christophetd / Spoofing Office Macro
Licence: agpl-3.0
🐟 PoC of a VBA macro spawning a process with a spoofed parent and command line.
Stars: ✭ 303
This repository contains an example of a VBA macro spawning a process with a spoofed parent and command line. Companion blog post: Building an Office macro to spoof parent processes and command line arguments
Notes
- The 32-bit initial PoC was written and tested by myself, on Windows 10 with Office Professional Plus 2016, version 1902.
- The 64-bit version is a contribution brought by @py7hagoras.
- The size of the original command line stored in `originalCli` needs to be greater than the size of the real one stored in `cmdStr`.
Acknowledgments & inspiration
- "Red Teaming in the EDR age" by Will Burgess
- https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
- https://twitter.com/subtee
Disclaimer
You are solely responsible for the use you make of this PoC. I assume no liability for any misuse or damage caused by this program.