Office in Wonderland

Presented at Black Hat Asia 2019, March 28, 2019, 10:15 a.m. (60 minutes)

In this talk we will explore a wide range of novel techniques that abuse Microsoft Office features for offensive purposes. We will disclose details on new Word and Excel vulnerabilities, release attack vectors that Microsoft deemed features and demonstrate the security impact of the architectural design of the MS Office suite. A journey down the rabbit hole with offensive surprises ahead.

In previous research, we have already demonstrated that abusing legacy functionality (such as a macro language that pre-dates VBA) bypasses many existing security controls. In this talk we will go even further and share our most recent findings and insights into unexplored legacy functionality in the MS Office suite that can be abused in all stages of an attack.

Amongst others, we will demonstrate how to abuse Word documents for stealing sensitive information from systems, how to create phishing documents for credential harvesting without a macro payload, how to bypass the most recent security features in MS Office (AMSI for VBA, ASR) and much more.

Presenters:

• Stan Hegt - Red teamer & Security researcher, Outflank B.V.
  <span>Stan has more than a decade of experience in offensive security, with a strong focus on red teaming and attack simulations. His passion is to analyse and adopt the tradecraft of the bad guys in order to closely mimic their techniques in attack simulations for his clients. Stan loves developing malware for red teaming purposes (WinAPI <3) and exploring opportunities for abuse in Windows components such as MS Office, COM, .NET and PowerShell.</span>
• Pieter Ceelen - Red Teamer & Security Researcher, Outflank B.V.
  Pieter is a seasoned security specialist with 10 years of hands-on hacking experience. As a consultant, he executed large scale pentest and red teaming engagements for numerous large multinationals. Furthermore, Pieter worked as a SOC/threat intelligence analyst and within Outflank executed incident response engagements for targeted attacks. As such he combines knowledge of real-life attacks and creative ways to detect them. Around the year 2000 Pieter maintained Office documents and templates, developed macro's for Office and AutoCad and could program in native PostScript. Nowadays, he applies this knowledge to develop new ways to (ab)use Office to it's fullest extent.

Links:

• https://www.blackhat.com/asia-19/briefings/schedule/#office-in-wonderland-13709
• https://www.youtube.com/watch?v=9ULzZA70Dzg

Similar Presentations:

• DerbyCon 8.0 Evolution (2018) / The MS Office Magic Show
• HushCon Seattle 2016 / Next Generation MS Office Malware
• HushCon East 2017 / Next Generation MS Office Malware Part Deux