This is a fantastic article, this kind of content is absolutely awesome!
I am surprised that this bypasses falcon, especially unsigned exes. I’d love to give this method a shot with a cobalt strike beacon, I wonder how we’d do it?
I also wonder if this method would work with HTA’s or XSLs.
I’ve actually been working on a code execution/LOLBin for windows that doesn’t use the norms. Was going to incorporate https://github.com/itm4n/VBA-RunPE somewhere (this allows you to embed PE files in VBA), this might be helpful to streamline this process. What do you think?
Hey thanks! I don’t have much experience at writing this kind of article in general so I appreciate any feedback. Please try with whatever product you can. I’d be curious to know the results and I think it’s really important to properly test these products (meaning not using the usual techniques) considering how much they cost and all the buzzwords they use to sell them. In Crowdstrike’s case, I was pleasantly surprised with they’re quick answer and collaboration on the subject.
Regarding HTAs and XSLs, I previously read one of your articles on the subject a while ago and I did some tests where Falcon had caught them all. I never tried to do a macro with RunPE (first time I hear of this project, looks really cool!) but I definitely will. That said, I don’t focus on the macros because they’re easily detected by email filters and a company with good security practice will disable the execution via GPOs but I don’t doubt lots of people are still using them.
I’ll keep you posted by PM when I try in a few days.
If you want more articles like these, please consider funding us these products (anti-virus, anti-malware, anti-xyz, Microsoft Office, (mail) servers, licensed Cobalt Strike, etc.)
Did you test in a fresh install or on a pre-configured machine? Depending on the organization and GPOs that are pushed for Office, the execution of external DDE servers might be disabled by default. In the organization where I tested, macros are disabled by default but external DDE servers are enabled and the settings can’t be controlled by the user. It’s a feature often used in financial institutions. You can go enable it in the Options > Trust Center > External content.
I’m not sure what the defaults are on a fresh Office install on a non domain-connect machine. I’m building a VM with a fresh Office 2016 without connecting it to the domain so we’ll see.
These were the first ones I used! Excellent article by the way. I did try most of the payloads you suggested and compiling them on the fly with Microsoft.Workflow.Compiler.exe and even tried with csc.exe in the .NET folder. Unfortunately they were all detected. Crowdstrike prevented the execution on my machine so I’m surprised it didnt show up in Virus Total but my tests are fairly recent.
However, I have an idea that I want to test and it might work well with your payloads. Instead compiling on the fly with both of these, about using the IL disassembly and recompile it on the fly instead or compiling the code itself?
If it works I’ll probably do another write up and give you credit for some ideas
Just did a fresh install in a VM on Windows 10 Pro fully patched and I don’t have the issue.
You probably have a GPO that adds two additional check boxes (within the red box I added on the picture) to enable/disable the DDE server lookup and launch. The DDE server launch one if probably not checked (which is a good thing).
Hello. Nice write-up and finding! Are you aware of what GPOs this can bypass? What is a solution that can block execution from the GPO’s level without bricking excel? I can’t fully test this since I don’t have the proper environment for it, yet it seems to be a bypass …
I’m not sure I understand the question very well but I’ll try to answer. The reason DDE is used is because the environment has the macros disabled by GPO. The GPOs in question I believe are:
Block macros from running in Office files from the Internet
Disable VBA for Office applications
VBA Macro Notification Settings set to Disable all with notification
As far as I know and as shown in my reply to Alfred above, by default DDE execution of external content is enabled by default. It will however create a pop-up message asking the user if he wishes to run cmd.exe (but as you know most people click stuff without reading) like this:
There is also a way to manipulate that message to replace cmd.exe with excel.exe using the following line: =EXCEL|'\..\..\..\Windows\System32\cmd.exe /c notepad.exe'!_xlbgnm.A1
My question falls there exactly. How can you secure your Windows system against that by using GPOs and user restrictions? Reading as well on DDE since I am barely aware of it. Thank you for the extra bit as well!
After thinking through i went to Trust Security center Option and found this
after checking that it works. so for some reason i do not understand how that possibly got UNchecked in the first place and i have seen people make a test on 2016 excel which works
Hi, I think it depends - in Excel 2016 via office 365 has it in by default but the standalone installer which most enterprises use don’t have it. At least that’s my experience so far. Nice post.
To satisfy OP’s curiosity about half of the Endpoint products in the space currently have protection for Excel.exe -> cmd.exe, including Carbon Black. More have protection for Winword.exe -> cmd.exe and less have protection for Outlook.exe -> cmd.exe. So Outlook DDEs are great since Outlook is often overlooked.
If you use the uncommon LoLBins found at https://lolbas-project.github.io/ DDEs will have success against any product.
