Black Hat quality Trainings
- Malware Analysis and Memory Forensics, by Monnappa
  Description: This hands-on training teaches the concepts, tools and techniques to analyze, investigate and hunt malware by combining two powerful techniques: malware analysis and memory forensics. The course introduces attendees to the basics of malware analysis, reverse engineering, Windows internals and memory forensics, then gradually progresses into more advanced concepts of malware analysis and memory forensics.
  ONLY AVAILABLE IN 2021
- Advanced Web Hacking, by NotSoSecure
  Description: This class teaches the audience a wealth of hacking techniques to compromise modern-day web applications, APIs and associated endpoints. It focuses on specific areas of appsec and on advanced vulnerability identification and exploitation techniques. Attendees learn and practice some neat, new and ridiculous hacks which affected real-life products and have found a mention in real bug-bounty programs. The vulnerabilities selected for the class either typically go undetected by modern scanners or their exploitation techniques are not so well known.
  ONLY AVAILABLE IN 2021
- Hacking and Secure Cloud infrastructure, by NotSoSecure
  Description: This 3-day course cuts through the mystery of cloud services (including AWS, Azure and G-Cloud) to uncover the vulnerabilities that lie beneath. We will cover a number of popular services and delve into both what makes them different and what makes them the same, compared to hacking and securing a traditional network infrastructure.
[deadline - October 18th, 2020]
[from 19th October to 19th November 2020]
The price is the same for all Trainings
Malware Analysis and Memory Forensics, by Monnappa
SOC analysts, incident responders, forensic investigators, penetration testers, network engineers, security architects, security enthusiasts and anyone who wants to take their skills to the next level.
Introduction to Malware Analysis
- What is malware
- What it does
- Why malware analysis
- Types of malware analysis
- Setting up an isolated lab environment
Static Analysis
- Fingerprinting the malware
- Extracting strings
- Determining file obfuscation
- Pattern matching using YARA
- Fuzzy hashing & comparison
- Understanding PE file characteristics
- Disassembly
- Hands-on lab exercise: analyzing a real malware sample
Dynamic Analysis / Behavioural Analysis
- Dynamic analysis steps
- Understanding dynamic analysis tools
- Simulating services
- Performing dynamic analysis
- Monitoring process, filesystem, registry and network activity
- Determining the indicators of compromise (host and network indicators)
- Demo – static & dynamic analysis of a real malware sample
- Hands-on lab exercise: analyzing a real malware sample
Automating Malware Analysis (Sandbox)
- Custom sandbox overview
- Working of a sandbox
- Sandbox features
- Demo – analyzing malware in the custom sandbox
Code Analysis
- Code analysis overview
- Disassemblers & debuggers
- Code analysis tools
- Basics of IDA Pro
- Basics of OllyDbg/x64dbg
- Understanding the API calls
- Reversing malware functionalities (downloader, dropper, keylogger, code injection, HTTP backdoor)
- Hands-on lab exercise: analyzing a real malware sample
Introduction to Memory Forensics
- What is memory forensics
- Why memory forensics
- Steps in memory forensics
- Memory acquisition and tools
- Acquiring memory from a physical machine
- Acquiring memory from a virtual machine
- Hands-on exercise: acquiring memory
Volatility Overview
- Introduction to the Volatility Advanced Memory Forensics Framework
- Volatility installation
- Volatility basic commands
- Determining the profile
- Volatility help options
- Running a plugin
Investigating Processes
- Understanding process internals
- Process (EPROCESS) structure
- Process organization
- Process enumeration by walking the doubly linked list
- Process relationships (parent-child relationship)
- Understanding DKOM attacks
- Process enumeration using pool tag scanning
- Volatility plugins to enumerate processes
- Identifying the malware process
- Hands-on lab exercise (scenario-based): investigating malware-infected memory
Investigating Process Handles & Registry
- Objects and handles overview
- Enumerating process handles using Volatility
- Understanding mutexes
- Detecting malware presence using mutexes
- Understanding the Registry
- Investigating common registry keys using Volatility
- Detecting malware persistence
- Hands-on lab exercise (scenario-based): investigating malware-infected memory
Investigating Network Activities
- Understanding malware network activities
- Volatility network plugins
- Investigating network connections
- Investigating sockets
- Hands-on lab exercise (scenario-based): investigating malware-infected memory
Investigating Process Memory
- Process memory internals
- Listing DLLs using Volatility
- Identifying hidden DLLs
- Dumping malicious executables from memory
- Dumping DLLs from memory
- Scanning memory for patterns (yarascan)
- Hands-on lab exercise (scenario-based): investigating malware-infected memory
Investigating User-Mode Rootkits & Fileless Malware
- Code injection
- Types of code injection
- Remote DLL injection
- Remote code injection
- Reflective DLL injection
- Hollow process injection
- Demo – case study
- Hands-on lab exercise (scenario-based): investigating malware-infected memory
Memory Forensics in Sandbox Technology
- Sandbox overview
- Integrating memory forensics into a sandbox
- Demo – the use of memory forensics in a custom sandbox
Investigating Kernel-Mode Rootkits
- Understanding rootkits
- Understanding function call traversal in Windows
- Levels of hooking/modification on Windows
- Kernel Volatility plugins
- Hands-on lab exercise (scenario-based): investigating malware-infected memory
- Demo – rootkit investigation
Memory Forensic Case Studies
- Demo – hunting an APT malware in memory
Students should:
- Be familiar with using Windows/Linux
- Have an understanding of basic programming concepts; programming experience is not mandatory.
