Malicious Document Analysis [HITB+ CYBERWEEK 2021]

$2,299.00

Duration

2 days

Delivery Method

virtual

Level

intermediate

Seats Available

20

ATTEND ONLINE: Virtual via Zoom and LMS

DATE: 22-23 November 2021

TIME: 09:00 to 17:00 GST/GMT+4

Date    Day      Time                   Duration
22 Nov  Monday   09:00-17:00 GST/GMT+4  8 Hours
23 Nov  Tuesday  09:00-17:00 GST/GMT+4  8 Hours

This course explains, through practical and real examples, how to analyze malicious documents, which are today's main vector of malware infection and, contrary to common intuition, can be very hard to analyze. During the class, students will learn how to perform static and dynamic analysis of different document types such as PDF, DOC/DOCX, XLS/XLSX, RTF, MSI and so on, in which adversaries use many anti-forensic tricks such as obfuscated shellcode, embedded documents, obfuscated scripts and many other tactics.

The class (almost 100% practical) is guided by practical examples: the instructor analyzes real malicious documents in real time while students follow along at the same time.

The course is composed of the following topics:

1. Introduction

2. Creating a lab and fundamental concepts

3. Analyzing Malicious PDF Documents

4. Analyzing Malicious MS Office Documents

5. Analyzing Malicious MS Office Documents – Dynamic Analysis

6. Miscellaneous

Students will analyze, in real time, several document files (and files in other formats) over two days, which makes this an almost 100% hands-on course!

Agenda

  • Introduction (slides)

    This very short section presents the motivation for learning malicious document analysis. A real fact (provided by Kaspersky in 2019 and 2020) is that about 70% of malware compromise cases occurred through the use of malicious documents as a vector. * There is no hands-on lab in this section.

  • Creating a lab and fundamental concepts (slides + hands-on)

    This section explains and shows how to create a suitable lab for experimenting with malicious documents. Additionally, the internal structure of a PDF file is explained to help students in their analysis. * There is no hands-on lab in this section.

  • Analyzing Malicious PDF documents (completely practical)

    This section presents several real PDF documents to be analyzed in real time by the instructor and students. These malicious PDF documents use several tricks such as embedded shellcode, embedded obfuscated scripts, embedded malicious Microsoft Office documents, hidden executables, encoding and so on. * This is a completely practical (hands-on based) section, in which the instructor proposes the malicious documents and solves them step by step together with students. Additionally, a few exercises are proposed to be solved by students alone.

  • Analyzing Malicious MS Office Documents (completely practical)

    This section presents several real malicious Microsoft Office documents to be analyzed in real time by the instructor and students. Different formats are covered, such as doc/docx, xls/xlsx, ppt/pptx and rtf documents. In these malicious samples, adversaries use different tricks such as VBA and JavaScript obfuscation, encoding and multi-stage packing. * This is a completely practical (hands-on based) section, in which the instructor proposes the malicious documents and solves them step by step together with students. Additionally, a few exercises are proposed to be solved by students alone.

  • Analyzing Malicious MS Office Documents – Dynamic Analysis (completely practical)

    This section presents several real malicious Microsoft Office documents to be analyzed in real time by the instructor and students using a dynamic approach. Different formats are covered, such as doc/docx, xls/xlsx and so on. In these malicious samples, adversaries use different tricks such as VBA and JavaScript obfuscation, encoding, password locking and multi-stage packing. * This is a completely practical (hands-on based) section, in which the instructor proposes the malicious documents and solves them step by step together with students. Additionally, a few exercises are proposed to be solved by students alone.

  • Miscellaneous (completely practical)

    This section is composed of a mixed batch of documents to be analyzed by students during the hands-on lab. They will use their newly learned knowledge to analyze different malicious documents without any kind of hint. A final note: this course is almost 100% hands-on and offers 35 examples solved in real time by the instructor and students together.
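As an added example (not part of the course materials or of any tool the course uses), the following Python script shows the kind of static first-pass triage the PDF section above describes: it counts action and script keywords in a PDF, undoes the name hex-escaping that hides them from naive grep (the name /Java#53cript is the same as /JavaScript to a PDF reader), and inflates FlateDecode streams so that keywords buried in compressed objects are still counted. The sample PDF is constructed inline for the example; the keyword list and the function names are my own choices, not the course's.

```python
import re
import zlib
from collections import Counter

# PDF name keywords that commonly appear in document-based attack chains
# (actions that run on open, script objects, launched programs, embedded files).
# /ObjStm is counted because object streams can hide the other keywords inside
# compressed data. Keyword list chosen for this example; extend as needed.
SUSPICIOUS_KEYWORDS = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
    b"/Launch", b"/EmbeddedFile", b"/ObjStm", b"/RichMedia",
)

# Matches the body of a PDF stream object (binary content between the
# 'stream' and 'endstream' keywords). DOTALL because bodies contain newlines.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex-escaping: /Java#53cript decodes to /JavaScript, so a
    keyword scan must compare the decoded form."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def strip_streams(data: bytes) -> bytes:
    """Replace stream bodies with empty bodies so raw compressed bytes are
    neither scanned for keywords nor mangled by name normalization."""
    return STREAM_RE.sub(b"stream\nendstream", data)


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated decompressed bodies of every stream that inflates
    cleanly as zlib (FlateDecode); streams using other filters are skipped."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(bodies)


def triage(pdf: bytes) -> dict:
    """Count suspicious keywords across the visible object dictionaries and the
    inflated stream contents, after undoing name hex-escaping in both."""
    scan_text = (normalize_names(strip_streams(pdf)) + b"\n"
                 + normalize_names(inflate_streams(pdf)))
    counts = Counter()
    for kw in SUSPICIOUS_KEYWORDS:
        # Negative lookahead keeps /JS from matching a longer name such as /JSx
        pattern = re.escape(kw) + rb"(?![A-Za-z])"
        counts[kw.decode()] = len(re.findall(pattern, scan_text))
    return dict(counts)


def is_suspicious(pdf: bytes) -> bool:
    """Flag a document that can execute something on open or carries scripts
    or embedded payloads; a human analyst then takes over."""
    c = triage(pdf)
    return any(c[k] for k in ("/JavaScript", "/JS", "/OpenAction",
                              "/AA", "/Launch", "/EmbeddedFile"))


def build_sample() -> bytes:
    """Constructed sample (not a real malware sample): a tiny PDF whose catalog
    has an /OpenAction pointing at a JavaScript action with a hex-escaped name,
    plus a FlateDecode stream hiding a /Launch action dictionary."""
    hidden = zlib.compress(b"<< /Type /Action /S /Launch >>")
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n"
        b"4 0 obj << /Length " + str(len(hidden)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + hidden + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    sample = build_sample()
    for keyword, n in triage(sample).items():
        print(f"{keyword:<14} {n}")
    print("suspicious:", is_suspicious(sample))
```

A plain byte search over the sample would report no /JavaScript and no /Launch at all; the decoded-name and inflated-stream counts are what make the open-action chain visible. The script is a triage aid only: a hit says where to look next with a full PDF parser, and a clean result says nothing about streams using filters other than Flate.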

Why You Should Take This Course

In the last few years, malicious documents have been the main malware infection vector in 70% of incidents, so they have become the main weapon for spreading malware and starting attacks against companies and governments around the world. Contrary to common perception, this kind of artifact can be complicated to analyze: it usually tries to evade detection and makes analysis a harder task through techniques such as obfuscation, shellcode and other tricks to evade sandbox detection, and its common use is to download binaries from the Internet to proceed with the infection chain. Understanding how to analyze these documents and learning their goals is important for tracing how criminals could try to compromise a company's defenses.

Who Should Attend

Basically, any professional working as a threat hunter, system administrator or digital forensic investigator, and beginners in malware analysis and/or reverse engineering.

Key Learning Objectives

  • Learn the mechanics of malicious document analysis using real and difficult malicious samples.

  • Learn real tricks used by adversaries.

  • Learn how to defeat anti-forensic tactics such as obfuscated scripts, encoded shellcodes, malware samples using multiple packing stages and so on.

Prerequisite Knowledge

Windows, Windows administration and programming.

Hardware / Software Requirements

1. Laptop with two guest virtual machines (on VMware or VirtualBox): the first one running Windows (7, 8 or 10, with Microsoft Office 2010 or 2016 installed) and the second one running Ubuntu 18/20 or Kali Linux (newest version). Disable any kind of antivirus or Windows Defender on the Windows virtual machine. A Windows evaluation version can be downloaded here: https://www.microsoft.com/en-us/evalcenter/evaluate-windows
2. Each virtual machine should have 2 GB RAM, with the shared folder feature enabled.
3. USB should be working on both virtual machines.
4. (Optional) Install and configure the Malwoverview tool from https://github.com/alexandreborges/malwoverview
5. Additionally, students will need to register and obtain the public API keys offered by VirusTotal (http://www.virustotal.com), Hybrid-Analysis (https://www.hybrid-analysis.com/), Malshare (https://malshare.com/), URLHaus (https://urlhaus.abuse.ch/), Polyswarm (https://polyswarm.io/), Malpedia, AlienVault (https://otx.alienvault.com/api) and Triage (https://tria.ge/signup).