homepage
Open menu Go one level top
  • Train and Certify
    • Get Started in Cyber
    • Courses & Certifications
    • Training Roadmap
    • Search For Training
    • Online Training
    • OnDemand
    • Live Training
    • Summits
    • Cyber Ranges
    • College Degrees & Certificates
    • NICE Framework
    • DoDD 8140
    • Specials
  • Manage Your Team
    • Overview
    • Security Awareness Training
    • Voucher Program
    • Private Training
    • Workforce Development
    • Skill Assessments
    • Hiring Opportunities
  • Resources
    • Overview
    • Reading Room
    • Webcasts
    • Newsletters
    • Blog
    • Tip of The Day
    • Posters
    • Top 25 Programming Errors
    • The Critical Security Controls
    • Security Policy Project
    • Critical Vulnerability Recaps
    • Affiliate Directory
  • Focus Areas
    • Blue Team Operations
    • Cloud Security
    • Digital Forensics & Incident Response
    • Industrial Control Systems
    • Leadership
    • Offensive Operations
  • Get Involved
    • Overview
    • SANS Community
    • CyberTalent
    • Work Study
    • Instructor Development
    • Sponsorship Opportunities
    • COINS
  • About
    • About SANS
    • Why SANS?
    • Instructors
    • Cybersecurity Innovation Awards
    • Contact
    • Frequently Asked Questions
    • Customer Reviews
    • Press Room
  • Log In
  • Join
  • Contact Us
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  1. Home >
  2. Blog >
  3. APT Memory and Malware Challenge Solution
370x370_Rob-Lee.jpg
Rob Lee

APT Memory and Malware Challenge Solution

The memory image contains real APT malware launched against a test system. Your job? Find it.

February 8, 2014

APT Memory & Malware Challenge Answers

The memory image contains real APT malware launched against a test system. Your job? Find it.

The object of our challenge is simple: Download the memory image and attempt to answer the 5 questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 3 of the 5 questions will be entered into a drawing to win a FREE Simulcast seat at DFIRCON Monterey this March. Generally, we were very forgiving on the answers unless they were completely off base.

If you are interested in learning more about Memory Analysis and how it can help you out in your investigations read all about the updated and new FOR526: Memory Forensics.

DOWNLOAD LINK FOR MEMORY IMAGE: http://dfir.to/APT-Memory-Image

DOWNLOAD LINK FOR SOLUTION: http://dfir.to/MEMORY-SOLUTION

# vol.py —f APT.img -profile=WinXPSP3x86 pstree
image.png

You can see from the above that the iexplore.exe (PID 796) was spawned from svchost.exe (pid 884). If you inspected the volatility getsids output for PID 796 you will notice that iexplore.exe is running as a SYSTEM user. Both of these occurrences is very odd and not normal. Iexplore.exe should be launched from explorer.exe and should be running as a user process. In addition, explorer.exe also showed signs of injection by possibly poison ivy which is observed by running malfind (output listed below).

# vol.py —f APT.img -profile=WinXPSP3x86 connscan
image.png

In the connscan output above, you notice that PID 796 (iexplore.exe) is connecting to a remote system on port 89. Usually http traffic is directed on port 80 or 443 only. Again this would be a very odd thing to witness for a program. This makes the iexplore.exe process very suspicious indeed.

# vol.py —f APT.img -profile=WinXPSP3x86 dlllist —p 796
image.png

When you examine the dlllist output for PID 796 (iexplore.exe) you will notice that there is a rogue named dll which is hard to see. Irykmmww.d1l is named odd because the dll is spelled with a 1 (one) in the second letter where an l (lower case L) should be seen.

So it looks as though PID 796 is malware, but it is clear that it isn't started normally. If you tried to see if the svchost.exe was injected it would fail and not show up. Svchost.exe is not injected. So how does the malware start on the system?

# vol.py —f APT.img -profile=WinXPSP3x86 svcscan
image.png

When we run the svcscan (Service Scan) plugin for volatility, we notice a driver running on the system called irykmmww which is the same named rogue dll spotted earlier. To figure out what this driver is doing, we should check driver hooking in apihooks and ssdt.

# vol.py —f APT.img -profile=WinXPSP3x86 ssdt | grep -v ntoskrnl | grep -v win32k
image.png

Finally we can tell the driver irykmmww.sys is a rootkit loaded in the system. Clearly it is meant to do file hiding and more.

Here is some additional information on the IP address found earlier in our output of connscan.

DNS INFORMATION FOR 218.85.133.23

image.png

Excerpt from malware report on the malware.

