OffensiveVBA – Code Execution And AV Evasion Methods For Macros In Office Documents

Main / OffensiveVBA – Code Execution And AV Evasion Methods For Macros In Office Documents

Discription

[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt2QNPY-RJ7ahBwOR7SdMADnOMoMKyiyKcd0YdAZRdFsupGyXNEPxoT8tTWK7E6UAFBLZaSWQbb7IV6et0i378hptCb8_UPr18jzL-PavfOQ8fLRP-3bpKj0sy9oM196TCNdrVMM1cZeonmpN1GFXtVUiv5-syx_wq5F456ljdHx6cclUhQaNqAmpu/w640-h350/OffensiveVBA.png)]()

In preparation for a VBS AV Evasion Stream/Video I was doing some research for Office Macro code execution methods and evasion techniques.

The list got longer and longer and I found no central place for offensive VBA templates – so this repo can be used for such. It is very far away from being complete. If you know any other cool technique or useful template feel free to contribute and create a pull request!

Most of the templates in this repo were already published somewhere. I just copy pasted most templates from ms-docs sites, blog posts or from other tools.

## Templates in this repo

File | Description
—|—
[ShellApplication_ShellExecute.vba]( “ShellApplication_ShellExecute.vba” ) | Execute an OS command via ShellApplication object and ShellExecute method
[ShellApplication_ShellExecute_privileged.vba]( “ShellApplication_ShellExecute_privileged.vba” ) | Execute an privileged OS command via ShellApplication object and ShellExecute method – UAC prompt
[Shellcode_CreateThread.vba]( “Shellcode_CreateThread.vba” ) | Execute shellcode in the current process via Win32 CreateThread
[Shellcode_EnumChildWindowsCallback.vba]( “Shellcode_EnumChildWindowsCallback.vba” ) | Execute shellcode in the current process via EnumChildWindows
[Win32_CreateProcess.vba]( “Win32_CreateProcess.vba” ) | Create a new process for code execution via Win32 CreateProcess function
[Win32_ShellExecute.vba]( “Win32_ShellExecute.vba” ) | Create a new process for code execution via Win32 ShellExecute function
[WMI_Process_Create.vba]( “WMI_Process_Create.vba” ) | Create a new process via WMI for code execution
[WMI_Process_Create2.vba]( “WMI_Process_Create2.vba” ) | Another WMI code execution example
[WscriptShell_Exec.vba]( “WscriptShell_Exec.vba” ) | Execute an OS command via WscriptShell object and Exec method
[WscriptShell_run.vba]( “WscriptShell_run.vba” ) | Execute an OS command via WscriptShell object and Run method
[VBA-RunPE]( “VBA-RunPE” ) | [@itm4n’s]( “@itm4n’s” ) RunPE technique in VBA
[GadgetToJScript]( “GadgetToJScript” ) | [med0x2e’s]( “med0x2e’s” ) C# script for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.
[PPID_Spoof.vba]( “PPID_Spoof.vba” ) | [christophetd’s]( “christophetd’s” ) [spoofing-office-macro]( “spoofing-office-macro” ) copy
[AMSIBypass_AmsiScanBuffer_ordinal.vba]( “AMSIBypass_AmsiScanBuffer_ordinal.vba” ) | [rmdavy’s]( “rmdavy’s” ) AMSI Bypass to patch AmsiScanBuffer using ordinal values for a signature bypass
[AMSIBypass_AmsiScanBuffer_Classic.vba]( “AMSIBypass_AmsiScanBuffer_Classic.vba” ) | [rasta-mouse’s]( “rasta-mouse’s” ) classic AmsiScanBuffer patch
[AMSIBypass_Heap.vba]( “AMSIBypass_Heap.vba” ) | [rmdavy’s]( “rmdavy’s” ) [HeapsOfFun]( “HeapsOfFun” ) repo copy
[AMSIbypasses.vba]( “AMSIbypasses.vba” ) | [outflanknl’s]( “outflanknl’s” ) [AMSI bypass blog]( “AMSI bypass blog” )
[COMHijack_DLL_Load.vba]( “COMHijack_DLL_Load.vba” ) | Load DLL via COM Hijacking
[COM_Process_create.vba]( “COM_Process_create.vba” ) | Create process via COM object
[Download_Autostart.vba]( “Download_Autostart.vba” ) | Download a file from a remote webserver and put it into the StartUp folder
[Download_Autostart_WinAPI.vba]( “Download_Autostart_WinAPI.vba” ) | Download a file from a remote webserver via URLDownloadtoFileA and put it into the StartUp folder
[Dropper_Autostart.vba]( “Dropper_Autostart.vba” ) | Drop batch file into the StartUp folder
[Registry_Persist_wmi.vba]( “Registry_Persist_wmi.vba” ) | Create StartUp [registry key]( “registry key” ) for [persistence]( “persistence” ) via WMI
[Registry_Persist_wscript.vba]( “Registry_Persist_wscript.vba” ) | Create StartUp registry key for persistence via wscript object
[ScheduledTask_Create.vba]( “ScheduledTask_Create.vba” ) | Create and start sheduled task for code execution/persistence
[XMLDOM_Load_XSL_Process_create.vba]( “XMLDOM_Load_XSL_Process_create.vba” ) | Load XSL from a remote webserver to execute code
[regsvr32_sct_DownloadExecute.vba]( “regsvr32_sct_DownloadExecute.vba” ) | Execute regsvr32 to download a remote webservers SCT file for code execution
[BlockETW.vba]( “BlockETW.vba” ) | Patch EtwEventWrite in ntdll.dll to block ETW data collection
[BlockETW_COMPLUS_ETWEnabled_ENV.vba]( “BlockETW_COMPLUS_ETWEnabled_ENV.vba” ) | Block ETW data collection by setting the environment variable COMPLUS_ETWEnabled to 0, credit to [@_xpn_]( “@” )
[ShellWindows_Process_create.vba]( “ShellWindows_Process_create.vba” ) | ShellWindows Process create to get explorer.exe as parent process
[AES.vba]( “AES.vba” ) | An example to use AES encryption/decryption in VBA from [Here]( “Here” )
[Dropper_Executable_Autostart.vba]( “Dropper_Executable_Autostart.vba” ) | Get executable bytes from VBA and drop into Autostart – no download in this case
[MarauderDrop.vba]( “MarauderDrop.vba” ) | Drop a COM registered .NET DLL into temp, import the function and execute code – in this case loads a remote C# binary from a webserver to memory and executes it – credit to [@Jean_Maes_1994]( “@Jean_Maes_1994” ) for [MaraudersMap]( “MaraudersMap” )
[Dropper_Workfolders_lolbas_Execute.vba]( “Dropper_Workfolders_lolbas_Execute.vba” ) | Drop an embedded executable into the TEMP directory and execute it using C:windowssystem32Workfolders.exe as LOLBAS – credit to [@YoSignals]( “@YoSignals” )
[SandBoxEvasion]( “SandBoxEvasion” ) | Some SandBox Evasion templates
[Evasion Dropper Autostart.vba]( “Evasion Dropper Autostart.vba” ) | Drops a file to the Startup directory bypassing file write monitoring via renamed folder operation
[Evasion MsiInstallProduct.vba]( “Evasion MsiInstallProduct.vba” ) | Installs a remote MSI package using WindowsInstaller ActiveXObject avoiding spawning suspicious office child process, the msi installation will be executed as a child of the `MSIEXEC /V service`
[StealNetNTLMv2.vba]( “StealNetNTLMv2.vba” ) | Steal NetNTLMv2 Hash via share connection – credit to
[Parse-Outlook.vba]( “Parse-Outlook.vba” ) | Parses Outlook for sensitive keywords and file extensions, and exfils them via email – credit to [JohnWoodman]( “JohnWoodman” )
[Reverse-Shell.vba]( “Reverse-Shell.vba” ) | Reverse shell written entirely in VBA using [Windows API]( “Windows API” ) calls – credit to [JohnWoodman]( “JohnWoodman” )

