Botconf Author Listing

Randy Pargman

Last known affiliation: Proofpoint
Bio: Randy Pargman leads threat detection and engineering teams at Proofpoint, using custom dynamic sandbox systems to detect evasive malware and phishing threats that target customers around the world. He previously led threat hunting and endpoint detection engineering at Binary Defense, and investigated botnets and other cyber criminal activities as a member of the FBI Cyber Action Team and Seattle Cyber Task Force. Randy currently volunteers as a digital forensic analyst with The DFIR Report, and organizes DEATHCon, a global conference for Detection Engineering and Threat Hunting workshops.
TLP:GREEN
Date: 2024-04-23
WS2 – Teams is for C2: Building and Reversing a Teams RAT (5h)
Randy Pargman 🗣 | Kyle Cucci 🗣

Abstract

This workshop consists of two parts:
First, we will build a Remote Access Tool that uses Microsoft Teams as its Command and Control channel, with indirect syscalls, shellcode execution, COFF execution, and other common features. Participants will be provided with a VM for VMware Player or Workstation that has all the necessary source code and build environment set up. Participants will need to create a free M365 Developer tenant prior to starting the workshop.

In the second part, we will reverse engineer the Teams RAT binary and a loader, showing how to analyze stack strings, deal with opaque predicates, XOR string obfuscation, and anti-debugging tricks of malware.

If workshop participants were not able to create a free M365 Developer tenant prior to Microsoft changing the policy to limit the program to Visual Studio subscribers, the workshop instructors will provide working accounts in a tenant for those participants to use.

To participate in this workshop, you will need to register for the free Microsoft 365 Developer program, which creates your own Azure tenant with Microsoft Teams for the C2 channel. You will also need a laptop with VMware Player, Workstation, or Fusion installed and at least 30-50GB of free disk space. You will be provided with a VM for VMware that is set up with all tools, or, if you prefer not to use a pre-built VM, you can build your own Windows 11 VM and install Visual Studio set up for C++ development, plus vcpkg, libcurl, cJSON, x64dbg, and IDA Free.

TLP:GREEN
Date: 2025-05-20
WS1 – Defeating Malware Evasion: Techniques and Countermeasures
Kyle Cucci 🗣 | Randy Pargman 🗣

Abstract

Ready to dive into the world of malware evasion techniques? This hands-on workshop will give students the tools and skills to spot and defeat evasion tricks used by malicious code. Split into three “modules,” the workshop will take you through a journey of analyzing malware with free, open-source tools. You’ll tackle evasion techniques head-on, learning how to see through the malware’s tricks and gain a deeper understanding of its behavior.

Expect a mix of instructor-created malware (with code to analyze alongside the samples) and real-world malware found in the wild. By the end, you’ll walk away with a collection of malware samples, pages of code, and the expertise to continue your analysis at home. Plus, you’ll have the know-how to bypass common anti-analysis and evasion methods that malware uses to sneak past sandboxes and endpoint defenses. Are you ready to level up your malware analysis skills? Let’s dive in!
