We can notice that the documents do not include Outlook, which we use to create a Shell object and bypass the rule from MS Defender. ![]() Malware that abuses Office as a vector often runs VBA macros and uses code to download and run additional code. Creating malicious child processes is a common malware strategy. Office applications include Word, Excel, PowerPoint, OneNote and Access. The rule blocks Office applications from creating child processes. Specifically, Microsoft states the following in its documentation: If we want to create a Shell instance, a rule from MS Defender will block our request. This event is executed by a service code located in a separate Module. In our code, we use the Workbook_Open event, which starts when a document is opened. These event handling procedures are contained in the document instead of in the code module. In addition to these application events, the Office documents themselves trigger various events and may contain their own utilities. Our event handlers can be registered simply by giving the procedure the same name as the event we want to run, or by naming one of our code modules after the automatic macro and including the procedure in that module. Before describing the technical details, the following infographic accurately describes our process of infecting a computer and taking complete control of it. After macros are enabled, we can proceed to the actual execution of the code. Macros can be enabled, but we need an entry point for our malicious program. One way, for example, might be to make the document look encrypted and ask the user to enable the macro for security reasons. One of these protection mechanisms, which is implemented directly in MS Excel, is that macros do not run automatically when a dangerous document is opened.Īs a result, social engineering methods have begun to be used to force the user to allow the use of macros. When malicious code starts executing, the attacker will be able to work with Win32 API, COM objects, VBA code, or it is possible to invoke the loading of their own library.Īs macro security went unnoticed, Microsoft and other security companies began working on protection mechanisms. AutoClose : Launches when the document is closed.AutoOpen : Launches when an existing document is opened.AutoNew : Launches when a new document is created.AutoExec : Launches when a document is opened. ![]() Script execution is configurable according to events that occur based on user action Macros are written in the VBA (Visual Basic) scripting language, which can work with the system application interface from a privileged context (MS Excel), thanks to which it allows good interaction with the operating system. ![]() Because macros are part of an Excel document and can run automatically, they are a good tool for an attacker to control a computer. Unfortunately, software that offers script-based automation capabilities also has its downsides.Ī macro is a script that is used to automate tasks in Excel documents, e.g. It is a robust tool for data collection and visualization, creation of calculations and more. Microsoft Excel is a very useful program that makes life easier for millions of people and companies around the world.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |