How to Register
Since space is limited for each of these free workshops, we recommend that you register via the virtual event platform as soon as you receive your access (around Wednesday, September 16).
Advanced Binary Analysis
Discover practical advanced binary analysis techniques like code emulation, symbolic execution and dynamic instrumentation to help deal with and understand obfuscated and packed executables.
This workshop introduces advanced binary analysis concepts that are often required when reverse engineering executables protected by digital rights management (DRM) solutions or malicious software that attempts to hide behavior through code obfuscation and various indirections.
Participants will work on a tailor-made binary that simulates a packed and obfuscated malware dropper and apply the techniques learned to defeat its obfuscation and unpack each stage in order to recover and analyze the final payload. The solution to each stage will be presented and explained in detail. At the end of the workshop, attendees will be able to write emulation scripts using Python and the Unicorn engine, use dynamic instrumentation to automate unpacking, and perform selective symbolic execution and constraint solving to analyze program behavior.
Template Injection in Action
Template engines are libraries mainly used to design views for web applications. Their use helps simplify common design tasks for developers. However, they may introduce new risks if they are used in an improper way. Template injection is a vulnerability class that emerged in 2016. Exploiting this type of issue requires specific knowledge of the template library or the language being used underneath. Knowing vulnerability basics is often insufficient to be effective. For these reasons, we are proposing a practical workshop that focuses on template injection vulnerabilities. The training will cover various template engines in different programming languages (PHP, Python and Java).
This workshop will be a unique opportunity to have access to live vulnerable applications. The participants will receive a complete introduction to the topic with step-by-step instructions to complete the exercise.
Cypher for Defenders: Leveraging Bloodhound Data Beyond the UI
BloodHound stores Active Directory (AD) data in a Neo4j database. The UI allows you to get some information out of the box, but that is only the tip of the iceberg. Using Cypher, if you can think it, you can visualize it!
The workshop will start with a quick presentation of BloodHound (BH). This is to make sure everybody understands the product, as I very often meet security practitioners who have never heard of the tool.
The participants will be provided with test data, either in JSON format (a few KB) that can be imported into the BH UI or as a Neo4j database. The reason to provide both is that BH is now detected by many AV products as a hacking tool and I don’t want to exclude participants who come with their work computer. Those files will be provided ahead of time via Dropbox or a similar file sharing site.
The first part of the workshop will go over the various objects present in BH (Computers, Groups, OUs, Domains, etc.) and the properties of those objects. We will learn how to interact with them using both the UI and the Neo4j Web Console (NWC). We will then take the prebuilt queries from the BH UI and run them in the NWC. From there we will start modifying them and see what impact that has. Debugging techniques will be shown.
After that we will move on to more advanced query types, for example multiple relationships and chaining queries together. A few examples will be provided and the participants will be able to replicate the queries and see the results.
Finally, the participants will receive a list of questions and will need to build the Cypher queries themselves in order to find the answers. I will be there to assist them and debug their queries as needed.
PyRDP: Remote Desktop Protocol Monster-in-the-Middle (MITM) and Library
PyRDP is a Remote Desktop Protocol (RDP) monster-in-the-middle (MITM) tool and library useful in intrusion testing and malware research. Its out-of-the-box offensive capabilities can be divided into three broad categories: client-side, MITM-side and server-side. On the client side, PyRDP can actively steal any clipboard activity, crawl mapped drives and collect all keystrokes. On the MITM side, PyRDP records everything on the wire in several formats (logs, JSON events), allows the attacker to take control of an active session and performs a pixel-perfect recording of the RDP screen. On the server side, on-logon PowerShell or command injection can be performed when a legitimate client connects.
Over the last year, we implemented several features that we are going to demonstrate in this demo-oriented workshop: a headless mode that allows deployment on systems with fewer resources or without an X11 stack, a fully transparent layer-2 deployment capability leveraging IP_TRANSPARENT sockets, a brand new Windows Graphical Device Interface (GDI) implementation and the ability to convert recorded sessions into MP4 videos.
On the malware research side, PyRDP can be used as part of a fully interactive honeypot. It can be placed in front of a Windows RDP server to intercept malicious sessions. It can replace the credentials provided in the connection sequence with working credentials to accelerate compromise and malicious behavior collection. It also saves a visual and textual recording of each RDP session, which is useful for investigation or for generating IOCs. Additionally, PyRDP saves a copy of the files that are transferred via the drive redirection feature and the clipboard, allowing it to collect malicious payloads.
Malicious Network Data Analysis Using Open-Source Tools
Fully understanding a botnet often requires a researcher to go beyond standard reverse-engineering practice and explore the malware’s network traffic. The latter can provide meaningful information on the evolution of a malware’s activity. However, it is often disregarded in malware research due to time constraints and publication pressures.
The workshop is about overcoming such constraints by providing a powerful workflow to conduct quick analysis of malicious traffic. The data science approach presented capitalizes on open-source tools (Wireshark/Tshark, Bash with GNU parallel) and valuable Python libraries (Pandas, Numpy and Plotly). During the workshop, participants will do practical technical labs with datasets created during a botnet investigation. They will learn how to quickly find patterns, plot graphs and interpret data in a meaningful way. Although the exercises will focus on botnet data, the tools and skills learned will be useful in all sorts of contexts. Moreover, to ensure that participants get the most out of the workshop, it will be built in a way that allows them to easily replicate the data analysis environment at home and reproduce similar analyses with their own traffic data.
The workshop will be divided into three sections. The first section will present the contextual information needed for participants to start the practical technical labs. The second section will focus on scaling Pcap data extraction and analysis. The third section will emphasize graphs and the use of the Python libraries to analyze a large amount of traffic.
Section 1 – Contextual Information
Section 2 – Pcap data extraction and analysis
- Lab 1 – Extract SOCKS Traffic with Tshark (Wireshark’s command-line interface)
- Lab 2 – Introduction to Jupyter notebook and its shell integration (xargs, parallel)
Section 3 – Data manipulation and graphs
- Lab 3 – Manipulate dataframes with network traffic with Pandas
- Lab 4 – Graph data using Plotly
We will provide a hosted environment in which the tools (tshark, bash, GNU parallel, Jupyter notebook, Pandas, Numpy, Plotly) will be installed and the notebooks, data and exercises will all be available.