• Stars
    star
    498
  • Rank 88,494 (Top 2 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created over 4 years ago
  • Updated about 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory.
_______  ______ _____ _           _   ____                    _   
| ____\ \/ / ___| ____| |    _ __ | |_|  _ \  ___  _ __  _   _| |_ 
|  _|  \  / |   |  _| | |   | '_ \| __| | | |/ _ \| '_ \| | | | __|
| |___ /  \ |___| |___| |___| | | | |_| |_| | (_) | | | | |_| | |_ 
|_____/_/\_\____|_____|_____|_| |_|\__|____/ \___/|_| |_|\__,_|\__|
                    by @JoeLeonJr (@FortyNorthSec)                

EXCELntDonut is a XLM (Excel 4.0) macro generator. Start with C# source code (EXE) and end with a XLM (Excel 4.0) macro that will execute your code in memory. XLM (Excel 4.0) macros can be saved in .XLS files.

Installation

chmod +x install.sh
./install.sh

What is installed?

  • pip3
  • mono-complete (both mcs and all possible libraries you'd reference in your source files)
  • EXCELntDonut as a CLI

If you'd like to run EXCELntDonut as just a python script, you'll need to setup a virtual environment with two packages "pandas" and "donut-shellcode". Additionally, you'll need to apt-get install mono-complete and call the drive.py script using python3. We recommend just using the ./install.sh bash script, but it's up to you.

Usage

Usage:
	$ EXCELntDonut -f exe_source.cs -r System.Windows.Forms.dll --sandbox --obfuscate

Flags:
	(required)
	-f path to file containing your C# soure code (exe only)

	-r References needed to compile your C# code (same ones for when using mcs to compile on Linux)
	(ex: -r 'System.Management')

	(optional)
	-o output filename
	--sandbox 
		Perform basic sandbox checks. This will be updated as new approaches are discovered.
	--obfuscate 
		Perform basic macro obfuscation. 

How it works

You provide a C# file containing your payload (like an EXE with a main method that executes a cobalt strike beacon payload). That C# file is compiled using MCS into two .NET assemblies: x86 and x64. After compilation, the awesome tools Donut (for x86) and CLRvoyance (for x64) convert each assembly into position independent shellcode. Next, all nullbytes are removed, since XLM (Excel 4.0) macros don't play nicely with nullbytes and the payload is chunked into lines with no more than 255 characters (for x86) or 10 characters (for x64).

Once the shellcode is prepared, it's combined with basic process injection functions (VirtualAlloc, WriteProcessMemory and CreateThread) as well as an architecture check function to determine which payload (x86 or x64) to run on the target system. If you elect to execute sandbox checks or basic obfuscation, then those functions will update your macro. Finally, the output is placed in a CSV file (saved as .txt).

How to create a XLM (Excel 4.0) Macro

Once you have the output file from EXCELntDonut, open the output file in a text editor and copy the entirety of it (Ctrl-A, Ctrl-S). Open up Excel on a Windows VM, right-click on "Sheet 1" and select "Insert". Choose "MS Excel 4.0 Macro". Go to cell A1 and paste the EXCELntDonut output. All the data will likely be pasted in one column. The data is semi-colon separated ";". Go to the "Data" tab and then click "Text-to-columns". Select "Delimited" and on the next screen select "Semicolon" and then click "Finish". The macro will spread across the appropriate columns and rows.

(Note - if you selected the "--obfuscate" flag, you'll need to scroll horizontally quite a bit to find your actual code, since part of the obuscation logic moves the macro into a random section of the worksheet).

We recommend two things at this point:

  1. Find the starting cell (will be the top-left cell of your macro code, likely A1). Right-click and select "Run". Test out your macro to make sure it works.
  2. Once you verify that the macro works, select that same top-left cell again. On the left-side of the screen, there should be a dropdown that says the cell you're in (likely "A1"). Click in the dropdown and change the text value to "Auto_open". That will produce the same automatic execution functionality that you're used to in VBA macros.

Save the file (.xls) and try opening it up. It should automatically execute your payload.

Sandbox Checks

These checks are based on what actual threat actors are using in their malware.

  1. Is there a mouse active?
  2. Is the screen size greater than 770 width and 381 height?
  3. Can the host play sounds?
  4. Is this a Windows machine?

Obfuscation

  1. For the process injection instructions (VirtuaAlloc, WriteProcessMemory, CreateThread) and sandbox checks, all macro functions will turn into the following structure:
=FORMULA(D3&D23&D54&D23&D44,E45)

The FORMULA function allows us to place a formula, which can later be executed, into another cell. So in this case, we put the process injection instructions and then use the FORMULA function to place the actual function into another cell to be executed. This avoids defenders conducting static analysis from seeing things like "VirtualAlloc".

