Creating a malicious Word Document using macro

Malicious office documents are one of the main attack vectors for attackers trying to compromise a system.

There are 2 main methods to create a malicious Word Document:

  1. CVE-based.
  2. Functionality-based.

Both methods have their pros and cons, but the main problem with the CVE-based approach is that it usually requires a specific version of the software to be in use on the target. In reality, we are not always aware of the exact version of the software installed, so a CVE-based approach can lead to a failed attack attempt.

The functionality-based approach, on the other hand, as the name suggests, uses functionality that is part of the software itself (Microsoft Word, in our case) and can therefore be executed successfully on all versions of the software.

In this article the functionality-based approach will be discussed, with the main focus on macros.

Learning About Process Hollowing


Process hollowing is a sub-technique of process injection used by adversaries to execute malicious code in the context of an otherwise legitimate process. It can potentially be used as a privilege escalation method while bypassing any process-based defenses implemented on the system.

In this article we will take a deeper dive into the topic and create a Windows executable that writes our shellcode inside a legitimate process.

To understand this technique more thoroughly, I suggest first checking this post about Windows processes and how they work.

In essence, this technique consists of three main stages:

  • creating or finding a process to inject into
  • injecting our shellcode inside this process
  • resuming the execution of the target process

Many different techniques can be used for each of these stages; as time goes by I will expand this topic to cover more of them.

Here I will be developing a native executable in Visual Studio using P/Invoke techniques. First, let's set up our environment.

Threat Modelling is Important!

Intro

Today I wanted to write a bit about threat modelling. Unfortunately, in our local information security culture, terms such as penetration testing and red teaming exercises overshadow threat modelling. If you have had a proper introduction to cyber security, you will have heard about the famous CIA (Confidentiality, Integrity and Availability) triad and the notion of a threat violating these values. But how often do we actually use this knowledge in practice?

This is where threat modelling comes in.

“Experience shows that nearly 50% of security flaws will be discovered from Threat Modeling because it finds different threats than those found through other assessment techniques.”

- Michael Howard, Security Architect, Microsoft