Author Archives: Pieter Ceelen

Bypassing AMSI for VBA

This blog post is a write-up of the various AMSI weaknesses presented at the Troopers talk ‘MS Office File Format Sorcery’ and the Black Hat Asia presentation ‘Office in Wonderland’. We will explore the boundaries and design weaknesses of AMSI for VBA that would allow attackers to bypass and evade this defensive mechanism. Note that attacks on […]

MS Word field abuse

In January and February 2019 Microsoft released patches for CVE-2019-0540 and CVE-2019-0561, which were reported by Stan and me. We disclosed the details in our Black Hat Asia talk “Office in Wonderland”. Both vulnerabilities abuse a feature in Word called “fields”. In this blog post we dive into both.

Sylk + XLM = Code execution on Office 2011 for Mac

At our DerbyCon talk, the MS Office Magic Show, Stan and I presented various novel techniques for abusing Excel and Word in red teaming operations. One of the tricks introduced concerned the Sylk file format and Excel 4.0 / XLM macros. Full, detailed blog posts on Sylk and the other subjects discussed will follow later. For now it […]

Hunting for evil: detect macros being executed

In many of our red teaming and incident response engagements, we encounter the abuse of MS Office macros as a vector to drop a remote access trojan and thereby gain an initial foothold. From many discussions with our clients we have learned that macros are hard to secure and are often a necessity for business operations. In […]