We will explore the boundaries and design weaknesses of AMSI for VBA that would allow attackers to bypass and evade this defensive mechanism. Note that attacks on the engine itself (such as in-memory patching) are out of scope for this post.
https://outflank.nl/blog/2019/04/17/bypassing-amsi-for-vba/
#evasion #vba #redteaming
Outflank
Bypassing AMSI for VBA | Outflank
This blog is a writeup of the various AMSI weaknesses presented at the Troopers talk ‘MS Office File Format Sorcery‘ and the Blackhat Asia presentation ‘Office in Wonderland’. We will explore the boundaries and design weaknesses of AMSI for VBA that would…
Pafish Macro is a Macro enabled Office Document to detect malware analysis systems and sandboxes. It uses evasion & detection techniques implemented by malicious documents.
https://github.com/joesecurity/pafishmacro
#phishing #redteaming #vba #evasion
EXCEL4.0 MACROS - NOW WITH TWICE THE BITS!
Excel 4.0 macros (XLM), the older, awkward sibling of VBA, have been the focus of a couple of interesting offensive techniques. Since Stan Hegt and Pieter Ceelen of Outflank first played with the feature, we have abused it for a funny little lateral movement technique, and they have evolved it to do some impressive work weaponizing it as a shellcode runner.
https://www.cybereason.com/blog/excel4.0-macros-now-with-twice-the-bits
#vba #macro #office #redteaming
Cybereason
Excel4.0 Macros - Now with Twice The Bits!
In this research, we outline how to enable the execution of 64-bit shellcode via Excel 4.0 macros and previous research on 32-bit shellcode.
Cracking VBA Project Passwords
https://blog.didierstevens.com/2020/07/20/cracking-vba-project-passwords/
#vba #windows #tools #bruteforce
Didier Stevens
VBA projects can be protected with a password. The password is not used to encrypt the content of the VBA project, it is just used as protection by the VBA IDE: when the password is set, you will b…