SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
FOR610Digital Forensics and Incident Response
- 6 Days (Instructor-Led)
- 36 Hours (Self-Paced)
Course created by:
Lenny Zeltser & Anuj Soni
Course created by:Lenny Zeltser & Anuj Soni
- GIAC Reverse Engineering Malware (GREM)
- 36 CPEs
Apply your credits to renew your certifications
- In-Person, Virtual or Self-Paced
Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months
- 48 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Explore malware analysis tools and techniques in depth and acquire the practical skills to examine malicious programs that target and infect Windows systems.
Featured Quote
This course has helped me to improve my knowledge of malware techniqueI’ve taken 9 SANS courses in 3 years, and FOR610 is one of the best courses SANS offers. Even if malware reversing isn’t a part of one’s regular duties, it’s still a worthwhile class just for exposure and enjoyment.
Course Overview
FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques equips students with hands-on skills to analyze malware targeting Windows systems. Through labs and Capture-the-Flag challenges, students use advanced tools to uncover malware capabilities, analyze obfuscation techniques, and address common threats. This malware analysis course is ideal for those seeking to enhance threat intelligence, incident response, and enterprise defenses.
What You’ll Learn
- Set up a secure lab to analyze malware behavior
- Use monitoring tools to observe interactions with Windows systems
- Analyze obfuscated scripts and executables
- Control malware through network interception and code patching
- Investigate internals using disassemblers and debuggers
- Identify assembly-level patterns like code injection and anti-analysis tactics
- Extract IOCs and assess threats from malicious files
Business Takeaways
- Enable teams to perform in-house malware analysis, reducing reliance on external resources
- Expand analysis capabilities to provide greater value to internal or external stakeholders
- Increase efficiency in delivering actionable insights and analysis results
- Minimize incident scope and cost with faster response times to security threats
Meet Your Authors
- Slide 1 of 2
Lenny Zeltser
FellowLenny Zeltser, CISO at Axonius, is a leader in developing resilient security programs. His invaluable tools, like REMnux, a widely used Linux distribution for malware analysis, have become industry standards in combating malicious software.
Read more about Lenny Zeltser - Slide 2 of 2
Anuj Soni
Senior InstructorAnuj Soni, Principal Reverse Engineer at United Healthcare, has over 15 years of experience enhancing organizational security postures. His expertise has led to the identification, containment, and remediation of multiple threat actor groups.
Read more about Anuj Soni
Slide 1 of 0
(1/0)
Course Syllabus
Explore the course syllabus below to view the full range of topics covered in FOR610™: Hacker Tools, Techniques, and Incident Handling™.
Section 1Malware Analysis Fundamentals
Section 1 introduces essential malware analysis techniques, covering static, behavioral, and code analysis to understand malware interactions and inner workings. Students will set up a flexible lab environment, using Windows and REMnux virtual machines, to conduct these analyses effectively and with instructor guidance.
Topics covered
- Assembling a toolkit for effective malware analysis
- Examining static properties of suspicious programs
- Performing behavioral analysis of malicious Windows executables
- Performing dynamic code analysis of malicious Windows executables
- Exploring network interactions of malware in a lab for additional characteristics
Labs
- Setting up and using your lab for behavioral analysis
- Intercepting and examining malicious network traffic
- Decoding malicious artifacts using dynamic analysis
- Debugging malware using x64dbg
- Understanding command-and-control (C2)
Section 2Reversing Malicious Code
Section two dives into assembly-level analysis of Windows executables, teaching key x86 and x64 concepts for malware analysis using tools like Ghidra. Students will learn to interpret disassembled code, follow control flow, and identify common malware characteristics, such as command and control, through hands-on exercises.
Topics covered
- Understanding core x86 assembly concepts for malicious code analysis
- Identifying key assembly constructs with a disassembler
- Following program control flow to understand decision points
- Recognizing common malware characteristics at the Windows API level
- Extending assembly knowledge to include x64 code analysis
Labs
- Static analysis of malicious code using Ghidra
- Analysis of common assembly-level patterns
- Examining API interactions at the assembly level
- 64-bit assembly code peculiarities
Section 3Analyzing Malicious Documents and Scripts
Section 3 covers the analysis of malicious documents and scripts, teaching techniques for examining PDFs, VBA macros in Office files, RTF documents, and deobfuscating JavaScript. Students will learn to identify threats, extract indicators of compromise (IOCs), and understand shellcode capabilities within these file types.
Topics covered
- Malicious PDF file analysis
- The analysis of suspicious websites
- VBA macros in Microsoft Office documents
- Examining malicious RTF files
- Understanding shellcode
Labs
- Examining suspicious PDF documents
- Investigating malicious websites
- Analyzing VBA macros in Microsoft Office documents
- Examining shellcode artifacts
- Deobfuscating JavaScript and PowerShell
Section 4In-Depth Malware Analysis
Section 4 delves into advanced techniques for malware analysis, focusing on unpacking, deobfuscating, and analyzing multi-technology malware, including .NET and "fileless" threats. Students will learn to identify packers, handle code injection methods, and examine obfuscated JavaScript, PowerShell, and shellcode.
