Difference between revisions of "Spring Training 2017 - Malicious Documents for Blue and Red Teams"

From BruCON 2017

Revision as of 20:37, 16 December 2016

Malicious Documents for Blue and Red Teams

In this training, our resident trainer Didier Stevens will teach you how to both analyse and create malicious files such as PDF, Word and Excel documents. You'll learn how to analyse malicious files as well as create your own for Red teams!

Course Description

In this training you will learn to analyse and create malicious documents. PDF exploits and malicious PDF documents have been on the radar for several years now, together with MS Office files like Word and Excel documents. But do you know how to detect them? And how they are constructed?

This training will teach you how to analyse MS Office files (both “old” OLE and “new” XML formats) and PDF files. PDF files that execute code via exploits. MS Office documents that execute code via macros or exploits. Didier Stevens will teach you how to use his Python tools to analyse PDF documents and MS Office documents, and how to use his tools to create such documents for pentesting. Documents that download and execute a payload, and documents that embed a payload. Documents that bypass sandbox detection, and documents that bypass application whitelisting. But you will also learn to create documents that do simple tracking, to be used as a canary or in a phishing simulation engagement.

By learning how to analyse malicious documents, you will also better understand how to make your own documents for pentesting. Programming skills are not required; some basic experience with scripting is a plus.

Attendees will receive a copy of “PDF Workshop” and “Malicious Documents Part 1 Workshop” videos.

To get a better idea of the training, you can also view the following YouTube videos.

PDF analysis with YARA: https://www.youtube.com/watch?v=yVJTT4TbaaU

MS Office analysis of macros: https://www.youtube.com/watch?v=Mj88jHWdQiM

Learning objectives

  • Deep understanding of the Portable Document Format
  • Analysis of (malicious) PDF files
  • Creation of (malicious) PDF files
  • Deep understanding of the OLE (CBF) file format
  • Deep understanding of Microsoft’s Office Open XML format
  • Analysis of (malicious) MS Office files
  • Creation of (malicious) MS Office files

Course contents

Day 1

  • Introduction to the PDF language
  • Identification of PDF files with pdfid
  • Analysis of PDF files with pdf-parser (20 custom designed exercises)
  • Analysis of real malicious PDF files found “in the wild”

Day 2

  • Introduction to the OLE (CBF) file format
  • Introduction to Microsoft’s Office Open XML format
  • Analysis of MS Office files with oledump (30 custom designed exercises)
  • Analysis of real malicious MS Office files found “in the wild”

Day 3

  • Creation of (malicious) PDF files
  • Creation of (malicious) MS Office files

Requirements

This training is for technical IT security professionals like pentesters, analysts and incident responders, but also for interested hackers. Attendees should be familiar with command line tools.

Hardware/software Requirements

  • A Windows laptop
  • MS Office (this is only needed for day 3, Creation of (malicious) MS Office files)
  • Administrative rights
  • Rights to disable AV


Trainer's Biography


Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Handler, GREM - GIAC Reverse Engineering Malware, CISSP, GSSP-C, MCSD .NET, MCSE/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP, WCNA) is a Senior Analyst working at NVISO.

Didier is a pioneer in malicious PDF document research and malicious MS Office documents analysis, and has developed several tools to help with the analysis of malicious documents like PDF and MS Office files.

You can find his open source security tools on his IT security related blog.

Twitter: @DidierStevens

Links :

Mon. 19 - 21 April 2017 (09:00 - 17:00) (2-day)
