Learning Path (Beginner + Intermediate)

Windows Malware

From static triage to advanced unpacking, process injection, C2 extraction, and MITRE ATT&CK-mapped DFIR reports, all in isolated FLARE-VM labs.

Save 79 EUR

Lab tools you will use

  • FLARE-VM
  • x64dbg
  • PE-Studio
  • Procmon
  • Process Explorer
  • CAPA
  • YARA
  • FakeNet-NG
  • Wireshark
  • Autoruns
  • DIE
  • FLOSS
  • Scylla
  • PE-sieve
  • CyberChef
  • Sigma

Included Courses

BEGINNER

Windows Malware Beginner

Master the fundamentals of Windows malware analysis: static triage, dynamic execution, C2 detection, persistence hunting, and MITRE ATT&CK mapping in a guided FLARE-VM lab environment.

1 guided lab · 12h

INTERMEDIATE

Windows Malware Intermediate

Advanced Windows malware analysis: defeat anti-analysis evasion, manually unpack binaries, analyze process injection and hollowing, extract C2 configurations, and produce professional DFIR reports.

2 guided labs · 14h

Why Choose the Full Pack?

Get the Beginner + Intermediate courses bundled together and unlock exclusive extras.

  • Beginner + Intermediate courses (26h)
  • All 4 guided labs with isolated VMs
  • All per-module + certification exams
  • 2 HTK certificates (Beginner + Intermediate)
  • Extra consolidation lab
  • Lifetime access + priority support
  • Access to the HTK community

Price: 199 EUR (regular price 278 EUR)

Roadmap

Each phase maps to a course module; scroll to reveal your full progression from beginner fundamentals to intermediate mastery.

Phase 1 (Beginner): Introduction to Malware & Analysis Environments

Start your Windows malware journey with Windows Malware Beginner.

  • Malware taxonomy by capability: ransomware, stealers, RATs, loaders, bots
  • Anatomy of a modern infection chain: dropper → loader → payload → persistence → C2
  • Professional analysis workflow: static triage → dynamic execution → correlation → documentation
Phase 2 (Beginner): Initial Static Analysis

  • Analyzing samples without execution: PE structure, sections, entropy, imports, resources, and strings
  • Early detection of packing and obfuscation with DIE, PEStudio, and PEview
  • Extracting stable IOCs: hashes, domains, file paths, mutexes, configuration artifacts
Phase 3 (Beginner): Basic Dynamic Analysis

  • Controlled execution workflow: snapshot → monitors → execute → filter → export → rollback
  • Process and thread observation with Procmon and Process Explorer
  • Filesystem, registry, and network monitoring (DNS, HTTP, beaconing, C2 patterns)
Phase 4 (Beginner): C2 Communication & Basic Persistence

  • Command and Control fundamentals: protocols, beaconing patterns, periodicity, and telemetry
  • Reading HTTP/HTTPS and DNS traffic in malware context with Wireshark and FakeNet-NG
  • Windows persistence mechanisms: Run keys, Startup folder, ASEPs, scheduled tasks, services
Phase 5 (Beginner): End-to-End Lab Case + MITRE ATT&CK Mapping

  • MITRE ATT&CK for analysts: behavior language, not ID memorization
  • Guided end-to-end case: static triage → dynamic analysis → IOC extraction → ATT&CK mapping
  • Mapping 2–4 real techniques with concrete evidence
Phase 6 (Intermediate): Evasion & Anti-Analysis Techniques

Advance into complex scenarios with Windows Malware Intermediate.

  • Analyst friction techniques: packing, obfuscation, anti-debug, anti-VM, anti-sandbox, and environment checks
  • Playbook for neutralizing execution bias and detecting behavior changes with/without debugger
  • MITRE ATT&CK mapping of evasion techniques including virtualization/sandbox detection families
Phase 7 (Intermediate): Basic Unpacking with x64dbg

  • Complete manual unpacking workflow: identify packing → follow stub → locate OEP → dump image → reconstruct IAT
  • Criteria for validating whether a dump is correct and reusable for further analysis
  • Controlled scenarios with UPX and lab packers using x64dbg and Scylla
Phase 8 (Intermediate): Advanced Dynamic Analysis: Injection & Process Hollowing

  • Code injection into legitimate processes: shellcode injection, DLL injection, and process hollowing (RunPE)
  • Distinguishing suspicion from technical confirmation with evidence correlation
  • Timeline correlation between processes, image loads, and memory artifacts
Phase 9 (Intermediate): Advanced C2 Traffic Analysis + Configuration Extraction

  • Identifying realistic C2 in HTTP/HTTPS/DNS: beaconing, jitter, rotation/fallback, dynamic resolution, DGA patterns
  • Analyzing encrypted traffic: metadata, timing analysis, payload sizes, and endpoint patterns
  • Basic configuration extraction: C2 server lists, URIs, sleep intervals, jitter values, and operational flags
Phase 10 (Intermediate): End-to-End Case: From Sample to Professional Report

  • Complete intermediate pipeline integration: static triage → unpacking → advanced dynamic analysis → C2 + config → ATT&CK mapping → final report
  • Professional DFIR report standard for SOC, IR, and Threat Hunting teams
  • Guided end-to-end case with controlled lab sample

Windows Malware Learning Path: Beginner to Intermediate Cybersecurity Course | HackTheKnowledge