At the end of this workshop, participants should have:
+ Created their own Microsoft 365 Developer tenant for experimenting (free)
+ Set up a Visual Studio development environment for C++ application development, or used a provided VM
+ Used Python to authenticate to Microsoft, collect authentication tokens, and obfuscate the tokens for embedding in the implant
+ Built, from provided C++ code, a custom implant that uses Teams as a C2 channel to communicate
+ Tested the implant to run remote commands and inject shellcode
+ Reviewed Sysmon events to see how such an implant could be detected by the blue team
+ Looked at the information available to reverse engineers analyzing the implant
This workshop is for red teams AND blue teams (threat hunters, reverse engineers). Red teams love having a new way to communicate with an implant over a channel that blends in with most corporate network environments. Threat hunters get value from testing ways to detect anomalies in endpoint behavior, and from learning how to find and defeat common anti-analysis tricks while reverse engineering the implant. The tricks used in this code include resolving API calls by hashed values, injecting shellcode into other processes, and multi-byte XOR string obfuscation.
Participants will finish the workshop with their own M365 developer tenant (free) and a working implant DLL keyed to their own tenant, which they can deploy using regsvr32, rundll32, or APC queue injection into Teams processes. Participants will also get a brief introduction to reverse engineering malware.
I will bring some USB drives containing a VMware VM and some other USB drives with a VirtualBox VM, both completely set up with all the software tools and configured to be ready to go, making it easy for participants. I know that some people don’t trust a pre-built VM and prefer to set up their own, so I will also share a video and written instructions for getting a VM set up using the free Windows 11 Developer VM from Microsoft. A VM is not strictly necessary, and participants with Windows computers can set up Visual Studio and all requirements on a host machine if they prefer, but they should do so before the start of the workshop to avoid waiting for long downloads.