-->

OffensiveVBA - Code Execution And AV Evasion Methods For Macros In Office Documents


In preparation for a VBS AV Evasion Stream/Video I was doing some research for Office Macro code execution methods and evasion techniques.

The list got longer and longer and I found no central place for offensive VBA templates - so this repo can be used for such. It is very far away from being complete. If you know any other cool technique or useful template feel free to contribute and create a pull request!

Most of the templates in this repo were already published somewhere. I just copy pasted most templates from ms-docs sites, blog posts or from other tools.


Templates in this repo

File Description
ShellApplication_ShellExecute.vba Execute an OS command via ShellApplication object and ShellExecute method
ShellApplication_ShellExecute_privileged.vba Execute an privileged OS command via ShellApplication object and ShellExecute method - UAC prompt
Shellcode_CreateThread.vba Execute shellcode in the current process via Win32 CreateThread
Shellcode_EnumChildWindowsCallback.vba Execute shellcode in the current process via EnumChildWindows
Win32_CreateProcess.vba Create a new process for code execution via Win32 CreateProcess function
Win32_ShellExecute.vba Create a new process for code execution via Win32 ShellExecute function
WMI_Process_Create.vba Create a new process via WMI for code execution
WMI_Process_Create2.vba Another WMI code execution example
WscriptShell_Exec.vba Execute an OS command via WscriptShell object and Exec method
WscriptShell_run.vba Execute an OS command via WscriptShell object and Run method
VBA-RunPE @itm4n's RunPE technique in VBA
GadgetToJScript med0x2e's C# script for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.
PPID_Spoof.vba christophetd's spoofing-office-macro copy
AMSIBypass_AmsiScanBuffer_ordinal.vba rmdavy's AMSI Bypass to patch AmsiScanBuffer using ordinal values for a signature bypass
AMSIBypass_AmsiScanBuffer_Classic.vba rasta-mouse's classic AmsiScanBuffer patch
AMSIBypass_Heap.vba rmdavy's HeapsOfFun repo copy
AMSIbypasses.vba outflanknl's AMSI bypass blog
COMHijack_DLL_Load.vba Load DLL via COM Hijacking
COM_Process_create.vba Create process via COM object
Download_Autostart.vba Download a file from a remote webserver and put it into the StartUp folder
Download_Autostart_WinAPI.vba Download a file from a remote webserver via URLDownloadtoFileA and put it into the StartUp folder
Dropper_Autostart.vba Drop batch file into the StartUp folder
Registry_Persist_wmi.vba Create StartUp registry key for persistence via WMI
Registry_Persist_wscript.vba Create StartUp registry key for persistence via wscript object
ScheduledTask_Create.vba Create and start sheduled task for code execution/persistence
XMLDOM_Load_XSL_Process_create.vba Load XSL from a remote webserver to execute code
regsvr32_sct_DownloadExecute.vba Execute regsvr32 to download a remote webservers SCT file for code execution
BlockETW.vba Patch EtwEventWrite in ntdll.dll to block ETW data collection
BlockETW_COMPLUS_ETWEnabled_ENV.vba Block ETW data collection by setting the environment variable COMPLUS_ETWEnabled to 0, credit to @xpn
ShellWindows_Process_create.vba ShellWindows Process create to get explorer.exe as parent process
AES.vba An example to use AES encryption/decryption in VBA from Here
Dropper_Executable_Autostart.vba Get executable bytes from VBA and drop into Autostart - no download in this case
MarauderDrop.vba Drop a COM registered .NET DLL into temp, import the function and execute code - in this case loads a remote C# binary from a webserver to memory and executes it - credit to @Jean_Maes_1994 for MaraudersMap
Dropper_Workfolders_lolbas_Execute.vba Drop an embedded executable into the TEMP directory and execute it using C:\windows\system32\Workfolders.exe as LOLBAS - credit to @YoSignals
SandBoxEvasion Some SandBox Evasion templates
Evasion Dropper Autostart.vba Drops a file to the Startup directory bypassing file write monitoring via renamed folder operation
Evasion MsiInstallProduct.vba Installs a remote MSI package using WindowsInstaller ActiveXObject avoiding spawning suspicious office child process, the msi installation will be executed as a child of the MSIEXEC /V service
StealNetNTLMv2.vba Steal NetNTLMv2 Hash via share connection - credit to https://book.hacktricks.xyz/windows/ntlm/places-to-steal-ntlm-creds
Parse-Outlook.vba Parses Outlook for sensitive keywords and file extensions, and exfils them via email - credit to JohnWoodman
Reverse-Shell.vba Reverse shell written entirely in VBA using Windows API calls - credit to JohnWoodman

Missing - ToDos

File Description
Unhooker.vba Unhook API's in memory to get rid of hooks
Syscalls.vba Syscall usage - fresh from disk or Syswhispers like
Manymore.vba If you have any more ideas feel free to contribute

Obfuscators / Payload generators

  1. VBad
  2. wePWNise
  3. VisualBasicObfuscator - needs some modification as it doesn't split up lines and is therefore not usable for office document macros
  4. macro_pack
  5. shellcode2vbscript.py
  6. EvilClippy
  7. OfficePurge
  8. SharpShooter
  9. VBS-Obfuscator-in-Python - - needs some modification as it doesn't split up lines and is therefore not usable for office document macros

Credits / usefull resources

ASR bypass: http://blog.sevagas.com/IMG/pdf/bypass_windows_defender_attack_surface_reduction.pdf

Shellcode to VBScript conversion: https://github.com/DidierStevens/DidierStevensSuite/blob/master/shellcode2vbscript.py

Bypass AMSI in VBA: https://outflank.nl/blog/2019/04/17/bypassing-amsi-for-vba/

VBA purging: https://www.mandiant.com/resources/purgalicious-vba-macro-obfuscation-with-vba-purging

F-Secure VBA Evasion and detection post: https://blog.f-secure.com/dechaining-macros-and-evading-edr/

One more F-Secure blog: https://labs.f-secure.com/archive/dll-tricks-with-vba-to-improve-offensive-macro-capability/



Disqus Comments