1
00:00:10,360 --> 00:00:13,180
Hello friends, welcome to my course on Malware Analysis and Reverse Engineering.

2
00:00:13,190 --> 00:00:19,240
In this video I'm going to give you a detailed explanation about

3
00:00:19,240 --> 00:00:20,960
the course overview.

4
00:00:21,120 --> 00:00:26,680
Many of you might have seen a quick introduction about this course where I have explained the

5
00:00:26,760 --> 00:00:27,510
overview.

6
00:00:27,660 --> 00:00:32,970
But in this video I want to give you slightly more details about the course and how it's going to proceed

7
00:00:32,970 --> 00:00:33,550
further.

8
00:00:35,400 --> 00:00:41,550
Before we move on I quickly want to introduce myself to the students. So I'm a security enthusiast

9
00:00:41,580 --> 00:00:45,550
and I have been working in the security industry for quite some time now.

10
00:00:45,930 --> 00:00:50,750
I enjoy spending time on stuff that is related to information security.

11
00:00:51,420 --> 00:00:52,900
I have also been a speaker

12
00:00:52,900 --> 00:00:58,560
at eminent conferences like Black Hat and RSA. The reason why I love talking at these conferences

13
00:00:58,560 --> 00:01:04,830
is because it gives me a chance to meet with like-minded people and also kind of create some ears for

14
00:01:04,890 --> 00:01:06,410
what you want to talk about.

15
00:01:07,230 --> 00:01:11,750
I also authored a book titled Metasploit Penetration Testing Cookbook.

16
00:01:11,760 --> 00:01:17,760
The book has been released in three editions now and it's available at all major online bookstores.

17
00:01:17,760 --> 00:01:24,380
I'm also the author of Instant Wireshark. Both these books have been published by Packt Publishing, UK.

18
00:01:24,780 --> 00:01:29,070
You can also follow me on LinkedIn, Twitter or GitHub. The links have been provided here.

19
00:01:31,480 --> 00:01:35,030
Now let us proceed to the course flow view.

20
00:01:35,100 --> 00:01:39,300
So this is the same diagram which I used in the introduction video.

21
00:01:39,820 --> 00:01:46,590
And the reason why I want to talk a bit more about it is because I want you to understand why I'm following

22
00:01:46,590 --> 00:01:48,940
this methodology.

23
00:01:49,030 --> 00:01:57,090
So when the attack happens it basically has certain predefined steps which it takes, or which the attacker

24
00:01:57,100 --> 00:02:00,060
takes, in order to compromise the host.

25
00:02:00,100 --> 00:02:06,220
So what the attacker first does is that it creates a weaponization level, where it targets the victim,

26
00:02:06,220 --> 00:02:14,100
plans the attack, starts doing enumeration on different services, for example what servers

27
00:02:14,110 --> 00:02:20,380
the host is running, what version of HTTP server is there, what version of SQL database is running

28
00:02:20,410 --> 00:02:21,730
and stuff like that.

29
00:02:22,120 --> 00:02:28,830
Once that information is collected by the attacker the next step is to deliver the attack.

30
00:02:29,170 --> 00:02:31,390
Now the delivery of the attack can take place

31
00:02:31,380 --> 00:02:38,770
in multiple ways. For example it can be done through spear phishing or spam emails where the attacker can embed malicious

32
00:02:38,770 --> 00:02:45,640
attachments and send that e-mail to the particular user whose information was collected

33
00:02:45,680 --> 00:02:54,440
in the weaponization phase. Other delivery phases can include exploit kits or PUAs (Potentially Unwanted Applications) etc. We will go into details

34
00:02:54,440 --> 00:02:58,720
of each of these delivery phases in the later videos.

35
00:02:58,790 --> 00:03:03,530
So once the delivery has been done the next step is to exploit the machine.

36
00:03:03,530 --> 00:03:09,050
The reason why the attacker wants to exploit the machine is that a lot of times once you get inside the

37
00:03:09,050 --> 00:03:15,380
system you might not have the right privileges to do advanced activities like taking screenshots or

38
00:03:15,410 --> 00:03:19,010
probably installing malware on the system and things like that.

39
00:03:19,100 --> 00:03:22,040
That's where exploitation comes in handy.

