{"id":435,"date":"2018-06-03T10:05:39","date_gmt":"2018-06-03T10:05:39","guid":{"rendered":"https:\/\/www-new.brucon.org\/2018\/?page_id=435"},"modified":"2018-06-09T13:59:57","modified_gmt":"2018-06-09T11:59:57","slug":"malicious-documents-for-blue-and-red-teams","status":"publish","type":"page","link":"https:\/\/archive.brucon.org\/2018\/brucon-2018-training\/malicious-documents-for-blue-and-red-teams\/","title":{"rendered":"Malicious Documents for Blue and Red Teams"},"content":{"rendered":"<div class=\"wpb-content-wrapper\"><p>[vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Course_Description\" class=\"mw-headline\">Course Description<\/span><\/h2>\n<div class=\"thumb tright\">\n<div class=\"thumbinner\">\n<div class=\"thumbcaption\">\n<div class=\"magnify\">\n<p>In this training you will learn to analyse and create malicious documents. PDF exploits and malicious PDF documents have been on the radar for several years now. Together with MS Office files like Word and Excel documents. But do you know how to detect them? And how they are constructed?<\/p>\n<p>This training will teach you how to analyse MS Office files (both \u201cold\u201d OLE and \u201cnew\u201d XML formats) and PDF files. PDF files that execute code via exploits. MS Office documents that execute code via macros or exploits. Didier Stevens will teach you how to use his Python tools to analyse PDF documents and MS Office documents, and how to use his tools to create such documents for pentesting. Documents that download and execute a payload, and documents that embed a payload. Documents that bypass sandbox detection, and documents that bypass application whitelisting. But you will also learn to create documents that do simple tracking, to be used as a canary or in a phishing simulation engagement.<br \/>\nThis is not an exploit development training. 
In the few cases where exploits are used, it will be known, documented exploits.<\/p>\n<p>By learning how to analyse malicious documents, you will also better understand how to make your own documents for pentesting. Programming skills are not required; some basic experience with scripting is a plus.<\/p>\n<p>Attendees will also receive a copy of Didier&#8217;s private &#8220;Red Booklet&#8221;, a collection of red team recipes, several of these never published.<\/p>\n<p>To get a better idea of the training, you can also view the following YouTube videos.<\/p>\n<p>PDF analysis:<\/p>\n<p><iframe width=\"267\" height=\"200\" src=\"https:\/\/www.youtube.com\/embed\/ns5rJAPOaso?feature=oembed\" frameborder=\"0\" allow=\"autoplay; encrypted-media\" allowfullscreen><\/iframe><\/p>\n<p>MS Office analysis of macros:<\/p>\n<p><iframe width=\"267\" height=\"200\" src=\"https:\/\/www.youtube.com\/embed\/Mj88jHWdQiM?feature=oembed\" frameborder=\"0\" allow=\"autoplay; encrypted-media\" allowfullscreen><\/iframe><\/p>\n<p>Red Team office:<\/p>\n<p><iframe width=\"267\" height=\"200\" src=\"https:\/\/www.youtube.com\/embed\/cDSR4ATsqiQ?feature=oembed\" frameborder=\"0\" allow=\"autoplay; encrypted-media\" allowfullscreen><\/iframe><\/p>\n<p>Learning objectives:<\/p>\n<ul>\n<li>Deep understanding of the Portable Document Format<\/li>\n<li>Analysis of (malicious) PDF files<\/li>\n<li>Creation of (malicious) PDF files<\/li>\n<li>Deep understanding of the OLE (CBF) file format<\/li>\n<li>Deep understanding of Microsoft\u2019s Office Open XML format<\/li>\n<li>Analysis of (malicious) MS Office files<\/li>\n<li>Creation of (malicious) MS Office files<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Course_contents\" class=\"mw-headline\">Course contents<\/span><\/h2>\n<p>Day 1<\/p>\n<p>Introduction to the PDF language<br \/>\nIdentification of PDF files with pdfid<br \/>\nAnalysis 
