My key takeaways
- putting a `wll` file (which is a renamed `dll`) in a "trusted location" will get it executed on startup of M$ Word
- In Excel it doesn't work this easily with `xll`s, as they are disabled by default
- But Excel Add-ins (`XLA/XLAM`) will be executed from trusted locations
- rewriting the default templates for Word or Excel might circumvent a GPO blocking wll and xll
- detect files written to trusted locations using Sysmon Event ID 11
- the legacy feature `DDE` can be abused in Excel to execute CLI commands
- "CreateObject" in Outlook and Visio might be used to execute an arbitrary VBScript or JScript payload
- Whitelisted URIs can be listed using the `netsh http show urlacl` command
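The Sysmon Event ID 11 takeaway, as an added detection example that is not from the talk: it picks FileCreate events out of Sysmon event XML and flags add-ins or templates dropped into Office startup/trusted locations by something other than Office itself. The set of trusted paths, the extension list and the sample events are my assumptions, constructed for this example.

```python
import re
from typing import Optional, Tuple

# Assumed Office startup/trusted locations (typical defaults, not taken from the talk);
# adjust to what your GPO / Trust Center actually configures.
TRUSTED_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\(Word\\STARTUP|Excel\\XLSTART|Templates|AddIns)\\"
    r"|\\Microsoft Office\\root\\Office\d+\\(STARTUP|XLSTART)\\",
    re.IGNORECASE,
)
# Extensions the talk calls out (wll, xll, xla/xlam) plus macro-enabled default templates.
ADDIN_EXTENSIONS = (".wll", ".xll", ".xla", ".xlam", ".dotm", ".xltm")
OFFICE_BINARIES = {"winword.exe", "excel.exe"}  # Office saving its own Normal.dotm is routine

def parse_event(xml_text: str) -> dict:
    """Extract EventID and the <Data Name=...> fields from a Sysmon event XML fragment."""
    fields = dict(re.findall(r'<Data Name="(\w+)">([^<]*)</Data>', xml_text))
    fields["EventID"] = int(re.search(r"<EventID>(\d+)</EventID>", xml_text).group(1))
    return fields

def check_event(xml_text: str) -> Optional[Tuple[str, str]]:
    """Return (writer image, target path) for a FileCreate (ID 11) that drops an
    add-in or template into a trusted location; None for anything else."""
    ev = parse_event(xml_text)
    if ev["EventID"] != 11:
        return None
    image, target = ev.get("Image", ""), ev.get("TargetFilename", "")
    if not (TRUSTED_DIR_RE.search(target) and target.lower().endswith(ADDIN_EXTENSIONS)):
        return None
    writer = image.rsplit("\\", 1)[-1].lower()
    if writer in OFFICE_BINARIES and target.lower().endswith("\\normal.dotm"):
        return None  # Word/Excel rewriting its own default template, not a GPO bypass
    return image, target

def scan(events) -> list:
    return [hit for hit in map(check_event, events) if hit is not None]

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    '<Event><System><EventID>11</EventID></System><EventData><Data Name="Image">C:\\Windows\\explorer.exe</Data>'
    '<Data Name="TargetFilename">C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\update.wll</Data></EventData></Event>',
    '<Event><System><EventID>11</EventID></System><EventData><Data Name="Image">C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE</Data>'
    '<Data Name="TargetFilename">C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm</Data></EventData></Event>',
    '<Event><System><EventID>11</EventID></System><EventData><Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>'
    '<Data Name="TargetFilename">C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm</Data></EventData></Event>',
    '<Event><System><EventID>1</EventID></System><EventData><Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data></EventData></Event>',
]

if __name__ == "__main__":
    for image, target in scan(SAMPLE_EVENTS):
        print(f"add-in/template dropped in trusted location by {image}: {target}")
```

The second sample (Word saving its own Normal.dotm) is deliberately suppressed, while the same file written by PowerShell is flagged, which is the template-rewrite case from the takeaways.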
Env
- Provided by Wild West Hackin’ Fest
- Presenter: Kyle Avery