Most malware analysts and incident responders lack either the
equipment or the knowledge to dissect macOS malware. With increasing
corporate use of macOS devices, organizations must be prepared to
analyze malware and threats that target macOS.
This course uses a practical, hands-on approach to introduce the
tools and methodologies learners need to analyze malware that targets
the macOS platform.
Course topics include macOS-specific static and dynamic analysis
tools and techniques to quickly uncover host- and network-based
indicators, analysis of compiled Objective-C code and Cocoa
applications using IDA Pro, and the use of the lldb debugger in dynamic
analysis. Demonstrations and hands-on labs with real malware will
enable learners to immediately apply this knowledge.
After completing this course, learners should be able to:
- Learn macOS internals relevant to malware analysis
- See how to create a safe malware analysis environment in
- Explore the tools and methodologies used to perform basic analysis, and extract host- and network-based indicators from malware without running it
- Discover tools and methodologies used to analyze malware behavior by executing it in a safe
- Acquire disassembly techniques specific to
- Practice malware debugging in the macOS environment and how it can be used to monitor and change its behavior at run time
Who Should Attend
Malware analysts, incident responders, intel analysts, information
security staff, forensic investigators, or others requiring an
understanding of how macOS-specific malware works and how to analyze it.
Training or experience in Windows malware analysis, familiarity with
object-oriented programming, the x86 architecture, IDA Pro and
Unix-like operating systems is required.
What to Bring
Students must bring their own MacBook with VMware Fusion 7+
installed. Laptops should have at least 30 GB of free space. A
currently licensed copy of a fully updated IDA Pro that supports the
x86_64 architecture is required. It can be for any OS, as long as it
is accessible on the MacBook.