I have often recommended the book Practical Malware Analysis (PMA) by Michael Sikorski and Andrew Honig; however, the book was originally published in 2012 and there have been no updates to the core book, so whenever I recommend it I have to add caveats about the age of the book and of some of the tools it uses. Some of the content is evergreen, but a lot has also changed in the world of malware in terms of tools and types of malware.
I have often looked for books to recommend in place of PMA, but have had difficulty finding anything as solid and educational. In October 2021, the Practical Malware Analysis and Triage course (PMAT) became available from TCM-Sec and it has become my new top recommendation.
PMAT is a spiritual successor of the PMA book and teaches the same basic techniques. The goal of this review is to introduce the course, encourage administrators and those new to malware analysis to check out the course, and draw some contrasts between the PMA book and the PMAT course.
The course was created by HuskyHacks. It is intended for absolute beginners but can also be of great help to those who already have some exposure to malware analysis. Students are given basic instructions for setting up a safe and isolated lab. HuskyHacks is able to update the course regularly to clarify content and is readily available in a Discord server dedicated to the course.
Like PMA, PMAT teaches malware analysis in four phases: basic static analysis, basic dynamic analysis, advanced static analysis, and advanced dynamic analysis. This allows the student to receive a comprehensive introduction to malware analysis: starting from looking at human readable strings in a binary (basic static analysis), but also being exposed to assembly language and debugging (advanced static and advanced dynamic analysis).
Why administrators and others should be interested
Even the most basic of the skills taught in the course can be immensely helpful for a system administrator or anyone needing to triage malware. For example, being able to pull static strings from a malicious binary makes it much easier to find more information about the malware: even if you don't do a full analysis yourself, the strings, hashes and other findings from a quick look at a sample can often be used to locate published analysis of that malware, and this course teaches you how to do that. Finding existing analysis of a binary helps identify other indicators, which in turn helps you resolve an infection and understand the impact of the malware.
Understanding the impact of malware is an important thing for administrators. In many cases, I see administrators reformatting a device after malware was found without taking the time to understand the impact of the malware. For malware such as Solarmarker, the most significant impact was stolen credentials, so reformatting a PC resolves the infection, but does not mitigate the most significant damage. So I often recommend for individuals to try to get a basic understanding of a malware infection in order to determine what was compromised and what additional actions may need to be taken. Reformatting is still a good practice, but you don’t want to reformat and find further compromise later because the initial infection was not understood.
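The basic static analysis step described above, as an added example that is not part of the course or the original post: extract printable strings from a sample (what the `strings` tool does), flag the kinds of strings that are worth a second look during triage, and turn a few of them into a first YARA rule like the ones the course has students write. The sample bytes, the `example.invalid` URL, the TEST-NET address and the small API list are all constructed for illustration.

```python
import re

# Constructed stand-in for a malware sample: an MZ header fragment, some junk
# bytes, and a handful of embedded ASCII strings of the kind triage looks for.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"kernel32.dll\x00\x00CreateRemoteThread\x00VirtualAllocEx\x00"
    b"\x01\x02\x03http://example.invalid/gate.php\x00\x00"
    b"192.0.2.10\x00\x07\x08ab\x00"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

# Printable ASCII runs of at least min_len characters, in file order.
def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

# Small illustrative subset of APIs associated with process injection;
# a real triage list would be much longer.
INJECTION_APIS = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory"}
PATTERNS = {
    "url": re.compile(r"^(https?|ftp)://"),
    "ipv4": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),
    "registry_run_key": re.compile(r"CurrentVersion\\Run", re.I),
}

# Group the interesting strings by category; uninteresting ones are dropped.
def classify(strings: list[str]) -> dict[str, list[str]]:
    hits: dict[str, list[str]] = {k: [] for k in [*PATTERNS, "injection_api"]}
    for s in strings:
        if s in INJECTION_APIS:
            hits["injection_api"].append(s)
        for name, pat in PATTERNS.items():
            if pat.search(s):
                hits[name].append(s)
    return {k: v for k, v in hits.items() if v}

def _yara_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')

# Emit a YARA rule that requires an MZ header plus every chosen string.
def yara_rule(name: str, strings: list[str]) -> str:
    lines = [f"rule {name} {{", "  strings:"]
    for i, s in enumerate(strings):
        lines.append(f'    $s{i} = "{_yara_escape(s)}"')
    lines += ["  condition:", "    uint16(0) == 0x5A4D and all of them", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    found = classify(extract_strings(SAMPLE))
    print(found)
    print(yara_rule("triage_example", found["injection_api"] + found["url"]))
```

A rule built only from strings seen in one sample is a starting point for hunting, not a verdict; the course's note-keeping guidance is what turns such findings into a report.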
PMA compared to PMAT
PMAT has many things to recommend it over the PMA book. This section will compare the two, but also give you an idea of what is found in both resources.
In contrast to the PMA book, the PMAT course consists of videos and labs. This gives students hands-on experience and a visual understanding of every tool used in the course.
PMAT introduces malware types that were not relevant for PMA in 2012. Malware types addressed in PMAT include the following:
- malicious PowerShell scripts,
- malicious VBA,
- malicious Go binaries,
- mobile malware,
- malicious C# binaries.
I say "introduces" because there is only one lab for most of these malicious file types. While more samples would be desirable, the course does a good job of not going too deep while still providing basic guidance that can then be applied to real-world samples.
One thing that made PMA great was having many samples from the authors of the book. PMAT still accomplishes this by having 20 labs in total and by having walk-throughs of each of the labs. Both PMA and PMAT do a good job of providing the student tasks and allowing them to examine the samples on their own before receiving the answers.
PMAT aims at beginners and, as a result, omits important topics that are covered in PMA but are more specialized and more advanced. The following advanced topics do not make it into PMAT:
- static analysis with IDA Pro and Ghidra; Cutter is used instead, which keeps the course simpler without spending immense time learning how to navigate IDA or Ghidra.
- rootkits; the course only discusses user-level malware, which seems appropriate for the general audience. User-level malware is also the most common and most relevant to beginning analysts.
- anti-analysis, anti-sandbox and anti-debugging techniques used by malware; like PMA, PMAT uses a simulated network to avoid tripping some sandbox detection, but the topic itself is not discussed at length.
- different types of binary packing; the idea of packing is discussed and examples are given, but there is no in-depth discussion of unpacking malware.
These omissions make sense for the course, and the course does not suffer from them.
In addition to the analysis portions, the PMAT course includes rule writing and report writing. These processes are critical for communicating with teammates and the security community. The course specifically focuses on YARA rules and gives guidance throughout on keeping notes during analysis.
Conclusion: Selling points
As mentioned above, PMAT is now what I recommend to people first getting into malware analysis. The course is very accessible in terms of learning and being exposed to tools. If students have any difficulty, they can also get help from HuskyHacks or others in the course Discord.
Not only is it accessible in terms of exposure to tools and being guided through using them; the course is also accessible in terms of cost. The course is normally $30 (half the price of the 2012 PMA book), much cheaper than most other training, and can often be bought at a discount using a coupon code from TCM-Sec. This makes the course financially accessible to almost anyone.
If you read this and decide to buy the course, I'd be happy to know. I often hang out in the course Discord and hope to see you there.