Is my host protected against Microsoft Office add-ins?

A chain configured to stage a UPX-packed Microsoft Word add-in file that dumps a copy of the SAM registry hive into C:\temp\. Once the add-in is staged, Word is executed to trigger execution of the add-in.

Is my host protected against Microsoft Office add-ins?

Office add-ins provide additional functionality within Office applications. Office add-ins come in several types, including WLL and XLL shared libraries, COM, VBA Editor, VSTO, and Outlook add-ins. WLL and XLL add-ins are dynamic link libraries with special function exports that Word and Excel load and call. These functions contain user-defined code, so malicious add-ins may be used to execute arbitrary code on a victim machine and to establish persistence. Notably, ransomware operators have been known to phish their victims with malicious XLLs to gain initial access.

At a high level, Office add-in capabilities are:

  • Persistence - Add-ins may be executed automatically when the Office application starts.
  • Execution - Add-ins may run arbitrary code on the victim host.

This TTP was designed to demonstrate a generic Office WLL add-in. Microsoft Defender may flag this TTP as Trojan:Win64/Meterpreter.F.

Testing

Execute "Is my host protected against Microsoft Office add-ins?" in Operator on each host in your environment to test whether you are vulnerable.

This TTP stages a UPX-packed Microsoft Word add-in file which dumps a copy of the SAM registry hive into C:\temp\. Once the add-in is staged, Word is executed to trigger execution of the add-in.

Remediation

Microsoft has released an Attack Surface Reduction (ASR) rule to prevent Office from spawning child processes. Additionally, a GPO may be used to block unmanaged add-ins in Office applications.
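The following PowerShell is an added example, not part of the original Prelude post or of Operator: it reports whether the ASR rule named above ("Block all Office applications from creating child processes", Microsoft's published rule id D4F940AB-401B-4EFC-AADC-AD5F3C50688A) is enforced, enables it if not, and lists any add-in files sitting in Word's per-user STARTUP folder, which is where a dropped WLL would auto-load. It assumes an elevated session on a host running Microsoft Defender Antivirus; the function names are ours.

```powershell
# Added example (not Prelude's code): audit and enforce the Office child-process
# ASR rule, then list auto-loading Word add-ins for triage. Run elevated.
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-OfficeChildProcessRuleState {
    # Returns NotConfigured, Disabled, Block, Audit or Warn for the rule above.
    # Get-MpPreference exposes parallel arrays of rule ids and numeric actions.
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $OfficeChildProcRule) {
            switch ([int]$actions[$i]) {
                0       { return 'Disabled' }
                1       { return 'Block' }
                2       { return 'Audit' }
                6       { return 'Warn' }
                default { return "Unknown($($actions[$i]))" }
            }
        }
    }
    return 'NotConfigured'
}

function Enable-OfficeChildProcessRule {
    # Block mode by default; -AuditOnly logs would-be blocks without enforcing,
    # which is the safer first step on hosts with legitimate Office automation.
    param([switch]$AuditOnly)
    $action = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions $action
}

function Find-WordStartupAddIns {
    # WLL add-ins (and macro templates) placed in this folder load automatically
    # when Word starts, so anything unexpected here deserves a closer look.
    $startup = Join-Path $env:APPDATA 'Microsoft\Word\STARTUP'
    if (Test-Path $startup) {
        Get-ChildItem -Path $startup -File -Recurse -Include *.wll, *.dotm |
            Select-Object FullName, Length, LastWriteTime
    }
}

$state = Get-OfficeChildProcessRuleState
Write-Host "Office child-process ASR rule: $state"
if ($state -ne 'Block') { Enable-OfficeChildProcessRule }
Find-WordStartupAddIns
```

The ASR rule only takes effect when Microsoft Defender Antivirus is the active real-time engine; on hosts using a third-party AV the GPO that blocks unmanaged add-ins is the control to verify instead.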

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!


Source: https://feed.prelude.org
TTPs

Dump registry SAM Hive via Microsoft Word Add-in