Workshop Information: From EK to DEK: Analyzing Document Exploit Kits


    Title: From EK to DEK: Analyzing Document Exploit Kits

    Instructor: Josh Reynolds

    Abstract: Exploit Kits haven't disappeared; they've simply moved to Microsoft Office. Traditional Exploit Kits (EKs) fingerprint and compromise web browser environments, but with the advent of browser sandboxing and other hardening, attackers have shifted toward the Microsoft Office environment as a primary attack surface. Document Exploit Kits (DEKs) leverage DCOM, ActiveX controls, and logic bugs to compromise machines, packing multiple exploits into a single file.

    In this workshop you will learn how to analyze exploits, shellcode, and infection chains produced by modern Document Exploit Kits such as ThreadKit and VenomKit.

    This workshop is aimed at security professionals who want hands-on experience with reverse engineering, malware analysis and exploit development. Previous experience in any of these areas will help attendees complete the workshop in a timely fashion. The skills taught are most applicable to blue team roles, such as security operations center (SOC) analysts, incident responders, intel analysts, and reverse engineers. Those who work in or are interested in red team roles will find the content useful for re-implementing these techniques in offensive exercises.

    The following tools will be used in this workshop:

    - rtfobj for OLE object extraction
    - x64dbg for dynamic analysis of exploits, shellcode, and infection chains
    - procmon and procexp for dynamic analysis of infection chains
    - IDA Pro for static analysis of vulnerable applications and shellcode
    - ffdec for static analysis of Adobe Flash exploits
    - FakeNet-NG and Wireshark for network traffic analysis
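
    What rtfobj does in the first of those steps, as an added example that is not part of the workshop material: a small Python extractor that pulls every `\objdata` hex blob out of an RTF and parses the OLE 1.0 object header, so the analyst can see how many objects a document carries and which COM class (ProgID) Office will load for each. The RTF sample, the two ProgIDs in it ("Package" and "Equation.3") and the placeholder payload bytes are all constructed here for illustration; the header layout follows the public MS-OLEDS structures.

```python
"""Extract embedded OLE 1.0 objects from RTF, the job rtfobj does.
Added example for this page, not workshop material. The RTF sample and its
payloads are constructed below so the script runs offline."""
import re
import struct

# \objdata destination followed by its hex payload (whitespace allowed); the
# negative lookahead stops a longer control word from matching.
OBJDATA_RE = re.compile(rb"\\objdata(?![A-Za-z])([0-9A-Fa-f\s]*)")


def lp_ansi_string(s: str) -> bytes:
    """LengthPrefixedAnsiString (MS-OLEDS 2.1.4): 4-byte length counting the
    terminating NUL, then the NUL-terminated string."""
    data = s.encode("ascii") + b"\x00"
    return struct.pack("<I", len(data)) + data


def build_ole10_embedded(class_name: str, native_data: bytes) -> bytes:
    """Serialise an OLE 1.0 EmbeddedObject (MS-OLEDS 2.2.5): ObjectHeader,
    then NativeDataSize and NativeData. Only used to build the sample."""
    header = (struct.pack("<I", 0x00000501)   # OLEVersion
              + struct.pack("<I", 2)          # FormatID 2 = embedded object
              + lp_ansi_string(class_name)    # ClassName (ProgID)
              + lp_ansi_string("")            # TopicName
              + lp_ansi_string(""))           # ItemName
    return header + struct.pack("<I", len(native_data)) + native_data


def read_lp_string(buf: bytes, off: int):
    """Decode a LengthPrefixedAnsiString at buf[off]; return (text, new_off)."""
    (n,) = struct.unpack_from("<I", buf, off)
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise ValueError("truncated LengthPrefixedAnsiString")
    return raw.rstrip(b"\x00").decode("latin-1"), off + 4 + n


def parse_ole10(blob: bytes) -> dict:
    """Parse one decoded \\objdata blob into its header fields and native
    payload; raise on truncation so a malformed object is not accepted silently."""
    ole_version, format_id = struct.unpack_from("<II", blob, 0)
    class_name, off = read_lp_string(blob, 8)
    topic_name, off = read_lp_string(blob, off)
    item_name, off = read_lp_string(blob, off)
    obj = {"ole_version": ole_version, "format_id": format_id,
           "class_name": class_name, "topic_name": topic_name,
           "item_name": item_name, "native_data": b""}
    if format_id == 2:  # embedded object: NativeDataSize + NativeData follow
        (size,) = struct.unpack_from("<I", blob, off)
        obj["native_data"] = blob[off + 4:off + 4 + size]
        if len(obj["native_data"]) != size:
            raise ValueError("NativeDataSize exceeds available data")
    return obj


def extract_objects(rtf: bytes) -> list:
    """One dict per \\objdata destination. Malformed objects are kept as
    {"error": ...} so the count still shows how many objects were packed in."""
    objects = []
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a dangling nibble
            hexstr = hexstr[:-1]
        try:
            objects.append(parse_ole10(bytes.fromhex(hexstr.decode("ascii"))))
        except (ValueError, struct.error) as exc:
            objects.append({"error": str(exc)})
    return objects


def build_sample_rtf() -> bytes:
    """Constructed RTF with two embedded objects, mimicking a DEK that packs
    several payloads into one document. ProgIDs and payloads are illustrative."""
    def objdata(blob: bytes) -> bytes:
        hexs = blob.hex().encode("ascii")
        # real documents wrap the hex across lines; the extractor must cope
        wrapped = b"\r\n".join(hexs[i:i + 64] for i in range(0, len(hexs), 64))
        return b"{\\*\\objdata " + wrapped + b"}"
    obj1 = build_ole10_embedded("Package", b"MZ" + b"\x90" * 30)
    obj2 = build_ole10_embedded("Equation.3", b"EQN-PLACEHOLDER")
    return (b"{\\rtf1\\ansi "
            + b"{\\object\\objemb{\\*\\objclass Package}" + objdata(obj1) + b"}"
            + b"{\\object\\objemb{\\*\\objclass Equation.3}" + objdata(obj2) + b"}}")


if __name__ == "__main__":
    for i, obj in enumerate(extract_objects(build_sample_rtf()), 1):
        if "error" in obj:
            print(f"object {i}: malformed ({obj['error']})")
        else:
            print(f"object {i}: class={obj['class_name']!r} "
                  f"native={len(obj['native_data'])} bytes "
                  f"head={obj['native_data'][:4]!r}")
```

    Run it against a real sample and compare with rtfobj's output. The class name is the useful field: it names the COM server Office will load to render the object, which is the application to put under x64dbg or IDA Pro in the later steps, and the native payload is what you carve out for shellcode analysis.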

    Level: Intermediate

    Prerequisites:
    - A basic understanding of Microsoft Windows operating system internals
    - A basic understanding of exploit development
    - A programming background with C/C++ and/or x86 assembly
    - Experience with debugging binary applications
    - Optional: Experience with reverse engineering and/or malware analysis on Microsoft Windows

    Required Materials: Students will be provided with a virtual machine to use during the workshop. They will need to bring a laptop that meets the following requirements:

    - The laptop must have VirtualBox installed and working (VMware is not supported).
    - The laptop must be able to allocate 2GB of RAM to a guest OS while still leaving enough RAM for the host OS to run stably.
    - The laptop must have at least 60GB of free disk space; 100GB is preferred.
    - The laptop must be able to mount USB storage devices (bring the appropriate adapter if needed).