In preparation for a VBS AV Evasion Stream/Video I was doing some research for Office Macro code execution methods and evasion techniques.
The list got longer and longer and I found no central place for offensive VBA templates, so this repo can serve as one. It is very far from complete. If you know any other useful technique or template, feel free to contribute and create a pull request!
Most of the templates in this repo were already published somewhere. I just copy-pasted most of them from MS docs, blog posts or from other tools.
Templates in this repo
Missing – ToDos

| Template | Description |
| --- | --- |
| Unhooker.vba | Unhook APIs in memory to get rid of hooks |
| Syscalls.vba | Syscall usage – fresh from disk or SysWhispers-like |
| Manymore.vba | If you have any more ideas, feel free to contribute |
Obfuscators / Payload generators
- VisualBasicObfuscator – needs some modification, as it doesn't split up long lines and its output is therefore not usable in Office document macros
- VBS-Obfuscator-in-Python – needs some modification, as it doesn't split up long lines and its output is therefore not usable in Office document macros
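The reason the line splitting matters: the VBA editor refuses any physical line longer than 1023 characters ("Line too long"), so an obfuscator that emits one giant string literal produces a macro that cannot even be pasted into the VBE. As an added example (not part of this repo or of either obfuscator above), the helper below rebuilds an over-long string literal as a series of `var = var & "chunk"` statements that each stay under the limit. One statement per chunk is used instead of `_` line continuations, so the separate cap the VBE places on continuations per statement never comes into play. The 1023 figure is the editor's limit; the default `max_line` of 1000 is an assumed safety margin.

```python
"""Split an over-long VBA string literal into VBE-compatible statements.

The VBA editor rejects any physical line longer than 1023 characters,
so obfuscator output that emits one huge literal cannot be pasted into
an Office macro. This helper turns

    payload = "<very long string>"

into `payload = ""` followed by `payload = payload & "<chunk>"` lines,
each within the requested line length. Embedded double quotes are
escaped as "" per VBA rules and never split across two chunks.
"""

VBA_MAX_LINE = 1023  # hard limit enforced by the VBA editor


def split_vba_string(var: str, literal: str, max_line: int = 1000) -> list[str]:
    """Return VBA source lines that rebuild `literal` into variable `var`.

    `literal` is the raw string content (not yet quoted). `max_line` is
    the maximum length of any emitted line (assumed safety margin: 1000).
    """
    if max_line > VBA_MAX_LINE:
        raise ValueError("max_line exceeds the VBA editor limit of 1023")
    escaped = literal.replace('"', '""')
    prefix = f'{var} = {var} & "'
    suffix = '"'
    room = max_line - len(prefix) - len(suffix)
    # need room for at least one escaped quote pair per chunk
    if room < 2:
        raise ValueError("variable name too long for the requested line length")

    lines = [f'{var} = ""']
    i = 0
    while i < len(escaped):
        chunk = escaped[i:i + room]
        # every quote in `escaped` is doubled, and every chunk starts on a
        # pair boundary, so an odd count means the chunk ends with half a
        # pair: drop that last character and let the next chunk take the pair
        if chunk.count('"') % 2 == 1:
            chunk = chunk[:-1]
        lines.append(f"{prefix}{chunk}{suffix}")
        i += len(chunk)
    return lines


def longest_line(lines: list[str]) -> int:
    """Length of the longest emitted line, for checking against the VBE limit."""
    return max(len(line) for line in lines)


if __name__ == "__main__":
    # constructed sample: a 5000-character payload string with embedded quotes
    sample = ('Set o = CreateObject("WScript.Shell"):' * 200)[:5000]
    out = split_vba_string("s", sample)
    print("\n".join(out[:3]))
    print(f"... {len(out)} lines, longest {longest_line(out)} chars")
```

Pipe the result into a `Sub` of the macro template after the obfuscator has run; the rebuilt string is byte-for-byte the original literal at runtime, only its source form changes.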
Credits / useful resources
ASR bypass: http://blog.sevagas.com/IMG/pdf/bypass_windows_defender_attack_surface_reduction.pdf
Shellcode to VBScript conversion: https://github.com/DidierStevens/DidierStevensSuite/blob/master/shellcode2vbscript.py
Bypass AMSI in VBA: https://outflank.nl/blog/2019/04/17/bypassing-amsi-for-vba/
VBA purging: https://www.mandiant.com/resources/purgalicious-vba-macro-obfuscation-with-vba-purging
F-Secure VBA Evasion and detection post: https://blog.f-secure.com/dechaining-macros-and-evading-edr/
One more F-Secure blog: https://labs.f-secure.com/archive/dll-tricks-with-vba-to-improve-offensive-macro-capability/