Some DNS servers, like 1.1.1.1, will accept and forward any byte values inside the DNS packet.
This makes it possible to use DNS as a C2 channel with a higher throughput than hexadecimal encoding.

Long time ago, in 2004 (that's even before the first Hack.lu conference), Microsoft released a patch for utilman.exe.
Since then, utilman.exe pops up in security incidents.

A method will be presented to decrypt the HTTP(S) C2 channel of an IIS backdoor developed by an APT group reportedly linked to the People’s Republic of China.

Maybe you already attended a maldoc analysis workshop from Didier at the Hack.lu conference. Didier has delivered workshops on PDF, Office and RTF document analysis. These workshops were bottom-up: we first learn about the fundamentals, and gradually we make our way through ever more complex exercises.

This workshop is the other way around: we go top-down (and we cover PDF, Office and RTF in the same workshop). We don’t start with the fundamentals (they will come later during the exercises when necessary), but we start directly with exercise files that we first have to identify, and then decide how to proceed with the analysis.

We immediately start with real maldoc samples, and you learn how to triage the file and start the analysis. You will learn what tools to use depending on the type of maldoc, and what analysis strategy to follow. You will also be guided with custom decision trees designed for this workshop, that you can use later on in your professional practice.

And we will also cover some automation to perform batch analysis.