  1. The entire macro will shift some value to the right, so that when you initially open up the sheet with the macros, it appears blank.

Things to know

  • Less sophisticated payloads just uses the =EXEC() command to execute commands. Some also use URLMON to download files. Other files even includes the word "SHELL". All of that seemed like a bad idea to us. This tool doesn't include any of that. Instead it injects your C# source code into the Excel process (either 32-bit or 64-bit) and then executes. From there, it's up to your payload on what it does next. .

Tips

  • Your C# source code could do anything you want it to. We recommend your source code break the Parent > Child relationship between Excel and whatever you spawn into.
  • There's a lot of good blog posts about "Very Hidden" excel sheets. Consider using that.
  • Don't forget to make your Excel file look real.

Troubleshooting

"The type or namspace name ... does not exist ... "
root@excelntdonut-test:/opt# EXCELntDonut -f test.cs
 _______  ______ _____ _           _   ____                    _   
| ____\ \/ / ___| ____| |    _ __ | |_|  _ \  ___  _ __  _   _| |_ 
|  _|  \  / |   |  _| | |   | '_ \| __| | | |/ _ \| '_ \| | | | __|
| |___ /  \ |___| |___| |___| | | | |_| |_| | (_) | | | | |_| | |_ 
|_____/_/\_\____|_____|_____|_| |_|\__|____/ \___/|_| |_|\__,_|\__|
                    by @JoeLeonJr (@FortyNorthSec)                
[i] Generating your x86 .NET assembly.
warning CS8001: SDK path could not be resolved
test.cs(2,14): error CS0234: The type or namespace name `Management' does not exist in the namespace `System'. Are you missing an assembly reference?

This error most likely means you're missing a reference assembly during compilation using mono. To fix this, simply pass in the namespace mentioned into the -r flag. In this case, we'd add -r 'System.Management' to the command line. The new command would be:

root@excelntdonut-test:/opt# EXCELntDonut -f test.cs -r 'System.Management'
"Metadata file ... could not be found"
root@excelntdonut-test:/opt# EXCELntDonut -f test.cs -r System.Management
 _______  ______ _____ _           _   ____                    _   
| ____\ \/ / ___| ____| |    _ __ | |_|  _ \  ___  _ __  _   _| |_ 
|  _|  \  / |   |  _| | |   | '_ \| __| | | |/ _ \| '_ \| | | | __|
| |___ /  \ |___| |___| |___| | | | |_| |_| | (_) | | | | |_| | |_ 
|_____/_/\_\____|_____|_____|_| |_|\__|____/ \___/|_| |_|\__,_|\__|
                    by @JoeLeonJr (@FortyNorthSec)                
[i] Generating your x86 .NET assembly.
warning CS8001: SDK path could not be resolved
error CS0006: Metadata file `System.Management' could not be found

[x] Error in generating x86 .NET assembly using MCS. See error message above.

This error should not pop up unless you run EXCELntDonut without using the install.sh bash script. In that case, you'll need to manually install mono-complete. This will download the relevant dependencies. You can install it using apt like this:

apt-get install mono-complete
"Program ... does not contain a static 'Main' method ..."
root@kali:~/Desktop# EXCELntDonut -f test.cs
 _______  ______ _____ _           _   ____                    _   
| ____\ \/ / ___| ____| |    _ __ | |_|  _ \  ___  _ __  _   _| |_ 
|  _|  \  / |   |  _| | |   | '_ \| __| | | |/ _ \| '_ \| | | | __|
| |___ /  \ |___| |___| |___| | | | |_| |_| | (_) | | | | |_| | |_ 
|_____/_/\_\____|_____|_____|_| |_|\__|____/ \___/|_| |_|\__,_|\__|
                    by @JoeLeonJr (@FortyNorthSec)                
[i] Generating your x86 .NET assembly.
error CS5001: Program `_excelntdonut_GJAoNuVPMcX.exe' does not contain a static `Main' method suitable for an entry point

[x] Error in generating x86 .NET assembly using MCS. See error message above.

At the moment, EXCELntDonut only allows C# files with payloads in the Main function.

General Troubleshooting Advice
  1. First, compile your C# source code using csc on windows and execute to verify that the payload works. Test this out by compiling to x86 and x64 payloads, since it's likely you won't know if your target environment operates 32-bit or 64-bit Excel.
  2. You should be able to run your payload multiple times in the same process, but if you're getting weird errors, exit it out of Excel, re-open and retry.
  3. When in doubt, close out of Excel and create a new file to test from.

