Discover and read the best of Twitter Threads about #blueteams
Most recents (2)
Todays #VBALostArts Topic: #Sandbox Detection
So a few hours ago I whipped up a super basic Office #malware whose goal was to extract as much info from sandboxes as possible and send it in the clear so you can gather all the configurations of the sandbox.
I named it Thumper
So a few hours ago I whipped up a super basic Office #malware whose goal was to extract as much info from sandboxes as possible and send it in the clear so you can gather all the configurations of the sandbox.
I named it Thumper
Thumper does 4 things:
- Built In Office/VBA Info Gathering
- Registry Reading (USER & LM)
- RecentFiles Methods
- Shoots results via HTTP (so you can see)
It does this (by design) with the elegance of a herd of drunken water buffaloes dancing to Russian hard bass in a tea shop.
- Built In Office/VBA Info Gathering
- Registry Reading (USER & LM)
- RecentFiles Methods
- Shoots results via HTTP (so you can see)
It does this (by design) with the elegance of a herd of drunken water buffaloes dancing to Russian hard bass in a tea shop.
As the reference to the name, it's meant to call the sandworms hidding in the dunes.
And if you want to detect and avoid almost all of the sandboxes - easiest way is to check the DateTime stamps of RecentFile methods of Word.
Like This:
And if you want to detect and avoid almost all of the sandboxes - easiest way is to check the DateTime stamps of RecentFile methods of Word.
Like This:
Now that my health is stable again, I will be resuming the development of the #Hephaestus project with a few new additions I would like to share.
For those who missed it the Hephaestus project was originally presented at #Hushcon in 2017: github.com/glinares/Offic…
For those who missed it the Hephaestus project was originally presented at #Hushcon in 2017: github.com/glinares/Offic…
Microsoft in the last year has done quite a few great features to enhance Office security and the overall posture of Office based exploits seem to be lower than a year ago.
However with this I am pivoting a bit on how #Hephaestus will be used and leveraged in #Redteam events
However with this I am pivoting a bit on how #Hephaestus will be used and leveraged in #Redteam events
#Hephaestus will be a 2nd phase tool that will allow an operator to exploit a system using Microsoft Office components as sort of a puppet. Think of how many tools use Powershell in order to compromise systems and stay persistent and gather system info.
