PTX Course
Macro
OfficeOpenXML Standard file extensions:
Macros not permitted:
DOCX
DOTX [Template]
Macros permitted:
DOCM
DOTM [Template]
DOCM files (and other extensions that support macros) containing macros can be renamed to other formats such as RTF, which does not support macros by design, and still keep their macro-executing capability.
Macro leveraging file properties to hide its payload and StdIn to avoid logging
AutoOpen is picked up by some AVs and therefore more creative ways should be employed for macro execution, such as triggering the macro from a button.
PowerShell-based payloads are added to the document's properties, such as "Author".
Hide the PowerShell command's arguments from command-line logging by passing them via StdIn.WriteLine.
Hide the payload in custom Excel forms in an encoded form.
Macro Code: Link
Including unused code is a simple obfuscation tactic. In the above example variable c is not used anywhere in the macro.
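Two of the points above, that a macro-enabled file renamed to RTF keeps its macros and that payloads can be hidden in document properties, suggest what a defender's check should look at: the container contents, not the extension. The following is an added example, not course material; it identifies an OOXML package by its zip contents, flags the presence of a vbaProject.bin part, and scans core properties (Author is dc:creator) for script fragments. The sample packages it builds are constructed fixtures, not real Word documents.

```python
import io
import re
import zipfile

# Parts that hold VBA code inside OOXML packages (Word, Excel, PowerPoint).
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Script fragments that have no business in document metadata fields.
SUSPICIOUS_META = re.compile(r"(powershell|cmd(\.exe)?\s|\biex\b|-enc\b|\$\w+\s*=)", re.I)


def inspect_ooxml(data: bytes) -> dict:
    """Inspect raw file bytes; the file extension is deliberately ignored."""
    findings = {"is_ooxml": False, "has_vba": False, "suspicious_metadata": []}
    if not data.startswith(b"PK\x03\x04"):
        return findings  # not a zip container (a genuine RTF file starts with "{\rtf")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings["is_ooxml"] = "[Content_Types].xml" in names
        findings["has_vba"] = any(part in names for part in VBA_PARTS)
        if "docProps/core.xml" in names:
            core = zf.read("docProps/core.xml").decode("utf-8", "replace")
            # Crude element scan of core properties (Author is dc:creator, Comments is dc:description).
            for field, value in re.findall(r"<((?:dc|cp):\w+)>([^<]*)", core):
                if SUSPICIOUS_META.search(value):
                    findings["suspicious_metadata"].append(field)
    return findings


def build_sample(with_vba: bool, author: str) -> bytes:
    """Constructed fixture: a minimal OOXML-shaped package, not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("docProps/core.xml",
                    f"<cp:coreProperties><dc:creator>{author}</dc:creator></cp:coreProperties>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic stub only
    return buf.getvalue()


if __name__ == "__main__":
    # Same verdict whether the analyst saved this as sample.docm or sample.rtf.
    print(inspect_ooxml(build_sample(True, "powershell -enc QQBC")))
    print(inspect_ooxml(build_sample(False, "Jane Doe")))
```

A production triage pipeline would additionally parse vbaProject.bin itself (for example with oletools), but the point here is that the extension never enters the decision.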
Leveraging ActiveX Controls for automatic macro execution
....
Download and Run from Disk
Download a certutil-encoded .crt file, decode it to an HTA, and execute it.