Add module to enumerate trusted documents and locations for MS Office. #118

Merged
merged 6 commits into from Dec 27, 2015

3 participants

@jamcut (Contributor) commented Dec 23, 2015

This module adds the ability to enumerate the trusted documents and locations for MS Office. Currently only Excel is supported, however support for other Office applications can be added in the future. Additionally, the information is stored in HKCU so local admin access is not required.

The benefit to having this ability is, if there are trusted documents identified, an attacker can download them and modify the macro contents to include additional functionality, such as spawning an agent. If the document is then uploaded to the original location (which will overwrite the original file), it will retain the trust and continue to execute the macro, including the attacker macro code, while not prompting the user. Example output follows:

[demo screenshot]

@kokoown commented Dec 24, 2015

What is the idea of the module? If I can query the registry remotely, I can also run any command I want. So why do I need to know the trusted locations? It doesn't matter.

@HarmJ0y (Contributor) commented Dec 26, 2015

From what I understand, this method would heavily be used for backdooring/persistence (correct @jamcut?): "If the document is then uploaded to the original location (which will overwrite the original file), it will retain the trust and continue to execute the macro, including the attacker macro code, while not prompting the user."

Two requests: can you remove the commented-out `script = ""` source in the module itself, and rename "Enumerate-TrustedDocuments" using an approved PowerShell verb? I'd recommend something like Get-TrustedDocuments or Find-TrustedDocuments.

@jamcut (Contributor, Author) commented Dec 27, 2015

@kokoown Sorry the description wasn't clearer. @HarmJ0y is correct, the main purpose would be a mechanism for persistence. I can also see situations where this could be used for lateral movement, if the trusted document resides on a share and is accessed by multiple accounts. @HarmJ0y, thanks for the feedback. I'll get those changes pushed up in a new commit shortly.
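A defender-side audit of the same HKCU data the PR description and the reply above discuss, as an added example that is not the Empire module from this PR: it lists the trusted documents and trusted locations recorded for the current user and flags entries that live on a share. The TrustRecords value layout (value name is the document path, first 8 bytes a FILETIME, last DWORD 0x7FFFFFFF when "Enable Content" was clicked) and the `//server/share` form of UNC entries are assumptions taken from public analyses, not from the page.

```powershell
# Added audit example, not Empire's module. Reads the current user's Office
# trust records and trusted locations from HKCU so they can be reviewed.
# Assumed TrustRecords layout: value name = document path, bytes 0..7 = FILETIME
# of when trust was granted, last 4 bytes = 0x7FFFFFFF if macros were enabled.
$OfficeRoot = 'HKCU:\Software\Microsoft\Office'
$Apps = @('Excel', 'Word', 'PowerPoint', 'Access')

function Get-OfficeTrustAudit {
    $results = @()
    # Office versions with per-user settings, e.g. 14.0, 15.0, 16.0
    $versions = Get-ChildItem -Path $OfficeRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.0$' }
    foreach ($ver in $versions) {
        foreach ($app in $Apps) {
            $sec = "$OfficeRoot\$($ver.PSChildName)\$app\Security"

            # Trusted documents: one REG_BINARY value per document under TrustRecords
            $tr = Get-Item -Path "$sec\Trusted Documents\TrustRecords" -ErrorAction SilentlyContinue
            if ($tr) {
                foreach ($name in $tr.GetValueNames()) {
                    [byte[]]$rec = $tr.GetValue($name)
                    $macros = ($rec.Length -ge 4) -and
                        ([BitConverter]::ToUInt32($rec, $rec.Length - 4) -eq 0x7FFFFFFF)
                    $when = $null
                    if ($rec.Length -ge 8) {
                        try { $when = [DateTime]::FromFileTime([BitConverter]::ToInt64($rec, 0)) } catch { }
                    }
                    $results += [pscustomobject]@{
                        Version = $ver.PSChildName; App = $app; Kind = 'TrustedDocument'
                        Path = $name; MacrosEnabled = $macros; TrustedOn = $when
                        # A trusted document on a share is reachable by other accounts
                        # (the lateral-movement case raised in the thread); assumed UNC form
                        OnShare = ($name -match '^(//|\\\\)'); AllowSubfolders = $null
                    }
                }
            }

            # Trusted locations: Location0, Location1, ... each with Path / AllowSubfolders.
            # Files opened from these paths run macros without any prompt.
            $locKeys = Get-ChildItem -Path "$sec\Trusted Locations" -ErrorAction SilentlyContinue
            foreach ($key in $locKeys) {
                $loc = Get-ItemProperty -Path $key.PSPath
                $results += [pscustomobject]@{
                    Version = $ver.PSChildName; App = $app; Kind = 'TrustedLocation'
                    Path = $loc.Path; MacrosEnabled = $true; TrustedOn = $null
                    OnShare = ($loc.Path -like '\\*'); AllowSubfolders = [bool]$loc.AllowSubfolders
                }
            }
        }
    }
    $results
}

Get-OfficeTrustAudit | Sort-Object Kind, App, Path | Format-Table -AutoSize
```

Entries you do not recognise, and any `OnShare` hits, are the ones to review; the trusted-document list can be cleared for a user from Trust Center > Trusted Documents in each application.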

HarmJ0y added a commit that referenced this pull request Dec 27, 2015

Merge pull request #118 from jamcut/trusted-document-store
Add module to enumerate trusted documents and locations for MS Office.

@HarmJ0y HarmJ0y merged commit da439c4 into EmpireProject:master Dec 27, 2015

@HarmJ0y (Contributor) commented Dec 27, 2015

Awesome! Landed.

@jamcut jamcut deleted the jamcut:trusted-document-store branch Dec 28, 2015
