Table of Contents

Preface

Section 1: Basic Techniques

Chapter 1: Creating and Maintaining your Detonation Environment

Technical requirements

Setting up VirtualBox with Windows 10

Downloading and verifying VirtualBox

Installing Windows 10

Installing the FLARE VM package

Isolating your environment

Maintenance and snapshotting

Summary

Chapter 2: Static Analysis – Techniques and Tooling

Technical requirements

The basics – hashing

Hashing algorithms

Obtaining file hashes

Avoiding rediscovery of the wheel

Leveraging VirusTotal

Getting fuzzy

Picking up the pieces

Malware serotyping

Collecting strings

Challenges

Challenge 1

Challenge 2

Summary

Further reading

Chapter 3: Dynamic Analysis – Techniques and Tooling

Technical requirements

Detonating your malware

Monitoring for processes

Network IOC collection

Discovering enumeration by the enemy

Domain checks

System enumeration

Network enumeration

Case study – Dharma

Discovering persistence mechanisms

Run keys

Scheduled tasks

Malicious shortcuts and startup folders

Service installation

Uncovering common techniques

Final word on persistence

Using PowerShell for triage

Persistence identification

Registry keys

Service installation

Scheduled tasks

Less common persistence mechanisms

Checking user logons

Locating secondary stages

Examining NTFS (NT File System) alternate data streams

Challenge

Summary

Chapter 4: A Word on Automated Sandboxing

Technical requirements

Using HybridAnalysis

Using Any.Run

Installing and using Cuckoo Sandbox

Cuckoo installation – prerequisites

Installing VirtualBox

Cuckoo and VMCloak

Defining our VM

Configuring Cuckoo

Network configuration

Cuckoo web UI

Running your first analysis in Cuckoo

Shortcomings of automated analysis tools

Challenge

Summary

Section 2: Debugging and Anti-Analysis – Going Deep

Chapter 5: Advanced Static Analysis – Out of the White Noise

Technical requirements

Dissecting the PE file format

The DOS header

PE file header

Optional header

Section table

The Import Address Table

Examining packed files and packers

Detecting packers

Unpacking samples

Utilizing NSA's Ghidra for static analysis

Setting up a project in Ghidra

Challenge

Summary

Further reading

Chapter 6: Advanced Dynamic Analysis – Looking at Explosions

Technical requirements

Monitoring malicious processes

Regshot

Process Explorer

Process Monitor

Getting away with it

Network-based deception

FakeNet-NG

ApateDNS

Hiding in plain sight

Types of process injection

Detecting process injection

Case study – TrickBot

Challenge

Summary

Chapter 7: Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue Pill

Technical requirements

Leveraging API calls to understand malicious capabilities

x86 assembly primer

Identifying anti-analysis techniques

Examining binaries in Ghidra for anti-analysis techniques

Other analysis checks

Tackling packed samples

Recognizing packed malware

Manually unpacking malware

Challenge

Summary

Chapter 8: De-Obfuscating Malicious Scripts: Putting the Toothpaste Back in the Tube

Technical requirements

Identifying obfuscation techniques

String encoding

String concatenation

String replacement

Other methodologies

Deobfuscating malicious VBS scripts

Utilizing VbsEdit

Using WScript.Echo

Deobfuscating malicious PowerShell scripts

Compression

Other methods within PowerShell

Emotet obfuscation

A word on obfuscation and de-obfuscation tools

Invoke-Obfuscation and PSDecode

JavaScript obfuscation and JSDetox

Other languages

Challenges

Summary

Section 3: Reporting and Weaponizing Your Findings

Chapter 9: The Reverse Card: Weaponizing IOCs and OSINT for Defense

Technical requirements

Hashing prevention

Blocking hash execution with Group Policy

Other methodologies

Behavioral prevention

Binary and shell-based blocking

Network-based behaviors

Network IOCs – blocking at the perimeter

Common tooling for IOC-based blocking

Challenge

Summary

Chapter 10: Malicious Functionality: Mapping Your Sample to MITRE ATT&CK

Technical requirements

Understanding MITRE's ATT&CK framework

Tactics – building a kill chain

Case study: Andromeda

Initial access

Execution

Persistence

Defense evasion

Command and Control

Utilizing MITRE ATT&CK for C-level reporting

Reporting considerations

Challenge

Summary

Further reading

Section 4: Challenge Solutions

Chapter 11: Challenge Solutions

Chapter 2 – Static Analysis – Techniques and Tooling

Challenge 1

Challenge 2

Chapter 3 – Dynamic Analysis – Techniques and Tooling

Chapter 4 – A Word on Automated Sandboxing

Chapter 5 – Advanced Static Analysis – Out of the White Noise

Chapter 6 – Advanced Dynamic Analysis – Looking at Explosions

Chapter 7 – Advanced Dynamic Analysis Part 2 – Refusing to Take the Blue Pill

Chapter 8 – De-Obfuscating Malicious Scripts – Putting the Toothpaste Back in the Tube

Chapter 9 – The Reverse Card – Weaponization of IOCs and OSINT for Defense

Chapter 10 – Malicious Functionality – Mapping Your Sample's Behavior against MITRE ATT&CK

Summary

Other Books You May Enjoy
