homepage
Menu
Open menu
  • Training
    Go one level top Back

    Training

    • Courses

      Build cyber prowess with training from renowned experts

    • Hands-On Simulations

      Hands-on learning exercises keep you at the top of your cyber game

    • Certifications

      Demonstrate cybersecurity expertise with GIAC certifications

    • Ways to Train

      Multiple training options to best fit your schedule and preferred learning style

    • Training Events & Summits

      Expert-led training at locations around the world

    • Free Training Events

      Upcoming workshops, webinars and local events

    • Security Awareness

      Harden enterprise security with end-user and role-based training

    Featured: Solutions for Emerging Risks

    Discover tailored resources that translate emerging threats into actionable strategies

    Risk-Based Solutions

    Can't find what you are looking for?

    Let us help.
    Contact us
  • Learning Paths
    Go one level top Back

    Learning Paths

    • By Focus Area

      Chart your path to job-specific training courses

    • By NICE Framework

      Navigate cybersecurity training through NICE framework roles

    • DoDD 8140 Work Roles

      US DoD 8140 Directive Frameworks

    • By European Skills Framework

      Align your enterprise cyber skills with ECSF profiles

    • By Skills Roadmap

      Find the right training path based on critical skills

    • New to Cyber

      Give your cybersecurity career the right foundation for success

    • Leadership

      Training designed to help security leaders reduce organizational risk

    • Degree and Certificate Programs

      Gain the skills, certifications, and confidence to launch or advance your cybersecurity career.

    Featured

    New to Cyber resources

    Start your career
  • Community Resources
    Go one level top Back

    Community Resources

    Watch & Listen

    • Webinars
    • Live Streams
    • Podcasts

    Read

    • Blog
    • Newsletters
    • White Papers
    • Internet Storm Center

    Download

    • Open Source Tools
    • Posters & Cheat Sheets
    • Policy Templates
    • Summit Presentations
    • SANS Community Benefits

      Connect, learn, and share with other cybersecurity professionals

    • CISO Network

      Engage, challenge, and network with fellow CISOs in this exclusive community of security leaders

  • For Organizations
    Go one level top Back

    For Organizations

    Team Development

    • Why Partner with SANS
    • Group Purchasing
    • Skills & Talent Assessments
    • Private & Custom Training

    Leadership Development

    • Leadership Courses & Accreditation
    • Executive Cybersecurity Exercises
    • CISO Network

    Security Awareness

    • End-User Training
    • Phishing Simulation
    • Specialized Role-Based Training
    • Risk Assessments
    • Public Sector Partnerships

      Explore industry-specific programming and customized training solutions

    • Sponsorship Opportunities

      Sponsor a SANS event or research paper

    Interested in developing a training plan to fit your organization’s needs?

    We're here to help.
    Contact us
  • Talk with an expert
  • Log In
  • Join - it's free
  • Account
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. Adapting to Advanced Malware: Insights from the 2024 Cybersecurity Frontlines
Xavier_mertens.png
Xavier Mertens

Adapting to Advanced Malware: Insights from the 2024 Cybersecurity Frontlines

Blocking the execution of malicious code has always been a cat and mouse game between defenders and attackers.

May 20, 2024

Compared to other often changing courses (e.g., Windows forensics courses), reverse engineering techniques do not often change. Assembly, API calls, etc., all remain the same. But that does not mean malware does not evolve over time. Attackers are imaginative at implementing new techniques to evade classic security controls (or automated ones) and make the lives of analysts and reverse engineers very difficult.

PDF documents are a perfect example. In the past, many PDF viewers (Acrobat Reader, FoxIt Reader, etc.) suffered from weird vulnerabilities. Today, however, PDF files are more often used as a “transport mechanism” to deliver other types of payloads with embedded objects or a URL. Once the malware has been delivered to and infected the victim’s computer, it must communicate with a central authority, known as a C2 server, to receive commands and/or send interesting data. Modern C2 servers rely on layer-7 protocols. From an attacker’s point of view, they offer a great tool for implementation thanks to powerful application programming interfaces (APIs) and, even more interesting, they can’t (without great difficulty) be blocked. Could you suddenly block Discord servers for your users?

Blocking the execution of malicious code has always been a cat and mouse game between defenders and attackers. Modern pieces of software implement many controls that will try to prevent malicious activity.  Microsoft Office document macros are a good example. They are very popular, but for a few months now, I have seen a large decrease in infected documents. This is likely due to Microsoft improving the decision rules to automatically execute VBA code. At the opposite end of the spectrum, they are attacks that remain classic. An example is CVE-17-11882, which targets the Equation Editor. Still today, I spot one or two examples per month. Crazy, seeing that the tools do not even exist anymore!

