Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details

All Projects → christophetd → Spoofing Office Macro

christophetd / Spoofing Office Macro

Licence: agpl-3.0

🐟 PoC of a VBA macro spawning a process with a spoofed parent and command line.

Programming Languages

vba

158 projects

This repository contains an example of a VBA macro spawning a process with a spoofed parent and command line. Companion blog post: Building an Office macro to spoof parent processes and command line arguments

Demo

Click for full size.

Notes

The 32-bit initial PoC was written and tested by myself, on Windows 10 with Office Professional Plus 2016, version 1902.
The 64-bit version is a contribution brought by @py7hagoras.
The size of the original command line stored in originalCli needs to be greater than the size of the real one stored in cmdStr

Acknowledgments & inspiration

"Red Teaming in the EDR age" by Will Burgess
https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
https://twitter.com/subtee

Disclaimer

You are solely responsible for the use you make of this PoC. I assume no liability for any misuse or damage caused by this program.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].

Stars: ✭ 303

Visit Git Page 🔗Visit User Page 🔗Visit Issues Page (3) 🔗