At a high level, Office add-in capabilities are:
Trojan:Win64/Meterpreter.F
Execute "Is my host protected against Microsoft Office add-ins?" in Operator on each host in your environment to test if you are vulnerable.
This TTP stages a UPX-packed Microsoft Word add-in file that dumps a copy of the SAM registry hive into C:\temp\. Once the add-in is staged, Word is executed to trigger execution of the add-in.
Microsoft has released an Attack Surface Reduction (ASR) rule that prevents Office applications from creating child processes. Additionally, a Group Policy Object (GPO) may be used to block unmanaged add-ins in Office applications.
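The following PowerShell is an added example, not Prelude's code, showing how a defender can verify and enforce the ASR rule named above and review where Word auto-loads add-ins from. The rule GUID is Microsoft's published identifier for "Block all Office applications from creating child processes"; the Program Files STARTUP path assumes a default Office 2016/365 install, and the script assumes it runs as an administrator with Microsoft Defender Antivirus active.

```powershell
# Added example (not from the original post): check/enable the ASR rule that stops
# Office apps from spawning child processes, then list Word start-up add-ins.
# Assumes: elevated PowerShell, Microsoft Defender Antivirus enabled.

# ASR rule "Block all Office applications from creating child processes"
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-OfficeChildProcessRuleState {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $OfficeChildProcRule) {
            return $ActionNames[[int]$acts[$i]]
        }
    }
    return 'NotConfigured'
}

function Enable-OfficeChildProcessRule {
    param([ValidateSet('Enabled', 'AuditMode')][string]$Mode = 'Enabled')
    # Add-MpPreference appends this rule without overwriting rules already configured.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                     -AttackSurfaceReductionRules_Actions $Mode
}

# Word loads .wll add-ins and .dotm templates from its STARTUP folders automatically;
# anything here that IT did not deploy deserves a closer look.
function Get-WordStartupAddins {
    $folders = @(
        (Join-Path $env:APPDATA 'Microsoft\Word\STARTUP'),
        (Join-Path $env:ProgramFiles 'Microsoft Office\root\Office16\STARTUP')  # assumed default path
    )
    foreach ($f in $folders) {
        if (Test-Path $f) {
            Get-ChildItem -Path $f -File -Include *.wll, *.dotm -Recurse |
                Select-Object FullName, Length, LastWriteTime
        }
    }
}

"ASR Office child-process rule: $(Get-OfficeChildProcessRuleState)"
if ((Get-OfficeChildProcessRuleState) -ne 'Block') {
    Enable-OfficeChildProcessRule -Mode 'Enabled'   # use -Mode AuditMode to evaluate first
}
Get-WordStartupAddins
```

Run the rule in AuditMode first where Office automation is business-critical, then switch to Enabled once the Defender event log shows no legitimate child processes being flagged.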
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!