System Requirements:
- Laptop with a minimum of 6 GB RAM and 40 GB of free hard disk space
- Laptop with USB ports. The lab samples and the custom Linux VM will be shared via USB sticks
- VMware Workstation or VMware Fusion (even trial versions can be used)
- Windows operating system (preferably Windows 7 64-bit; Windows 8 and above are also fine) installed inside VMware Workstation/Fusion. You must have full administrator access to the Windows operating system installed inside VMware Workstation/Fusion.
Note: VMware Player or VirtualBox is not suitable for this training. The lab setup guide will be sent to you after registration.
Minimum 7
Maximum 20
Monnappa K A works for Cisco Systems as an information security investigator focusing on threat intelligence, investigation, and research of cyber espionage and advanced cyber attacks. He is the author of the best-selling book “Learning Malware Analysis” and a member of the Black Hat review board. He is the creator of the Limon Linux sandbox and winner of the 2016 Volatility plugin contest. He is the co-founder of the cybersecurity research community “Cysinfo” (https://www.cysinfo.com). His fields of interest include malware analysis, reverse engineering, memory forensics, and threat intelligence.
He has presented at various security conferences including Black Hat, FIRST, SEC-T, 4SICS-SCADA/ICS summit, DSCI, National Cyber Defence Summit and Cysinfo meetings on topics including memory forensics, malware analysis, reverse engineering, and rootkit analysis. He has conducted training sessions at Black Hat, BruCON, OPCDE, FIRST (Forum of Incident Response and Security Teams), SEC-T and the 4SICS-SCADA/ICS cyber security summit. He has also authored various articles in eForensics and Hakin9 magazines. You can find some of his contributions to the community on his YouTube channel (http://www.youtube.com/c/MonnappaKA) and read his blog posts at https://cysinfo.com.
Advanced Web Hacking, by NotSoSecure
Attendees also benefit from a state-of-the-art Hacklab, and 30 days of lab access after the class can be provided to allow attendees more practice time.
If you wonder:
Web developers, SOC analysts, intermediate-level penetration testers, DevOps engineers, network engineers, security architects, security enthusiasts and anyone who wants to take their skills to the next level.