If attackers are always looking for new techniques to spread their malicious code, I like to say that the malware landscape is like fashion. Let me explain why. When it’s fashion week in Milan, a specific color is often used for a collection. The next year, another color will emerge, and so on. After a few years, a previous color will become trendy again, and everybody will be dressed in blue. It’s the same for malware. After a while, some tools and techniques are back on stage and reused by attackers. Why? Because newcomers aren’t aware of “vintage” techniques and some security controls, for performance reasons, will have some rules disabled. The best example I can give is the Excel 4.0 (XLM) macros.

What are the trends in malware landscape so far in 2024?

First, attackers are using other programming languages. In the Windows ecosystem, Microsoft offers a great tool called AMSI to track all scripts activities. This tool helps you log the execution of scripts like JavaScript, VBS, PowerShell, but it lacks support for one popular language (not installed by default), Python! These days, I see new malicious Python scripts targeting Windows systems daily. And they are really powerful!

If the .Net framework remains popular, there are other emerging programming languages like Go or Rust. Go has many advantages for an attacker: it’s relatively easy to learn, it’s powerful, cross-platform compatible, and Go binaries are challenging to debug and disassemble! Also, I often see compiled binaries in Python scripts. They are easier to deploy on the victim’s computer because they contain all the dependencies embedded in one file.

In recent years, there have been a lot of stories about the “supply chain.” The best example being SolarWinds. Supply chain attacks are very effective because third-party providers are trusted and their updates are allowed blindly because as security professionals always say, “patch, patch, and patch again!” Hopefully, the attack complexity makes it unavailable to all but a small group of attackers!

Ransomware remains a classic attack, but it seems less profitable since victims tend not to pay. Sometimes, malware tends to use simple scripts based on Living off the Land (LOTL) binaries. They offer simple functionalities for system administration tasks but they can be used by attackers for malicious reasons. Being part of the operating system, they are less suspicious. Even if based on simple tools, a ransomware will remain a real threat if you don’t get a decent backup mechanism

A specific malware trend is related to an information stealer or “infostealer.” the purpose of an infostealer is simple: Once the victim’s computer is infected, it searches for any sensitive information and exfiltrates it through a simple C2 protocol (usually Discord or Telegram). What type of information do they search for?

  • A footprint of the victim’s computer or network.
  • Credentials, (especially in browsers configurations).
  • Cookies. (Another goldmine.)

Wi-Fi credentials.

  • Cryptocurrency wallets.

The exfiltration of passwords from the Chrome browser is weird because, on one hand, we instruct people to use complex passwords and a password manager. So they do. Then, on the other hand, they make their passwords vulnerable by storing them in Chrome.

Pro tip: Do NOT save passwords in browsers. Instead, use a strong password manager.

Infostealers collect plenty of information that is then compiled and sold on black markets or directly reused by another attacker. Indeed, this is a common attack pattern:

  1. Group A infects computers with an infostealer malware and collect juicy data.
  2. The data is sold to Group B that uses it to implant a backdoor or otherwise compromise the victim’s infrastructure.
  3. The backdoor is sold to Group C that performs the real attack, often ransomware, against the victim.

Another fact is that Windows is not the only targeted operating system anymore. A few years ago, many people had the idea that Apple devices were “safe.” That’s not true! Recently, a new infostealer called Cuckoo Stealer has been discovered targeting MacOSs.

Another trend is the abuse of “new” features implemented in software. An example is the MSIX file format. MSI files are Microsoft Windows packages (like .rpm for Red Hat or .deb for Debian Linux distributions) that help developers deliver their applications with all the required dependencies. MSIX is the newest file format that implements nice features. The developer now has the opportunity to specify a script that will be automatically executed during the package installation. What could go wrong? Here is a practical example: The file “EditProAI-x64.msix” available on VirusTotal uses this technique. Let’s have a quick look at the file.

You don’t need complex tools to investigate the file. Zipdump is sufficient:

