This course is online.
The course materials include text, videos, and code files, and there are virtual machines [VMware and VirtualBox] that can be downloaded and used while going through the course (they include all the tools and course code).
The class is single user.
The lab environment is NOT shared with other students as it is your own VM that you download and use.
At the time of this review, the course prices were listed as follows (Check the web site for actual prices!)
60 day access
180 day access
It is a comprehensive malware development course that focuses on x64 malware development. Even if you have no prior experience in malware development, this course is beginner friendly, and it also covers both intermediate and advanced concepts. The course is also continuously updated.
I want to learn more about creating my own code for red team/penetration testing/CTFs/training. When a co-worker posted a screenshot of a Tweet where the course was announced, I was immediately interested. After release, several of my co-workers joined and began to highly recommend the class and they kept telling me how good the material was. Since I was hooked on the malware development side of things, after taking other courses that covered the topic, I thought this would help take my skills to the next level. I finally got approval from work to take the course, and so I signed up.
I really like the design of the website, so I am going to highlight some of the cool features before diving into the review of the material.
There were 91 "Main Modules" at the time I started this review, and 8 "New Modules". They were color coded so that you could instantly tell how difficult the specific module was. Green for beginner, Orange for intermediate, and Red for advanced.
There were buttons in the top right corner of each module: one to toggle the screen size, one to see the objectives, one to open a terminal where you could take temporary notes (just don't forget to copy the notes out before exiting), and one to download the code file(s) associated with the module (if the module had code associated with it).
There were buttons at the bottom of each module: one to return to the previous module (except the first module), one to return you to the home page to see the list of modules, one to either mark the module as complete or to undo marking it as complete and returning it to "in progress" (which is handy if you want to keep a module as "in progress" so that you know to refer back to it often), and one to move to the next module (unless you are on the last module).
The Beginner Modules
There were 32 green modules. The course starts with a general introduction, then goes over the tools needed for the course. You can install them in your own environment, or you can use the links provided in "Module 3 - Required Tools" to download the VM for your favorite virtualization platform [VMware or VirtualBox]* (both links are provided, in case you use both platforms at various times). The course then launches into the fundamentals needed for malware development.
* The VMware VM was around 15.4 GB. Your download speed will vary, but for me the VM downloaded in somewhere around 10 minutes. The VirtualBox VM was around 13.1 GB. Your download speed will vary, but for me the VM downloaded in somewhere around 7 minutes.
I really do appreciate the effort it took to build the VMs and make them available for download. It is nice to have a portable environment that can be used for course content.
There is a lot of good information in the beginner section. Many other courses that I have taken either expect you to already have the knowledge that is taught in this section, or they cover parts of the material at a higher level.
With so many modules, I was expecting them to be short and sweet. But some were very long and detailed, with plenty of pictures and code snippets. And just because they were marked as beginner level didn't mean there wasn't information to be learned from them. I got a lot from this section alone, even though it was really just the start of the course, and it built the foundation I would need for the later sections.
One thing that I found beneficial in the beginner section was that some of the information I had learned previously was cleared up through the details provided. So it not only helped build new knowledge, it helped expand and broaden old knowledge.
Serious effort is placed into bringing the student up to speed on concepts and coding. And having an explanation, code samples matching the explanation, and sometimes screenshots of the tools help solidify understanding of key concepts.
Some of my favorite topics were the different payload encryption methods, obfuscation techniques, and the Windows Registry module (except take caution with this technique because you might encounter a big 'gotcha' depending on the payload you are storing... but I'll leave this as homework for the student to figure out if the materials haven't been updated already to include this gotcha.)
The Intermediate Modules
There were 49 orange modules. To me, this was the heart of the material. This section immediately begins by building on the information from the beginner modules, and then branches out into new, but more complex, techniques.
From process enumeration to various injection techniques (local and remote), all the way to the Bypassing AVs module ("Using a combination of previously discussed techniques to create an evasive payload loader."), this entire section broadens the student's understanding of malware development techniques.
I really like how they teach a technique so that you understand it, and then tell why you shouldn't use that technique and highlight other similar techniques that you should be using instead. Each module seems to build on the module before it, making it easy to progress once the foundational information is learned.
I had seen some of these techniques implemented in C# code from other training I have taken, but the C code was different enough that it was like learning the technique all over again. Luckily for me, a lot of this section was doing one thing locally and then the same technique remotely in the next module, and the similarities didn't require too much time to grasp the differences.
There is a lot of depth to these topics. Care is taken to explain each concept so that the student will understand them. However, a student shouldn't hesitate to follow links provided to additional resources to further expand their knowledge.
My favorite topics from this section? Pretty much all of them! But I will say, the "Bypassing AVs" module was at the top of the list because the module stepped the student through constructing a feature-rich payload loader from the ground up to reinforce what had been taught in the previous modules.
The Advanced Modules
There were 10 red modules. The advanced section begins with an introduction to EDRs and continues with advanced topics on EDR evasion techniques.
A lot of the modules cover NTDLL unhooking methods in great detail.
This section covers new materials, but also revisits ideas from earlier modules at a much deeper level, all with the main goal of avoiding EDR detection.
The New Modules
There were 8 modules at the time I am publishing this review, listed as Update 1 and Update 2, and there was a post on Twitter and on Discord about "two variations of a new initial access technique exclusively for @MalDevAcademy premium & lifetime users (in update 2 or update 3)".
Some of these modules had a video demo at the end of them instead of static photos for the module demo.
There are several tools in the provided materials that were written for the course, by the course authors, that are really handy not only for the course but for further learning/testing. There have also been several "reveals" in Discord of things given to the course participants. There is a ton of good information in the course material and in the Discord channel.
There is no certification exam at the time of this review, but you can get a Certificate of Completion upon completing the course.
Ok, let me just say, WOW. I signed up for the Long-Term, and I love it. Totally worth it "as is", but with more things to come, this, to me, is the best bang for the buck.
I have taken a LOT of online courses, so when I logged in and started looking at the website, I was very impressed. I really love the online layout, and how easy it is to get around and view the course materials. It helps make the learning just a little bit easier. And based on their layout, I tweaked this site just a little bit.
I have seen chatter about written content vs video content and which is better or faster. I have taken a large number of training classes over these many, many, many years of my career. I have taken live classes, video classes (of all shapes and sizes), online text based classes, and classes from physical materials. Each type of class has its own strengths and weaknesses. And I like to switch up my learning methods, so I am not always using the same method over and over. This course combines text, videos, photos, and hands-on learning in an amazing way.
I joined the Discord channel and was happy to see people were active there. I saw that a few of my co-workers had already joined, as well as some previous co-workers that have similar interests, so I look forward to what that channel has to offer.
Having gone through the materials once, I realize that I need to go through all the material another time or two (probably 10 or 20 times) to fully grasp all the concepts, and then mark sections to reference over and over again... I figure after a few times through, I will start tweaking the code in each section to see what breaks and how to troubleshoot it when it does break, and this will help more than anything else to drive home the syntax of the programs and how they work.
Malware Development Training Reviews
Copyright © 2023