Maldev Workshop: Create and Reverse Engineer a C++ Implant Using Microsoft Teams Chat as C2

address 28 avenue George V 75008 Paris

Fun with C2
As a Threat Hunter, I often think about what sort of stealthy threats would be most difficult to detect, and then experiment to find ways to improve detection capabilities to match the challenge. Part of experimenting involves building C2 frameworks, and I’ve had so much fun making this one – it’s just cool to use a familiar chat interface to send commands to an implant, inject shellcode, and receive the responses. I build this sample specifically for an introduction to reverse engineering class that I taught several times. In this workshop, I’ll touch on the RE aspects just a bit and focus mainly on building, using, and detecting this C2 technique.

Workshop Goals
At the end of this workshop, participants should have: + Created their own Microsoft 365 Developer tenant for experimenting (free) + Set up a Visual Studio development environment for C++ application development, or used a provided VM + Used Python to authenticate to Microsoft, collect authentication tokens, and obfuscated the tokens for embedding in the implant + Using provided C++ code, built a custom implant that uses Teams as a C2 channel to communicate + Tested the implant to run remote commands and inject shellcode + Reviewed Sysmon events to see how such an implant could be detected by blue team + Looked at the information available to reverse engineers analyzing the implant

Target Audience
This workshop is for red teams AND blue teams (threat hunters, reverse engineers). Red teams love having a new way to communicate with an implant over a channel that blends in with most corporate network environments. Threat hunters get value from testing ways to detect anomalies in endpoint behavior, and learning how to find and defeat common anti-analysis tricks while reverse engineering the implant. This code includes resolving API calls by hashed values, injecting shellcode into other processes, and multi-byte XOR string obfuscation.

Participants will finish the workshop with their own M365 developer tenant (free) and a working implant DLL keyed to their own tenant, which they can deploy using regsvr32, rundll32, or APC Queue injection into Teams processes. Participants will also get a brief introduction to reverse engineering malware.

I will bring some USB drives containing a VMWare VM and some other USB drives with a VirtualBox VM, both completely set up with all the software tools and configured to be ready to go, making it easy for participants. I know that some people don’t trust a pre-built VM and prefer to set theirs up themselves, so I will also share a video and written instructions for getting a VM set up using the free Windows 11 Developer VM from Microsoft. A VM is not strictly necessary, and participants with Windows computers can set up Visual Studio and all requirements on a host machine if they prefer, but they should do so before the start of the workshop to avoid waiting for long downloads.