## Missing – ToDos

File | Description
—|—
[Unhooker.vba]( “Unhooker.vba” ) | Unhook API’s in memory to get rid of hooks
[Syscalls.vba]( “Syscalls.vba” ) | Syscall usage – fresh from disk or Syswhispers like
[Manymore.vba]( “Manymore.vba” ) | If you have any more ideas feel free to contribute

## Obfuscators / Payload generators

1. [VBad]( “VBad” )
2. [wePWNise]( “wePWNise” )
3. [VisualBasicObfuscator]( “VisualBasicObfuscator” ) – needs some [modification]( “modification” ) as it doesn’t split up lines and is therefore not usable for office document macros
4. [macro_pack]( “macro_pack” )
5. [shellcode2vbscript.py]( “shellcode2vbscript.py” )
6. [EvilClippy]( “EvilClippy” )
7. [OfficePurge]( “OfficePurge” )
8. [SharpShooter]( “SharpShooter” )
9. [VBS-Obfuscator-in-Python]( “VBS-Obfuscator-in-Python” ) – – needs some modification as it doesn’t split up lines and is therefore not usable for office document macros

## Credits / usefull resources

ASR bypass:

Shellcode to VBScript conversion:

Bypass AMSI in VBA:

VBA purging:

F-Secure VBA Evasion and detection post:

One more F-Secure blog:

**[Download OffensiveVBA]( “Download OffensiveVBA” )**Read More

References

Back to Main

Subscribe for the latest news: