Kai Bernardini Winnona DeSombre
Kai Bernardini
- Remove
🤠E-m-a-i-l:k🤠.🤠b🤠e🤠r🤠n🤠a🤠r🤠d🤠i🤠n🤠i🤠@🤠n🤠o🤠r🤠t🤠h🤠e🤠a🤠s🤠t🤠e🤠r🤠n🤠.🤠e🤠d🤠u🤠If you come across the email that is [email protected] this is the wrong email. It is [email protected]
Email: kai
The class introduces students to the wild world of offensive capabilities development and cyber threat hunting by taking on the role of both attacker and defender to better understand various stages of cyber attacks. Focusing on the Windows operating system, students will create and analyze malware in the context of combating a simulated threat actor APT-ChonkyBear in addition to creating their own tools to emulate their capabilities.
Entries marked as (G) are relevant only to the folks enrolled in the graduate version of the class.
Like most topics related to technology, the field of offensive capabilities development is one that is rapidly evolving. The details of what you learn in this class will rapidly become stale. However, the concepts will likely have a longer shelf life, and the habits of mind are timeless! Students who succeed in this class will be able to
- Triage malware by performing basic static and dynamic analysis
- extract IOCs, unpack malware, and pivot off of indicators
- read documentation written in Microsoft Parlance (I promise you this is a skill)
- program in c using the Windows API
- reverse engineer and implement first stage implants
- build PE Loaders
- understand and implement various forms of Process Injection
- Design simple Implant frameworks
Said differently, the goal of this class from a technical level is to demystify malware.
- Malware and Threat Hunting 101
- Basics of Visual C
- Windows API
- Objects, Handles
- Processes, threads
- Virtual Memory basics
- I/O
- network IO
- Executable File formats
- Linking, Loading
- MITRE ATT&CK
- Static Analysis
- Dynamic Analysis
- Ghidra
- scripting with Ghidrathon
- integration with unicorn/qiling
- Debugging and triage
- Pivoting
- Crypto 101
- Ciphers
- MACs
- Asymmetric Cryptography
- Ransomware
- Stealers
- C2 Engineering
- C2 Channels
- PE loaders
- Injection
- DLL injection
- Process Injection
- Reflective DLL injection
- More advanced Process injection
- Packers, builders and AV Evasion
- Unpacking Malware
- Hooking
- Officially supported methods
- IAT hooking
- Trampoline Hooking
- Exception Based hooking
- Detours library
- Implant design
- Modularity
- RPC
- Use of Cryptography
- Backend Engineering (Pub Sub, pattern)
- Basic MVC design patterns with Flask, SQLAlchemy and Mysql
- Selected Advanced topics may include
- Exotic Executable file Formats (COFF, BOF, and other)
- EDR Evasion
- Memory evasion
- GDB/experience debugging native binaries. Note we will either be using x64dbg or WinDbg. You're welcome to use GDB if you want though.
- Experience with compiler toolchains (compilers, linkers)
- This class will make use of
mingwwhich is a drop in replacement for GCC for windows. It can function as a cross compiler. If you have never used gcc before, or compiled a c program, you might want to consider talking this course in the future.
- This class will make use of
- Python3: you need to be very proficient with python or a scripting language of your choice. Lecture will heavily leverage python.
- c/c++/some other systems programming language: you should be able to write and debug simple C programs. You don't need to be Dennis Ritchie but pointers arithmetic shouldn't scare you. You should also be comfortable with structs, unions, and manually managing memory. You should also know what I mean when I ask for the difference between Stack and Heap memory from a userland perspective.
- Intel x86 assembly: you should be able to read x86 assembly. Being able to write it is a plus!
- (G) comfort with programming in assembly. There will be assignments where you will write some x86_64 assembly.
- (G) Be very comfortable with virtual memory and threads.
- IP : you should know the difference between a private and public IP, the basics of addressing, and know the relationship between a domain name, DNS and an IP address
- I.e. If you should understand why it doesn't make sense to share
10.10.10.3as a valid, Malicious IP address that every organization should null route.
- I.e. If you should understand why it doesn't make sense to share
- TCP: More so the basics of socket programming, less so the internals of how reliability is achieved or what the handshake process looks like.
- DNS: You don't need to understand how DNS works, but you need to know what it does. I.e., you should understand what
A/AAAArecords are. - TLS: You need to understand the basics of what the following are:
- a Certificate Authority
- TLS cert (mostly for how it is used for establishing secure tunnels)
- HTTP(s): HTTP verbs, request structure, and error codes.
- You should know what a User-Agent is
- Combinatorics: you should be comfortable with basic counting: i.e. if I ask you how many bit strings of length
$n$ are there, you should instinctively know the answer is$2^n$ and how to prove it. - Probability: Discrete Random variables. Also nice if you have heard "Exponential Random Variable" and "Poisson Counting Processes" before.
- We will primarily be dealing with i.i.d. Bernoulli random variables but will also talk about modeling beaconing behavior
- Computing systems: as mentioned in the programming section, it is essential to ahve familiarity with memory management, c programming, reading assembly, using debuggers and compiler toolchains. You should know the difference between stack and heap memory. But even more than that, you should understand what Virtual Memory really is.
- Basic Cryptography: familiarity with Ciphers, MACs and Hash functions. Ideally also the idea behind asymmetric cryptography. Not the end of the world if you haven't been exposed to cryptography as some fundamental concepts will be briefly introduced.
