This repository contains an example of a VBA macro spawning a process with a spoofed parent and command line. Companion blog post: Building an Office macro to spoof parent processes and command line arguments
Demo
Click for full size.
Notes
-
The 32-bit initial PoC was written and tested by myself, on Windows 10 with Office Professional Plus 2016, version 1902.
-
The 64-bit version is a contribution brought by @py7hagoras.
-
The size of the original command line stored in
originalCli
needs to be greater than the size of the real one stored incmdStr
Acknowledgments & inspiration
- "Red Teaming in the EDR age" by Will Burgess
- https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
- https://twitter.com/subtee
Disclaimer
You are solely responsible for the use you make of this PoC. I assume no liability for any misuse or damage caused by this program.