Whenever I conduct a workshop, I ensure to provide step-by-step instructions within a PDF file that facilitate running through the entire workshop at any time. Should you be interested in going through any of my previously published workshops, simply grab the workshop’s PDF from GitHub. You’ll be able to follow them from start to finish by reading through the slide notes.
Table of Contents
DefCon Workshops
Understanding and Analyzing Weaponized Carrier Files
DefCon 27 (2019) and CactusCon 8 (2019)
GitHub repo: https://github.com/rj-chap/CFWorkshop
ReadMe: https://github.com/rj-chap/CFWorkshop/blob/master/README.md
PDF: https://github.com/rj-chap/CFWorkshop/blob/master/dc27-carrier_files_workshop-rjc.pdf
Weaponized carrier files, such as PDF and Office docs, are used in various attack campaigns in order to compromise victims. In this workshop, we’ll cover the file formats, associated weaponization methods, and analysis techniques of the attack code used with these types of files. We’ll pull apart PDF object streams, deobfuscate JavaScript code, and analyze PDf-based attacks. For Office docs, we’ll review the OLE file format; take a gander at VBA-based macros; extract, deobfuscate, and debug the VBA code; and identify indicators of compromise. We’ll be using a Windows-based malware VM along with tools such as oledump, PDFStreamDumper, the MS VBA Editor, and more!
Active Directory Attacks: The Good, The Bad, and The LOLwut
DefCon 31 (2023) – with Josh Stroschein and Aaron Rosenmund
GitHub repo with support files: https://github.com/arosenmund/defcon_31_ad_good_bad_lolWut
DefCon forum posting: https://forum.defcon.org/node/246032
Threat actors such as ransomware affiliates around the world are carrying out attacks on Active Directory (AD) at scale. When doing so, such actors often stick to the mainstream in terms of attack methodologies and tooling. But… that’s lame! Why borrow tactics, techniques, and procedures (TTPs) that are so well known and thus readily detectable?! Come hang out with us as we provide an overview of AD, show the most common attack scenarios, then show you how to detect and prevent those very attacks. Stick around as we then transition to covering what you could, and should, be doing instead.
We will be providing a remote network range to which you will connect. Once in the range, you will be acting as the ransomware threat actor, “pentester” as they like to call themselves. You will carry out attacks such as enumeration via Bloodhound, credential discovery and compromise, pass the hash attacks, and kerberoasting via common tools such as Mimikatz & Rubeus. After carrying out the attacks yourself, you’ll then learn how to prevent and detect those very attacks. We’ll then show you custom-developed methods to carry out the same attacks without the reliance on well-known TTPs/tools. And even better, we’ll show you how you could, at least where it’s even possible, detect the more custom/advanced methodologies.
Join us if you are a blue teamer, red teamer, purple teamer, cyber defender, DFIR analyst… basically anyone who wants (or needs!) to learn to defend and/or attack Active Directory. Come for the tech, stay for the humor. See ya there!
Modern Malware Analysis for Threat Hunters
DefCon 30 (2022) – with Josh Stroschein and Aaron Rosenmund
GitHub repo with support files: https://github.com/ps-interactive/labs_modern_malware_c2
DefCon forum posting: https://forum.defcon.org/node/241776
Threat actors go to great lengths to bypass enterprise security to deliver malware, avoid detection after the initial intrusion, and maintain persistence to compromise an organization. To achieve this, threat actors employ a wide variety of obfuscation and anti-analysis techniques at each phase of an attack. Often, Malware-as-a-Service (MaaS) is leveraged. In this workshop, you will get hands-on experience with real-world malware and learn how to identify key indicators of compromise (IOCs), apply analysis to enhance security products to protect users and infrastructure, and gain a deeper understanding of malware behavior through reverse engineering.
Our workshop focuses on MaaS samples and their prevalence in attacks. We will break down various MaaS samples and show how they function. We will review attacker-controlled infrastructure to show how Command and Control (C2) features are successful within YOUR (hopefully not YOUR!) environment. We will conclude with an analysis of the world’s DEF CON Forums C2 infrastructure: Cobalt Strike (CS). We will break down the CS infrastructure, show how Malleable C2 profiles function, and show you how to extract and analyze profile configurations from script- and PE-based payloads alike.
