Showing Articles About
microsoft office
-
Riccardo Ancarani - 2 Feb 2023
Detecting OneNote Abuse
OneNote file formats present multiple attack vectors for threat actors to embed malicious attachments with minimal user interaction. The article explores various abuse techniques including executable attachments, living-off-the-land binaries, and right-to-left override spoofing. Detection strategies involve monitoring OneNote process operations, tracking file write events, and analyzing parent-child process relationships.
-
Calum Hall Luke Roberts - 14 Apr 2021
Attack Detection Fundamentals 2021: macOS - Lab #1
This article explores macOS attack detection fundamentals using the Mythic post-exploitation framework. It demonstrates initial access via Office macros, persistence techniques using LaunchAgents, and sandbox breakout methods. The focus is on detecting malicious process trees and understanding macOS security mechanisms through practical attack scenarios.
- Calum Hall Luke Roberts
- 14 Apr 2021
Attack Detection Fundamentals 2021: macOS - Lab #2
This article explores LaunchAgent persistence techniques on macOS, demonstrating how attackers can abuse system functionality to maintain access. Detection methods using Endpoint Security Framework and osquery are discussed to identify suspicious LaunchAgent behavior. Key strategies include monitoring file creation events and analyzing unsigned binaries executed by LaunchAgents.
- Riccardo Ancarani
- 24 Jun 2020
Attack Detection Fundamentals: Initial Access - Lab #1
This article demonstrates a technique for establishing initial access in a target environment using malicious Office macros. The lab walkthrough covers creating a PowerShell-based command and control payload embedded in a macro document. Detection strategies are explored through parent-child process analysis and Sysmon event log examination, with a focus on identifying anomalous process spawning from Office applications.
- Yong Chuan Koh
- 23 Nov 2017
Corrupting Memory In Microsoft Office Protected-View Sandbox
This presentation explores vulnerabilities in Microsoft Office's Protected-View sandbox through fuzzing its Inter-Process Communication (IPC) attack surface. Two critical CVEs were discovered targeting the reduced functionality sandbox environment. The talk details the methodology for generating test cases and analyzing potential security weaknesses in Protected-View.
- William Knowles
- 18 Sep 2017
Land, Configure Microsoft Office, Persist
This presentation explores native Microsoft Office add-in mechanisms that can be exploited for persistence on compromised workstations. Various techniques for abusing Office add-ins are analyzed from a red teaming perspective. The talk examines deployment complexity, privilege requirements, and effectiveness in different computing environments.
- William Knowles
- 16 May 2017
DLL Tricks with VBA to Improve Offensive Macro Capability
This article explores advanced VBA macro techniques for bypassing security controls using DLLs. Two key techniques are presented: executing remote COM scriptlets without regsvr32 and storing malicious DLLs as seemingly legitimate Office files. These methods enable attackers to execute payloads while evading traditional security detection mechanisms.
- William Knowles
- 21 Apr 2017
Add-In Opportunities for Office Persistence
This article explores multiple techniques for gaining persistence through Microsoft Office add-ins. Multiple methods are examined, including WLL, XLL, VBA, COM, Automation, VBE, and VSTO add-ins that can execute code when Office applications start. Each add-in type offers unique mechanisms for potential code execution with different technical advantages and limitations.
- Kostas Lintovois
- 11 Nov 2016
One Template To Rule 'Em All
A presentation explored how Microsoft Office VBA and templates can be exploited as a persistent malware delivery mechanism. The talk demonstrated vulnerabilities in locked-down environments through a proof-of-concept tool called WePWNise. VBA-enabled files remain an attractive attack vector due to business requirements and human factors in targeted attacks.
- Yong Chuan Koh
- 3 Jul 2015
Understanding the Protected-View Sandbox
The whitepaper analyzes the Microsoft Office 2013 Protected-View sandbox architecture. It explores the sandbox's initialization, system resource restrictions, and Inter-Process Communication (IPC) mechanism. The technical analysis was originally presented at the REcon 2015 Security Conference.