Spoofing Office Macro Save
:fish: PoC of a VBA macro spawning a process with a spoofed parent and command line.
Project README
This repository contains an example of a VBA macro spawning a process with a spoofed parent and command line. Companion blog post: Building an Office macro to spoof parent processes and command line arguments
Demo
Click for full size.
Notes
-
The 32-bit initial PoC was written and tested by myself, on Windows 10 with Office Professional Plus 2016, version 1902.
-
The 64-bit version is a contribution brought by @py7hagoras.
-
The size of the original command line stored in
originalClineeds to be greater than the size of the real one stored incmdStr
Acknowledgments & inspiration
- "Red Teaming in the EDR age" by Will Burgess
- https://blog.xpnsec.com/how-to-argue-like-cobalt-strike/
- https://twitter.com/subtee
Disclaimer
You are solely responsible for the use you make of this PoC. I assume no liability for any misuse or damage caused by this program.
Open Source Agenda is not affiliated with "Spoofing Office Macro" Project. README Source: christophetd/spoofing-office-macro
Stars
372
Open Issues
5
Last Commit
4 years ago
Repository
License
Open Source Agenda Badge
