DeepSec 2022 Training: Deep Dive Into Malicious Office Documents For Offensive Security Professionals – Didier Stevens
Malicious Office documents have been on the radar for many years now. But do you know how to create and tailor them efficiently to achieve successful red team engagements? This training will first teach you how to analyse MS Office files (both “old” OLE and “new” XML formats) and PDF files, to better understand how to create them and evade detection. MS Office documents that execute code via macros. And we will take a very quick look at PDF too. Didier Stevens will teach you how to use his Python tools to analyse MS Office documents and PDF documents. Then we will move on to the creation of malicious documents, and Didier will teach you how to use his tools for Microsoft Office and PDF creation for offensive security. Several of these tools are private, but you get to keep them when you take this training. Most of the time we will use Excel, because its rows and columns offer a convenient substitute for a graphical user interface. But the techniques work with all applications that fully support VBA (Visual Basic for Applications), like Word, but also non-office applications like AutoCAD.
No prior knowledge of malicious Office documents is required to take this training. We will use VBA programs and write our own programs that penetration testers need. VBA has an interface to the Windows API. We will learn to use this API to perform pentesting actions from within Office, like a port scan, and also how to use this API to inject and execute shellcode inside the Word/Excel process. And building on this shellcode technique, we will also learn how to package our own DLLs so that they can execute in Word/Excel’s process memory, without touching the disk. This is not a programming class. Knowledge of VBA is not required. Some basic scripting skills like knowledge of for loops and if statements is useful. The basics of VBA will be explained in class, and we will learn to use Didier’s tools and how to modify them to suit the task at hand. No exploits are necessary to achieve this goal, everything can be done with VBA without requiring vulnerabilities. We will learn how to reuse VBA functions and modules from the provided tools to create goal-specific documents (Word, Excel, …).
Over the years, Didier has developed many tools and techniques to “abuse VBA”. Non-exhaustive list of Didier’s tools shared during this class:
• Taskmanager with shellcode injector, process hollowing, parent process selection, .NET injector, …
• Filemanager and container to drop and exfiltrate, modify and encode arbitrary files
• Network tool (ping, port scan, service detection, communication, …)
• Document to perform reconnaissance and exfiltration
• Enumerate installed programs & patches
• Enumerate executables modifiable by the user
• CMD & Regedit running inside Word/Excel process
• Tool to create Excel files on different operating systems, without dependencies with MS Office (Mono required)
• Python tool to create / modify Office OLE and OOXML files, without dependencies with MS Office
• Python tool to hack ZIP containers
• Tool to uncover AV signatures to better evade AV detection
• …
Please tell us the top 5 facts about your training.
- A very short part of the training is dedicated to the analysis of malicious documents (a “blue” activity). I think that is important, because a) that teaches you how to analyze the maldocs you created, and see how easy or difficult they are to analyze and b) you can analyze real maldocs and be inspired by interesting, in-the-wild techniques for your own “red” maldocs.
- I developed several private tools, most of them in Python, to help with the creation of maldocs, and other offensive purposes (like ZIP file hacking). These tools are shared with the attendees, and they can keep them after the training and get a “license” for it. To see one of my private tools in action (olemake.py, a tool to create ole documents without an Office installation), take a look at this unlisted YT video: https://www.youtube.com/watch?v=FUJ3o-QnglI . I made it when the Follina exploit came out. The first part is the analysis of maldocs, and then around 8:45, I show how to use my private tools to create better PoCs than were going around at that time.
- I also keep a “red” blog & diary, where I document offensive techniques. This is not public information, but the blog & diary are shared with the attendees, and they also keep their access to the blog after the training.
- the training is very much hands on: not too much slides, but a lot of exercises
- I’m flexible while teaching, there’s a lot of training material that we share with the attendees, more than we can go through in 2 days. So we can cover some material in more depth at the request of attendees. Especially when a new maldoc technique comes out around the time of the training, I try to incorporate this asap.
How did you come up with it? Was there something like an initial spark that set your mind on creating this training?
I’m not a red teamer, but I regularly help our red team at NVISO with the creation of maldocs and special tools. As an expert in malicious documents, I not only learn a lot by analyzing in-the-wild maldocs that use new techniques, but I regularly say to myself: this can be done better (the Follina video illustrates this: the PoC ole file olemake creates contains the bare essentials, and not all of the “fluff” that you get when you use Office to create a PoC). Or I get inspired by something I see in the Microsoft documentation on Office documents, OOXML and OLE files, and develop a brand new technique. I want to share all this information, but only to people I trust. And that’s how this training came to be.
Why do you think this is an important topic?
Is there something you want everybody to know – some good advice for our readers maybe?
What I consider an essential skill: learn to analyze maldocs. It’s not that difficult. And I believe another important skill is letting malware analysis inspire you to create better malware (only for red team purposes, that is 🙂 ) That is something I try to convey in this training.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise, the topic of your workshop in particular?
We are starting to see a decline in the use of VBA maldocs. Although we still need to wait some time to get confirmation that this decline is permanent – maldocs are here to stay. Microsoft is introducing new configurations in Office, to flat-out block the execution of maldocs that originate from untrusted sources. For several years already, I see malware authors working out techniques to mislead the identification process that decides on trusted/untrusted sources. Like putting a Word document in an ISO file (or a derived format) and attaching said ISO file to an email. This trend will continue, researchers and malware authors will develop new techniques to have their maldocs trusted by Windows/Office, and thus execute the VBA code.
Didier Stevens (Microsoft MVP, SANS ISC Handler, Wireshark Certified Network Analyst, …) is a Senior Analyst working at NVISO (https://www.nviso.be). Didier is a pioneer in malicious PDF document research and malicious MS Office documents analysis, and has developed several tools to help with the analysis of malicious documents like PDF and MS Office files. Didier regularly participates in pentests and red team engagements to create task specific documents. You can find his open source security tools on his IT security related blog. http://blog.DidierStevens.com