Maldocs - Tips For Red Teamers, Didier Stevens

The document discusses tips for red teamers when using malicious documents (maldocs). It provides 4 tips: 1) Analyze your documents thoroughly, 2) Learn from real-world actors, 3) Read technical documentation and use documented features, and 4) Read documentation to find undocumented features that can be abused. Several examples are described to illustrate the tips, such as hiding strings and code in unusual document locations.

www.nviso.eu

Maldocs: Tips for Red Teamers

Pen Test HackFest & Cyber Ranges Summit

Classification: Internal
1 Quick intro Office file format

2 4 tips for red teamers

3 Examples (with some disclosures)

4 Questions

Didier Stevens
Senior Analyst, SANS ISC Senior Handler

[email protected]

Quick intro Office file format

OOXML: Office Open XML
ZIP + XMLs (+ sometimes a bit more)

.docx, .docm, .xlsx, …

CFBF: Compound File Binary Format
I like to call this OLE format

.doc, .xls, …
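The two format slides above (OOXML as "ZIP + XMLs (+ sometimes a bit more)", and CFBF/OLE as the legacy container) are what a triage script walks first. The following is an added example, not code from the talk or from NVISO: it builds a constructed, minimal OOXML-style package in memory, reads `[Content_Types].xml` to map every part to its declared content type, and flags the parts an analyst should hand to an OLE/VBA tool next, either because they are declared as a VBA project (`application/vnd.ms-office.vbaProject`, the content type the specification assigns to `vbaProject.bin`) or because they start with the CFBF signature `D0 CF 11 E0 A1 B1 1A E1`. The function names (`build_sample_package`, `inventory`, `macro_parts`) are this example's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content type that OOXML assigns to the embedded VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# Signature at the start of every CFBF (OLE) container, e.g. vbaProject.bin.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def build_sample_package(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-style ZIP, not a real Office document."""
    overrides = [
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
    ]
    if with_macro:
        overrides.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="rels" '
        'ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        + "".join(overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr(
            "_rels/.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>',
        )
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Stand-in for a VBA project: only the OLE header bytes are real.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


def inventory(package: bytes) -> list:
    """Return (part name, declared content type, is_ole) for every part in the package."""
    result = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        root = ET.fromstring(z.read("[Content_Types].xml"))
        # <Default> maps an extension to a type; <Override> maps one exact part name.
        defaults = {d.get("Extension").lower(): d.get("ContentType")
                    for d in root.iter(f"{CT_NS}Default")}
        overrides = {o.get("PartName"): o.get("ContentType")
                     for o in root.iter(f"{CT_NS}Override")}
        for info in z.infolist():
            if info.filename == "[Content_Types].xml" or info.is_dir():
                continue
            ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            ctype = overrides.get("/" + info.filename) or defaults.get(ext) or "(undeclared)"
            # Peek at the first bytes: an OLE container inside the ZIP is the "bit more".
            head = z.open(info).read(len(OLE_MAGIC))
            result.append((info.filename, ctype, head == OLE_MAGIC))
    return result


def macro_parts(package: bytes) -> list:
    """Parts to open with an OLE/VBA tool: declared as a VBA project or carrying an OLE header."""
    return [name for name, ctype, is_ole in inventory(package)
            if ctype == VBA_CONTENT_TYPE or is_ole]


if __name__ == "__main__":
    for label, flag in (("clean", False), ("macro", True)):
        print(label, macro_parts(build_sample_package(flag)))
```

Checking both the declared type and the OLE signature matters: the content-type table is just another XML part an author controls, so a part whose bytes look like a CFBF container is worth inspecting regardless of what `[Content_Types].xml` says about it.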

4 tips for red teamers
1 Analyze your sh+chr(105)+t

2 Learn from actors

3 RTFM & use it

4 RTFM & abuse it

Examples (with some disclosures)

Example 1: the power of strings
Tip 1: Analyze!

Example 2: limiting the power of strings
Tip 2: Learn!

Example 3: very hidden
Tip 3: Use!

https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/cd03cb5f-ca02-4934-a391-bb674cb8aa06

Example 4: very, very hidden?
Tip 4: Abuse!

Example 5: unused bits
Tip 4: Abuse!

Example 6: VBA stomping
Tip 2: Learn!

https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/575462ba-bf67-4190-9fac-c275523c75fc

Alter

Suppress

Example 7: VBA purging
Tip 3: Use!

Alter

Suppress

Suppress -> VBA Purging

https://blog.nviso.eu/2020/02/25/evidence-of-vba-purging-found-in-malicious-documents/

https://www.virustotal.com/gui/file/b829ef640b3ee2965e25453727598509aff4a461d41ac7d1be56d8c8f917c2c1/detection
https://www.virustotal.com/gui/file/e7788fbbf072b34484abe68255a63b8722f0dd406d3f2f68ce956bd92e60e3b6/detection
https://www.virustotal.com/gui/file/f44e067e011ab13bddf3e3143ea427090ac07c59dcb434d069bcefb4fe3cb434/detection

Example 8: Code signing tampering
Tip 4: Abuse!

Alter

Suppress

Alter -> code signing tampering

https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/575462ba-bf67-4190-9fac-c275523c75fc

Ignored for contents hashes

Launch calc

MsgBox Hello (signed)

Overview examples

1 The power of strings
2 Limiting the power of strings
3 Very hidden
4 Very, very hidden? (D)
5 Unused bits (D)
6 VBA stomping
7 VBA purging
8 Code signing tampering (D)

More info
https://isc.sans.edu
https://isc.sans.edu/handler_list.html#didier-stevens

https://blog.nviso.eu
https://blog.didierstevens.com

Questions?

Thank you