Blog

Ordinal Numbers and VBA can be fun – who knew!

My previous couple of posts have all been centred around VBA, AMSI and Macros. This isn’t going to be different! This makes for the easiest AMSI and Windows Defender bypass. Whilst reading through MSDN, which incidentally makes great bedtime reading, I read that it was possible to use ordinal numbers with VBA when declaring functions …

Are we nearly there yet? Walking Half the PEB with VBA

This is really just a variation on a theme; however, I thought I’d write a quick post nonetheless. As previously stated, the traditional way to get to AMSI function addresses was through LoadLibrary and then GetProcAddress. Microsoft blacklisted some function names to make using GetProcAddress unavailable, which is why my colleague and …

Dynamic Microsoft Office 365 AMSI In Memory Bypass Using VBA

By Richard Davy (@rd_pentest) & Gary Nield (@Monobehaviour)

As most Pentesters know, Windows Defender is installed by default on Windows 10 and all new versions of Windows Server. During an engagement this can sometimes be frustrating when wanting to obtain access to a remote machine, especially during a Phishing engagement. There are multiple AMSI bypasses …

Malicious ODT File Generator Metasploit Module

I decided that I’d have a go at writing a Metasploit module, as it’s been a while since I’ve programmed anything in Ruby. When writing the Python script which I previously posted, I created an ODT file and then just added the modified content.xml file. Doing this in Metasploit and Ruby proved more challenging and …

NTLM Credential Theft via malicious ODT Files

CVE-2018-10583 https://www.exploit-db.com/exploits/44564/

A couple of days ago a piece of research was published by Check Point showing how NTLM hashes can be leaked via PDF files with no user interaction or exploitation. Their work was following on from recent discoveries that MS Outlook using OLE can also be used to steal credentials. Now Microsoft do …