Students will be provided with all the lab material used throughout the course in a digital format. This includes all lab material, lab guides, and virtual machines used for training. The material provided will help to ensure that students have the ability to continue learning well after the course ends and maximize the knowledge gained from this course. Whatever isn’t covered during the class, or whatever the student wants to focus on later, will be available.
Modern Malware Analysis for Threat Hunters
DefCon 29 (2021) – with Josh Stroschein and Aaron Rosenmund
GitHub repo: https://github.com/jstrosch/malware-samples/tree/master/trainings_workshops/2021/DefCon
My good buddy Aaron and I presented this workshop using materials produced by Josh Stroschein. Josh was unable to make the conference, so I stepped in to fill in his spot. See Josh’s GitHub archive linked above for PDFs and sample files.
General Workshops
Exploit Kit Shenanigans: They’re Cheeky!
Originally held @ BSides San Francisco (2015)
GitHub repo: https://github.com/rj-chap/EKWorkshop
ReadMe: https://github.com/rj-chap/EKWorkshop/blob/master/README.md
PDF: https://github.com/rj-chap/EKWorkshop/blob/master/Chapman-BSidesLV_2015-EK_Workshop.pdf
The “Exploit Kit Shenanigans: They’re Cheeky!” workshop will consist of attendees pulling apart a few exploit kits to understand how they work at a low level. This will be an intermediate-level workshop, developed for people familiar with running Linux commands (we’ll be using REMnux) and those whom can learn new tools quickly (we’ll be using a bevy of tools, including the likes of Immunity Debugger). I LOVE analyzing exploit kits, and I cannot wait to show others how to review an exploit kit’s real intent. We would begin by grabbing some samples off VirusTotal (pre-selected of course), work to deobfuscate the threats, cover how the actual exploits work, and then analyze the relevant shellcode in a debugger.
Network Forensics Workshop Deux: Long Live Packet Pillaging
Originally held @ CactusCon 5 (2016)
GitHub repo: https://github.com/rj-chap/NFWorkshop16
ReadMe: https://github.com/rj-chap/NFWorkshop16/blob/master/README.md
PDF: https://github.com/rj-chap/NFWorkshop16/blob/master/Chapman-CactusCon-NFWorkshop16.pdf
In the workshop, I will walk attendees through how our team took 1st place in LMG Security’s Network Forensics Puzzle Contest (NFPC) at DefCon 23 (2015). This was a repeat win for us, and we enjoyed every minute that we have spent on these challenges. LMG holds an awesome annual contest, and we are proud to show the tech that we used to complete the most recent challenge. Keep in mind that this is a “WE” thing. I put together the workshop, but OUR TEAM wins these things. I am honored to work with such awesome people.
To solve the sucker, we used tools such as Wireshark, NetworkMiner, bash, volatility, Python, and others. I cover how we put together some scripts and commands in order to streamline our methodology. My goal: Show off some cool network forensics tech and garner interest for yet another NFPC. We want some top-notch competition, so check out what we have to offer and be sure to get your game on at DefCon 24 in 2016!
Network Forensics Workshop: Packet Pillaging Done Right, SON!
Originally held @ CactusCon 4 (2015) & BSides San Francisco (2015)
GitHub repo: https://github.com/rj-chap/NFWorkshop
ReadMe: https://github.com/rj-chap/NFWorkshop/blob/master/README.md
PDF: https://github.com/rj-chap/NFWorkshop/blob/master/Chapman-CactusCon_2015-NFWorkshop.pdf
In the workshop, I walked attendees through how our team took 1st place in LMG Security’s Network Forensics Puzzle Contest (NFPC) at DefCon 22 (2014). Each year, LMG holds an awesome contest, and we are proud to show the tech that we used to complete last year’s challenge.
To solve the sucker, we used tools such as Wireshark, tshark, tcpflow, bash, perl (regex one-liners baby!), Python (w/various modules), and others. I cover how we put together some scripts and commands in order to streamline our methodology. My goal: Show off some cool network forensics tech and garner interest for this year’s NFPC. We want some top-notch competition, so check out what we have to offer and be sure to get your game on at DefCon 23 in 2015!