Topics covered
- Recognizing packed Windows malware
- Getting started with unpacking
- Using debuggers for dumping packed malware from memory
- Analyzing multi-technology and "fileless" malware
- Analyzing .NET malware
Labs
- Getting started with unpacking
- Dumping packed malware from memory
- Debugging packed malware
- Analyzing fileless malware
- Unpacking and decoding .NET assemblies
Section 5Examining Self-Defending Malware
Section 5 covers anti-analysis techniques used by malware authors, teaching students to identify and bypass evasion tactics, unpack malware employing process hollowing, and handle code misdirection. This section integrates and expands previous techniques, with hands-on exercises to reinforce skills in analyzing resistant malware.
Topics covered
- How malware detects debuggers and protects embedded data
- Unpacking malicious software that employs process hollowing
- Bypassing the attempts by malware to detect and evade analysis tools
- Handling code misdirection techniques, including SEH and TLS callbacks
- Unpacking malicious executables by anticipating the packer's actions
Labs
- Patching malware to bypass anti-analysis measures
- Deobfuscating embedded strings
- Examining sandbox evasion capabilities of malware
- Unpacking a variety of malware samples
Section 6Malware Analysis Tournament
Section 6 consolidates malware analysis skills through a capture-the-flag tournament, offering practical challenges with real-world malware. This hands-on experience reinforces key techniques in static and dynamic analysis, unpacking, and examining self-defending malware.
Topics covered
- Malware analysis fundamentals
- Reversing malicious code using static and dynamic techniques
- Analyzing malicious documents
- In-depth malware analysis, including unpacking
- Examining self-defending malware
Things You Need To Know
Relevant Job Roles
Forensics Analyst (DCWF 211)
DoD 8140: Cyber EnablersInvestigates cybercrimes, analyzing digital media and logs to establish documentary or physical evidence in support of cyber intrusion cases.
Explore learning pathCyber Defense Forensics Analyst (DCWF 212)
DoD 8140: CybersecurityAnalyzes digital evidence to investigate computer security incidents and support mitigation of vulnerabilities and ongoing threat response.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchase Options?Contact Us
GIAC Certification Attempt
Add a GIAC certification attempt and receive free two practice tests. View pricing in the info icons below.
OnDemand Course Access
When purchasing a live instructor-led class, add an additional 4 months of online access after your course. View pricing in the info icons below.
Filter by:
Location & instructorDate & TimeCourse priceRegistration Options
- Location & instructor
Virtual (OnDemand)
Instructed by Lenny ZeltserDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$8,780 USD*Prices exclude applicable local taxesRegistration Options - Location & instructor
Salt Lake City, UT, US & Virtual (live)
Instructed by Evan DygertDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Las Vegas, NV, US & Virtual (live)
Instructed by Michael MurrDate & TimeFetching schedule..View event detailsCourse price$8,780 USD*Prices exclude applicable local taxes - Location & instructor
Prague, CZ & Virtual (live)
Instructed by Lenny ZeltserDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxes - Location & instructor
Tokyo, JP & Virtual (live)
Instructed by Jim ClausingDate & TimeFetching schedule..View event detailsCourse price¥1,335,000 JPY*Prices exclude applicable local taxesRegistration Options - Location & instructor
London, GB & Virtual (live)
Instructed by Xavier MertensDate & TimeFetching schedule..View event detailsCourse price£7,160 GBP*Prices exclude applicable taxes | EUR price available during checkout - Location & instructor
Singapore, SG & Virtual (live)
Instructed by Michael MurrDate & TimeFetching schedule..View event detailsCourse price$8,900 USD*Prices exclude applicable local taxes - Location & instructor
Paris, FR
Instructed by Jess GarciaDate & TimeFetching schedule..View event detailsCourse price€8,230 EUR*Prices exclude applicable local taxesRegistration Options
Showing 8 of 16
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 4I've taken 9 SANS courses in 3 years, and FOR610 is one of the best courses SANS offers. Even if malware reversing isn't a part of one's regular duties, it's still a wortwhile class just for exposure and enjoyment.
- Slide 2 of 4I learned a great amount of valuable information in FOR610, including what areas I need to master for my job. The CTF lab was a wake up call regarding how much I don't know, so thank you!
- Slide 3 of 4I'd recommend FOR610 to anyone in cyber security who is looking to get deeper into malware analysis.
- Slide 4 of 4This course has helped me to improve my knowledge of malware techniques, to understand how to better protect assets, and how to successfully complete the eradication steps.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources