In the adversary emulation world it is crucial to stay up to date with the latest news in order to provide the best value to your client. Recently, researchers from Fortinet discovered a new Buer campaign that utilizes Rust and XLL files. In this workshop, we will take the TI as described in this article: https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader/
and use it to rapidly prototype an emulation campaign!
Prior to the workshop, please download and install Lab 0 with the following instructions: https://sansurl.com/setup-buer-workshop
Messing during the workshop will be in the SANS Offensive Ops Discord here: https://discord.com/invite/f3R93W38gs
Join the #sans-workshop channel here: https://discord.gg/x3MNBsJb
This workshop was designed to be as accessible as possible, even if you have never touched XLL files or Rust before. To achieve the optimal benefits of this workshop, it is advised that you are at least familiar with an object-oriented programming language. Knowing your way around Visual Studio could come in handy as well, but is not necessarily required.