Auto_Open(), Document_Open() etc. and follow the execution flow a user would have experienced upon opening the document and “Enabling Content”.

Application.Shell or WMI methods to run command lines. The benefit of the latter is that it does not create a suspicious and rather easy to detect parent-child process relationship.

Start-BitsTransfer cmdlet being passed to the newly created object — this technique is unlikely to decrease in popularity in the coming years, as most cybercriminals are moving away from heavily logged PowerShell to less transparent interfaces like WMI or direct API calls.

CreateProcess, CreateProcessAsUser.

kernel32.CreateProcessW / CreateProcessA. We should reach the call to it after running the macro.

lpCommandLine.

RDX register, which indeed seems to contain our payload (on x86 systems you’d find all the parameters on the stack).

NT AUTHORITY/SYSTEM) debugger to the WmiPrvSE.exe process, and dump the parameters of the CreateProcessAsUser function.

R8 — lpCommandLine) parameter in the dump reveals a PowerShell payload which can be copied and further analyzed in CyberChef:

CreateProcess API is not used here due to the difference in security context of EXCEL and WMI Privileged Hoster.

OFFICE_VBA entries. There will often be multiple events generated throughout the execution — Microsoft does not document this well, but experience shows that the bigger the contentsize of an event, the more complete it is.

VirtualAlloc is often substituted with HeapCreate and HeapAlloc, while CreateThread can be replaced with, for example — EnumResourceTypesW for the same results.

RtlMoveMemory API could get logged.
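As an added helper (my example, not code from the original post), the following script performs the "copy the dump and analyze it in CyberChef" step offline: it takes the bytes copied from the debugger at the address held in R8 (lpCommandLine is the third argument of CreateProcessAsUser, but the second of CreateProcess, so under the x64 calling convention it lands in R8 or RDX respectively), recovers the NUL-terminated UTF-16LE command line and decodes an -EncodedCommand argument back to the script. The sample dump is constructed inline; the helper names are my own.

```python
import base64
import binascii
import re

# Constructed sample: bytes an analyst copies from the memory dump at the address in R8
# (lpCommandLine of CreateProcessAsUserW inside WmiPrvSE.exe). The W variant is hit, so the
# buffer is UTF-16LE and NUL-terminated; unrelated trailing heap bytes are appended on purpose.
_INNER = "Write-Host 'constructed sample payload'"
_ENCODED = base64.b64encode(_INNER.encode("utf-16-le")).decode("ascii")
SAMPLE_DUMP = (
    f"powershell.exe -nop -w hidden -enc {_ENCODED}".encode("utf-16-le")
    + b"\x00\x00"            # UTF-16 terminator
    + b"\x41\x00\xcc\xcc"    # trailing heap garbage that must be ignored
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...), so
# match "-e<letters>" and check it is a prefix; this also rejects -ep / -ExecutionPolicy.
_SWITCH = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def extract_command_line(dump: bytes) -> str:
    """Recover the NUL-terminated UTF-16LE string at the start of a dumped lpCommandLine buffer."""
    end = 0
    # Walk in 2-byte code units so the 0x00 high byte of an ASCII char is not taken as the terminator.
    while end + 1 < len(dump) and dump[end:end + 2] != b"\x00\x00":
        end += 2
    return dump[:end].decode("utf-16-le", errors="replace")


def decode_encoded_command(cmdline: str):
    """Return the plaintext script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    for match in _SWITCH.finditer(cmdline):
        switch, blob = match.group(1).lower(), match.group(2)
        if not "encodedcommand".startswith(switch):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a valid encoded command; keep scanning the command line
    return None


def analyze_dump(dump: bytes):
    """Whole pipeline: raw dump bytes -> command line string -> decoded PowerShell script."""
    cmdline = extract_command_line(dump)
    return cmdline, decode_encoded_command(cmdline)
```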