Hi Readers, in this post I discuss how Microsoft Office Word macros can be used to gather information about a remote system. A macro is a series of commands or instructions grouped together as a single command to accomplish a task automatically. Macros are found in the different Microsoft Office applications such as Word, Excel, PowerPoint and Access; they were developed to automate frequently used tasks in the process of building a document.
Macros can be used by red teams and penetration testers to gather information about a target, and the same methodology can be applied in forensic and social-engineering operations.
The figure below shows how a macro is created in a Microsoft Office Word document. Creating a macro opens a VBA window and also offers different options for how the macro should be executed.
The VBA window can be used to write VB scripts and run commands or tasks that the document will execute; this is the macro feature used here to execute commands. On selecting the “open” option, a private function is created (figure 2) in which one writes the task that will be executed when the document is opened.
Macros also allow executing Windows Management Instrumentation (WMI) commands. According to Microsoft, WMI is the infrastructure for management data and operations on Windows-based operating systems, and with it one can automate administrative tasks on remote computers. For demonstration purposes I wrote code that uses WMI to collect the system name and product ID, which can then be sent as a POST request.
The generated POST data can be sent to any listening service or command-and-control server; here an online third-party server is used to listen for the data sent by the POST request.
The script shown below (figure 3) collects the system name and its product information in the macro and sends it as a POST request. In the code:
- RegisteredUser collects the user information
- SerialNumber collects the Windows serial number
- An array is created to store the collected information, which is then sent to the “URL”.
Once the file is opened, the macro is triggered and the code executes. Sometimes social-engineering skill is needed to get the macro to execute, such as a message asking the user to enable the macro content or to use a supported version of Office (figure 4). A macro-enabled document does not need this, as it executes without any such constraints.
On successful execution the response is seen in the listening service (figure 5); the raw body section shows information such as the username and product ID.
Comparing with the environment in which the file was opened (figure 6), the username and product ID information match what was received by the listening service. Using this method one can gather more information with WMI.
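As an added defensive example that is not part of the original post: the macro described above has a recognizable footprint (an on-open trigger, a WMI connection, an HTTP client object and a POST), and a reviewer of incoming documents can look for exactly that. The Python below first checks whether an OOXML document carries a VBA project part at all, then scores extracted macro source for those indicators. The sample document and the macro-source fragment are constructed here for illustration; extracting real macro source from vbaProject.bin is assumed to be done beforehand with a tool such as oletools' olevba, which this script does not reimplement.

```python
import io
import re
import zipfile

# Constructed macro-source fragment with the traits the post describes
# (open trigger, WMI namespace, HTTP object, POST). Deliberately not a
# complete macro; it only serves as detector input.
SAMPLE_MACRO_SOURCE = """\
Private Sub Document_Open()
    Set wmi = GetObject("winmgmts:\\\\.\\root\\cimv2")
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "POST", url, False
End Sub
"""

# (label, pattern, weight): weights are an assumption for this example,
# chosen so that a trigger plus any network or WMI use crosses the threshold.
INDICATORS = [
    ("auto-exec trigger",
     re.compile(r"\b(Document_Open|AutoOpen|Auto_Open|Workbook_Open|AutoExec)\b", re.I), 3),
    ("WMI access",
     re.compile(r"winmgmts:|Win32_OperatingSystem|Win32_ComputerSystem", re.I), 2),
    ("HTTP client object",
     re.compile(r"MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest", re.I), 2),
    ("outbound POST",
     re.compile(r'\.Open\s+"POST"', re.I), 3),
    ("shell execution",
     re.compile(r"\b(Shell|WScript\.Shell)\b", re.I), 2),
]

SUSPICIOUS_THRESHOLD = 5


def score_macro_source(source: str) -> dict:
    """Score already-extracted VBA source against the indicator list."""
    matched = [(label, weight) for label, rx, weight in INDICATORS if rx.search(source)]
    score = sum(weight for _, weight in matched)
    return {
        "hits": [label for label, _ in matched],
        "score": score,
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
    }


def list_macro_parts(document_bytes: bytes) -> list:
    """Return the VBA project part names inside an OOXML (.docx/.docm) zip."""
    with zipfile.ZipFile(io.BytesIO(document_bytes)) as zf:
        return [name for name in zf.namelist() if name.lower().endswith("vbaproject.bin")]


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes only; a real vbaProject.bin is an OLE compound file.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_document(with_macro=True)
    print("VBA parts:", list_macro_parts(doc))
    print("macro verdict:", score_macro_source(SAMPLE_MACRO_SOURCE))
```

The zip check is cheap enough to run on every attachment at a mail gateway, and a vbaProject.bin part in a file whose extension claims to be .docx is itself worth a flag. The source scoring is a heuristic, so the weights should be tuned against the organisation's own legitimate macros rather than treated as a fixed rule.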
The method described above is only a base for information gathering; one can go further and insert malware or a reverse shell in the macro to execute and gain access to the system, but that requires antivirus bypass and other supporting resources in the environment.
Hope you enjoyed the post; for any questions and suggestions, comment below.
Prakash Dhatti is an information security enthusiast working as an Information Security Consultant @ISECURION, interested in application and network security.