Discover and read the best of Twitter Threads about #VBA

Most recents (4)

#VBA declare statement: from libname #obfuscation to remote dll loading 🧵

Declare is used to declare a ref to an external proc in a DLL

Syntax:
[Public | Private] Declare Function name Lib "libname" [Alias "aliasname"] [ ( [arglist] ) ] [As type]

ref: docs.microsoft.com/en-us/office/v…
0⃣ both "kernel32" and "kernel32.dll" are acceptable libnames
1⃣ padding with space chars " kernel32 "
2⃣ adding arbitrary . to the mix " kernel32 .. .. . "
Is libname actually a file path? yes
3⃣ "c:\Windows\System32\kernel32.dll"
can we use relative addressing?
4⃣ "..\..\..\..\../\..\\.\windows\system32\kernel32"
can we use file protocol?
5⃣ " file:///../../../../\/./windows/system32/Kernel32.dll ... "
Read 6 tweets
Gather round #infosec fam

Warning: This is a long Thread with lots of #VBALostArts & new goodies for #c2c #opsec & #payloads in Office Malware #VBA

Spoilers: This thread is gonna make some Blue Teams & sandboxes mad

Red Teams: There is plenty of fun up ahead.

Enjoy.
Currently Office Malware is 3 steps generally:

1. Encrypt/Obfuscate Your #Macro Dropper
2. Get Your Powershell/Java/JS/DLL flavor of the week onto the victim ASAP
3. Bug out

I want to change all of this, however before we do that we need to upgrade Office Malware
For now lets focus on the first step and why obfuscating/encrypting your macros not ideal.

1. Your code will eventually get deobfuscated
2. Your code is not unique - same sample <-> many targets
3. Most obfuscation methods = Noise/Signatures
4. Your code becomes evidence
Read 18 tweets
So for today's lesson in C2C for #VBA I will be discussing abusing the AddWebVideo method.

This feature is literally for (surprise) adding videos inside documents.

However it is one of the most overlooked ways to implement C2C or exfil

#VBALostArts
AddWebVideo has 3 parameters that are partial to abuse for C2C and exfil (among other things).

EmbedCode, PosterFrameImage, and URL being the ones we are interested.

However they each have their own behavior and benefits. Image
Starting off with EmbedCode this variable accepts HTML content that is to be rendered within MS Office

So using EmbedCode you can trigger a HTTP[s] connection to your C2C Server as well as store some HTML (more on that in the future)

Something like this gets the job done: Image
Read 9 tweets
UPA supporters blaming VBA & AIMM 4 "cutting votes" & UPA loss in 25 seats, let's understand the nuances. Politics is a spectrum, there isn't just a left & right. Every political agenda has a right to exist. We aren't a 2 party system. We are in danger of 1party system tho.
Those who voted for #VBA & #AIMM had a choice. They could have voted for UPA if they felt concerned that their votes would "go wasted". Many have weighed this decision and decided that UPA didn't fit in their plans & they would rather risk a Right candidate winning than vote for
Someone from the Left who wouldn't. They wanted to make a point, and they did. If you have to blame anybody, blame those voters, not the parties. But also ask why they didn't choose UPA against "the common enemy"
Read 3 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!