April 14

Webinar Takeaway: Abusing Microsoft Office for Post-Exploitation


My key takeaways

  • A WLL file (a renamed DLL) placed in a "trusted location" is executed when M$ Word starts
  • In Excel it is not this easy with XLLs, as they are disabled by default
  • But Excel add-ins (XLA/XLAM) are executed from trusted locations
  • Rewriting the default templates for Word or Excel might circumvent a GPO that blocks WLL and XLL
  • Detect files written to trusted locations using Sysmon Event ID 11
  • The legacy feature DDE can be abused in Excel to execute CLI commands
  • "CreateObject" in Outlook and Visio might be used to execute an arbitrary VBScript or JScript payload
  • Whitelisted URIs can be listed using the netsh http show urlacl command
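
For the Sysmon Event ID 11 takeaway, here is an added detection sketch (not from the webinar or the original post) that filters an XML export of Sysmon events for add-in and template files written into Office trusted locations. The directory list, the template extensions, the function names and the sample events are assumptions made for this example; the trusted locations configured on a given host may differ.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: default per-user Office locations. The trusted locations actually
# configured on a host may differ and should be taken from its Office policy.
TRUSTED_DIR = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\(Word\\STARTUP|Excel\\XLSTART|AddIns|Templates)\\[^\\]+$",
    re.IGNORECASE,
)
# Extensions named in the takeaways, plus template extensions (assumed set).
KIND_BY_EXT = {".wll": "word-addin", ".xll": "excel-addin", ".xla": "excel-addin",
               ".xlam": "excel-addin", ".dotm": "template", ".xltm": "template"}


def find_trusted_location_writes(xml_text):
    """Return FileCreate (Event ID 11) records for add-ins/templates in trusted dirs."""
    hits = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", default="", namespaces=NS) != "11":
            continue  # only FileCreate events are of interest here
        data = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        target = data.get("TargetFilename", "")
        kind = KIND_BY_EXT.get(ntpath.splitext(target)[1].lower())
        if kind and TRUSTED_DIR.search(target):
            hits.append({"time": data.get("UtcTime", ""), "writer": data.get("Image", ""),
                         "target": target, "kind": kind})
    return hits


def _event(event_id, image, target):
    # Builds one constructed event in the shape of a Sysmon XML export.
    return ('<Event xmlns="%s"><System><EventID>%d</EventID></System><EventData>'
            '<Data Name="UtcTime">2024-01-01 10:00:00.000</Data>'
            '<Data Name="Image">%s</Data><Data Name="TargetFilename">%s</Data>'
            '</EventData></Event>' % (NS["e"], event_id, image, target))


ROAMING = r"C:\Users\alice\AppData\Roaming\Microsoft"
SAMPLE = "<Events>" + "".join([  # constructed sample data, not real telemetry
    _event(11, r"C:\Windows\System32\cmd.exe", ROAMING + r"\Word\STARTUP\helper.wll"),
    _event(11, r"C:\Windows\explorer.exe", r"C:\Users\alice\Documents\report.docx"),
    _event(1, r"C:\Windows\System32\cmd.exe", ROAMING + r"\Excel\XLSTART\book.xlam"),
    _event(11, r"C:\Program Files\App\app.exe", ROAMING + r"\Templates\Normal.dotm"),
]) + "</Events>"

if __name__ == "__main__":
    for hit in find_trusted_location_writes(SAMPLE):
        print(hit["time"], hit["kind"], hit["writer"], "->", hit["target"])
```

The writer process is reported alongside each hit so that an analyst can separate expected writers from unexpected ones during triage.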


Tags

office, RCE

