outflanknl/Excel4-DCOM outflanknl/Excel4-DCOM

  • Stars
    star
    321
  • Rank 130,752 (Top 3 %)
  • Language
    PowerShell
  • Created over 5 years ago
  • Updated over 5 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
outflanknl/Excel4-DCOM
github

outflanknl

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

PowerShell and Cobalt Strike scripts for lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe)

Excel4-DCOM

PowerShell and Cobalt Strike scripts for lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe).

Technology

Last year, after our presentation at DerbyCon, we released a blog post detailing the abuse of Excel 4.0 macros (also called XLM macros). This is a macro language which is completely different from VBA and which has been embedded within Excel since 1992. The original blog can be found here, which includes a process injection sample: https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/

It turns out that Excel 4.0 macros are also exposed to DCOM via the ExecuteExcel4Macro method. We modified our process injection XLM macro sample to work on remote hosts as well via DCOM and we hereby release it in PowerShell and Cobalt Strike script versions.

Usage

Cobalt Strike version

Excel4-DCOM <targethost> <listener>

This will inject a x86 staging payload into excel.exe on the target host. Make sure to execute this from a 32 bit beacon (which can be running on a 64 bit system).

PowerShell version

Invoke-Excel4DCOM -ComputerName <target> -Payload <payload location>

This will inject a x86 staging payload into excel.exe on the target host. Make sure to execute this from a 32 bit PowerShell host (%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe).

Why would I use this method over lateral movement method XYZ?

A big plus for this method is that it does direct shellcode injection into excel.exe via Windows API calls. In contrast to most other lateral movement methods (including practically all DCOM-based ones), this technique does not rely on powershell.exe or any other LOLBIN at the target. Hence, this method can be completely "fileless". And as a plus, AMSI only works for VBA macros and not for XLM, making this method very difficult to detect by AV.

What are the disadvantages of this method?

Firstly, this method is slow. The Cobalt Strike staging payload (roughly 800 bytes) requires about 1 to 2 minutes to be injected in a remote host. Note that this is mostly due to the Proof of Concept implementation which injects the payload byte-by-byte in order to avoid XLM macro line-length constraints. It should be possible to do this in chunks of 10 bytes, while still remaining under XLM line-length limits. I just need to find some time to brush up my code. :-)

Secondly, due to XLM data type constraints (read our blog for details), this method only targets 32 bit installs of Excel.exe - which fortunately is the vast majority of installations. Note that x86 installs on x64 systems are fine. This also means that you should execute this method from a 32 bit PowerShell host or beacon.

Authors

Stan Hegt (@StanHacked) / Outflank

Special thanks to Philip Tsukerman (@PhilipTsukerman) for pointing out to me that Excel 4.0 macros are exposed via DCOM.

More Repositories

1

RedELK

Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
Python
2,342
star
2

EvilClippy

A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.
C#
2,095
star
3

Dumpert

LSASS memory dumper using direct system calls and API unhooking.
C
1,464
star
4

C2-Tool-Collection

A collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques.
C
1,090
star
5

Invoke-ADLabDeployer

Automated deployment of Windows and Active Directory test lab networks. Useful for red and blue teams.
PowerShell
477
star
6

SharpHide

Tool to create hidden registry keys.
C#
463
star
7

Spray-AD

A Cobalt Strike tool to audit Active Directory user accounts for weak, well known or easy guessable passwords.
C++
419
star
8

PrintNightmare

C
331
star
9

Ps-Tools

Ps-Tools, an advanced process monitoring toolkit for offensive operations
C
327
star
10

Recon-AD

Recon-AD, an AD recon tool based on ADSI and reflective DLL’s
C++
312
star
11

InlineWhispers

Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF)
Assembly
299
star
12

Scripts

Small scripts that make life better
JavaScript
289
star
13

FindObjects-BOF

A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific loaded modules or process handles.
266
star
14

WdToggle

A Beacon Object File (BOF) for Cobalt Strike which uses direct system calls to enable WDigest credential caching.
213
star
15

edr-internals

Tools for analyzing EDR agents
C++
191
star
16

Zipper

Zipper, a CobaltStrike file and folder compression utility.
C
189
star
17

HelpColor

Agressor script that lists available Cobalt Strike beacon commands and colors them based on their type
188
star
18

TamperETW

PoC to demonstrate how CLR ETW events can be tampered.
C
186
star
19

Presentations

Presentation material presented by Outflank team members at public events.
177
star
20

NetshHelperBeacon

Example DLL to load from Windows NetShell
C++
174
star
21

Net-GPPPassword

.NET implementation of Get-GPPPassword. Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
C#
163
star
22

external_c2

POC for Cobalt Strike external C2
C
122
star
23

DoH_c2_Trigger

Code for blogpost: https://outflank.nl/blog/2018/10/25/building-resilient-c2-infrastructues-using-dns-over-https/
PowerShell
54
star
24

Training-MSOfficeOffensiveTradecraft

Info related to the Outflank training: Microsoft Office Offensive Tradecraft
50
star
25

unmanaged-dotnet-patch

Modify managed functions from unmanaged code
C++
50
star
26

PasswordDump2ELK

Clean public password dump files and store in ELK
Shell
36
star
27

RedELK-workshop

Items related to the RedELK workshop given at security conferences
25
star
28

Exploits

Exploits developped by Outflank B.V. team members
Python
21
star
29

RedFile

Serving files with conditions, serverside keying and more.
Python
19
star
30

Invoke-Templator

A PowerShell script to parse the docx/docm file format and update the template location.
PowerShell
17
star