Author Archives: Stan Hegt

Mark-of-the-Web from a red team’s perspective

Zone Identifier Alternate Data Stream information, commonly referred to as Mark-of-the-Web (abbreviated MOTW), can be a significant hurdle for red teamers and penetration testers, especially when attempting to gain an initial foothold. Your payload in the format of an executable, MS Office file or CHM file is likely to receive extra scrutiny from the Windows […]

Abusing the SYLK file format

This blog is about the SYLK file format, a file format from the 1980s that is still supported by the most recent MS Office versions. As it turns out, this file format is a very good candidate for creating weaponized documents that can be used by attackers to establish an initial foothold. In our presentation […]

Evil Clippy: MS Office maldoc assistant

At BlackHat Asia we released Evil Clippy, a tool which assists red teamers and security testers in creating malicious MS Office documents. Among other things, Evil Clippy can hide VBA macros, stomp VBA code (via p-code) and confuse popular macro analysis tools. It runs on Linux, OSX and Windows. In this blog post we will explore […]

Recordings of our DerbyCon and BruCON presentations

This month (October 2018) our team members presented at two hacker conferences:

- The MS Office magic show at DerbyCon
- Mirror on the wall: using blue team techniques in red team ops at BruCON

Below, you can find the video recordings of these presentations.

Old school: evil Excel 4.0 macros (XLM)

In this post, I will dive into Excel 4.0 macros (also called XLM macros – not XML) for offensive purposes. If you grew up in the Windows 95 age or later, just as I did, you might have never heard of this technology that was introduced as early as 1992. Virtually all malicious macro documents […]