  • The malware will create the device \Device\irykmmww (NT namespace) and \.\irykmmww ("Win32" namespace), and the driver \Driver\irykmmww. These will be visible with normal tools such as "Winobj".
  • The malware may hide at least one instance of an IExplore.exe process such that it is detectable only with memory forensics
  • The malware kernel driver runs as a service named irykmmww with a Description of irykmmww.
  • Files, directories, registry keys, and registry values starting with the name irykmmww may be hidden unless you are using memory forensics to see it
  • The DLLs irykmmww.d1l (D-one-L) or irykmmww.dll may appear in a process module listing, although the files themselves may remain hidden due to the rootkit.
  • The malware will make HTTP requests to 218.85.133.23 on TCP port 89
  • The malware may make HTTP requests with the URI /index.asp?<number> with no User-Agent

Additional Analysis submitted by Gebhard Zocher

Stage 1: Identify Rogue Processes

vol.py pslist:
- system boot time: 2009-04-16 16:10:01
- msiexec.exe (Windows Installer, 1464, 2009-04-16 16:11:02) started from
services (704, 2009-04-16 16:10:06)
- cmd.exe (840, 2009-05-05 15:56:24) from explorer.exe (1672, 2009-04-16
16:10:10) running MIRAgent.exe (456, 2009-05-05 19:28:40)
- iexplore.exe (IE, 796, 2009-05-05 19:28:28) started from svchost.exe
(884, 2009-04-16 16:10:07)

vol.py psscan:
- no news

vol.py pstree:
- no news

Stage 2: Analyze Process DLLs and Handles

vol.py dlllist -p 1464
- command line: C:\WINDOWS\system32\msiexec.exe /V
- nothing stands out

vol.py dlllist -p 704
- nothing stands out

vol.py dlllist -p 840
- nothing stands out

vol.py dlllist -p 1672
- nothing stands out

vol.py dlllist -p 456
- OK, command line shows this is obviously the MIRA Agend from Mandiant,
so everything regarding 456 is not suspicious anymore

vol.py dlllist -p 796
- nothing stans out

vol.py dlllist -p 884
- command line: C:\WINDOWS\system32\svchost -k DcomLaunch

so regarding the processes we still have:
- msiexec.exe (Windows Installer, 1464, 2009-04-16 16:11:02) started from
services (704, 2009-04-16 16:10:06)
- iexplore.exe (IE, 796, 2009-05-05 19:28:28) started from svchost.exe
(884, 2009-04-16 16:10:07)
-> mostly suspicious is the IE started from svchost 884

vol.py getsids -p 796:
Volatile Systems Volatility Framework 2.2
iexplore.exe (796): S-1-5-18 (Local System)
iexplore.exe (796): S-1-5-32-544 (Administrators)
iexplore.exe (796): S-1-1-0 (Everyone)
iexplore.exe (796): S-1-5-11 (Authenticated Users)
-> interesting, an IE running as local system ...

vol.py getsids -p 1464:
Volatile Systems Volatility Framework 2.2
msiexec.exe (1464): S-1-5-18 (Local System)
msiexec.exe (1464): S-1-5-32-544 (Administrators)
msiexec.exe (1464): S-1-1-0 (Everyone)
msiexec.exe (1464): S-1-5-11 (Authenticated Users)

vol.py handles -p 796
!!! 0x822e9578 796 0x758 0x12019f File
\Device\irykmmww
??? 0xe10096e0 796 0x7fc 0xf0003 KeyedEvent
CritSecOutOfMemoryEvent

vol.py handles -p 1464
??? 0xe10096e0 1464 0x4 0xf0003 KeyedEvent
CritSecOutOfMemoryEvent
!!! 0x822f2108 1464 0x24 0x1f0001 Mutant
SHIMLIB_LOG_MUTEX
??? 0x81e7c8e0 1464 0x3c 0x100001 File
\Device\KsecDD
??? 0x822fe1d0 1464 0x50 0x1f0003 Event DINPUTWINMM
??? 0x81f07750 1464 0x70 0x12019f File
\Device\NamedPipe\net\NtControlPipe13
??? 0xe1d74160 1464 0xf8 0xf003f Key
MACHINE\SOFTWARE\MICROSOFT\COM3
??? 0xe1015030 1464 0x138 0x1f0001 Port
OLE6D80DE069215474C95DC80B2A50C
??? 0x821607f0 1464 0x1a8 0x120001 Mutant
ShimCacheMutex
??? 0xe177e620 1464 0x208 0x2 Section
ShimSharedMemory
??? 0x81da8160 1464 0x274 0x100000 Event userenv:
Machine Group Policy has been applied
??? 0x81f78820 1464 0x278 0x100000 Event userenv: User
Group Policy has been applied
+ various Keys regarding certificates

vol.py filescan
-> no idea for what to grep
irykmmww

vol.py svcscan:
-> # 1464 seems to be legit, but SHIMLIB_LOG_MUTEX is suspicious
-> potentially inserted?

