Malicious Macros
Threat actors have been using malicious Office macros to compromise companies for as long as time. Here's some important information & techniques we can use with modern macros.
Last updated
Microsoft Office applications allow us to embed macros: VBA commands and instructions that automate a task. This can be linking documents, loading libraries, or other legitimate work that helps companies manage their programs.
Macros are one of the oldest and best-known client-side attack vectors.
The threat landscape for Microsoft Office is relatively vast.
I won't be including the steps on installing Office, though I might add a VM Image here in the future that includes a free trial for us to use.
The Zone Identifier Alternate Data Stream (Zone.Identifier ADS) records information about the origin of a file, commonly called the Mark of the Web (MOTW). It is used by administrators and system monitoring tools to protect users from potentially malicious software, for example by:
- Windows Defender SmartScreen
- Microsoft Office
Luckily for us, it's Microsoft we're targeting. So there are plenty of ways to bypass this.
We can avoid being flagged by MOTW by using 7zip, ISO, IMG, and other containerized file formats.
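From the defender's side, the first thing to check on a suspicious document is whether it carries MOTW at all, and from which zone. The following is an added example (not code from the original page): it parses the Zone.Identifier stream, which Windows writes as INI-style text with a [ZoneTransfer] section holding ZoneId and optional ReferrerUrl / HostUrl keys, and it treats a missing stream as "no MOTW", which is what you see on a file extracted from a container that did not propagate the stream. The sample stream contents are constructed, not captured from a real system; the zone names are the standard URLMON security zones.

```python
"""Parse the Zone.Identifier alternate data stream (Mark of the Web) on a file.

Added example for this page, not the page's own code. The stream is INI-style text:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=...
    HostUrl=...

ZoneId values are the URLMON security zones: 0 Local machine, 1 Local intranet,
2 Trusted sites, 3 Internet, 4 Restricted sites.
"""
import configparser

ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(stream_text):
    """Describe the MOTW carried by a Zone.Identifier stream.

    An empty/absent stream is reported as zone None ("no MOTW"): that is the
    case a defender cares about, because SmartScreen and Office's Protected View
    key off this stream, and a file pulled out of an ISO/IMG/7z container may
    arrive without it.
    """
    no_motw = {"zone_id": None, "zone": "no MOTW", "referrer": None, "host": None}
    if not stream_text or not stream_text.strip():
        return no_motw
    cp = configparser.ConfigParser(interpolation=None)
    # Windows writes CRLF line endings; normalise before parsing.
    cp.read_string(stream_text.replace("\r\n", "\n"))
    if not cp.has_section("ZoneTransfer"):
        return no_motw
    section = cp["ZoneTransfer"]
    zone_id = section.getint("ZoneId", fallback=None)
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer": section.get("ReferrerUrl"),  # configparser keys are case-insensitive
        "host": section.get("HostUrl"),
    }


def read_zone_identifier(path):
    """Read the stream from an NTFS volume (open 'file:Zone.Identifier'); '' when absent.

    Only meaningful on Windows/NTFS; elsewhere the open fails and '' is returned.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return ""


# Constructed sample streams (not captured from a real machine).
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/invoice.docm\r\n"
)
SAMPLE_EXTRACTED = ""  # what a file extracted from a container typically has


if __name__ == "__main__":
    for label, text in (("downloaded", SAMPLE_INTERNET), ("extracted", SAMPLE_EXTRACTED)):
        print(label, parse_zone_identifier(text))
```

On a live host the same check is `Get-Content -Path .\file.docm -Stream Zone.Identifier` in PowerShell; the point of the "no MOTW" branch is that absence of the stream on a file that came from outside the organisation is itself a finding, not a clean result.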
We will start by creating an empty Office Word document and navigating to View -> Macro.
Then we go to Macros -> select the document name -> Create.
We are brought to the Visual Basic for Applications IDE.
We can instantiate and invoke a Windows Script Host object with CreateObject. In this example we run PowerShell.
We specify AutoOpen() and Document_Open() so the macro runs automatically when the Office document is opened.
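The procedure above produces a macro-enabled document, and that is the artifact a detection pipeline can triage before anyone double-clicks it. The following added example (not code from the original page) inspects a modern OOXML Word package: it looks for the embedded VBA project part (word/vbaProject.bin), checks whether [Content_Types].xml declares the macro-enabled main document type, and flags a VBA project sitting inside a file with a non-macro extension. It only detects that macros are present; extracting the source to confirm an AutoOpen/Document_Open trigger needs an MS-OVBA decompressor such as oletools' olevba, which is not reproduced here. The sample packages are constructed in memory, and the vbaProject.bin placeholder contains only the OLE header magic, not a real VBA project.

```python
"""Triage an OOXML Word package for embedded VBA macros.

Added example for this page, not the page's own code. Detection only: it reports
that a VBA project is present and whether the package metadata agrees with it.
"""
import io
import os
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def triage_office_package(data, filename):
    """Return a dict: is_ooxml, has_vba, macro_enabled_type, findings (list of str)."""
    result = {"is_ooxml": False, "has_vba": False, "macro_enabled_type": False, "findings": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy .doc files are OLE compound files, not zips; they need a different parser.
        result["findings"].append("not an OOXML (zip) package")
        return result
    result["is_ooxml"] = True
    names = zf.namelist()

    # The VBA project is stored as a single OLE part inside the package.
    result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if result["has_vba"]:
        result["findings"].append("VBA project present (vbaProject.bin): inspect the macro source")

    # [Content_Types].xml says what the main document part claims to be.
    if "[Content_Types].xml" in names:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        types = {el.get("ContentType") for el in root.iter(CT_NS + "Override")}
        types |= {el.get("ContentType") for el in root.iter(CT_NS + "Default")}
        result["macro_enabled_type"] = MACRO_MAIN_CT in types
        if result["has_vba"] and not result["macro_enabled_type"]:
            result["findings"].append("VBA project present but main part is not declared macro-enabled")

    # A .docx/.dotx carrying a VBA project is worth a second look on its own.
    ext = os.path.splitext(filename)[1].lower()
    if result["has_vba"] and ext in (".docx", ".dotx"):
        result["findings"].append(f"VBA project inside a non-macro extension ({ext})")
    return result


def build_sample_package(macro):
    """Construct a minimal Word package in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = MACRO_MAIN_CT if macro else PLAIN_MAIN_CT
        content_types = (
            '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>'
            f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
            + ('<Override PartName="/word/vbaProject.bin" '
               'ContentType="application/vnd.ms-office.vbaProject"/>' if macro else "")
            + "</Types>"
        )
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<document/>")
        if macro:
            # OLE compound-file magic followed by padding: a placeholder, not a real VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_office_package(build_sample_package(macro=True), "invoice.docm"))
    print(triage_office_package(build_sample_package(macro=False), "invoice.docx"))
    print(triage_office_package(b"not a zip", "old.doc"))
```

A practical pairing is to run this on mail-gateway attachments together with the Zone.Identifier check: a document that is both macro-enabled and arrives without MOTW should go to a sandbox or analyst rather than a user's inbox.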
Like any successful malware, proper obfuscation techniques are essential for bypassing AV / EDR. View "Malware Development" for more resources.
Fetch From Web Server: