SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
FOR710: Reverse-Engineering Malware: Advanced Code Analysis
FOR710Digital Forensics and Incident Response
- 36 Hours (Self-Paced)
Course created by:
Anuj Soni
Course created by:Anuj Soni
- 36 CPEs
Apply your credits to renew your certifications
- Virtual Live Instruction or Self-Paced
Train from anywhere. Attend a live instructor-led course remotely or train on your time over 4 months.
- Advanced Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 12 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Explore and tackle real-world reverse engineering malware scenarios. Learn to dissect sophisticated Windows executables that dominate headlines and preoccupy incident response teams around the globe.
Featured Quote
I really enjoyed this course. I felt that it was a good and logical next step after taking FOR610. The material made sense and was relevant to what I see at work every day.
Course Overview
FOR710: Reverse-Engineering Malware: Advanced Code Analysis prepares malware specialists to dissect sophisticated Windows executables, such as those that dominate the headlines and preoccupy incident response teams across the globe. This malware reverse engineering course not only includes essential background and instructor-led walkthroughs, but also provides students with numerous opportunities to tackle real-world reverse engineering scenarios during class.
What You’ll Learn
- Handle code obfuscation techniques like control flow flattening, string encryption, and steganography
- Analyze loaders, droppers, payloads, and persistence mechanisms
- Locate and extract deobfuscated shellcode during runtime
- Analyze files like documents, images, and archives for embedded malware
- Understand structures and fields (entry point, sections), and their significance
- Debug and analyze process data structures (PEB, TIB), and investigate memory usage
- Utilize Python, DBI, Ghidra, and binary emulation for efficient analysis
Business Takeaways
- Gain deep visibility into high-impact threats to improve detection and response
- Boost efficiency and scale malware analysis through automation
- Produce high-confidence threat intelligence and actionable insights to guide defense
Meet Your Author
Anuj Soni
Senior InstructorAnuj Soni, Principal Reverse Engineer at United Healthcare, has over 15 years of experience enhancing organizational security postures. His expertise has led to the identification, containment, and remediation of multiple threat actor groups.
Read more about Anuj SoniCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in FOR710: Reverse-Engineering Malware: Advanced Code Analysis.
Section 1Code Deobfuscation and Execution
Malware authors employ evasion techniques and in-memory execution to hide data, hinder analysis, and thwart detection. First, we discuss the use of malicious steganography. Then we cover key steps in program execution, identifying how code is launched and labeling functions accordingly. Finally, we analyze shellcode with the support of WinDbg Preview.
Topics covered
- Analyzing code deobfuscation
- Identifying program execution
- Understanding shellcode execution
Labs
- Investigating code deobfuscation
- Analyzing malicious program execution
- Analyzing shellcode execution
Section 2Encryption in Malware
Section 2 tackles the use of encryption in malware. Adversaries use cryptography for many reasons: to encrypt files, protect keys, conceal configuration settings, and obfuscate command and control (C2) communications. Reverse engineers must be prepared to investigate and articulate the purpose of routines in high-impact malware that implement encryption.
Topics covered
- Encryption essentials
- File encryption and key protection
- Data encryption in malware
Labs
- Encryption essentials knowledge quiz
- Identifying file encryption and key protection in ransomware
- Analyzing data encryption in malware
Section 3Automating Malware Analysis
Section 3 covers automating malware analysis. We introduce Python, writing scripts to decrypt configuration data, deobfuscate strings, and extract payloads. We cover a Dynamic Binary Instrumentation (DBI) framework, injecting and executing code within a process to examine its internals. We write Python scripts to automate debugging and dump unpacked code.
Topics covered
- Python for malware analysis
- Dynamic Binary Instrumentation (DBI)
Labs
- Automating config extraction with Python
- Automating payload extraction with Frida
Section 4Automating Malware Analysis (Continued)
In this section, we continue discussing approaches to automating malware analysis. We introduce Ghidra’s API and write Python scripts to accelerate static code analysis. We also examine the value of binary emulation frameworks and use the Qiling framework to simulate execution and deobfuscate code and data.
Topics covered
- Automating Aanalysis within Ghidra
- Binary emulation frameworks
Labs
- Scripting with Ghidra
- Emulating code with Qiling (using Ghidra)
- Emulating code with Qiling (using SMDA)
Section 5Advanced Malware Analysis Tournament (Extended Access)
Section 5 allows students to flex new skills in an independent competitive environment. With extended access to a capture the flag (CTF) platform, students must recall key concepts and perform workflows discussed in class to succeed. This is an opportunity to analyze real-world, complex malware samples and reinforce your new advanced code analysis skills.
Things You Need To Know
Relevant Job Roles
Cyber Incident Responder
European Cybersecurity Skills FrameworkMonitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.
Explore learning pathDigital Forensics (OPM 212)
NICE: Protection and DefenseResponsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.
Explore learning pathCybercrime Investigation (OPM 221)
NICE: InvestigationResponsible for investigating cyberspace intrusion incidents and crimes. Applies tactics, techniques, and procedures for a full range of investigative tools and processes and appropriately balances the benefits of prosecution versus intelligence gathering.
Explore learning pathMilitary Operations / Law Enforcement Agents
Digital Forensics and Incident ResponseExecute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.
Explore learning pathCybersecurity Analyst / Engineer
Cyber DefenseAs this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.
Explore learning pathIncident Response (OPM 531)
NICE: Protection and DefenseResponsible for investigating, analyzing, and responding to network cybersecurity incidents.
Explore learning pathDigital Evidence Analysis (OPM 211)
NICE: InvestigationResponsible for identifying, collecting, examining, and preserving digital evidence using controlled and documented analytical and investigative techniques.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchasing Options?Contact Us
OnDemand Bundle
When purchasing a live, instructor-led course, add 4 months of online access. View price in the info icons below.
SANS Skills Quest by NetWars Core Edition
Add 6 months of hands-on skills practice. Add to your cart when purchasing your course.
Filter by:
Location & instructorDate & TimeCourse priceEnrollment options
- Location & instructor
Virtual (OnDemand)
Instructed by Anuj SoniDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Washington, DC, US & Virtual (live)
Instructed by Anuj SoniDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Virtual (live)
Instructed by Xavier MertensDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxesEnrollment options - Location & instructor
Singapore, SG & Virtual (live)
Instructed by Xavier MertensDate & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Coral Gables, FL, US & Virtual (live)
Instructed by Anuj SoniDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Orlando, FL, US & Virtual (live)
Date & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxesEnrollment options
Showing 6 of 6
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 3I really enjoyed this course. I felt that it was a good and logical next step after taking FOR610. The material made sense and was relevant to what I see at work every day.
- Slide 2 of 3I was recently named our IR lead, and coming from purple teaming/pentesting I needed the content of this course to make meaningful improvements to the program. I feel well prepared to tackle the challenges ahead now.
- Slide 3 of 3The labs and exercises for the automation were excellent and really showed off what is needed to perform RE through automation.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources