WS2 – Teams is for C2: Building and Reversing a Teams RAT (5h)

Botconf 2024
2024-04-23 | 13:00 – 18:30

Randy Pargman 🗣 | Kyle Cucci 🗣

This workshop consists of two parts:
First, we will build a Remote Access Tool that uses Microsoft Teams as its Command and Control channel, with indirect syscalls, shellcode and COFF execution capabilities, and other common features. Participants will be provided with a VM for VMware Player or Workstation that has all the necessary source code and build environment set up. Participants will need to create a free M365 Developer tenant prior to starting the workshop.

In the second part, we will reverse engineer the Teams RAT binary and a loader, showing how to analyze stack strings and how to deal with opaque predicates, XOR string obfuscation, and the anti-debugging tricks used by malware.
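XOR string obfuscation is one of the analysis topics named above. As an added example that is not part of the workshop material or the RAT being built, the helper below shows the usual analyst approach to a single-byte XOR string table: brute-force all 256 keys, rank them by how much of the decoded output looks like a C string table (printable ASCII plus NUL terminators), and confirm the winner with a crib, a plaintext the analyst expects to be present. The sample blob, the key 0x5A and the two strings are constructed for the example; the crib assumes the sample reaches Microsoft Graph, which is an assumption made here, not something the abstract states.

```python
# Added example: recovering single-byte XOR-obfuscated strings during analysis.
# Not workshop material; the blob, key and strings below are constructed.
import string

# Bytes we expect in a decoded C string table: printable ASCII plus NUL terminators.
EXPECTED_BYTES = {ord(c) for c in string.ascii_letters + string.digits
                  + string.punctuation + " "} | {0}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (a single-byte key is the common malware case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def expected_ratio(data: bytes) -> float:
    """Fraction of bytes that look like string-table content."""
    if not data:
        return 0.0
    return sum(b in EXPECTED_BYTES for b in data) / len(data)


def rank_single_byte_keys(blob: bytes, threshold: float = 0.9):
    """Brute-force all 256 keys; return [(key, ratio)] above threshold, best first."""
    scored = [(k, expected_ratio(xor_bytes(blob, bytes([k])))) for k in range(256)]
    return sorted(((k, r) for k, r in scored if r >= threshold),
                  key=lambda t: (-t[1], t[0]))


def keys_matching_crib(blob: bytes, crib: bytes):
    """Keys under which a known plaintext (crib) appears in the decoded blob."""
    return [k for k in range(256) if crib in xor_bytes(blob, bytes([k]))]


def split_c_strings(data: bytes):
    """Split a NUL-separated string table into individual strings."""
    return [s.decode("ascii", "replace") for s in data.split(b"\x00") if s]


def recover(blob: bytes, crib: bytes = b"graph.microsoft.com"):
    """Statistical ranking plus crib confirmation; returns (key, strings) or None.

    The ranking alone is not enough: for lowercase-heavy text, several keys
    produce mostly printable output, so the crib decides between them.
    """
    crib_keys = keys_matching_crib(blob, crib)
    for key, _ratio in rank_single_byte_keys(blob):
        if key in crib_keys:
            return key, split_c_strings(xor_bytes(blob, bytes([key])))
    return None


# Constructed sample: two strings such a tool might keep, XORed with 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"https://graph.microsoft.com/v1.0/chats\x00User-Agent: Teams/1.0\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, bytes([SAMPLE_KEY]))

if __name__ == "__main__":
    print(recover(SAMPLE_BLOB))
```

In a real sample the blob would be carved from the binary's data section at the address the decryption loop reads from; the crib is whatever the analyst already knows about the sample (a domain from network telemetry, an API path, a mutex name).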

If workshop participants were not able to create a free M365 Developer tenant before Microsoft changed the policy to limit the program to Visual Studio subscribers, the workshop instructors will provide working accounts in a tenant for those participants to use.

To participate in this workshop, you will need to register for the free Microsoft 365 Developer program, which creates your own Azure tenant with Microsoft Teams for the C2 channel. You will also need a laptop with VMware Player, Workstation, or Fusion installed and at least 30-50 GB of free disk space. You will be provided with a VM for VMware that is set up with all tools; if you prefer not to use a pre-built VM, you can build your own Windows 11 VM and install Visual Studio set up for C++ development plus vcpkg, libcurl, cJSON, x64dbg, and IDA Free.

