Home

Awesome

OffensiveVBA

In preparation for a VBS AV Evasion Stream/Video I was doing some research for Office Macro code execution methods and evasion techniques.

The list got longer and longer and I found no central place for offensive VBA templates - so this repo can be used for such. It is very far away from being complete. If you know any other cool technique or useful template feel free to contribute and create a pull request!

Most of the templates in this repo were already published somewhere. I just copy pasted most templates from ms-docs sites, blog posts or from other tools.

Templates in this repo

FileDescription
ShellApplication_ShellExecute.vbaExecute an OS command via ShellApplication object and ShellExecute method
ShellApplication_ShellExecute_privileged.vbaExecute an privileged OS command via ShellApplication object and ShellExecute method - UAC prompt
Shellcode_CreateThread.vbaExecute shellcode in the current process via Win32 CreateThread
Shellcode_EnumChildWindowsCallback.vbaExecute shellcode in the current process via EnumChildWindows
Win32_CreateProcess.vbaCreate a new process for code execution via Win32 CreateProcess function
Win32_ShellExecute.vbaCreate a new process for code execution via Win32 ShellExecute function
WMI_Process_Create.vbaCreate a new process via WMI for code execution
WMI_Process_Create2.vbaAnother WMI code execution example
WscriptShell_Exec.vbaExecute an OS command via WscriptShell object and Exec method
WscriptShell_run.vbaExecute an OS command via WscriptShell object and Run method
VBA-RunPE@itm4n's RunPE technique in VBA
GadgetToJScriptmed0x2e's C# script for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.
PPID_Spoof.vbachristophetd's spoofing-office-macro copy
AMSIBypass_AmsiScanBuffer_ordinal.vbarmdavy's AMSI Bypass to patch AmsiScanBuffer using ordinal values for a signature bypass
AMSIBypass_AmsiScanBuffer_Classic.vbarasta-mouse's classic AmsiScanBuffer patch
AMSIBypass_Heap.vbarmdavy's HeapsOfFun repo copy
AMSIbypasses.vbaoutflanknl's AMSI bypass blog
COMHijack_DLL_Load.vbaLoad DLL via COM Hijacking
COM_Process_create.vbaCreate process via COM object
Download_Autostart.vbaDownload a file from a remote webserver and put it into the StartUp folder
Download_Autostart_WinAPI.vbaDownload a file from a remote webserver via URLDownloadtoFileA and put it into the StartUp folder
Dropper_Autostart.vbaDrop batch file into the StartUp folder
Registry_Persist_wmi.vbaCreate StartUp registry key for persistence via WMI
Registry_Persist_wscript.vbaCreate StartUp registry key for persistence via wscript object
ScheduledTask_Create.vbaCreate and start sheduled task for code execution/persistence
XMLDOM_Load_XSL_Process_create.vbaLoad XSL from a remote webserver to execute code
regsvr32_sct_DownloadExecute.vbaExecute regsvr32 to download a remote webservers SCT file for code execution
BlockETW.vbaPatch EtwEventWrite in ntdll.dll to block ETW data collection
BlockETW_COMPLUS_ETWEnabled_ENV.vbaBlock ETW data collection by setting the environment variable COMPLUS_ETWEnabled to 0, credit to @xpn
ShellWindows_Process_create.vbaShellWindows Process create to get explorer.exe as parent process
AES.vbaAn example to use AES encryption/decryption in VBA from Here
Dropper_Executable_Autostart.vbaGet executable bytes from VBA and drop into Autostart - no download in this case
MarauderDrop.vbaDrop a COM registered .NET DLL into temp, import the function and execute code - in this case loads a remote C# binary from a webserver to memory and executes it - credit to @Jean_Maes_1994 for MaraudersMap
Dropper_Workfolders_lolbas_Execute.vbaDrop an embedded executable into the TEMP directory and execute it using C:\windows\system32\Workfolders.exe as LOLBAS - credit to @YoSignals
SandBoxEvasionSome SandBox Evasion templates
Evasion Dropper Autostart.vbaDrops a file to the Startup directory bypassing file write monitoring via renamed folder operation
Evasion MsiInstallProduct.vbaInstalls a remote MSI package using WindowsInstaller ActiveXObject avoiding spawning suspicious office child process, the msi installation will be executed as a child of the MSIEXEC /V service
StealNetNTLMv2.vbaSteal NetNTLMv2 Hash via share connection - credit to https://book.hacktricks.xyz/windows/ntlm/places-to-steal-ntlm-creds
Parse-Outlook.vbaParses Outlook for sensitive keywords and file extensions, and exfils them via email - credit to JohnWoodman
Reverse-Shell.vbaReverse shell written entirely in VBA using Windows API calls - credit to JohnWoodman

Missing - ToDos

FileDescription
Unhooker.vbaUnhook API's in memory to get rid of hooks
Syscalls.vbaSyscall usage - fresh from disk or Syswhispers like
Manymore.vbaIf you have any more ideas feel free to contribute

Obfuscators / Payload generators

  1. VBad
  2. wePWNise
  3. VisualBasicObfuscator - needs some modification as it doesn't split up lines and is therefore not usable for office document macros
  4. macro_pack
  5. shellcode2vbscript.py
  6. EvilClippy
  7. OfficePurge
  8. SharpShooter
  9. VBS-Obfuscator-in-Python - - needs some modification as it doesn't split up lines and is therefore not usable for office document macros

Credits / usefull resources

ASR bypass: http://blog.sevagas.com/IMG/pdf/bypass_windows_defender_attack_surface_reduction.pdf

Shellcode to VBScript conversion: https://github.com/DidierStevens/DidierStevensSuite/blob/master/shellcode2vbscript.py

Bypass AMSI in VBA: https://outflank.nl/blog/2019/04/17/bypassing-amsi-for-vba/

VBA purging: https://www.mandiant.com/resources/purgalicious-vba-macro-obfuscation-with-vba-purging

F-Secure VBA Evasion and detection post: https://blog.f-secure.com/dechaining-macros-and-evading-edr/

One more F-Secure blog: https://labs.f-secure.com/archive/dll-tricks-with-vba-to-improve-offensive-macro-capability/