Hack-in-the-Box Amsterdam 2018

Heading home from another great week at Hack-In-The-Box in Amsterdam. I had the opportunity to present on malicious office documents in the COMMSEC track; you can find my slides at the HITB site:

https://conference.hitb.org/hitbsecconf2018ams/sessions/commsec-still-breaching-your-perimeter-a-deep-dive-into-malicious-documents/

or here

https://0xevilc0de.com/cons/2018/hitb_ams/2018_HITB_AMS.pdf

I’ll post the video when it’s available. Looking forward to next year!

Abstract:

Office documents have proven a reliable means of distributing malware. While not a new problem in the industry, they continue to plague the enterprise. In this talk we’ll discuss how to break apart a malicious document – inspect macros, identify the use of embedded objects and discuss social engineering aspects to ensure delivery. We will analyze the details of recent attack trends such as the use of PowerShell, process hollowing and application whitelist bypasses, shellcode, encrypted payloads and embedded content. We will also explore techniques used by malicious documents that do not rely on macros and even samples targeting OS X. This will be a fast-paced talk that will prepare you to deal with any malicious document.

The following topics will be covered:

  • Prevalence of Office Documents in malware distribution attacks
  • Anatomy of an attack leveraging a maldoc
  • Analysing macros with Oledump and the Office IDE
  • Debugging Macros
  • Macro Obfuscation (and use of Windows API)
  • Social Engineering
  • Use of forms to store secondary content (embedded executables, shellcode)
  • Staging and Executing shellcode, includes coverage of process hollowing
  • Macro use of PowerShell
  • Macro use of VB Scripts
  • Creative ways of deobfuscating code
  • Code execution without macros
  • Attacking OS X