- (G) you will have to build a static unpacker for a particular kind of sample. doing so without any background in cryptography will prove to be difficult.
Subject to change: this usually works out in your favor and I reserve the right to weigh different components for different students. How is this fair you ask? Again, this usually works in your favor. For example, bombed the homeworks but crushed final project? No problem.
There is a curve for this class, but it will never hurt your grade. I only curve up. The average for the Undergrad course is generally B/B+ and I expect the average for the grade version to be an A-.
As a general comment, it is difficult to fail the course, common to get the average, and very had to get an A.
- Malware Write up: 10%
- Exercises: 5%
- Capture the Flag (CTF): 10%
- Reverse Engineering Assignments: 15%
- Coding Assignments: 10%
- Capstone Project: 50% - 100%
- (G) Paper/Project 0-100%
- Grad students have the option to submit a paper in lieu of a capstone. Of course, you are expected to submit some code but it doesn't need to be as operational as the undergraduates. it does, however, need to highlight a novel or cutting edge technique of some kind. You get to choose how much of your grade is determined by the paper, including 0 if you want to just do the capstone!
Bonus Points:
- Grad students have the option to submit a paper in lieu of a capstone. Of course, you are expected to submit some code but it doesn't need to be as operational as the undergraduates. it does, however, need to highlight a novel or cutting edge technique of some kind. You get to choose how much of your grade is determined by the paper, including 0 if you want to just do the capstone!
- Class Participation: 2.5% -10%
- Guest lecture attendance 2.5%-10%
- Vibes 0-50%
- This does not mean you get points for nothing. If you knock my socks off for the final project, I will likely not even bother calculating your grade, and just give you an A. I might even help you find a job :-)
- That said, I can be difficult to impress :-). Do not stake your final grade on the final project. It has worked our roughly 50% of the time.
- To be clear, bonus points do not affect other students.
Exercises are weekly, quick turn around homework, and in class assignments. They are designed to be sanity checks for topics as the course progresses. They are questions that should take between 5 and 10 minutes. Questions will always be based on recent material, but topics build on each other. You should bring your laptop to class in case there is an exercise.
Example exercise that I almost always give out:
- given an exe with stripped symbols, find the Virtual Address (VA) of the main function assuming the exe is mapped to its preferred VA.
- explain the difference between static and dynamic linking
- What does this function (obviously memcpy or strcpy) do?
Each assignment consists of a new epoch of malware sent to students highlighting a new technique to analyze. It will be their job to reverse engineer the new implant, detail its functionality, and identify attacker infrastructure and IOCs. These assignments will often be multi staged and difficult. It is easy to spend hours reverse engineering a binary if you're not careful with your time. Often times, malware will be multi staged. What this means is just because you found the first implant, doesn't mean you are even close to being done. How do you know when you have found all of the implants? You don't! This is designed to emulate a real world hunting environment. Usually though, there won't be more then 3-10 stages, and only marginal completion is required to pass the assignment.
On the offensive side, students will work to recreate capabilities observed within new epochs of malware that can be integrated into their own Command and Control (C2) framework. For more on this, see Capstone.
This iteration, we are going to try out something new! Students will be given skeleton code that defines a simple shell: sHELL. Why is it called sHELL? Because it is a hellish shell (shell HELL) to implement! You are not allowed to use MSVRCT (Microsoft's version of LIBC)! How does that even work? Its painful! You may only use pre-approved DLLs to implement your code. This is to help bridge the gap between course work and the capstone project. For example, there is no memcpy, or strlen. You must implement those yourself! The sHELL will also have many quirks that introduce concepts relevant to Malware Development, such as modularity.
The course will have a semester-long capture the flag competition where students will compete to solve challenges that are often times hidden in epochs of malware.
This class will guide students through the creation of their own production ready Remote Administration Tool (RAT) and Command and Control (C2) team server. Each component of the capstone will be introduced as an offensive homework assignment, and will be integrated into the framework over the course of the semester.
Attendance is mandatory, but I do not take attendance. instead, I will non-deterministically give an exercise at the start of class that you have 5-10 minutes to complete. If you need to miss a class, do give course staff a heads up.
- You are allocated 3 late days for the semester, and may use them at your discretion.
- You may ask for more late days for extenuating circumstances. I am usually pretty reasonable when it comes to providing extensions-- but the time to do it is not the night before a deadline.
- Late days may only be used on reverse engineering assignments, or coding assignments.
- There are no late days for the capstone project or exercises.
- I do not accept submissions for exercises if you are remote.
- I give incompletes to students who have extenuating circumstances: usually medical emergencies.
- Mental health emergencies are medical emergencies.
- There will be some sections that discuss material that may be triggering to some.
- Warnings will be given at the start of such lectures, and attendance is completely optional.
- If you say the words “I am having a mental health emergency and need an incomplete” you will get one, zero questions asked.
There are no mandatory textbooks for this course. Required readings will consist of documentation, blog posts, or source code. Below are several references that will be relevant to various homework assignments
- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software 1st Edition
- Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation 1st Edition
- http://www.harmj0y.net/blog/empyre/building-an-empyre-with-python/
- https://vx-underground.org
- https://github.com/yeyintminthuhtut/Awesome-Red-Teaming
- https://learn.microsoft.com/en-us/windows/win32/api/