Reverse Engineering .NET Malware
This section focuses on analyzing .NET-based malware using advanced techniques. The lessons center on the SolarWinds Sunburst backdoor, a sophisticated .NET-based threat. Students learn to decompile and examine malware using tools like dnSpy, explore function call trees, and uncover hidden malicious payloads embedded in otherwise legitimate code. Topics include understanding host-fingerprinting methods such as concatenating machine GUIDs and MAC addresses, validating the execution environment, and detecting whether the host is domain-joined.
The course also covers how the malware conducts extensive enumeration of services, processes, and system drivers to evaluate attack viability and escalate privileges. Through step-by-step analysis, participants learn how the malware interacts with DNS and C2 servers, builds HTTP requests with disguised user-agent strings, and exfiltrates configuration files containing sensitive system data. This section equips students with the essential skills to dissect .NET malware and understand its stealth techniques.