suspicious process:
Offset: 0x38ab98
Order: 252
Process ID: -
Service Name: irykmmww
Display Name: irykmmww
Service Type: SERVICE_KERNEL_DRIVER
Service State: SERVICE_RUNNING
Binary Path: \Driver\irykmmww

vol.py filescan | grep -i irykmmww
Volatile Systems Volatility Framework 2.2
0x01f1cd20 1 0 -W—-
\Device\HarddiskVolume1????UME~1\demo\LOCALS~1\Temp\irykmmww.log
0x01f20d20 1 0 R-r-d
\Device\HarddiskVolume1\WINDOWS\system32\drivers\irykmmww.sys
0x02121e08 1 0 R-r-d
\Device\HarddiskVolume1\WINDOWS\system32\irykmmww.dll
0x02387908 1 0 R—-
\Device\HarddiskVolume1\WINDOWS\system32\irykmmww.d1l
0x023beca8 1 0 R-r-d
\Device\HarddiskVolume1\WINDOWS\system32\irykmmww.d1l
0x02f7cd20 1 0 R-r-d
\Device\HarddiskVolume1\WINDOWS\system32\drivers\irykmmww.sys
0x03282e08 1 0 R-r-d
\Device\HarddiskVolume1\WINDOWS\system32\irykmmww.dll
0x1347fd20 1 0 R-r-d
\Device\HarddiskVolume1\WINDOWS\system32\drivers\irykmmww.sys

Summary:
- IE 796 ran from svchost
- suspicious MS Installer process 1464
- suspicious service w/o process ID
- suspicious files:
????UME~1\demo\LOCALS~1\Temp\irykmmww.log
\WINDOWS\system32\drivers\irykmmww.sys
\WINDOWS\system32\irykmmww.dll

Stage 3: Review Network Artifacts

vol.py connections
0x81e611f8 192.168.157.10:1053 218.85.133.23:89 796
-> IE accessing a system in China on port 89
inetnum: 218.85.0.0 - 218.86.127.255
netname: CHINANET-FJ
descr: CHINANET Fujian province network
descr: Data Communication Division
descr: China Telecom
country: CN

vol.py connscan
additionally:
192.168.157.10:1050 222.128.1.2:443 1672
-> explorer.exe having accessed a web site by https in China
inetnum: 222.128.0.0 - 222.131.255.255
netname: UNICOM-BJ
descr: China Unicom Beijing province network
descr: China Unicom
country: CN

is a closed connection, so should be happend before

vol.py sockets:
0x822ef510 796 1053 6 TCP 0.0.0.0 2009-05-05
19:29:06
0x822d25b0 4 0 47 GRE 0.0.0.0 2009-05-05
19:28:35
0x822f6618 4 1052 6 TCP 0.0.0.0 2009-05-05
19:28:35

-> IE listens on port 1053 ...

vol.py sockscan
- nothing new

Stage 4: Look for Evidence of Code Injection

vol.py malfind -dump-dir ./outdir/ > malfind.out
interesting pieces:

Process: explorer.exe Pid: 1672 Address: 0x2570000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: explorer.exe Pid: 1672 Address: 0x1820000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: explorer.exe Pid: 1672 Address: 0x1680000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: explorer.exe Pid: 1672 Address: 0x1670000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: explorer.exe Pid: 1672 Address: 0x16a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: explorer.exe Pid: 1672 Address: 0x1690000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: explorer.exe Pid: 1672 Address: 0x16b0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: explorer.exe Pid: 1672 Address: 0x16c0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: explorer.exe Pid: 1672 Address: 0x16d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: explorer.exe Pid: 1672 Address: 0x16e0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: explorer.exe Pid: 1672 Address: 0x16f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: explorer.exe Pid: 1672 Address: 0x1810000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

Process: msiexec.exe Pid: 1464 Address: 0x12f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 3, PrivateMemory: 1, Protection: 6

Process: msiexec.exe Pid: 1464 Address: 0x1350000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 3, PrivateMemory: 1, Protection: 6

vol.py ldrmodules -p 1672
1672 explorer.exe 0x00970000 True True True
\WINDOWS\system32\irykmmww.dll

vol.py ldrmodules -p 1464
- nothing stands out

stage 5: Check for Signs of a Rootkit

vol.py psxview
- nothing stands out

vol.py modscan
0x01f1c7d0 irykmmww.sys 0xf836f000 0x4000
\??\C:\WINDOWS\system32\drivers\irykmmww.sys