Detection

There's a lot of posts about using OLEDUMP.py to review XLM files. Consider this one:

https://clickallthethings.wordpress.com/2020/04/06/covid-19-excel-4-0-macros-and-sandbox-detection/

Defense

  1. Enable GPO blocking macro execution for files downloaded from the internet. See - https://www.microsoft.com/security/blog/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
  2. AMSI unfortunately doesn't help here.
  3. ASR Rules...we're not sure.
  4. Most users send .xlsx files these days. Perhaps block .xls files from being sent to your employees' inboxes. It wouldn't be outrageous to request someone re-send a file saved as .xlsx.
  5. The most recent version of Defender ATP caught the unobfuscated version of this file when dropped to disk.

Acknowledgments

This wouldn't even be on our radar without the fantastic work done by the folks at Outflank (@outflanknl). Special thanks to @StanHacked for his insight during this project. Also, equally, this project would not be possible without Donut (by @TheWover and @odzhan) and the related python library (by @byt3bl33d3r). Related, the team at Accenture created CLRvoyance, which solved some x64 issues we couldn't figure out with Donut + XLM 4.0 macros. Finally, thanks to Philip Tsukerman with Cybereason for the awesome research on making XLM macros compatible with 64-bit versions of Excel.

Disclaimer

We are not responsible for misuse of this tool. This tool was generated for educational and authorized-testing purposes to demonstrate how C# source code can be injected into memory using a XLM (Excel 4.0) macro. The ultimate goal of this project is to (1) provide red teamers another phishing payload option to emulate what actual adversaries are currently using, and (2) provide defenders a frame of reference for building analytics and mitigations. Without a tool to quickly generate this type of payload, we believe defenders will not be adequately prepared for what's actually coming their way. Please act responsibly.

License

Please see the license file in this folder. Please note that this tool incorporates two other open source tools including Donut and CLRvoyance.

More Repositories

1

EyeWitness

EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
Python
4,899
star
2

C2concealer

C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
Python
987
star
3

WMImplant

This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
PowerShell
798
star
4

Just-Metadata

Just-Metadata is a tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset.
Python
623
star
5

Egress-Assess

Egress-Assess is a tool used to test egress data detection capabilities
PowerShell
610
star
6

GraphStrike

Cobalt Strike HTTPS beaconing over Microsoft Graph API
C
539
star
7

WMIOps

This repo is for WMIOps, a powershell script which uses WMI for various purposes across a network.
PowerShell
381
star
8

EDD

Enumerate Domain Data
C#
312
star
9

PersistAssist

Fully modular persistence framework
C#
249
star
10

CIMplant

C# port of WMImplant which uses either CIM or WMI to query remote systems
C#
196
star
11

AutoFunkt

Python script for automating the creation of serverless cloud redirectors from Cobalt Strike malleable C2 profiles
Python
189
star
12

Jigsaw

Hide shellcode by shuffling bytes into a random array and reconstruct at runtime
Python
173
star
13

AggressorAssessor

Aggressor scripts for phases of a pen test or red team assessment
Python
171
star
14

hot-manchego

Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library.
C#
140
star
15

jargon

Python
114
star
16

Screenshooter

C# program to take a full size screenshot or a recording of the user's desktop. Takes in 0-3 flags
C#
83
star
17

DigDug

Python
66
star
18

FunctionalC2

A small POC of using Azure Functions to relay communications. Feel free to add additional functionality beyond this POC!
Python
66
star
19

What-The-F

This repo hosts a poc of how to execute F# code within an unmanaged process
C++
64
star
20

SqlClient

POC for .NET mssql client for accessing database data through beacon
C#
59
star
21

MiddleOut

A small .NET compression utility
C#
54
star
22

Hasher

Hasher is designed to be a tool that allows you to quickly hash plaintext strings, or compare hashed values with a plaintext locally. Not meant to crack passwords, but designed for local checks.
Python
48
star
23

GPPDeception

This script generates a groups.xml file that mimics a real GPP to create a new user on domain-joined computers
PowerShell
44
star
24

rstools

Python
39
star
25

Chromatophore

Utilities for obfuscating shellcode
C
38
star
26

RandomScripts

Scripts for public use that we've randomly written, or have updated from other people's work.
Shell
36
star
27

ProxmarkWrapper

A wrapper around the Proxmark3 client that will alert the user of specific events
Python
29
star
28

CLM-Base64

This project provides Base64 encoding and decoding functionality to PowerShell within Constrained Language Mode
PowerShell
22
star
29

SharpCollectionTemplate

PowerShell
13
star
30

Delta-Encoder

Python
12
star
31

CredCheck

.NET wrapper around LogonUserA to test creds
C#
10
star
32

RansomwareTalks

code for ransomware talks
C#
8
star
33

CUDA-Installation-Script

Quick and dirty installation script for CUDA drivers on Ubuntu 18.04 LTS to save a bit of time.
Shell
3
star