Ridgeline Skill

For IR Practitioners, SOC Analysts, and Threat Hunters

Aligned to MITRE ATT&CK · STIX 2.1

Malware Triage

Focused skills. One capability. Production-ready.

Answer every question the IR team needs about a suspicious binary in 30 minutes — without opening a disassembler. Static properties, string analysis, sandbox execution, reputation lookup, and indicator extraction in a repeatable triage workflow.

Text-based · Persistent labs on your own hardware · 2 free modules available now · Content last updated: May 2026

What you'll deploy
Malware triage workflow from initial sample to IOC extraction
Safe analysis environment configuration
Behavioral analysis techniques for unknown samples

The problem this solves

Malware triage is the 30-minute assessment between "we found a suspicious file" and "here's what the IR team needs to know." It's not reverse engineering — you don't disassemble the binary, trace execution paths, or decode custom protocols. Triage extracts surface-level indicators from file properties, embedded strings, PE structure, sandbox behavior, and reputation services. Those indicators feed containment decisions, YARA rules, network blocks, and the IR report.

Most practitioners either skip triage entirely (sending the file to a sandbox and waiting) or over-invest (spending hours in IDA Pro when 15 minutes with PEStudio would answer every question the SOC needs). This skill builds the middle ground — methodical triage that's thorough enough for IR and fast enough for active incidents.

What you will be able to do

1. Examine a suspicious file's static properties — PE headers, section characteristics, imports, strings, embedded resources — and classify it as likely malware, likely benign, or needs further analysis within 15 minutes.

2. Use hash-based reputation lookups across VirusTotal, MalwareBazaar, and threat intelligence platforms to determine if the sample is known, what family it belongs to, and what prior analysis exists.

3. Execute samples safely in a sandbox (ANY.RUN, Triage, Joe Sandbox) and read the behavioral report: process creation, file system changes, registry modifications, network connections, and dropped files.

4. Extract actionable IOCs from both static and behavioral analysis: file hashes, C2 IPs/domains, mutex names, registry paths, dropped file names, user agents — packaged for immediate use by the IR team.

5. Write a triage report that answers the five questions every IR team needs: what is it, what does it do, how bad is it, what should we block, and do we need deeper analysis?

Skill at a glance

Format: Ridgeline Skill — focused, practical, one topic

Sections: 5 content sections + guided lab

Tier: Premium subscription

Prerequisites: Basic understanding of PE file format (if you've seen a file header in a hex editor, you have enough). The Practical IR course gives you the investigation context, and the YARA skill teaches how to turn triage findings into detection rules.

Typical pace: 1-2 weeks at a few hours per week

What you leave with

Triage checklist: A step-by-step static + behavioral triage workflow you can execute against any suspicious file in under 30 minutes.

IOC extraction template: A structured format for packaging indicators from triage — ready to hand to the SOC for blocking or to the detection engineer for rule creation.

Triage report template: The 5-question report format that gives the IR team everything they need to make containment decisions without waiting for a full reverse engineering report.

Sections

Five focused sections plus a guided triage lab. Every sample and report uses the Northgate Engineering investigation thread.

MT0.1
Static Triage: File Properties, Strings, and PE Analysis — File metadata, magic bytes, PE header analysis with PEStudio. Section names, entropy, imports, exports, resources, and manifest. Strings analysis: extracting C2 domains, mutex names, registry paths, error messages. Rich header, compile timestamp, and PDB path as attribution indicators. 10-minute static triage workflow.
MT0.2
Hashing, Reputation, and Threat Intel Lookup — MD5, SHA1, SHA256, imphash, ssdeep (fuzzy hash). VirusTotal: detection ratio, behavioral reports, community comments, relations graph. MalwareBazaar, Hybrid Analysis, and AlienVault OTX. OSINT enrichment: Shodan for C2 infrastructure, URLhaus for distribution URLs. When reputation says "clean" but the file is suspicious — what to do next.
MT0.3
Behavioral Triage: Sandbox Execution and Report Analysis — Submitting samples to ANY.RUN, Triage (Hatching), and Joe Sandbox. Reading the behavioral report: process tree, file system activity, registry changes, network connections, DNS queries, dropped files. What the sandbox misses: environment-aware malware, time-delayed execution, VM detection. Interpreting Suricata and YARA alerts from sandbox output.
MT0.4
Indicator Extraction and IOC Packaging — Extracting IOCs from static and behavioral analysis. File indicators: hashes, filename patterns, file sizes, PE characteristics. Network indicators: C2 IPs, domains, URIs, user agents, JA3/JA3S hashes. Host indicators: mutex names, registry paths, scheduled task names, service names, file paths. Packaging in STIX 2.1, OpenIOC, and CSV for SIEM import. Confidence levels for each indicator type.
MT0.5
Triage Reporting: Enough to Action, Not Enough to Publish — The 5-question triage report: What is it? What does it do? How bad is it? What should we block? Do we need deeper analysis? Writing for the IR team (actionable, specific, decisive) vs writing for threat intelligence (comprehensive, attributed, contextualised). When to stop triaging and escalate to a reverse engineer. Time-boxing: the 30-minute and 2-hour triage gates.
Lab
Guided Lab: Triage the INC-2026-0501 Beacon — You receive the SHA256 hash of the beacon recovered from NE-WS-042. Perform the complete triage workflow: static analysis of PE properties, reputation lookup across VirusTotal and MalwareBazaar, sandbox report analysis, IOC extraction, and triage report. Produce the 5-question report and an IOC package ready for the SOC to deploy as network and endpoint blocks.
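The static pass that MT0.1 and MT0.2 describe (hashes for reputation lookup, section table and per-section entropy as a packing indicator) can be scripted with the Python standard library alone. The following is an added example written for this page, not course material or the output of PEStudio; the 7.0 bits/byte packing threshold is a common heuristic, not a course-defined value, and the sample PE is constructed inline so the script runs offline.

```python
import hashlib, math, struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform/random, native code is usually 5-6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 for reputation lookups (VirusTotal, MalwareBazaar)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def parse_pe(data: bytes) -> dict:
    """Walk the COFF header and section table by hand (no pefile dependency)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, stamp, opt_size = struct.unpack_from("<HI8xH", data, e_lfanew + 6)  # NumberOfSections, TimeDateStamp, SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, _vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_size": rsize, "entropy": shannon_entropy(raw)})
    return {"compile_timestamp": stamp, "sections": sections}

def triage(data: bytes, packed_threshold: float = 7.0) -> dict:
    """The static pass: hashes plus any section whose entropy suggests packing/encryption."""
    pe = parse_pe(data)
    pe["hashes"] = file_hashes(data)
    pe["suspect_packed"] = [s["name"] for s in pe["sections"] if s["entropy"] > packed_threshold]
    return pe

def build_sample_pe() -> bytes:
    """Constructed two-section PE: not runnable code, just headers the parser can walk."""
    text = b"Hello from .text" * 8   # printable, low entropy (3.375 bits/byte)
    packed = bytes(range(256)) * 2   # uniform bytes, entropy 8.0
    data_start = 0x40 + 24 + 40 * 2  # DOS header + PE sig/COFF header + two section entries
    def section(name, offset, blob):  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        return struct.pack("<8sIIIIIIHHI", name, len(blob), 0x1000, len(blob), offset, 0, 0, 0, 0, 0x60000020)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHI8xHH", 0x14C, 2, 0x6640A000, 0, 0x102)  # i386, 2 sections, no optional header
    return (dos + coff + section(b".text", data_start, text)
            + section(b".packed", data_start + len(text), packed) + text + packed)
```

Run `triage(open(path, "rb").read())` against a real sample to get the hash set for MT0.2 lookups and the section list for the MT0.1 entropy check; a high-entropy section named anything other than a resource or data section is the usual first hint of a packer.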

Where triage fits in your workflow

Triage sits between evidence collection and deep analysis. During an IR engagement, you recover suspicious files from KAPE collections, memory dumps, or endpoint sweeps. Triage tells you what each file is and what it does — fast enough to inform containment decisions. The IOCs from triage feed into YARA rules (YARA skill), Sigma detections (Sigma skill), and network blocks.

What this skill is not

This is not a reverse engineering course. You will not use IDA Pro, Ghidra, x64dbg, or any disassembler. You will not trace execution paths, decode custom protocols, or write decompiler plugins. Those skills require months of dedicated study and are needed by malware analysts, not IR practitioners. This skill teaches the triage layer that 90% of practitioners need for 90% of incidents.