Hey everyone! I’m doing something a little different this time. I recently completed the Practical Malware Analysis & Triage course from TCM academy (https://academy.tcm-sec.com/p/practical-malware-analysis-triage), and I figured I would give it a review. I’ll give an overview of the material covered, what I liked, what I didn’t like, what I supplemented the course with, etc. Let me first off say, the instructor who put together and led this course, Matt Kiely, is an amazing teacher, and deserves a lot of credit for putting out this course. In short, I think this is absolutely worth the $29.99 price tag, if not more. In just a week and a half to two weeks, I went from knowing very little about malware analysis to having a solid base of knowledge to build off of. Go get the course, put in the time and complete it, and continue on learning. You will be glad you did.
Lab Setup and Malware Safety
The course starts off by walking you through exactly how to set up a safe, sandboxed analysis environment by installing REMnux and FlareVM in the VirtualBox hypervisor. Now, I cannot stress enough, you MUST follow all of the steps as they are laid out by Matt, because otherwise you may accidentally misconfigure something which could put your host machine at risk. You will be executing actual malware samples inside of virtual machines in the course. Matt will walk you through everything, just follow along.
Once you have set up the analysis environment and confirmed the correct configuration, you will detonate your first malware sample and see exactly what it is like. For me, this was a bit of a nerve-wracking moment. I’ve known for a while that malware analysis can be done inside of virtual machines as they provide a sealed environment for malware to be executed and not touch the host OS, but it was still a weird feeling to intentionally run known malware. This section of the course will also cover where you can source some malware to analyze once you complete the course, so that you can continue your learning.
Basic Static Analysis
This part of the course will teach you the tools and techniques to conduct static analysis, where you will be examining the basic properties of the file without actually executing the malware. This phase of analysis may seem boring, but it is vitally important, as it will clue you in to what to look for in the follow-on phases of analysis. Some of the techniques you will learn include hashing executables, viewing API imports, and determining whether a sample is packed (compressed) or not. Overall, I thought this part of the course was very good. I think Matt does a great job of explaining the Windows API in ways that should be very easy for a total beginner to understand. You may not even know what API stands for before starting the course, but you will understand the basics of the Windows API by the time you finish the course.
Basic Dynamic Analysis
Now this is the part of the course where things start getting really, really fun. You will be executing live malware again, and this time, you will learn some common host-based and network-based indicators to look for: things such as changed or newly created registry entries, DNS requests and other network traffic, etc. You will also learn an interesting technique for analyzing reverse shells, which I’m not gonna spoil, but I thought it was pretty cool.
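To make the host-based and network-based indicators concrete, here is an added example of my own (not course material): it diffs a registry snapshot taken before detonation against one taken after, flags anything new under the Run keys as a persistence candidate, and counts DNS queries in a query log. The registry paths, values, domains and the log line format are all constructed for the example.

```python
import re

# Constructed registry snapshots (value path -> data) taken before and after
# detonation. Paths and data are invented for the example.
BEFORE = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\lab\AppData\Local\OneDrive.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname": "LAB-VM",
}
AFTER = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\lab\AppData\Local\OneDrive.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        r"C:\Users\lab\AppData\Roaming\updater.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname": "LAB-VM",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable": "1",
}

# Constructed DNS/HTTP log in an invented format, as a fake DNS server on the
# analysis network might record it. Domains use the reserved .invalid TLD.
NET_LOG = """\
2021-10-01 10:02:13 DNS query from 10.0.0.5: api.example.invalid A
2021-10-01 10:02:14 DNS query from 10.0.0.5: ntp.lab.invalid A
2021-10-01 10:02:15 HTTP GET from 10.0.0.5: http://api.example.invalid/gate.php
2021-10-01 10:02:20 DNS query from 10.0.0.5: api.example.invalid A
"""

# Autostart locations worth flagging when a new value appears under them.
PERSISTENCE_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

DNS_RE = re.compile(r"DNS query from (\S+): (\S+) (\S+)")


def registry_diff(before, after):
    """Split the after-snapshot into added, changed and removed values."""
    added = {k: v for k, v in after.items() if k not in before}
    changed = {k: (before[k], v) for k, v in after.items()
               if k in before and before[k] != v}
    removed = [k for k in before if k not in after]
    return {"added": added, "changed": changed, "removed": removed}


def persistence_hits(diff):
    """Added values that live directly under a known autostart key."""
    hits = []
    for path in diff["added"]:
        for key in PERSISTENCE_KEYS:
            if path.lower().startswith(key.lower() + "\\"):
                hits.append(path)
    return sorted(hits)


def dns_queries(log):
    """Return {domain: query count} from the constructed log format above."""
    counts = {}
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if m:
            domain = m.group(2)
            counts[domain] = counts.get(domain, 0) + 1
    return counts


def dynamic_indicators(before, after, log):
    """Bundle the host- and network-based observations into one summary."""
    diff = registry_diff(before, after)
    dns = dns_queries(log)
    return {
        "persistence": persistence_hits(diff),
        "registry_added": sorted(diff["added"]),
        "registry_changed": sorted(diff["changed"]),
        "dns": dns,
        # A domain queried repeatedly in a short window is a beaconing hint.
        "repeated_domains": sorted(d for d, c in dns.items() if c > 1),
    }


if __name__ == "__main__":
    for k, v in dynamic_indicators(BEFORE, AFTER, NET_LOG).items():
        print(f"{k}: {v}")
```

Real snapshots would come from a tool such as Regshot rather than hand-written dicts, and the log format would be whatever your DNS sink actually writes; the comparison logic stays the same.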
There are a few challenges throughout this course where you will put your newly-learned skills to the test to answer some questions about malware samples. The first one comes after the basic dynamic analysis section. I’m not gonna cover the challenges in depth, but overall, I thought all of the challenges were great. They were challenging but not too challenging to the point that they felt overwhelming. Each challenge also includes a walkthrough to watch once you complete your analysis and answer all of the questions (Or if you get totally stuck. There’s no shame in that!).
Advanced Static Analysis
This section of the course is honestly the only part that I have any complaints about, and they’re very minor complaints at that. It is still very well put together, and I learned a ton. You will learn the basics of x86 assembly, CPU registers, differences between x86 and x64 architecture, and you’ll revisit the Windows API. My only complaint about this entire course is that there are some assembly concepts that are only lightly covered, and maybe too lightly. I found myself having to google some assembly instructions to learn what they are and how they work. I also supplemented this part of the course with the book “Learning Malware Analysis” by Monnappa K A, which you can buy here: https://www.amazon.com/Learning-Malware-Analysis-techniques-investigate-ebook/dp/B073D49Q6W. Do I think it is necessary to supplement the course with a book like that? No. Do I think it was helpful? Yes. The book covered a little bit more of assembly and helped fill in some gaps. I would recommend using the book when you have questions or start to feel a little lost, then come back to the course once you’ve found your answers and you feel comfortable. This course isn’t intended to take you from knowing nothing about malware to being a master malware analyst, so it is understandable that it would not go so in depth in assembly. Nonetheless, you will still learn enough assembly to be able to complete the rest of the course, and the overall quality of instruction is still great.
Advanced Dynamic Analysis
This section of the course covers the tools and techniques used to debug malware. This part was really cool in my opinion because you learn how to take total control over the execution of malware and really put all the pieces together to figure out how it works. You’ll be applying much of the information learned in the last section, as you will be seeing a lot of assembly, CPU registers, API calls, etc., but you’ll also be learning about the features and tools unique to debuggers which allow analysts to really pick apart malware. This was where I really started to see how all of the skills and techniques build off of each other and how to put together a solid workflow.
Specialty Malware Classes
This section of the course covers several different concepts, including Microsoft Office maldocs (malicious documents), shellcode injection, PowerShell, the .NET framework, Golang malware, and mobile malware. I found the maldocs instruction to be especially relevant due to the prevalence of maldocs being used by threat actors, and the mobile malware instruction also seemed very applicable in the wake of 2021’s buzz about the Pegasus malware. Again, very useful material in here.
You will arrive at this point with all of the tools and knowledge you need to be successful in this challenge. Take advantage of your notes and you will be successful. I’m not going to spoil too much about this challenge, but you should find it to be a good learning experience like I did. Just like the other challenges, I thought this one was just right in the level of complexity.
Here you will learn how to use automated online sandboxes and Jupyter notebooks to automate some of the triage and analysis tasks that a malware analyst would perform. I won’t spoil too much here either, and there’s not much I can really cover here without you just seeing and doing it yourself. I will say that I also found this instruction very useful, as just about every SOC will be implementing at least some level of automation. If you haven’t done so before, I would recommend looking at some security analyst job ads on the internet. You will notice many ads looking for analysts with some level of proficiency with Python and security automation tools. It’s definitely worth your time to learn these skills.
Yara Rules and Course Final
Now you will learn how to write Yara rules based on the observations you make while analyzing malware. Yara is a really cool tool to use for hunting and gathering intelligence and it is widely used across the security industry. I had done some experimenting with Yara rules before, but this section of the course is very useful and you will learn everything you need to know in order to be proficient with Yara rules. You will also learn how to integrate Yara rules into malware analysis reports, and Matt even provides a template which you can use to author your own analysis reports. Take all of the skills and tools you’ve learned throughout the course and apply them to write your own report! Congratulations, once you’ve completed that, you have finished the course!
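As an added example tying the basic static analysis section (hashing, strings, a packing check) to this Yara section, here is a small triage script of my own; it is not the course's code or Matt's report template. It hashes a constructed byte string standing in for a sample, estimates whether it looks packed from its byte entropy, pulls out printable strings, keeps the ones an analyst would pivot on (injection-related API names and URLs), and emits a Yara rule from those observations. The sample bytes, the API name list, the entropy threshold and the rule name are all my assumptions.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed stand-in for a sample: an MZ header, a few strings a static
# pass would surface, and zero padding. Not a real or working binary.
SAMPLE = (
    b"MZ" + b"\x90" * 62
    + b"This program cannot be run in DOS mode.\x00"
    + b"kernel32.dll\x00CreateRemoteThread\x00VirtualAllocEx\x00"
    + b"http://c2.example.invalid/beacon\x00"
    + b"\x00" * 200
)

# Uniform byte distribution, i.e. what packed or encrypted content looks
# like to an entropy check (constructed, entropy is exactly 8 bits/byte).
HIGH_ENTROPY = bytes(range(256)) * 16

# Windows APIs commonly seen together in process-injection code; an
# assumed watch list, not an exhaustive one.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 for sandbox lookups and the report header."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0. Plain code and text sit well below 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def likely_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic only: high entropy is a prompt to look for a packer."""
    return shannon_entropy(data) >= threshold


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs, the same thing the `strings` tool prints."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def interesting_strings(strings: list) -> list:
    """Keep URLs and watch-listed API names, in order of appearance."""
    return [s for s in strings if "://" in s or s in INJECTION_APIS]


def build_yara_rule(name: str, strings: list, sha256: str) -> str:
    """Emit a Yara rule: MZ header plus a subset of the observed strings."""
    if not strings:
        raise ValueError("need at least one string to build a rule")
    lines = [f"rule {name}", "{", "    meta:",
             f'        sha256 = "{sha256}"', "    strings:"]
    for i, s in enumerate(strings):
        escaped = s.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{escaped}" ascii')
    needed = min(2, len(strings))  # avoid a single-string rule being brittle
    lines += ["    condition:",
              f"        uint16(0) == 0x5A4D and {needed} of ($s*)", "}"]
    return "\n".join(lines)


def triage(data: bytes, rule_name: str = "added_example_rule") -> dict:
    """Run the static checks and return everything the report needs."""
    hashes = file_hashes(data)
    strings = extract_strings(data)
    pivots = interesting_strings(strings)
    return {
        "hashes": hashes,
        "entropy": round(shannon_entropy(data), 3),
        "likely_packed": likely_packed(data),
        "strings": strings,
        "pivots": pivots,
        "yara": build_yara_rule(rule_name, pivots, hashes["sha256"]),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for key in ("hashes", "entropy", "likely_packed", "pivots"):
        print(f"{key}: {report[key]}")
    print(report["yara"])
```

The generated rule is a starting point, not a finished detection: you would still test it against clean files to check for false positives before adding it to a report or a hunting set.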
In closing, I really can’t recommend this course enough. TCM Academy is a great resource for anybody looking to learn new infosec/cybersecurity skills, or even just refine existing skills. All of their courses deliver immense value compared to the price tag. The instructors are all fantastic, and Matt Kiely is certainly no exception. Go give him a follow on Twitter and buy this awesome course!
Thanks for taking the time to read this review. If you enjoyed it, go ahead and check out my other blog posts! Thanks!