Discover and read the best of Twitter Threads about #VBA
Most recents (4)
#VBA declare statement: from libname #obfuscation to remote dll loading 🧵
Declare is used to declare a ref to an external proc in a DLL
Syntax:
[Public | Private] Declare Function name Lib "libname" [Alias "aliasname"] [ ( [arglist] ) ] [As type]
ref: docs.microsoft.com/en-us/office/v…
Declare is used to declare a ref to an external proc in a DLL
Syntax:
[Public | Private] Declare Function name Lib "libname" [Alias "aliasname"] [ ( [arglist] ) ] [As type]
ref: docs.microsoft.com/en-us/office/v…
0⃣ both "kernel32" and "kernel32.dll" are acceptable libnames
1⃣ padding with space chars " kernel32 "
2⃣ adding arbitrary . to the mix " kernel32 .. .. . "
1⃣ padding with space chars " kernel32 "
2⃣ adding arbitrary . to the mix " kernel32 .. .. . "
Is libname actually a file path? yes
3⃣ "c:\Windows\System32\kernel32.dll"
can we use relative addressing?
4⃣ "..\..\..\..\../\..\\.\windows\system32\kernel32"
can we use file protocol?
5⃣ " file:///../../../../\/./windows/system32/Kernel32.dll ... "
3⃣ "c:\Windows\System32\kernel32.dll"
can we use relative addressing?
4⃣ "..\..\..\..\../\..\\.\windows\system32\kernel32"
can we use file protocol?
5⃣ " file:///../../../../\/./windows/system32/Kernel32.dll ... "
Gather round #infosec fam
Warning: This is a long Thread with lots of #VBALostArts & new goodies for #c2c #opsec & #payloads in Office Malware #VBA
Spoilers: This thread is gonna make some Blue Teams & sandboxes mad
Red Teams: There is plenty of fun up ahead.
Enjoy.
Warning: This is a long Thread with lots of #VBALostArts & new goodies for #c2c #opsec & #payloads in Office Malware #VBA
Spoilers: This thread is gonna make some Blue Teams & sandboxes mad
Red Teams: There is plenty of fun up ahead.
Enjoy.
Currently Office Malware is 3 steps generally:
1. Encrypt/Obfuscate Your #Macro Dropper
2. Get Your Powershell/Java/JS/DLL flavor of the week onto the victim ASAP
3. Bug out
I want to change all of this, however before we do that we need to upgrade Office Malware
1. Encrypt/Obfuscate Your #Macro Dropper
2. Get Your Powershell/Java/JS/DLL flavor of the week onto the victim ASAP
3. Bug out
I want to change all of this, however before we do that we need to upgrade Office Malware
For now lets focus on the first step and why obfuscating/encrypting your macros not ideal.
1. Your code will eventually get deobfuscated
2. Your code is not unique - same sample <-> many targets
3. Most obfuscation methods = Noise/Signatures
4. Your code becomes evidence
1. Your code will eventually get deobfuscated
2. Your code is not unique - same sample <-> many targets
3. Most obfuscation methods = Noise/Signatures
4. Your code becomes evidence
So for today's lesson in C2C for #VBA I will be discussing abusing the AddWebVideo method.
This feature is literally for (surprise) adding videos inside documents.
However it is one of the most overlooked ways to implement C2C or exfil
#VBALostArts
This feature is literally for (surprise) adding videos inside documents.
However it is one of the most overlooked ways to implement C2C or exfil
#VBALostArts
AddWebVideo has 3 parameters that are partial to abuse for C2C and exfil (among other things).
EmbedCode, PosterFrameImage, and URL being the ones we are interested.
However they each have their own behavior and benefits.
EmbedCode, PosterFrameImage, and URL being the ones we are interested.
However they each have their own behavior and benefits.
Starting off with EmbedCode this variable accepts HTML content that is to be rendered within MS Office
So using EmbedCode you can trigger a HTTP[s] connection to your C2C Server as well as store some HTML (more on that in the future)
Something like this gets the job done:
So using EmbedCode you can trigger a HTTP[s] connection to your C2C Server as well as store some HTML (more on that in the future)
Something like this gets the job done:
UPA supporters blaming VBA & AIMM 4 "cutting votes" & UPA loss in 25 seats, let's understand the nuances. Politics is a spectrum, there isn't just a left & right. Every political agenda has a right to exist. We aren't a 2 party system. We are in danger of 1party system tho.
Those who voted for #VBA & #AIMM had a choice. They could have voted for UPA if they felt concerned that their votes would "go wasted". Many have weighed this decision and decided that UPA didn't fit in their plans & they would rather risk a Right candidate winning than vote for
Someone from the Left who wouldn't. They wanted to make a point, and they did. If you have to blame anybody, blame those voters, not the parties. But also ask why they didn't choose UPA against "the common enemy"
