BruCON 0x0A

In recent years malscripts and file based exploits have become a main delivery method for malware. Malscripts are often heavily obfuscated and they can take many different forms including WScript, Javascript, macros, and PowerShell. There has also been been a rise in document based exploits used to deliver and execute these malscripts. As a result incident responders and malware analysts need to be comfortable analyzing different document formats, identifying potential exploits, and analyze malscripts.

In this workshop you will work through the triage of a live malware delivery chain that includes a malicious document, malicious scripts, and a final malware payload. During this process you will be exposed to different document based exploits, and you will practice the skills required to manually analyze malscripts. This workshop focuses on the fundamental analysis techniques used when identifying, deobfuscating, and analyzing maldocs and malscripts. However, we will also provide an introduction to automaton tools and techniques that can be used to speed up the analysis process.

This workshop is aimed at junior incident responders, hobby malware analysts, and general security or IT practitioners who are interested in learning more about the malware triage process. If you have no experience with malware analysis but you have a good understanding of scripting languages like VBScript, and Javascript, and you are familiar with windows internals you should have no problem completing the workshop.

You will be provided with a VirtualMachine to use during the workshop, please make sure to bring a laptop that meets the following requirements. Your laptop must have VirtualBox installed and working (VMWare is not supported). Your laptop must have at least 60GB of disk space free, preferably 100GB. Your laptop must be able to mount USB storage devices. Make sure you have the appropriate dongle if you need one.