I was working on my OSEP certification when I was inspired to stop studying for a bit to deep-dive into malicious Word documents. The OSEP certification inspired a lot of the content you'll see here and gave me a base to work up from. If you're looking for your next cyber security knowledge binge, I'd highly recommend the OSEP. I am taking this certification course after taking the eCPTXv2 and I am still learning a lot of topics that weren't covered in the eCPTXv2. Both certifications have their positives and negatives.

On my macro creation journey, I initially found that my macro-enabled document had a very high detection rate no matter what I tried doing to bypass AV engines. On , the original file was detected at the lowest 7 out of 20 detection rates. Although this is less than half of the engines it tests for, this is still relatively high if you don't know what you're up against before you perform your phishing campaign. Conversely, if you do know what you're up against, then you only need to worry about that engine. Over the course of tweaking it, I got the detection down to 2 of 20 on  in the end. This has slowly risen to 5 as the engines always evolve.

To start, this article assumes you have the basics of VBA down and know that executing macros in Microsoft documents can lead to unwanted actions on your device. This blog post will be a summary of a recent macro I made and the research that inspired the decisions that built the macro. I wanted to create an obfuscated, macro-enabled Office document that retrieves and executes a Sliver implant without triggering antivirus/EDR. The following flow represents the code I ended up with.

1. Import Windows APIs
2. Check for emulation before running
3. Obfuscate AMSI-related function strings
4. Identify addresses of the "AmsiScanBuffer" and "AmsiScanString" functions relative to the "AmsiUacInitialize" function
5. Patch AMSI in VBA memory
6. Decode custom-obfuscated PoSH commands
7. Instantiate a powershell.exe process via a WMI object
8. Disable AMSI in PoSH
9. Retrieve the Stage 1 PoSH shellcode runner
10. Shellcode runner retrieves the Sliver implant bytecode, loads it in memory, and executes it
11. VBA stomped with EvilClippy so the VBA source is non-malicious

Emulation Checks

Before we get into patching AMSI in VBA, we'll go over some simple tests you can perform in an attempt to detect whether your VBA is running in an emulated environment and, if so, stop the macro from executing anything malicious.