COMMSEC: Still Breaching Your Perimeter – A Deep Dive Into Malicious Documents

Office documents have proven a reliable means of distributing malware. While not a new problem in the industry, they continue to plague the enterprise. In this talk we’ll discuss how to break apart a malicious document – inspect macros, identify the use of embedded objects and discuss social engineering aspects to ensure delivery. We will analyze the details of recent attack trends such as the use of PowerShell, process hollowing and application whitelist bypasses, shellcode, encrypted payloads and embedded content. We will also explore techniques used by malicious documents that do not rely on macros and even samples targeting OS X. This will be a fast-paced talk that will prepare you to deal with any malicious document.

The following topics will be covered:

  • Prevalence of Office documents in malware distribution attacks
  • Anatomy of an attack leveraging a maldoc
  • Analysing macros with oledump and the Office IDE
  • Debugging macros
  • Macro obfuscation (and use of the Windows API)
  • Social engineering
  • Use of forms to store secondary content (embedded executables, shellcode)
  • Staging and executing shellcode, including process hollowing
  • Macro use of PowerShell
  • Macro use of VBScript
  • Creative ways of deobfuscating code
  • Code execution without macros
  • Attacking OS X

COMMSEC TRACK
Location: Track 4 / CommSec
Date: April 12, 2018
Time: 5:30 pm - 6:00 pm
Speaker: Josh Stroschein