Attacking Authentication and SSO
- Token hijacking attacks
- Logical bypass / boundary conditions
- Bypassing 2-factor authentication
- Authentication bypass using subdomain takeover
- JWT token brute-force attacks
- SAML authorization bypass
- OAuth issues
Password Reset Attacks
- Cookie swap
- Host header validation bypass
- Case study of popular password reset fails
Business Logic Flaws / Authorization Flaws
- Mass assignment
- Invite/promo code bypass
- Replay attack
- API authorisation bypass
- HTTP Parameter Pollution (HPP)
XML External Entity (XXE) Attack
- XXE basics
- Advanced XXE exploitation over OOB channels
- XXE through SAML
- XXE in file parsing
Breaking Crypto
- Known plaintext attack (faulty password reset)
- Padding oracle attack
- Hash length extension attacks
- Auth bypass using .NET machine key
Remote Code Execution (RCE)
- Java serialisation attack
- .NET serialisation attack
- Node.js serialization attack
- PHP serialization attack
- JSON serialization attack
- Server-side template injection
SQL Injection Masterclass
- 2nd order injection
- Out-of-band exploitation
- SQLi through crypto
- OS code exec via PowerShell
- Advanced topics in SQLi
- Advanced SQLMap usage and WAF bypass
- Exploiting code injection over OOB channel
Tricky File Upload
- Malicious file extensions
- Circumventing file validation checks
- Exploiting hardened web servers
Server Side Request Forgery (SSRF)
- SSRF to query the internal network
- SSRF to call internal files
- Various case studies
Attacking the Cloud
- SSRF exploitation
- Serverless exploitation
- Google Dorking in the cloud era
- Post-exploitation techniques on cloud-hosted applications
- Various case studies
Attacking Hardened CMS
- Identifying and attacking various CMS
- Attacking hardened WordPress, Joomla and SharePoint
Misc Attacks
- Identifying blind XSS via OOB channel
- Exploiting self XSS
- CSP bypass
- Various case studies on weird and wonderful XSS and CSRF attacks
- Web caching attacks
- Attack chaining: N-tier vulnerability chaining leading to RCE
Students must bring their own laptop and have admin/root access on it. The laptop must have virtualization software (VirtualBox / VMware) pre-installed. A customized version of Kali Linux (OVA format) containing custom tools, scripts and VPN scripts for the class will be provided to the students. The laptop should have at least 4 GB RAM and 20 GB of free disk space dedicated to the VM.
Minimum 10
Maximum 20
Dhruv Shah is an information security professional working as a Principal Security Consultant at NotSoSecure. He has over 9 years of experience in application, mobile and network security. He has co-authored the book 'Kali Linux Intrusion and Exploitation' by Packtpub. His work can be found on security-geek.in. He is also a trainer of NotSoSecure's much-acclaimed advanced web hacking class and has been a trainer at several leading public conferences such as Black Hat USA and Europe. He has provided security training to various clients in the UK, EU and USA via corporate training.
Hacking and Secure Cloud infrastructure, by NotSoSecure
Cloud administrators, developers, solutions architects, DevOps engineers, SOC analysts, penetration testers, network engineers, security enthusiasts and anyone who wants to take their skills to the next level. Prior pentest experience is not a strict requirement; however, some knowledge of cloud services and a familiarity with common command-line syntax will be greatly beneficial.
Our own customized version of Kali Linux with in-house developed scripts and tools to help with hacking, auditing and securing the cloud.
Introduction to Cloud Computing
- What is the cloud and why it matters
- Types of clouds and cloud services
- What changes from conventional security models
- Shared responsibility model (pizza as a service v2.0)
Attacking Cloud Services
- Conventional vs cloud infra assessment
- Legalities around cloud pentesting
- How to approach pentesting cloud services
- Understanding the Metadata API
- Understanding the attack surface in each type of cloud
- Enumerating for cloud assets
Gaining Entry in a Cloud Environment
- Lambda attacks
- Web application attacks
- Exposed service ports
Attacking Specific Cloud Services
- Storage attacks
- Azure AD attacks
- Financial attacks
- IAM attacks: shadow admins
- Dormant assets
- Google Dorking in the cloud era
Post-Exploitation
- Maintaining access after the initial attack
- Post-access asset enumeration
- Extracting secrets from snapshot access
Defending the Cloud Environment
- Setting up monitoring and logging of the environment
- Catching attacks using monitoring and logging
- Metadata API protection
- Host-based defences for IaaS
- Windows server auditing
- Linux server auditing
Auditing and Benchmarking of Cloud
- Preparing the environment for the audit
- Automated auditing using open source tools
- Golden image / Docker image audits
- Relevant benchmarks for cloud
- Continuous inventory monitoring
- Continuous monitoring to detect changes in the cloud environment
Students must bring their own laptop and have admin/root access on it. The laptop must have virtualization software (VirtualBox / VMware) pre-installed. A customized version of Kali Linux (OVA format) containing custom tools, scripts and VPN scripts for the class will be provided to the students. The laptop should have at least 4 GB RAM and 20 GB of free disk space dedicated to the VM.
Minimum 10
Maximum 20
To be disclosed.