Discover and read the best of Twitter Threads about #Hushcon
Most recents (2)
Gather round #infosec fam
Warning: This is a long Thread with lots of #VBALostArts & new goodies for #c2c #opsec & #payloads in Office Malware #VBA
Spoilers: This thread is gonna make some Blue Teams & sandboxes mad
Red Teams: There is plenty of fun up ahead.
Enjoy.
Warning: This is a long Thread with lots of #VBALostArts & new goodies for #c2c #opsec & #payloads in Office Malware #VBA
Spoilers: This thread is gonna make some Blue Teams & sandboxes mad
Red Teams: There is plenty of fun up ahead.
Enjoy.
Currently Office Malware is 3 steps generally:
1. Encrypt/Obfuscate Your #Macro Dropper
2. Get Your Powershell/Java/JS/DLL flavor of the week onto the victim ASAP
3. Bug out
I want to change all of this, however before we do that we need to upgrade Office Malware
1. Encrypt/Obfuscate Your #Macro Dropper
2. Get Your Powershell/Java/JS/DLL flavor of the week onto the victim ASAP
3. Bug out
I want to change all of this, however before we do that we need to upgrade Office Malware
For now lets focus on the first step and why obfuscating/encrypting your macros not ideal.
1. Your code will eventually get deobfuscated
2. Your code is not unique - same sample <-> many targets
3. Most obfuscation methods = Noise/Signatures
4. Your code becomes evidence
1. Your code will eventually get deobfuscated
2. Your code is not unique - same sample <-> many targets
3. Most obfuscation methods = Noise/Signatures
4. Your code becomes evidence
Now that my health is stable again, I will be resuming the development of the #Hephaestus project with a few new additions I would like to share.
For those who missed it the Hephaestus project was originally presented at #Hushcon in 2017: github.com/glinares/Offic…
For those who missed it the Hephaestus project was originally presented at #Hushcon in 2017: github.com/glinares/Offic…
Microsoft in the last year has done quite a few great features to enhance Office security and the overall posture of Office based exploits seem to be lower than a year ago.
However with this I am pivoting a bit on how #Hephaestus will be used and leveraged in #Redteam events
However with this I am pivoting a bit on how #Hephaestus will be used and leveraged in #Redteam events
#Hephaestus will be a 2nd phase tool that will allow an operator to exploit a system using Microsoft Office components as sort of a puppet. Think of how many tools use Powershell in order to compromise systems and stay persistent and gather system info.
