On 13 March 2020, BSides Melbourne is offering participants free training to help them further their Information Security careers. The following training classes are available:
Introduction to Incident Response
Windows Driver Exploitation for Newbies
Introduction to Incident Response - Artefacts Collection and Analysis
Participant Level: Intermediate
The participants must know how to use the command line interface and install a program. They may be working as a security analyst, developer, system administrator or network administrator in their organisation and have been tasked to investigate a system.
Description: This training session will cover the use of open source tools in acquiring artefacts from a system, and will educate the participants on what these artefacts mean when responding to a cyber security incident. In particular, it will cover:
the use of open source tools in acquiring artefacts from a system
which artefacts to collect first and why
what these artefacts mean when responding to a cyber security incident.
Training Outline:
Introduction: What is an incident? What triggers the incident response process?
Collection of Artefacts/Evidence: Once the IR process starts, what do you need to collect? What are the artefacts that can be collected?
Tools
Labs: artefact collection; examination of collected artefacts
Key Takeaways: At the end of this training, the attendees will be able to do the following:
Run the open source tool on a system and extract the artefacts that they need to investigate
Interpret what happened in the system by focusing on certain artefacts that they collected from the system
What you need: Participants will need:
a laptop with a virtual machine (VM) running their own licensed Windows operating system
to download the open source tool before the training
Meet Your Trainers
Shanna Daly is the founder of Caccia Cybersecurity. She started it with the view of making world-class security incident response solutions accessible to the Australian market.
Gyle dela Cruz is a digital forensics and incident response enthusiast who has trained and mentored students and cybersecurity professionals across the Asia Pacific region.
Morgaine Timms is a security engineer turned penetration tester. She has built security programmes from the ground up, including incident response policy, procedure, and practice.
Windows Driver Exploitation for Newbies
Participant Level: Beginner - Intermediate
The target participants are those who have some basic knowledge of setting up virtual machines, using the WinDbg debugger and "classical" stack-based buffer overflows, but have zero knowledge of how Windows drivers work and/or how to exploit them. However, total newbies who have none of the above-mentioned prior knowledge are welcome, and help will be given during the course.
Description: This course aims to introduce the fundamentals of Windows kernel mode device driver exploitation. The participants will learn to dissect the basic structure of a training "toy" Windows device driver binary through reverse engineering, identify a vulnerability and develop an exploit for the target driver.
Training Outline:
Windows 7 virtual machine and WinDbg setup.
Introduction to the basic concepts of Windows device driver structure.
Installation of the target Windows device driver in the target VM.
Reverse engineering the target Windows device driver and identifying the vulnerability.
Exploit development.
Recap and discussion on limitations and applicability of the techniques introduced.
(Optional) If time permits, for those who are interested, Windows 7 device driver building/customization.
Key Takeaways: The key learnings in this course are:
Basic understanding of kernel mode Windows device drivers.
Basic Windows driver exploitation techniques.
The key takeaway is: "Driver/kernel exploitation is not as scary as one might believe. If you know (or even if you don't yet know) basic binary exploitation, you can do it!"
What you need: Participants will need to have:
A laptop hosting Windows 7 32-bit virtual machines. The instructor prefers a Windows host laptop with Hyper-V; however, alternatives such as VMware, VirtualBox or even KVM/QEMU (for Linux users) should work.
The WinDbg debugger on the host machine. (For Linux users running KVM/QEMU, at least two virtual machines will be needed, one of which will act as the debugger host with WinDbg.)
A disassembler of your choice on the host machine: IDA Pro, radare2, Ghidra, Hopper, Binary Ninja etc.
A C/C++ compiler that can produce Windows binaries on the host machine: Visual Studio Community, MinGW.
The OSR Online driver loader in the target Windows VM.
The Microsoft Sysinternals suite in the target Windows VM.
Wi-Fi is needed for downloading additional software.
(Optional) The Windows 7 WDK.
Meet Your Trainer
Wei Chong was a speaker at BSides Melbourne 2019.
He has a wide spectrum of interests (which keeps him constantly busy). His interests include system internals (operating systems, hypervisors, firmware, IoT and PC platforms), binary exploitation, AV/EDR evasion techniques, hardware hacking, cryptanalysis and learning in general.
He believes in constant learning and helping newbies. He still identifies himself as a newbie in his many areas of interest.