$ zipdump.py EditProAI-x64.msix
Index Filename                                      Encrypted Timestamp          
1 Registry.dat                                       0 2024-04-22 12:44:46
2 libsqlite3-0.dll                                   0 2023-07-04 14:24:14
3 gpg.exe                                            0 2023-07-04 14:23:30
4 libgpgme-11.dll                                    0 2023-07-04 14:24:04
5 libassuan-0.dll                                    0 2023-07-04 14:23:54
6 libgcrypt-20.dll                                   0 2024-04-22 12:34:44
7 libgpg-error-0.dll                                 0 2023-07-04 14:24:00
8 libnpth-0.dll                                      0 2023-07-04 14:24:10
9 zlib1.dll                                          0 2023-07-04 14:24:24
10 1.ps1                                              0 2024-03-23 12:37:22
11 StartingScriptWrapper.ps1                          0 2022-09-14 13:42:04
12 config.json                                        0 2024-04-22 12:44:46
13 PsfRuntime64.dll                                   0 2024-04-22 12:44:46
14 PsfRuntime32.dll                                   0 2022-09-14 15:17:16
15 PsfRunDll64.exe                                    0 2022-09-14 15:17:32
16 PsfRunDll32.exe                                    0 2022-09-14 15:17:14
17 assets/rocke.zip                                   0 2024-03-19 11:57:18
18 assets/Store50x50Logo.scale-100.png                0 2024-03-06 08:09:28
19 assets/gpg.exeSquare44x44Logo.scale-100.png        0 2022-09-14 13:42:10
20 assets/gpg.exeSquare150x150Logo.scale-100.png      0 2022-09-14 13:42:12
21 AI_STUBS/AiStubX64.exe                             0 2024-04-22 12:44:46
22 resources.pri                                      0 2024-04-22 12:44:46
23 AppxManifest.xml                                   0 2024-04-22 12:44:46
24 AppxBlockMap.xml                                   0 2024-04-22 12:44:48
25 [Content_Types].xml                                0 2024-04-22 12:44:46
26 AppxMetadata/CodeIntegrity.cat                     0 2024-04-22 12:44:46
27 AppxSignature.p7x                                  0 2024-04-22 08:29:34

The config.json file contains interesting information:

$ zipdump.py EditProAI-x64.msix -s 12 -d
{
    "processes": [
        {
            "executable": ".*",
            "fixups": []
        }
    ],
    "applications": [
        {
            "id": "gpg.exe",
            "startScript": {
                "scriptExecutionMode": "-ExecutionPolicy RemoteSigned",
                "scriptArguments": "-windowstyle hidden",
                "scriptPath": "1.ps1"
            }
        }
    ]
}

The script “1.ps1” will be executed once the package installed.

As you can see, a key element for reverse engineers is to be able to understand the environment targeted by the malware. While teaching FOR610, I like to say to my students that they must know the targeted operating system and how it works. Another good example: How can you guess that a malware implements persistence if you don’t know the purpose of the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run?

Malware developers have plenty of techniques that, at first, are not malicious at all. They are actually provided by Microsoft for legitimate purposes. Another critical point for malware reversers is that they must know common API calls used by attackers.

Let’s check another common technique used these days called process hollowing. It’s a nasty process injection technique that takes only a few steps:

  1. A new process (chosen by the attacker) is created in suspended mode (this is key!).
  2. The newly created process memory is hollowed (i.e., wiped).
  3. Free memory is allocated by the attacker in the remote process.
  4. The malicious code is copied in memory.
  5. The process is resumed.

To achieve this, the common API call ZwUnmapViewOfSection() is used. This function is provided by Microsoft and is not malicious. One day, a former student asked, “Why does Microsoft provide such a dangerous call? In which context could it be used for legitimate purposes?”  Here is the best explanation I have found:

“NtUnmapViewOfSection (and the corresponding NtMapViewOfSection) are function calls used by Windows kernel-mode drivers to manage shared memory. These functions can be used to share memory between kernel space and user space: for example, a driver could use them to communicate with a user-space configuration tool.” [source]

What Are the Challenges for Reverse Engineers?

They are many techniques used by attackers to defeat malware analysts. Process hollowing (see above) is one. Other protections can be grouped in two main categories:

  1. Defeat the analyst or the automatic analysis (in a sandbox).
    1. Anti-debugging techniques (to detect when executed inside a debugger).
  2. Hide interesting information (code or data).
    1. Packers,
    2. Obfuscation,
    3. Encryption, and/or
    4. Junk code/data.

Attackers are very good at detecting environments. The goal is to detect as soon as possible where in the host machine or network the infection should be targeted and the malware executed. For example, state-sponsored groups would like to keep friendly countries (I won’t mention any example here 😉) from being affected. But they also try to defeat the automatic analysis by checking for common indicators. Recently, I found an interesting piece of PowerShell that implemented all those checks. Example:

Detection of evil GPUs:

$gpu1 = Get-WmiObject -Class win32_videocontroller | Select-Object -ExpandProperty Caption
$pcusn = $env:USERNAME
$uuid = (Get-WmiObject Win32_ComputerSystemProduct).UUID
$evilgpu = @(
'29__HERE'
'2RO_8UVU'
'5KBK41_L'
'5LXPA8ES'
'5PECN6L1'
'5RPFT3HZ'
'6BOS4O7U'
'6BZP2Y2_’
'AMD Radeon HD 8650G'
'ASPEED Graphics Family(WDDM)'
…)
if ($evilgpu -contains $gpu1) {
exit 1
}
else {
    {}
}

Detection of bad hostnames:

$badpcname = $env:COMPUTERNAME
$badpcnamearr = @(
'00900BC83803'
'0CC47AC83803'
'6C4E733F-C2D9-4'
'ACEPC'
'AIDANPC'
'ALENMOOS-PC'
'ALIONE'
'APPONFLY-VPS'
'ARCHIBALDPC'
'azure'
'B30F0242-1C6A-4'
'BAROSINO-PC'
'BECKER-PC'
… )
if ($badpcnamearr -contains $badpcname) {
exit 1
}
else {
    {}
}

They know the name of suspicious processes and they know the IP addresses used by most security vendors. It’s a huge amount of knowledge.

