VSTO and Malicious Office Docs

These are the voyages of a security enthusiast. Its continuing mission: to explore strange new knowledge. To seek out new ideas and new techniques. To boldly go where no one has gone before!


Last updated 2 years ago


It's not a bug, it's a feature!

What is the Visual Studio Tools for Office (VSTO)?

  • Visual Studio Tools for Office (VSTO) is a set of development tools available in the form of a Visual Studio add-in (project templates) and a runtime that allows Microsoft Office 2003 and later versions of Office applications to host the .NET Framework Common Language Runtime (CLR) to expose their functionality via .NET.

Any malicious payload can be embedded into any Office document using VSTO. Detailed explanations are in the links below.

Quick practice in a YouTube video:

PS:

  • More powerful than Macro and formula injection! You can write anything with C# smoothly.

  • It can update itself and its .NET libraries on every execution. (OMG! It can be a self-updating dropper!)

  • EDRs cannot detect it in the same way as macros.

Prevention:

  • Disable all add-ins for Office in the Group Policy. (This may not be useful for large companies.)

  • Require that application add-ins are signed by a Trusted Publisher in the Group Policy. (There are many ways to bypass this (^^,) )

  • I have not done it yet, but behavioral analysis can be done for this situation. Also, C# projects could be restricted with the company signature. If a subprocess of a C# project compiling and executing without a signature is observed under an Office document, it can be blocked by the EDR.

  • Also, the below blog post should be read to create a prevention scenario against this kind of phishing attack.
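
A triage check that a mail gateway or IR script could run alongside the prevention steps above (added example, not from the original page or the linked posts): it looks for the `_AssemblyLocation` custom property that Microsoft's VSTO documentation describes for document-level customizations, and separates remotely hosted manifests, the self-updating case noted under PS, from local ones. The verdict labels and the `build_sample` helper are hypothetical, and only zip-based OOXML files (.docx, .xlsx and similar) are handled.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the docProps/custom.xml part in an OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties",
    "vt": "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes",
}
VSTO_PROPS = {"_AssemblyLocation", "_AssemblyName"}

def vsto_properties(data):
    """Return the VSTO custom properties of an OOXML file ({} if none)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            raw = pkg.read("docProps/custom.xml")
    except (zipfile.BadZipFile, KeyError):
        return {}  # not a zip package, or no custom properties part
    if b"<!DOCTYPE" in raw:  # untrusted XML: never expand entities
        raise ValueError("DTD in docProps/custom.xml; refusing to parse")
    found = {}
    for prop in ET.fromstring(raw).findall("cp:property", NS):
        if prop.get("name") in VSTO_PROPS:
            found[prop.get("name")] = prop.findtext("vt:lpwstr", "", NS)
    return found

def triage(data):
    """Return 'no-vsto', 'vsto-local' or 'vsto-remote' for one document."""
    location = vsto_properties(data).get("_AssemblyLocation")
    if location is None:
        return "no-vsto"
    # Value layout: <deployment manifest path>|<solution id>[|vstolocal]
    manifest = location.split("|")[0].strip().lower()
    remote = manifest.startswith(("http://", "https://", "\\\\")) or (
        manifest.startswith("file://") and not manifest.startswith("file:///"))
    return "vsto-remote" if remote else "vsto-local"

def build_sample(location=None):
    """Constructed test input: a zip holding only docProps/custom.xml."""
    prop = "" if location is None else (
        f'<property name="_AssemblyLocation"><vt:lpwstr>{location}</vt:lpwstr></property>')
    xml = f'<Properties xmlns="{NS["cp"]}" xmlns:vt="{NS["vt"]}">{prop}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/custom.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage(build_sample("https://cdn.example.test/addin.vsto|constructed-id")))
```

A `vsto-remote` verdict on an inbound attachment is a reasonable quarantine trigger; `vsto-local` still means the document expects an add-in to load and deserves a look at what ships beside it.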

-EOF

Links:

  • Visual Studio Tools for Office (Wikipedia)
  • Office Developer Tools | Visual Studio (Visual Studio)
  • visualstudio-docs/visual-studio-tools-for-office-runtime-overview.md at main · MicrosoftDocs/visualstudio-docs (GitHub)
  • Make phishing great again. VSTO office files are the new macro nightmare? (Medium)
  • ClickOnce (Twice or Thrice): A Technique for Social Engineering and (Un)trusted Command Execution (bohops)
  • VSTO: The Payload Installer That Probably Defeats Your Application Whitelisting Rules (bohops)
  • Analyzing VSTO Office Files (NVISO Labs)