Whenever I conduct a workshop, I make sure to provide step-by-step instructions in a PDF file so that anyone can run through the entire workshop at any time. Should you be interested in going through any of my previously published workshops, simply grab the workshop’s PDF from GitHub. You’ll be able to follow them from start to finish by reading through the slide notes.


Understanding and Analyzing Weaponized Carrier Files

Originally held @ DefCon 27 (2019) and CactusCon 8 (2019)

GitHub repo: https://github.com/rj-chap/CFWorkshop

ReadMe: https://github.com/rj-chap/CFWorkshop/blob/master/README.md

PDF: https://github.com/rj-chap/CFWorkshop/blob/master/dc27-carrier_files_workshop-rjc.pdf

Weaponized carrier files, such as PDF and Office docs, are used in various attack campaigns in order to compromise victims. In this workshop, we’ll cover the file formats, associated weaponization methods, and analysis techniques for the attack code used with these types of files. We’ll pull apart PDF object streams, deobfuscate JavaScript code, and analyze PDF-based attacks. For Office docs, we’ll review the OLE file format; take a gander at VBA-based macros; extract, deobfuscate, and debug the VBA code; and identify indicators of compromise. We’ll be using a Windows-based malware VM along with tools such as oledump, PDFStreamDumper, the MS VBA Editor, and more!
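To give a feel for the "pull apart PDF object streams" part of the workshop, here is an added Python example of my own (editor's code, not material from the workshop or the CFWorkshop repo). It builds a constructed sample PDF whose /OpenAction fires a JavaScript action stored in a FlateDecode stream, carves the objects by scanning rather than trusting the xref table (the way PDFStreamDumper and similar tools do), flags the dictionary keys a triager looks for, and follows /JS to the script whether it is an inline literal or an indirect stream. The function names, the sample document, and the suspicious-token list are my assumptions; a real sample may also use filters (ASCIIHex, LZW, RunLength) and object streams (/ObjStm) that this sketch does not decode.

```python
import re
import zlib

# Constructed sample (not a real-world malicious PDF): one page whose /OpenAction
# fires a JavaScript action whose script is hidden inside a FlateDecode stream.
SCRIPT = b"var sc = unescape('%u9090%u9090'); app.alert('hi');"

def build_sample_pdf(script=SCRIPT):
    comp = zlib.compress(script)
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
        b"4 0 obj\n<< /S /JavaScript /JS 5 0 R >>\nendobj\n",
        b"5 0 obj\n<< /Length " + str(len(comp)).encode() + b" /Filter /FlateDecode >>\n"
        + b"stream\n" + comp + b"\nendstream\nendobj\n",
    ]
    # No xref table on purpose: object carving never needs one.
    return b"%PDF-1.7\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

OBJ_HDR = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
STREAM_KW = re.compile(rb"\bstream\r?\n")
DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")  # ignore 'N 0 R' references
JS_KEY = re.compile(rb"/JS\s*(?:(\d+)\s+\d+\s+R|(?=\())")    # indirect ref or '(' literal
# Dictionary keys worth a closer look, and idioms common in heap-spray/decoder JavaScript.
FLAGS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile")
JS_SUSPECTS = (b"unescape(", b"eval(", b"%u", b"String.fromCharCode", b"app.setTimeOut")

def carve_objects(pdf):
    """Scan for 'N G obj ... endobj' units without trusting the xref table.
    Returns {objnum: {"dict": bytes, "stream": bytes or None}}; Flate streams are inflated."""
    objs, pos = {}, 0
    while hdr := OBJ_HDR.search(pdf, pos):
        start, endobj, stream = hdr.end(), pdf.find(b"endobj", hdr.end()), None
        if endobj == -1:
            break
        skw = STREAM_KW.search(pdf, start, endobj)  # 'stream' keyword inside this object?
        if skw:
            dict_part, data_start = pdf[start:skw.start()], skw.end()
            length = DIRECT_LENGTH.search(dict_part)
            if length:  # exact slice: immune to 'endstream' bytes inside binary data
                data_end = data_start + int(length.group(1))
                stream = pdf[data_start:data_end]
            else:       # indirect /Length: fall back to the keyword search
                data_end = pdf.find(b"endstream", data_start)
                stream = pdf[data_start:data_end].rstrip(b"\r\n")
            endobj = pdf.find(b"endobj", data_end)
            if b"/FlateDecode" in dict_part:
                try:
                    stream = zlib.decompress(stream)
                except zlib.error:
                    pass  # corrupt or truncated: keep the raw bytes for manual review
        else:
            dict_part = pdf[start:endobj]
        objs[int(hdr.group(1))] = {"dict": dict_part, "stream": stream}
        pos = endobj + len(b"endobj") if endobj != -1 else len(pdf)
    return objs

def flag_objects(objs):
    """{objnum: [flag names]} for objects whose dictionary carries action/JS keys."""
    hits = {}
    for num, o in objs.items():
        found = [f for f in FLAGS if re.search(re.escape(f) + rb"(?![A-Za-z])", o["dict"])]
        if found:
            hits[num] = found
    return hits

def _literal_string(buf, i):
    """Read the PDF '(...)' literal at buf[i]; honours nesting, keeps escapes verbatim."""
    depth, out = 0, bytearray()
    while i < len(buf):
        c, i = buf[i:i + 1], i + 1
        if c == b"\\":  # keep the escaped byte as-is
            out += buf[i:i + 1]
            i += 1
        elif c == b"(" and (depth := depth + 1) == 1:
            pass  # the literal's own opening parenthesis
        elif c == b")" and (depth := depth - 1) == 0:
            return bytes(out)
        else:
            out += c
    return bytes(out)

def extract_javascript(objs):
    """Follow each /JS entry to its script: inline literal string or indirect stream."""
    scripts = {}
    for num, o in objs.items():
        m = JS_KEY.search(o["dict"])
        if not m:
            continue
        if m.group(1):  # indirect: the script lives in another object's stream
            scripts[num] = objs.get(int(m.group(1)), {}).get("stream")
        else:           # inline '(...)' literal
            scripts[num] = _literal_string(o["dict"], m.end())
    return scripts

def suspicious_tokens(script):
    return [t for t in JS_SUSPECTS if t in script]
```

Calling carve_objects(build_sample_pdf()) and then flag_objects() and extract_javascript() on the result reports object 1 (/OpenAction) and object 4 (/JavaScript, /JS), and hands back the inflated script from object 5, where suspicious_tokens() picks out the unescape() and %u heap-spray idioms. On a real sample you feed the file's bytes to carve_objects() instead of build_sample_pdf(); the direct-/Length slicing matters there, because searching for "endstream" inside binary stream data is the classic way a carver mis-slices an object.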


Exploit Kit Shenanigans: They’re Cheeky!

Originally held @ BSides San Francisco (2015)

GitHub repo: https://github.com/rj-chap/EKWorkshop

ReadMe: https://github.com/rj-chap/EKWorkshop/blob/master/README.md

PDF: https://github.com/rj-chap/EKWorkshop/blob/master/Chapman-BSidesLV_2015-EK_Workshop.pdf

The “Exploit Kit Shenanigans: They’re Cheeky!” workshop will consist of attendees pulling apart a few exploit kits to understand how they work at a low level. This will be an intermediate-level workshop, developed for people familiar with running Linux commands (we’ll be using REMnux) and those who can learn new tools quickly (we’ll be using a bevy of tools, including the likes of Immunity Debugger). I LOVE analyzing exploit kits, and I cannot wait to show others how to review an exploit kit’s real intent. We’ll begin by grabbing some samples off VirusTotal (pre-selected, of course), work to deobfuscate the threats, cover how the actual exploits work, and then analyze the relevant shellcode in a debugger.


Network Forensics Workshop Deux: Long Live Packet Pillaging

Originally held @ CactusCon 5 (2016)

GitHub repo: https://github.com/rj-chap/NFWorkshop16

ReadMe: https://github.com/rj-chap/NFWorkshop16/blob/master/README.md

PDF: https://github.com/rj-chap/NFWorkshop16/blob/master/Chapman-CactusCon-NFWorkshop16.pdf

In the workshop, I will walk attendees through how our team took 1st place in LMG Security’s Network Forensics Puzzle Contest (NFPC) at DefCon 23 (2015). This was a repeat win for us, and we’ve enjoyed every minute we’ve spent on these challenges. LMG holds an awesome annual contest, and we are proud to show the tech that we used to complete the most recent challenge. Keep in mind that this is a “WE” thing. I put together the workshop, but OUR TEAM wins these things. I am honored to work with such awesome people.

To solve the sucker, we used tools such as Wireshark, NetworkMiner, bash, volatility, Python, and others. I cover how we put together some scripts and commands in order to streamline our methodology. My goal: Show off some cool network forensics tech and garner interest for yet another NFPC. We want some top-notch competition, so check out what we have to offer and be sure to get your game on at DefCon 24 in 2016!


Network Forensics Workshop: Packet Pillaging Done Right, SON!

Originally held @ CactusCon 4 (2015) & BSides San Francisco (2015)

GitHub repo: https://github.com/rj-chap/NFWorkshop

ReadMe: https://github.com/rj-chap/NFWorkshop/blob/master/README.md

PDF: https://github.com/rj-chap/NFWorkshop/blob/master/Chapman-CactusCon_2015-NFWorkshop.pdf

In the workshop, I walked attendees through how our team took 1st place in LMG Security’s Network Forensics Puzzle Contest (NFPC) at DefCon 22 (2014). Each year, LMG holds an awesome contest, and we are proud to show the tech that we used to complete last year’s challenge.

To solve the sucker, we used tools such as Wireshark, tshark, tcpflow, bash, perl (regex one-liners baby!), Python (w/various modules), and others. I cover how we put together some scripts and commands in order to streamline our methodology. My goal: Show off some cool network forensics tech and garner interest for this year’s NFPC. We want some top-notch competition, so check out what we have to offer and be sure to get your game on at DefCon 23 in 2015!