This repo is a knowledge-base/checklist. It consists of all the techniques of generating and supplying malicious macro-enabled excel files during your pentest/red-teaming project.
- Excel presented with Fake DocuSign instructions to enable content.
- Macros create temp folders in user folder and download a series of other files for the encoded PowerShell execution.
- Macros create an hta file that contains implant download commands.
- Macros run base64 encoded commands to download first and second stage backdoors to implant.
- Basic evasion technique - Change file names frequently.
- Macros can be crafted in password-protected 'sheets'.
- Code can be obfuscated using the CHAR function within excel.
- Macros create random string folder in %programdata%, copies certutil.exe to this folder for AV/EDR evasion, copy of certutil.exe can be random string or matched to the random string of that folder. That certutil.exe (renamed one) being used to connect C&C server of attacker to download malware for further persistence attack.
- Auto-open functionality can be used with macro-enabled excel docs.
- Phishing email contains link to the fraudulent call center support which then downloads office files with malicious macros.
- Phishing emails contains document which then contains link to the fraudulent call center support which then downloads office files with malicious macros.
- Macro with ana bility to create a scheduled task, both commonly known auto-start extensibility points (ASEPs).
- Majority of macros download some sort of dll which then run/executed by rundll32.exe or winlogon.exe in order to evade AV/EDRs.
- Pop-ups can be used in the spreadsheet to evade screenshot detection.
- Checks can be written in macros to determine if the excel is opened in the sandbox or virtual environment or not.- https://malware.news/t/excel-4-macros-get-workspace-reference/38892 . GET.WORKSPACE(int) can be used to perform various checks. Example: GET.WORKSPACE(19) - checks for the presence of a mouse GET.WORKSPACE(42) - checks if the device can play sounds
- Excel sheets can be hidden and also can be 'very hidden'. Hidden Sheets can be made visible either through the Excel GUI of the file, but Very Hidden Sheets cannot be unhidden through the Excel GUI. - https://www.ablebits.com/office-addins-blog/2017/12/20/very-hidden-sheets-excel/
- Use AMSI (Anti-malware scan interface) to block runtime execution of macro based documents. Ensure this feature should be enabled for all locations and not just trusted locations. - https://www.microsoft.com/security/blog/2021/03/03/xlm-amsi-new-runtime-defense-against-excel-4-0-macro-malware/
- Disallow all legacy workbooks that require excel 4.0 and below.
- Prevent internet originated macros.
- Disallow macros or allow only macros from trusted locations.
- Do not allow Win32 API calls execution for Macros.
- Do not use unsigned macros, for any organization internally, they should use signed macros only for the execution.
- Educate users on not enabling macros by clicking on enable content on any unexpected excel workbooks.
- Use attack surface reduction rules to prevent users against Macro based phishing attacks. - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide
Warning/Disclaimer: Read the detailed disclaimer at my blog - https://github.com/iamthefrogy/Disclaimer-Warning/blob/main/README.md
Logo credit - www.designevo.com