Finally, like most people working in IT, malware developers and attackers are lazy. If they can find interesting free online resources, they will use them to store payloads, collect data, and serve as C2 protocols.

What to Expect in the Future?

I don’t have a crystal ball, but malware developers will certainly continue to have crazy ideas to make our lives more difficult. Computers are everywhere and there are still domains out there that are not yet massively targeted. I’m thinking about connected cars, for example. Can you imagine a ransomware targeting cars? In the morning, you step into your car, turn the engine on, and the multimedia interface displays a ransom note. Scary!

If most malware can be detected by modern tools like endpoint detection and response (EDR), there are already researches demonstrating how easy they can be bypassed, like the Process Mockingjay.

Finally, we must strengthen our methodologies to speed up the analysis of the huge amount of malware detected daily. It’s important to make a clear distinction between the regular “noise” (like the classic AgentTesla, RedLine, etc.) and the real new interesting piece of malware that deserve to be investigated deeper.

About Xavier Mertens

Xavier, deeply passionate about information security, has shaped his career around gaining comprehensive expertise in this ever-evolving field. He is drawn to the dynamic nature of cybersecurity, where the continual emergence of new threats and techniques demands perpetual learning. While his primary focus is on the defensive aspects of cybersecurity, encompassing incident management, malware analysis, and threat hunting, he occasionally delves into offensive strategies like penetration testing. Beyond his professional role, Xavier is significantly involved in the cybersecurity community as a SANS Internet Storm Center handler, a SANS Certified Instructor of FOR610 and FOR710, and a co-organizer of the BruCON security conference. His teaching method highlights the practical application of complex technical subjects through real-world examples and visual aids. Xavier also enjoys personal pursuits such as drone piloting and mountain biking.

Interested in learning more about reverse engineering malware? Check out Xavier’s SANS profile to see when he’s teaching near you, and sign up for a demo of FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques or FOR710: Reverse-Engineering Malware: Advanced Code Analysis.

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Cote D'ivoire
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Eswatini
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
North Macedonia
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania, United Republic Of
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City State
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Tags:
  • Digital Forensics, Incident Response & Threat Hunting

Related Content

Blog
Digital Forensics, Incident Response & Threat Hunting
January 13, 2025
How You Can Start Learning Malware Analysis
Lenny Zeltser shares a roadmap for getting into malware analysis, with pointers to 10 hours of free recorded content and additional references.
Lenny_Portrait_New_370x370.jpg
Lenny Zeltser
read more
Blog
blog image - ransomware summit.png
Digital Forensics, Incident Response & Threat Hunting
May 29, 2024
A Visual Summary of SANS Ransomware Summit 2024
Check out these graphic recordings created in real-time throughout the event for SANS Ransomware Summit 2024
No Headshot Available
Alison Kim
read more
Blog
Malware_Blogs.png
Digital Forensics, Incident Response & Threat Hunting
September 21, 2023
Latest Must-Read Malware Analysis Blogs
In this post, we present a selection of recent malware analysis write-ups to highlight individuals' passion for malware analysis
Anuj_Soni_370x370.png
Anuj Soni
read more
  • Company
  • Mission
  • Instructors
  • About
  • FAQ
  • Press
  • Contact Us
  • Careers
  • Policies
  • Training Programs
  • Work Study
  • Academies & Scholarships
  • Public Sector Partnerships
  • Law Enforcement
  • SkillsFuture Singapore
  • Degree Programs
  • Get Involved
  • Join the Community
  • Become an Instructor
  • Become a Sponsor
  • Speak at a Summit
  • Join the CISO Network
  • Award Programs
  • Partner Portal
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Cote D'ivoire
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Eswatini
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
North Macedonia
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania, United Republic Of
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City State
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
  • Privacy Policy
  • Terms and Conditions
  • Do Not Sell/Share My Personal Information
  • Contact
  • Careers
© 2025 The Escal Institute of Advanced Technologies, Inc. d/b/a SANS Institute. Our Terms and Conditions detail our trademark and copyright rights. Any unauthorized use is expressly prohibited.
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn