This repository contains an example of a VBA macro spawning a process with a spoofed parent and command line. Companion blog post: Building an Office macro to spoof parent processes and command line arguments

Demo

Click for full size.

Notes

• The 32-bit initial PoC was written and tested by myself, on Windows 10 with Office Professional Plus 2016, version 1902.

• The 64-bit version is a contribution brought by @py7hagoras.

• The size of the original command line stored in originalCli needs to be greater than the size of the real one stored in cmdStr

Acknowledgments & inspiration

• "Red Teaming in the EDR age" by Will Burgess
• https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
• https://twitter.com/subtee

Disclaimer

You are solely responsible for the use you make of this PoC. I assume no liability for any misuse or damage caused by this program.