
Repository Details

A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.

This tool was released during our BlackHat Asia talk (March 28, 2019). A video recording of this talk is available at https://www.youtube.com/watch?v=9ULzZA70Dzg.

Evil Clippy


If you're new to this tool, you might want to start by reading our blog post on Evil Clippy: https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/

This project should be used for authorized testing or educational purposes only.

Current features

  • Hide VBA macros from the GUI editor
  • VBA stomping (P-code abuse)
  • Fool analyst tools
  • Serve VBA stomped templates via HTTP
  • Set/Remove VBA Project Locked/Unviewable Protection

If you have no idea what all of this is, check out the following resources first:

How effective is this?

At the time of writing, this tool is capable of getting a default Cobalt Strike macro to bypass most major antivirus products and various maldoc analysis tools (by using VBA stomping in combination with random module names).

Technology

Evil Clippy uses the OpenMCDF library to manipulate MS Office Compound File Binary Format (CFBF) files, and in doing so abuses features of the MS-OVBA specification. It reuses code from Kavod.VBA.Compression to implement the compression algorithm that is used in the dir and module streams (see MS-OVBA for the relevant specifications).

Evil Clippy compiles perfectly fine with the Mono C# compiler and has been tested on Linux, OSX and Windows.

Compilation

We do not provide a binary release for EvilClippy. Please compile executables yourself:

OSX and Linux

Make sure you have Mono installed. Then execute the following command from the command line:

mcs /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs

Now run Evil Clippy from the command line:

mono EvilClippy.exe -h

Windows

Make sure you have Visual Studio installed. Then execute the following command from a Visual Studio developer command prompt:

csc /reference:OpenMcdf.dll,System.IO.Compression.FileSystem.dll /out:EvilClippy.exe *.cs

Now run Evil Clippy from the command line:

EvilClippy.exe -h

Usage examples

Print help

EvilClippy.exe -h

Hide/Unhide macros from GUI

Hide all macro modules (except the default "ThisDocument" module) from the VBA GUI editor. This is achieved by removing module lines from the project stream [MS-OVBA 2.3.1].

EvilClippy.exe -g macrofile.doc

Undo the changes done by the hide option (-g) so that we can debug the macro in the VBA IDE.

EvilClippy.exe -gg macrofile.doc

Stomp VBA (abuse P-code)

Put fake VBA code from text file fakecode.vba in all modules, while leaving P-code intact. This abuses an undocumented feature of module streams [MS-OVBA 2.3.4.3]. Note that the VBA project version must match the host program in order for the P-code to be executed (see next example for version matching).

EvilClippy.exe -s fakecode.vba macrofile.doc

Note: VBA stomping does not work for files saved in the Excel 97-2003 Workbook (.xls) format.

Set target Office version for VBA stomping

Same as the above, but now explicitly targeting Word 2016 on x86. This means that Word 2016 on x86 will execute the P-code, while other versions of Word will execute the code from fakecode.vba instead. Achieved by setting the appropriate version bytes in the _VBA_PROJECT stream [MS-OVBA 2.3.4.1].

EvilClippy.exe -s fakecode.vba -t 2016x86 macrofile.doc

Set/reset random module names (fool analyst tools)

Set random ASCII module names in the dir stream [MS-OVBA 2.3.4.2]. This abuses ambiguity in the MODULESTREAMNAME records [MS-OVBA 2.3.4.2.3.2.3]: most analyst tools use the ASCII module names specified there, while MS Office uses the Unicode variant. By setting a random ASCII module name, most P-code and VBA analysis tools crash, while the actual P-code and VBA still run fine in Word and Excel.

EvilClippy.exe -r macrofile.doc

Note: this is known to be effective in tricking pcodedmp and VirusTotal.

Set ASCII module names in the dir stream to match their Unicode counterparts. This reverses the changes made using the (-r) option of EvilClippy.

EvilClippy.exe -rr macrofile.doc
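A defender-side check for the two manipulations described above (modules dropped from the PROJECT stream by -g, and ASCII/Unicode stream-name mismatches introduced by -r), as an added Python example that is not part of Evil Clippy. It parses an already decompressed dir stream; the dir and PROJECT samples are constructed for this illustration.

```python
import struct

# MS-OVBA dir stream record ids (constructed example, not Evil Clippy code)
PROJECTVERSION, DIR_TERMINATOR = 0x0009, 0x0010
MODULESTREAMNAME, MODULESTREAMNAME_UNICODE = 0x001A, 0x0032  # [MS-OVBA 2.3.4.2.3.2.3]

def iter_records(dir_bytes):
    """Yield (id, payload) from a decompressed dir stream: Id u16 LE, Size u32 LE, payload."""
    pos = 0
    while pos + 6 <= len(dir_bytes):
        rid, size = struct.unpack_from("<HI", dir_bytes, pos)
        pos += 6
        if rid == PROJECTVERSION:   # its Size field is a reserved 4; payload is u32 + u16
            size = 6
        yield rid, dir_bytes[pos:pos + size]
        pos += size
        if rid == DIR_TERMINATOR:
            return

def module_stream_names(dir_bytes, codepage="cp1252"):
    """[(ascii_name, unicode_name)] per module; Office opens streams by the Unicode name."""
    pairs, ascii_name = [], None
    for rid, payload in iter_records(dir_bytes):
        if rid == MODULESTREAMNAME:
            ascii_name = payload.decode(codepage, "replace")
        elif rid == MODULESTREAMNAME_UNICODE and ascii_name is not None:
            pairs.append((ascii_name, payload.decode("utf-16-le", "replace")))
            ascii_name = None
    return pairs

def name_mismatches(dir_bytes):
    """Modules whose ASCII and Unicode stream names disagree (what -r produces)."""
    return [p for p in module_stream_names(dir_bytes) if p[0] != p[1]]

def hidden_from_gui(project_text, dir_bytes):
    """Modules in dir that the PROJECT stream [MS-OVBA 2.3.1] no longer lists (what -g produces)."""
    listed = set()
    for line in project_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() in ("Module", "Document", "Class", "BaseClass"):
            listed.add(value.split("/")[0].strip())
    return [uni for _, uni in module_stream_names(dir_bytes) if uni not in listed]

def _rec(rid, payload):
    return struct.pack("<HI", rid, len(payload)) + payload

# Constructed sample: Module1 got a random ASCII name and was dropped from the PROJECT stream
def _module(ascii_name, unicode_name):
    return _rec(MODULESTREAMNAME, ascii_name) + _rec(MODULESTREAMNAME_UNICODE, unicode_name.encode("utf-16-le"))
SAMPLE_DIR = _module(b"ThisDocument", "ThisDocument") + _module(b"xQ9z", "Module1") + _rec(DIR_TERMINATOR, b"")
SAMPLE_PROJECT = 'Document=ThisDocument/&H00000000\r\nName="VBAProject"\r\n'
```

A real file needs the dir stream pulled out of the CFBF container and decompressed (MS-OVBA 2.4.1) before it is passed to these functions.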

Serve a VBA stomped template via HTTP

Serve macrofile.dot via HTTP on port 8080 after performing VBA stomping. When this file is retrieved, it is automatically matched to the target's Office version (the version is derived from the request's HTTP headers and the _VBA_PROJECT bytes are set accordingly).

EvilClippy.exe -s fakecode.vba -w 8080 macrofile.dot

Note: The file you are serving must be a template (.dot instead of .doc). You can set a template via a URL (.dot extension is not required!) from the developer toolbar in Word. Also, fakecode.vba must have a VB_Base attribute set for a macro from a template (this means that your fakecode.vba must start with a line such as Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}").

Set/Remove VBA Project Locked/Unviewable Protection

To set the Locked/Unviewable attributes use the '-u' option:

EvilClippy.exe -u macrofile.doc

To remove the Locked/Unviewable attributes use the '-uu' option:

EvilClippy.exe -uu macrofile.doc

Note: You can remove the Locked/Unviewable attributes on files that were not locked with EvilClippy as well.

Limitations

Developed for Microsoft Word and Excel document manipulation.

As noted above, VBA stomping is not effective against Excel 97-2003 Workbook (.xls) format.

Authors

Stan Hegt (@StanHacked) / Outflank

With significant contributions by Carrie Roberts (@OrOneEqualsOne / Walmart).

Special thanks to Nick Landers (@monoxgas / Silent Break Security) for pointing me towards OpenMCDF.
