This repository contains an example of a VBA macro spawning a process with a spoofed parent and command line.

Companion blog post: Building an Office macro to spoof parent processes and command line arguments
The initial 32-bit PoC was written and tested by me on Windows 10 with Office Professional Plus 2016, version 1902.
The 64-bit version was contributed by @py7hagoras.
Acknowledgments & inspiration
- "Red Teaming in the EDR age" by Will Burgess
You are solely responsible for the use you make of this PoC. I assume no liability for any misuse or damage caused by this program.