the recent PowerShell and Office threats and supply chain attack analysis. Using dynamic and static analysis methods, you will learn how to achieve full deep analysis on the PE and non-PE threats in general.

Part 1. Office/PowerShell Threat Analysis

  • Objectives:
    • Learn the current living-off-the-land malware threat landscape
    • Learn methods to dissect Office files using public and private tool sets
      • Learn structure of OLE (stream storage)
      • Learn basic XML based Office file structure
    • Learn methods to decode very complicated PowerShell threats
      • Using PowerShell events and AMSI
      • Using automated PowerShell analyzer - PowerShellRunBox

Analysis Targets

  • Office Threat (APT)
    • Office Macro abuse
    • Obfuscated PowerShell
    • Living-Off-The-Land attack
  • Office Exploit Without Macro (Commodity Malware)
    • Encrypted Office document
    • Office exploit
  • Pure PowerShell Malware (Commodity Malware)
    • DNS C2 channel
    • Pure PowerShell malware
    • PowerShell persistency

Part 2. PE Threat Analysis

  • Objectives
    • Understand usual mechanism of supply chain attacks in general
    • Learn methods to analyze very complicated muti-stage shellcode
      • Using static and dynamic analysis methods and tricks
    • Learn methods to remove multi-level obfuscations against disassemblers (using IDAPython)
    • Learn usual migration mechanism used with PE threats
      • Process injection
      • Process hollowing
      • Learn how to acquire artifacts and apply dynamic and static analysis methods

Analysis Targets

  • Impactful PE threat
    • Supply chain attack
    • Anti-disassembly: jmp Obfuscator
    • Multi-stage shellcode
    • Encoded shellcode
    • DGA
    • Process injection