40
00:03:22,280 --> 00:03:30,140
Once exploitation is done the user can basically escalate their privileges to get more permissions on

41
00:03:30,140 --> 00:03:38,700
the system which he or she has compromised. Once the exploitation phase is done the next action that

42
00:03:38,700 --> 00:03:43,730
the attackers want to take is to create persistence on the system.

43
00:03:43,770 --> 00:03:50,100
A lot of times the systems might reboot or you might shut it down and restart it later on.

44
00:03:50,100 --> 00:03:56,320
So how do the attackers ensure that they have persistence on the system that they have compromised?

45
00:03:56,850 --> 00:03:58,980
This is done by different steps.

46
00:03:58,980 --> 00:04:02,870
For example they can create registry entries for startup.

47
00:04:02,880 --> 00:04:08,580
So every time the machine boots up the malware automatically starts on the system.

48
00:04:08,580 --> 00:04:10,340
They can set up cron jobs.

49
00:04:10,440 --> 00:04:16,650
They can set up different WMI scripts and stuff like that. We will go into a lot more detail about each

50
00:04:16,650 --> 00:04:23,370
of these when we'll be analyzing malware because these are very critical in understanding how

51
00:04:23,380 --> 00:04:29,580
malware infects the system and how it kind of creates a foothold into the network and systems that it

52
00:04:29,580 --> 00:04:30,920
has compromised.

53
00:04:31,380 --> 00:04:37,170
So once the persistence has been done and the malware has maintained a foothold into the system and

54
00:04:37,170 --> 00:04:38,010
the network,

55
00:04:38,130 --> 00:04:45,980
the next step is to exfiltrate the data. Data exfiltration would happen by sending stolen data to its command

56
00:04:45,980 --> 00:04:47,200
and control server.

57
00:04:47,390 --> 00:04:49,730
There are different ways by which they do it.

58
00:04:49,790 --> 00:04:52,990
We will be seeing that in much more detail in the later videos.

59
00:04:53,780 --> 00:05:02,570
So this was a quick overview of the entire workflow that an attacker takes and I have designed this course

60
00:05:02,840 --> 00:05:10,100
based on this workflow itself so that we basically don't directly jump into understanding malware, but we

61
00:05:10,100 --> 00:05:13,980
first understand the attacker's mindset, how they craft their attacks,

62
00:05:14,180 --> 00:05:19,980
and only then can we, you know, create an effective defense methodology around each of these steps.

63
00:05:22,050 --> 00:05:28,970
Well, all these steps have been borrowed from a very popular Cyber Kill Chain model.

64
00:05:29,160 --> 00:05:35,260
This model basically lays down the different steps at which an attack takes place.

65
00:05:35,550 --> 00:05:41,190
There are basically seven different steps in the cyber kill chain but I have narrowed it down to five major

66
00:05:41,190 --> 00:05:47,790
steps and this is why I just wanted to quickly give you an idea about the cyber kill chain. We will be going

67
00:05:47,790 --> 00:05:50,580
into the details of these steps in the next video as well.

68
00:05:50,580 --> 00:05:56,870
But I just wanted to let you know that the concept is basically picked up from the cyber kill chain. We will

69
00:05:56,910 --> 00:06:03,840
be mapping all the attacks to these steps and we will be applying the analysis strategies based on how the

70
00:06:03,840 --> 00:06:05,090
activities are performed.

71
00:06:07,410 --> 00:06:10,720
The entire course is divided into sections.

72
00:06:10,960 --> 00:06:15,970
For example the first section is course introduction and overview of the cyber kill chain.

73
00:06:15,990 --> 00:06:21,550
The section will contain multiple lecture videos and along with those lecture videos there will be different

74
00:06:21,610 --> 00:06:23,530
assignments associated with them.

75
00:06:23,890 --> 00:06:25,830
So that's the logical flow.

76
00:06:25,930 --> 00:06:28,370
And that's how Udemy has designed the course.

77
00:06:28,510 --> 00:06:38,570
And this is how we are going to design the entire course around the sections and assignments.

78
00:06:39,110 --> 00:06:40,650
So that's it for this video.

79
00:06:41,480 --> 00:06:42,080
Thanks a lot.