{"id":1845,"date":"2019-06-10T20:40:11","date_gmt":"2019-06-10T18:40:11","guid":{"rendered":"https:\/\/archive.brucon.org\/2019\/?page_id=1845"},"modified":"2019-06-10T20:46:43","modified_gmt":"2019-06-10T18:46:43","slug":"malicious-documents-for-red-teams","status":"publish","type":"page","link":"https:\/\/archive.brucon.org\/2019\/brucon-2019-training\/malicious-documents-for-red-teams\/","title":{"rendered":"Malicious Documents for Red Teams"},"content":{"rendered":"

[vc_row][vc_column][vc_column_text]<\/p>\n

Course Description<\/h2>\n

Malicious Office documents have been on the radar for several years now. Together\u00a0with malicious PDF documents. But do you know how to create and tailor them efficiently to achieve successful read team engagements?\u00a0This training will first teach you how to analyse MS Office files (both \u201cold<\/em>\u201d OLE and \u201cnew<\/em>\u201d XML formats) and PDF files, to better understand how to create them and evade detection. PDF files that execute code via exploits. MS Office documents that execute code via macros or exploits. Didier Stevens will teach you how to use his Python tools to analyse MS Office documents and PDF documents. Then we will move on to the creation of malicious documents.<\/p>\n

In this training, Didier will teach you how to use his tools for Microsoft Office and PDF creation for\u00a0offensive security. Several of these tools are private, but you get to keep them when you take this training. Most of the time we will use Excel, because its rows and columns offer a convenient substitute for a graphical user interface. But the techniques work with all applications\u00a0that fully support VBA (Visual Basic for Applications), like Word, but also non-office applications\u00a0like AutoCAD.<\/p>\n

We will use VBA programs and write our own programs that penetration testers need. VBA has an\u00a0interface to the Windows API. We will learn to use this API to perform pentesting actions from\u00a0within Office, like a port scan, and also how to use this API to inject and execute shellcode inside\u00a0the Word\/Excel process. And building on this shellcode technique, we will also learn how to package our own DLLs so that they can execute in Word\/Excel\u2019s process memory, without touching the disk.\u00a0This is not a programming class. Knowledge of VBA is not required. Some basic scripting skills\u00a0like knowledge of for loops and if statements are useful. The basics of VBA will be explained in\u00a0class, and we will learn to use Didier\u2019s tools and how to modify them to suit the task at hand. No\u00a0exploits are necessary to achieve this goal, everything can be done with VBA without requiring\u00a0vulnerabilities. We will learn how to reuse VBA functions and modules from the provided\u00a0 tools to create goal-specific documents (Word, Excel, \u2026).<\/p>\n

Over the years, Didier has developed many tools and techniques to \u201cabuse VBA\u201d. These tools will\u00a0be explained and used during this training. Some of these tools have never been published, but you\u00a0will receive them all (Didier\u2019s public and private tools) when you attend this class. Non-exhaustive\u00a0list of Didier\u2019s tools shared during this class:<\/p>\n