Monitoring and Detection: File Analysis

In this lab, you’ll practice hunting malware with YARA and HollowsHunter (PE-Sieve). When you’re finished, you’ll have experience using open-source tooling to identify malware on disk with YARA and extract in-memory payloads with HollowsHunter. You’ll also briefly use CAPA, SpeakEasy and Floss in an automated solution to quickly grab new signatures.

* Our Labs are Available for Enterprise and Professional plans only.
Terms and conditions apply.

Contact sales

Lab info

Level

Beginner

Duration

Released

Jan 23, 2024

Lab author

Aaron Diaz

Aaron Diaz has worked primarily as a government contractor working with different branches of the military and government agencies. Aaron has worked as a Threat Hunter, Malware Reverse Engineer, Software Developer, and a Penetration tester. He is passionate about reverse engineering software and all things related to offensive security (malware/exploit development). During his tenure on a Threat Hunting team, he became the lead Malware Reverse Engineer. This sparked a love for understanding how ... more

Challenge

Getting Started in the Lab Environment

Here are the initial instructions and explanation of the lab environment. Read this while your environment is busy creating itself from nothing. Yes, this violates physics; we know. How fun!

Challenge

Byte scanning with YARA - The Hunt For BloodMoon

This challenge will discuss how YARA rules can be used to identify malware and how they are created. We will go over what makes a good rule and how to identify false positives. Finally, we will use some custom YARA rules to scan the filesystem for malware and upload the file to Sandblast for analysis.

Challenge

Shellcode Extraction with HollowsHunter - BloodMoon Stage2

This challenge will focus on explaining in-memory malware and how we can extract it using tools like HollowsHunter, powered by PE-Sieve. We will run HollowsHunter against the system and see if we can identify the next stage of the malware.

Challenge

The Last Challenge

Welcome to the final challenge! This is your last chance to experiment in the environment. Clicking Finish Lab will end this little world that flittered into existence just for you.

Provided environment for hands-on practice

We will provide the credentials and environment necessary for you to practice right within your browser.

Guided walkthrough

Follow along with the author’s guided walkthrough and build something new in your provided environment!

Did you know?

On average, you retain 75% more of your learning if you get time for practice.

Recommended prerequisites

Fundamental understanding of software/applications and how they are used on Windows.
Familiar with tools used to identify specific attributes of software (Strings, YARA, hashes etc..).
Familiar with concepts of “what” is malware and why it is used by malicious actors.

Ready to skill up
your entire team?

Subscriptions

Continue to checkout Continue to checkout

Cancel

With your Pluralsight plan, you can:

With your 30-day pilot, you can:

Access thousands of videos to develop critical skills
Give up to 50 users access to thousands of video courses
Practice and apply skills with interactive courses and projects
See skills, usage, and trend data for your teams
Prepare for certifications with industry-leading practice exams
Measure proficiency across skills and roles
Align learning to your goals with paths and channels

Ready to skill up
your entire team?

Subscriptions

Continue to checkout

Cancel

With your Pluralsight plan, you can:

With your 30-day pilot, you can:

Access thousands of videos to develop critical skills
Give up to 50 users access to thousands of video courses
Practice and apply skills with interactive courses and projects
See skills, usage, and trend data for your teams
Prepare for certifications with industry-leading practice exams
Measure proficiency across skills and roles
Align learning to your goals with paths and channels

Contact Sales

Monitoring and Detection: File Analysis

Lab info