$1,750

Initial Access Operations

Event Information

Date and Time

Location

CACI

1141 Remount Road

North Charleston, SC 29406

Refund Policy

Contact the organizer to request a refund.

Eventbrite's fee is nonrefundable.

Event description
Take your phishing techniques to a new level by learning to author your own malware in a hands-on environment

About this Event

Come join BSides Charleston and FortyNorth Security for an exciting two-day course! Attendees are asked to be present and set up by 8:45am so that the class can begin promptly at 9:00am. A portion of the proceeds from this event will go towards the BSides Charleston 501(c)(3) Non-Profit Organization to benefit our main conference in November.

*All students must bring a Windows laptop or virtual machine with administrative rights.

This class will cover a wide range of topics over a two-day period:

  • Development Environment Prep – We start by building multiple development environments (within virtual machines) for writing malware. We discuss the different tools, languages, and operating system configurations that our malware developers use when writing code and then set them up in our virtual machines.

  • Malware/Campaign Goals – When writing phishing malware, we typically have one of two goals: harvest credentials from our victim or execute arbitrary code on their workstation.

We explore how we can accomplish both goals:

  • Credential Harvesting – Harvesting account credentials can be very dependent upon the type of services your target has publicly available. Is there a VPN portal, Outlook Web Access, HR self-service portal, Citrix access? Ultimately, your goal is to entice the user to enter their credentials into a web form that securely saves their information and possibly their multi-factor token. We’ll look at both custom code and existing open source tooling that helps to accomplish this objective.

  • Arbitrary Code Execution – Code execution typically will result in a Meterpreter or Cobalt Strike Beacon connecting back to your command and control servers when your attack vector is executed by the targeted employee. To accomplish the code execution objective, we discuss and customize the browser-based attacks that attackers use.

  • Code Execution Deep Dive – After looking at examples of how attackers can leverage web browsers to execute code on their target’s systems, we do a deep-dive into different methods of customizing code execution malware.

  • Process Injection Techniques – There are many ways that an attacker can inject code not only into its current process, but also other processes that are running on the targeted system. We discuss the pros and cons of injecting into remote processes and walk through the different API calls that enable these capabilities.

  • DotNetToJScript – The tool DotNetToJScript has changed how the industry writes phishing malware. It has extended the functionality of “low capability” browser-compatible languages to match that of fully functional development languages. We walk through how you can use different process injection techniques within a browser-based attack with DotNetToJScript.

At the conclusion of the class, students will have a strong understanding of different techniques used by modern attackers in phishing attacks. Additionally, all students will have learned various methods to extend basic phishing attacks to include process injection techniques that are used to avoid detection.

Attendees should have an understanding of basic programming concepts to get the most out of this class. Experience with .NET would be extremely beneficial. This course is geared toward attacking Windows environments and all malware written during class will be for Windows targets.

Instructor Bios:

Christopher Truncer is a co-founder and red team lead of FortyNorth Security’s offensive security team. Christopher is an industry-leading ethical hacker with extensive experience performing red team assessments, external and internal penetration tests, web application assessments, and social engineering tests. His experience extends across a wide range of industries, from public to private, banking, health care, insurance, retail, and more. Christopher has spoken at conferences around the world and has taught courses on penetration testing and red teaming at conferences such as Black Hat and SteelCon. Christopher is an active open source developer who contributes to a large number of security tools such as the Veil-Framework, EyeWitness, WMImplant and more.

Joseph Leon is an Offensive Security Engineer on FortyNorth Security's offensive security team. Joseph holds the OSCP certification, previously trained at Black Hat USA (Intrusion Operations) and was nationally recognized as a top scorer in the US Cyber Challenge, a program supported by the US Department of Homeland Security. Prior to joining FortyNorth Security, Joseph founded and sold two companies: a data cleansing SaaS application for which he led full stack development as CTO, and a sales consulting and lead generation firm that he led as CEO. In addition to his responsibilities with FortyNorth Security, Joseph is currently pursuing a Master's of Engineering in Cyber Security through New York University. Prior to his web development and computer science experience, Joseph worked in the outbound lead generation space, training and consulting sales teams on how to generate new sales leads. This experience has uniquely informed his ability to conduct highly effective social engineering campaigns.
