SANS FOR610 Live Online Training Experience

SANS FOR610 (Image Credits: SANS Institute)

I attended the FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques Live Online Training streamed from Amsterdam between January 20-25, 2025.


Xavier Mertens was the amazing instructor who delivered this training! I was super excited as this was my first live SANS training and totally enjoyed the experience :)


This is a super intensive and fun training!




Initial Impression of FOR610:


  • At this point, I was already doing malware analysis at my workplace, but it was limited entirely to static and dynamic analysis. I always wanted to advance my malware analysis skills to reverse-engineering so I could look under the hood of malicious programs. Hence, doing FOR610 had been on my to-do list for a very long time! That time came when I saw the Live Online Training schedule and enrolled myself for it.

  • From my colleagues and others in my professional network who had taken FOR610 previously, I heard that the course was outdated and had not been updated in years. This made me unsure whether to take this course or delay it for some months so that the course could be updated.

  • I reached out to Xavier before the course started and asked about this, and he assured me that the course undergoes regular updates, although not as fast as other SANS Forensics courses.

  • So, when I received the course materials, I quickly checked what year the course material was from, and it turned out that the course is from 2023! This gave me a kind of relief from all the doubts I had :)



Technical Setup:

FOR610 Training Technical Setup
  • Since I own an Apple Silicon (M-series) Mac, which cannot run the VMs provided for the training, I had to use an Intel Mac Mini (i7) for the labs. Of course, I had to switch back and forth between the labs and the training and reconnect the external screen, but being able to watch and do things on a large external screen is fantastic!

  • FOR610 Lab VMs still run on Intel-based CPUs and are not compatible with any ARM-based CPUs.


Instructor:


  • Xavier is a dynamic and engaging instructor with amazing energy throughout the class. I love his teaching style and his ability to break down intricate concepts into simple, memorable lessons, making complex topics easily understandable to all. Xavier enriches his sessions with a wealth of tips, tricks, and case studies, drawing from his extensive experience with past training examples and writing SANS Internet Storm Center (ISC) diaries. He ensures that learning is thorough by pacing the lessons well, never rushing through slides or material. Even when technical glitches occur, Xavier maintains his composure, using the opportunity to teach resilience in real-time problem-solving. And yes, he often surprises students with bonus tips that weren't part of the current curriculum—like a magician revealing tricks from retired acts! I’ll always remember his line when analyzing a sample: “What do we do now? We make the malware happy!”


Xavier iconic pose!

  • I managed to capture an iconic pose of Xavier while teaching :)


  • To be honest, he was making sure the camera was moving/tilting when he was teaching and explaining the slides.


  • Sometimes the camera didn't respond at all, even after Xavier did his iconic pose!







Day 1:

FOR610 Day 1 Snap

FOR 610 Day 1
  • Day 1 focused on the traditional static and dynamic analysis of samples. This included the tools and techniques used for both, along with the emulation approach for executables. A primer on using x64dbg was also shown. The most interesting part was the networking module, which demonstrated how network monitoring and emulation can be used to extract network indicators from a suspicious file during analysis.



Day 2:

FOR610 Day 2

  • Day 2 focused on disassembling code and analyzing it with Ghidra to view and reverse functions, identify control flow, and recognize API patterns. This involved working entirely in Ghidra and exploring its functionality.



Day 3:

FOR610 Day 3
  • Day 3 focused on analyzing various suspicious file types like PDF, Microsoft Office documents, RTF, and JS. This is my favorite section, as these file types affect not just Windows but also macOS and Linux!



Day 4:

FOR610 Day 4
  • Day 4 focused on packing and unpacking malware samples. This was another very interesting module, where we used the debugger to step through packed malware and ProcDot to visualize the activities performed by the malicious file during dynamic analysis. Another highlight was the introduction to shellcode and debugging it! We also explored .NET malware and the code injection techniques employed by malware.



Day 5:

FOR610 Day 5
  • Day 5 focused on self-defending malware and how to deal with and bypass it when encountered during analysis. Another interesting topic was process hollowing and the use of SEH to misdirect an analyst.



Day 6:

FOR610 Day 6 CTF Challenge Leaderboard
  • This was all about the FOR610 CTF, for which we had 6 hours of playtime! I managed to finish in 6th position. The CTF really tests the skills and knowledge shared across the 5 days of training.



NetWars:

SANS Netwars Leaderboard
  • NetWars was organized over 2 days for 3 hours each day, but I wasn't able to play and enjoy it to the fullest due to the time zone difference and the fact that it was held after a full day of training. NetWars started at 11 PM IST :(



My Thoughts:


Pros:


  1. Interaction:

    • In Live Online Training you get to learn from and interact with the instructor directly, rather than with the SME students who answer your queries when you take a SANS On-Demand Training bundle, and you have the access and opportunity to interact with the course instructor/author.

  2. Recordings:

    • You get access to the Live Training recordings, which are far better than the On-Demand bundle videos. On-Demand videos are mostly 2-5 minutes long and, in some cases, may be longer.

  3. Slack workspace:

    • Live Online Training gives you access to a Slack workspace where you can interact with the other students taking the course with you, and you can interact with the SANS instructors/authors of not just your course but other courses too! This is super nice to have!

  4. Student/TA Support:

    • Amazing TA support whenever someone is stuck. The TAs, both virtual and in-person, were quick to respond and address any queries.

  5. Evaluations:

    • SANS takes the evaluations very seriously and addresses them the very next day. On all 5 days of training, students are given an evaluation form to collect feedback on what could be improved, and how, across all aspects of the training: instructor, course content, delivery platform, student/TA support, etc.

  6. You have the option to be added to the invite-only REM-alumni discussion mailing list for those who have completed the FOR610 training or earned the GREM cert!



Cons:


  1. Affordability:

    • SANS courses/trainings are not at all affordable, but considering the market value and brand, they are way superior to other training vendors. Not everyone can shell out $10k for a SANS training unless they are assisted by their employer, taking it as part of sans.edu or their company's discount/voucher program, or via the SANS Work Study program.

    • The training alone comes with a price tag of around $8900. And of course, anyone would like to attempt the exam and get certified, which adds another $999 to the bill!

  2. Timing:

    • Live Online Trainings for SANS courses are generally held in a different time zone from the one you reside in, which is challenging for anyone attending.

  3. OS:

    • The course is very much Windows-focused, so if you are into Linux and macOS, you will feel a bit sad.

  4. Labs:

    • The course lab VMs work only on Intel-based machines and not ARM. You would need an Intel-based Windows/macOS/Linux machine.

  5. Course Content:

    • The course does not touch on malware written in Rust and Go programming languages.

    • The course materials include only x86 ASM and not ARM.

  6. Netwars:

    • After attending the full-day training, you hardly have the energy to play NetWars on 2 separate days if you are attending from a different time zone than the in-person event. NetWars is open for 3 hours/day for 2 days.



Conclusion:


  • Although the course states that no prerequisites are required, you definitely need some basics like ASM and static and dynamic analysis to follow the course.

  • The course does not cover all the basics, so it is better to pair it with related books and other supplements like courses, videos, and blogs.



Overall Impression:


  • The overall training was fantastic! Live Online is probably the best mode of learning compared to On-Demand, which comes with shorter videos on each topic.

  • Huge shoutout to Xavier for delivering this training. I would definitely recommend taking up the FOR610 course as I enjoyed it thoroughly! Waiting for FOR710 to get SANS certification so that I can take it up later!

  • That's all, I'm off prepping for the GREM cert now!

©2025 by malwr4n6.