Persisting with Microsoft Office: Abusing Extensibility Options, DEF CON 25 (slide transcript)
PUBLIC
Persisting with Microsoft Office: Abusing Extensibility Options
William Knowles
Obligatory $whoami
• William Knowles
• Security Consultant at MWR InfoSecurity
• @william_knows
Agenda
• DLL
• VBA
• COM
• VSTO
• Prevention and Detection
Motivations
• It’s everywhere, and it’s got lots of use cases
• Office templates? What else?
Word … Linked Libraries?
• It’s just a DLL …
• “… are standard Windows DLLs that implement and export specific methods to extend Word functionality”
• “… no enhancements and no documentation updates to Word WLLs since Microsoft Office 97”
Excel (XLL?) too …
• Slightly more updated … latest SDK from 2007.
• You need to export the right functions.
• Also slightly more configuration:
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options
DLL Add-Ins for Word and Excel
Excel VBA Add-Ins
• It’s all VBA, no spreadsheets.
• *.xla // *.xlam
PowerPoint VBA Add-Ins
• *.ppa // *.ppam
• Again, it’s inconsistent, and needs manual configuration:
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\PowerPoint\AddIns\<AddInName>
VBA Add-Ins for Excel and PowerPoint … and others
COM in Two Minutes
• Based on OLE and ActiveX – it’s a standard to enable component interaction.
• COM objects, DLLs and .Net
COM Add-Ins for *
• COM – the legacy way is always a good way.
• The “IDTExtensibility2” interface.
• Registration can be problematic …
HKEY_CURRENT_USER\Software\Microsoft\Office\<Program>\Addins\<AddInName>
• Register with “regasm.exe /codebase InconspicuousAddIn.dll”.
=sum(calc) with Excel Automation Add-Ins
• Specific COM use case – for user defined functions.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Excel\Options
• Register again with “regasm.exe”.
=sum(calc) with Excel Automation Add-Ins
Attacking VBA Snoopers with VBE Add-Ins
• Why? Why? Why?
• More registry edits, more “regasm.exe”
HKEY_CURRENT_USER\Software\Microsoft\VBA\VBE\6.0\Addins\<VBEAddIn.Name>
COM Add-Ins
*.VSTO
• Visual Studio Tools for Office – it’s a COM replacement and requires a special runtime.
• Build and install – very, very loudly.
VSTO Add-Ins
Defending Against Malicious Add-Ins
• Easy for XLL, COM, Automation, and VSTO add-ins:
• If required – sign and disable notifications.
Defending Against Malicious Add-Ins
• For WLL and VBA add-ins … not so much.
• (1) Remove or relocate trusted locations.
• (2) Detective capability:
– Monitor trusted locations for changes.
– Monitor registry keys used to enable add-ins.
– Process relationships.
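As an added example, not code from the talk, the following PowerShell audit walks the registration points the slides name (the Excel Options key for XLL and Automation add-ins, the PowerPoint AddIns key, the per-application Addins key for COM and VSTO add-ins, the VBE Addins key, and the Trusted Locations) and emits one row per finding, so a baseline can be diffed to implement detection points (1) and (2); process relationships are out of its scope. It assumes Office 15.0 as on the slides, an application list that also includes Outlook, and that the HKLM counterpart of the COM Addins key is worth checking as well.

```powershell
function Resolve-ComServer([string]$ProgId) {
    # ProgId -> CLSID -> InprocServer32; "regasm.exe /codebase" leaves mscoree.dll as server plus a CodeBase value.
    $clsid = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID" -ErrorAction SilentlyContinue).'(default)'
    $srv = if ($clsid) { Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue }
    if (-not $srv) { return 'no in-process server registered' }
    if ($srv.CodeBase) { "CodeBase=$($srv.CodeBase)" } else { "Server=$($srv.'(default)')" }
}
function Get-OfficeAddInReport {
    param([string]$Version = '15.0', [string[]]$Apps = @('Word', 'Excel', 'PowerPoint', 'Outlook'))
    $rows = New-Object System.Collections.Generic.List[object]
    function Add-Row($Kind, $Name, $Detail) {
        $rows.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
    }
    foreach ($app in $Apps) {
        # COM and VSTO add-ins under the Addins key from the slides (HKLM also checked, an assumption).
        # LoadBehavior 3 = load at startup; a Manifest value marks a VSTO add-in.
        foreach ($hive in 'HKCU:', 'HKLM:') {
            Get-ChildItem "$hive\Software\Microsoft\Office\$app\Addins" -ErrorAction SilentlyContinue | ForEach-Object {
                $p = Get-ItemProperty $_.PSPath
                $src = if ($p.Manifest) { "Manifest=$($p.Manifest)" } else { Resolve-ComServer $_.PSChildName }
                Add-Row "COM/VSTO ($app)" $_.PSChildName "LoadBehavior=$($p.LoadBehavior) $src"
            }
        }
        # Trusted locations: files here (WLL, *.xlam, *.ppam, templates) load without prompts, so hash them.
        Get-ChildItem "HKCU:\Software\Microsoft\Office\$Version\$app\Security\Trusted Locations" -ErrorAction SilentlyContinue | ForEach-Object {
            $dir = (Get-ItemProperty $_.PSPath).Path
            Add-Row "TrustedLocation ($app)" $_.PSChildName $dir
            Get-ChildItem $dir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
                Add-Row "TrustedFile ($app)" $_.FullName (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
    # XLL and Automation add-ins: OPEN, OPEN1, ... values under Excel\Options (/R <path> = XLL, /A <ProgId> = Automation).
    $opt = Get-ItemProperty "HKCU:\Software\Microsoft\Office\$Version\Excel\Options" -ErrorAction SilentlyContinue
    if ($opt) { $opt.PSObject.Properties | Where-Object { $_.Name -match '^OPEN\d*$' } | ForEach-Object { Add-Row 'XLL/Automation' $_.Name $_.Value } }
    # PowerPoint VBA add-ins (*.ppa / *.ppam) and VBE add-ins: the manually configured keys from the slides.
    Get-ChildItem "HKCU:\Software\Microsoft\Office\$Version\PowerPoint\AddIns" -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        Add-Row 'PowerPoint VBA' $_.PSChildName "Path=$($p.Path) AutoLoad=$($p.AutoLoad)"
    }
    Get-ChildItem 'HKCU:\Software\Microsoft\VBA\VBE\6.0\Addins' -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        Add-Row 'VBE' $_.PSChildName "LoadBehavior=$($p.LoadBehavior) $(Resolve-ComServer $_.PSChildName)"
    }
    return $rows
}
# Usage: snapshot once, keep the output as a baseline, and diff later runs against it.
$report = Get-OfficeAddInReport
$report | Format-Table -AutoSize
```

Export the first run with Export-Csv and compare later runs with Compare-Object -Property Kind, Name, Detail to surface new registrations or changed files in trusted locations.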
Conclusion
@william_knows