SEARCH
TOOLBOX
LANGUAGES
Difference between revisions of "Spring Training 2016 - Analysing Malicious Documents"

Difference between revisions of "Spring Training 2016 - Analysing Malicious Documents"

From BruCON 2017

Jump to: navigation, search
(Created page with "=Analysing Malicious Documents= ===Course Description=== PDF exploits and malicious PDF documents have been on the radar for several years now. Together with MS Office files...")
 
(Course Description)
 
(10 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
=Analysing Malicious Documents=
 
=Analysing Malicious Documents=
 +
One of our resident trainers and fellow Belgian, Didier Stevens, will teach you how to analyse malicious PDF or MS Office documents using his own created Phyton tools in this 2-day course!
  
 
===Course Description===
 
===Course Description===
Line 8: Line 9:
 
Didier’s Python tools also use YARA rules to detect shellcode or other indicators of executable code. Didier will explain his YARA rules, and teach you how to tweak them and build your own.
 
Didier’s Python tools also use YARA rules to detect shellcode or other indicators of executable code. Didier will explain his YARA rules, and teach you how to tweak them and build your own.
  
Attendees will receive a personal license to Didier Stevens Labs’ “PDF Workshop” videos.  
+
Attendees will receive a personal license to Didier Stevens Labs’ “PDF and MS Office Analysis Workshop” videos.  
  
 
To get a better idea of the training, you can also view the following YouTube videos Didier produced:
 
To get a better idea of the training, you can also view the following YouTube videos Didier produced:
 
<youtube>yVJTT4TbaaU</youtube>
 
<youtube>yVJTT4TbaaU</youtube>
 
<youtube>Mj88jHWdQiM</youtube>
 
<youtube>Mj88jHWdQiM</youtube>
 +
 +
  
 
Learning Objectives
 
Learning Objectives
Line 37: Line 40:
 
* Analysis of real malicious MS Office files found “in the wild”
 
* Analysis of real malicious MS Office files found “in the wild”
  
= Requirements =  
+
= Target audience =  
This training is for technical IT security professionals like analysts and incident responders, but also for interested hackers. Be familiar with command line tools.
+
This training is for technical IT security professionals like analysts and incident responders, but also for interested hackers.  
 +
 
 +
= Requirements =
 +
 
 +
Be familiar with command line tools.
  
 
= Hardware/software Requirements =
 
= Hardware/software Requirements =
  
 +
* A Windows laptop is preferred, although the Python tools pdfid, pdf-parser and oledump also work on OSX and Linux
 +
* Administrative rights
 +
* Rights to disable AV
  
=Trainers Biography=
+
=Trainer Biography=
 
[[File:Didier_Stevens.png|thumb|125px]]
 
[[File:Didier_Stevens.png|thumb|125px]]
 
Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Handler, GREM - GIAC Reverse Engineering Malware, CISSP, GSSP-C, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP, WCNA) is an IT Security Consultant currently working at a large Belgian financial corporation.
 
Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Handler, GREM - GIAC Reverse Engineering Malware, CISSP, GSSP-C, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP, WCNA) is an IT Security Consultant currently working at a large Belgian financial corporation.
Line 58: Line 68:
 
* [http://blog.didierstevens.com/screencasts-videos/ Screencast and Video's]
 
* [http://blog.didierstevens.com/screencasts-videos/ Screencast and Video's]
  
''Mon. 20 - 21 October 2015 (09:00 - 17:00) (2-day)''
+
''Wed. 20 - 21 April 2016 (09:00 - 17:00) (2-day)''
  
 
[[File:Register.jpg||link=https://registration.brucon.org/training-registration/]]
 
[[File:Register.jpg||link=https://registration.brucon.org/training-registration/]]
  
 
[[Training|Back to Training Overview]]
 
[[Training|Back to Training Overview]]

Latest revision as of 22:39, 16 December 2015

Analysing Malicious Documents

One of our resident trainers and fellow Belgian, Didier Stevens, will teach you how to analyse malicious PDF or MS Office documents using his own created Phyton tools in this 2-day course!

Course Description

PDF exploits and malicious PDF documents have been on the radar for several years now. Together with MS Office files like Word and Excel documents. But do you know how to detect them? And how they are constructed?

This training will teach you how to analyse PDF files and MS Office files (both “old” OLE and “new” XML formats). PDF files that execute code via exploits. MS Office documents that execute code via macros or exploits. Didier Stevens will teach you how to use his Python tools to analyse PDF documents and MS Office documents.

Didier’s Python tools also use YARA rules to detect shellcode or other indicators of executable code. Didier will explain his YARA rules, and teach you how to tweak them and build your own.

Attendees will receive a personal license to Didier Stevens Labs’ “PDF and MS Office Analysis Workshop” videos.

To get a better idea of the training, you can also view the following YouTube videos Didier produced:


Learning Objectives

  • Deep understanding of the Portable Document Format
  • Analysis of (malicious) PDF files
  • Deep understanding of the OLE (CBF) file format
  • Deep understanding of Microsoft’s Office Open XML format
  • Analysis of (malicious) MS Office files

Course outline

Day 1

  • Introduction to the PDF language
  • Identification of PDF files with pdfid
  • Analysis of PDF files with pdf-parser (20 custom designed exercises)
  • Analysis of real malicious PDF files found “in the wild”

Day 2

  • Introduction to the OLE (CBF) file format
  • Introduction to Microsoft’s Office Open XML format
  • Analysis of MS Office files with oledump (30 custom designed exercises)
  • Analysis of real malicious MS Office files found “in the wild”

Target audience

This training is for technical IT security professionals like analysts and incident responders, but also for interested hackers.

Requirements

Be familiar with command line tools.

Hardware/software Requirements

  • A Windows laptop is preferred, although the Python tools pdfid, pdf-parser and oledump also work on OSX and Linux
  • Administrative rights
  • Rights to disable AV

Trainer Biography

Didier Stevens.png

Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Handler, GREM - GIAC Reverse Engineering Malware, CISSP, GSSP-C, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP, WCNA) is an IT Security Consultant currently working at a large Belgian financial corporation.

Didier is a pioneer in malicious PDF document research and malicious MS Office documents analysis, and has developed several tools to help with the analysis of malicious documents like PDF and MS Office files. In 2012, Didier founded his own company Didier Stevens Labs. You can find his open source security tools on his IT security related blog (see below)

More information is available on Didier Stevens Blog


300px-twitter-icon.jpg @DidierStevens

Links :

Wed. 20 - 21 April 2016 (09:00 - 17:00) (2-day)

Register.jpg

Back to Training Overview