Philippe Lagadec – decalage.info - @decalage2

More documents

Recommendations

Info

MacroRaptor - mraptor Observations: • Malicious macros need to start automatically. • AutoOpen, Document_Open, Document_Close, etc • They need to drop a payload as a file, or inject code into a process. • They need to execute the payload. • Most of these actions cannot be obfuscated in VBA. • Most non-malicious macros do not use these features. => It is possible to detect most malicious macros using a small number of keywords.
MicroRaptor Picture published by Conty in the public domain MacroRaptor - mraptor MacroRaptor algorithm: • A: Automatic triggers • W: Any write operation that may be used to drop a payload • X: Any execute operation • Suspicious = A and (W or X) See http://decalage.info/mraptor And https://github.com/decalage2/oletools/wiki/mraptor
Page 1 and 2: Toulouse Hacking Convention 3 rd Ma
Page 3 and 4: Au menu Red Side • Malicious Macr
Page 5 and 6: What can a malicious macro do? •
Page 7 and 8: Sample VBA Dropper Private Declare
Page 9 and 10: Blue Side: Analysis
Page 11 and 12: olevba - extraction + analysis $ ./
Page 13 and 14: Services/Projects using olevba Vipe
Page 15 and 16: ViperMonkey • Olevba alone: 1. Ex
Page 17 and 18: Other Analysis Techniques • Loffi
Page 19: Macro Detection & Prevention • Wh
Page 23 and 24: MacroRaptor applications Mraptor_mi
Page 25 and 26: Conclusion VBA Macros are still a v
Page 27 and 28: Extra Slides
Page 29 and 30: Obfuscation iKJINJdg = StrReverse(C
Page 31 and 32: MS Office File Formats with macros
Page 33 and 34: oledump • http://blog.didiersteve
Page 35 and 36: oledump - plugins $ ./oledump.py ~/
Page 37 and 38: ViperMonkey - hello world
Page 39 and 40: ViperMonkey - what next • Minimal

Philippe Lagadec – decalage.info - @decalage2

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?