of PDF files with pdf-parser (20 custom designed exercises)<br \/>\nAnalysis of real malicious PDF files found \u201cin the wild\u201d<\/p>\n<p>Day 2<\/p>\n<p>Introduction to the OLE (CBF) file format<br \/>\nIntroduction to Microsoft\u2019s Office Open XML format<br \/>\nAnalysis of MS Office files with oledump (30 custom designed exercises)<br \/>\nAnalysis of real malicious MS Office files found \u201cin the wild\u201d<\/p>\n<p>Day 3<\/p>\n<p>Creation of (malicious) PDF files<br \/>\nCreation of (malicious) MS Office files<br \/>\nRequirements<br \/>\nThis training is for technical IT security professionals like pentesters, analysts and incident responders, but also for interested hackers. It&#8217;s recommended to be familiar with command line tools. Programming knowledge is not required.[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Hardware.2Fsoftware_Requirements\" class=\"mw-headline\">Requirements<\/span><\/h2>\n<p>TO BE ADDED[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Requirements\" class=\"mw-headline\">Hardware\/Software requirements<\/span><\/h2>\n<ul>\n<li>A Windows laptop<\/li>\n<li>MS Office (this is only needed for day 3, Creation of (malicious) MS Office files)<\/li>\n<li>Administrative rights<\/li>\n<li>Rights to disable AV<\/li>\n<\/ul>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Target_audience\" class=\"mw-headline\">Testimonials<\/span><\/h2>\n<p>&#8220;<em>Presented the material in a very logical way, increased the difficulty step by step. 
Added some extra info related to the analysis, such as heap-spray, python scripting etc.<\/em>&#8221;<\/p>\n<p>&#8220;<em>Great value for money!<\/em>&#8221;<\/p>\n<p>&#8220;<em>It is clear that Didier can rely on many years of experience in the trenches of information security, and he is gifted with the exceptional skill of transferring his knowledge in a clear and relaxed way.<\/em>&#8221;[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column][vc_column_text]<\/p>\n<h2><span id=\"Trainer_Biography\" class=\"mw-headline\">Trainer Biography<\/span><\/h2>\n<p>[\/vc_column_text][\/vc_column][\/vc_row][vc_row][vc_column width=&#8221;5\/6&#8243;][vc_column_text]Didier Stevens (Microsoft MVP Consumer Security, SANS ISC Senior Handler, GREM &#8211; GIAC Reverse Engineering Malware, GCIH, CISSP, GSSP-C, MCSD .NET, MCSE\/Security, MCITP Windows Server 2008, RHCT, CCNP Security, OSWP, WCNA) is a Senior Analyst working at NVISO (<a href=\"https:\/\/www.nviso.be\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.nviso.be<\/a>).<\/p>\n<p>Didier is a pioneer in malicious PDF document research and malicious MS Office document analysis, and has developed several tools to help with the analysis of malicious documents like PDF and MS Office files.<\/p>\n<p>You can find his open source security tools on his IT security related blog\u00a0<a href=\"https:\/\/blog.didierstevens.com\/\" target=\"_blank\" rel=\"noopener\">https:\/\/blog.didierStevens.com<\/a>[\/vc_column_text][\/vc_column][vc_column width=&#8221;1\/6&#8243;][vc_single_image image=&#8221;1054&#8243;][\/vc_column][\/vc_row][vc_row][vc_column][vc_empty_space][\/vc_column][\/vc_row]<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>[vc_row][vc_column][vc_column_text] Course Description In this training you will learn to analyse and create malicious documents. PDF exploits and malicious PDF documents have been on the radar for several years now. Together with MS Office files like Word and Excel documents. 
But do you know how to detect them? And how they are constructed? This training will teach you how to analyse MS Office files (both \u201cold\u201d OLE and \u201cnew\u201d XML formats) and PDF files. PDF&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":75,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-435","page","type-page","status-publish"],"_links":{"self":[{"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/pages\/435","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/comments?post=435"}],"version-history":[{"count":4,"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/pages\/435\/revisions"}],"predecessor-version":[{"id":1413,"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/pages\/435\/revisions\/1413"}],"up":[{"embeddable":true,"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/pages\/75"}],"wp:attachment":[{"href":"https:\/\/archive.brucon.org\/2018\/wp-json\/wp\/v2\/media?parent=435"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}