vol.py apihooks -p 1672 -Q
- nothing

vol.py apihooks -p 1464 -Q
- nothing

vol.py ssdt | egrep -v '(ntoskrnl|win32k)'
Volatile Systems Volatility Framework 2.2
[x86] Gathering all referenced SSDTs from KTHREADs...
Finding appropriate address space for tables...
SSDT[0] at 80501b9c with 284 entries
Entry 0x0042: 0xf836fe9c (NtDeviceIoControlFile) owned by irykmmww.sys
Entry 0x0047: 0xf83706dc (NtEnumerateKey) owned by irykmmww.sys
Entry 0x0049: 0xf837075e (NtEnumerateValueKey) owned by irykmmww.sys
Entry 0x0077: 0xf837028f (NtOpenKey) owned by irykmmww.sys
Entry 0x0091: 0xf8370a8c (NtQueryDirectoryFile) owned by irykmmww.sys
Entry 0x00ad: 0xf836fe3e (NtQuerySystemInformation) owned by
irykmmww.sys
Entry 0x00b1: 0xf837091a (NtQueryValueKey) owned by irykmmww.sys
SSDT[1] at bf999d00 with 667 entries

vol.py driverirp -r tcpip
- nothing stands out

vol.py idt
- nothing stands out

Stage 6: Dump Suspicious Processes and Drivers

vol.py dlldump -dump-dir ./outdir -p 1672 -r irykmmww
Volatile Systems Volatility Framework 2.2
Process(V) Name Module Base Module Name Result
———- ——————- ———- ——————- ——
0x81da71a8 explorer.exe 0x000970000 irykmmww.dll OK:
module.1672.1fa71a8.970000.dll

md5sum outdir/module.1672.1fa71a8.970000.dll
319bff282b3046e6c85bbe0e67338c72 outdir/module.1672.1fa71a8.970000.dll
->
https://www.virustotal.com/en/file/fe9fbcc2cf6c6666d2cdd17b7665ce66fd3ba2ceec381cf4ea09f2a7a3387749/analysis/

vol.py moddump -dump-dir ./outdir -r irykmmww
Volatile Systems Volatility Framework 2.2
Module Base Module Name Result
———- ——————- ——
0x0f836f000 irykmmww.sys OK: driver.f836f000.sys

md5sum outdir/driver.f836f000.sys
c8c2e11f5627f9f143152aec4e61c10b outdir/driver.f836f000.sys
->
https://www.virustotal.com/en/file/a80d0353c34c20a50a35771e3794de255e9030d8b7ab21ef6d1953afa692dd97/analysis/

Summary:
- System is infected with kernel driver irykmmww.sys
(\WINDOWS\system32\drivers\irykmmww.sys, c8c2e11f5627f9f143152aec4e61c10b)
which loads on startup
- explorer.exe (1672) is infected with irykmmww.dll
(\WINDOWS\system32\irykmmww.dll, 319bff282b3046e6c85bbe0e67338c72
- so every user process is under control of the attacker
- explorer.exe (1672) accessed a web site in China via https
192.168.157.10:1050 222.128.1.2:443
- IE (796) is accessing a system in China on port 89:
192.168.157.10:1053 218.85.133.23:89
- log file may contain additional information:
????UME~1\demo\LOCALS~1\Temp\irykmmww.log

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Join the SANS Community to receive the latest curated cybersecurity news, vulnerabilities, and mitigations, training opportunities, plus our webcast schedule.
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

Tags:
  • Digital Forensics and Incident Response

Related Content

Blog
SUMMIT_Free_SANS_2021_Summits_Teaser.jpg
Digital Forensics and Incident Response, Cyber Defense Essentials, Industrial Control Systems Security, Purple Team, Blue Team Operations, Penetration Testing and Ethical Hacking, Cloud Security, Security Management, Legal, and Audit
November 30, 2020
Good News: SANS Virtual Summits Will Be FREE for the Community in 2021
They’re virtual. They’re global. They’re free.
Emily Blades
read more
Blog
En.png
Digital Forensics and Incident Response
November 24, 2020
SANS DFIR Presenta Nuevos Webcasts en Español
SANS DFIR presenta sus nuevos episodios en Español! En este blog podrás ver todos los episodios con concluciones y con recursos para aprender DFIR
SANS DFIR
read more
Blog
shutterstock_1473864617.jpg
Digital Forensics and Incident Response
October 14, 2020
Defense Spotlight: Finding Hidden Windows Services
Attackers can make a Window services disappear from view. Fortunately these services can still be found, through unconventional discovery techniques.
370x370_Joshua-Wright.jpg
Joshua Wright
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters
  • The Critical Security Controls
  • Focus Areas
  • Blue Team Operations
  • Cloud Security
  • Cybersecurity Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Join the SANS Community to receive the latest curated cybersecurity news, vulnerabilities, and mitigations, training opportunities, plus our webcast schedule.
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe
  • © 2021 SANS™ Institute
  • Privacy Policy
  • Contact
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn