The MS Office Magic Show, presented at DerbyCon VIII Evolution 2018

by Stan Hegt, Pieter Ceelen

Summary: In this talk we will explore a wide range of novel techniques that abuse Microsoft Office features for offensive purposes. No bugs, no software vulnerabilities, only features. In recent years, we have seen a strong focus on offensive research with regard to macros, DDE and OLE. However, there is so much more interesting and unexplored functionality in the MS Office suite that can be abused in all stages of an attack. Stan Hegt and Pieter Ceelen will discuss typical Office security configurations and demonstrate a variety of new offensive techniques within the Office suite. These techniques range from abusing old-school Office ’97 features to abuse of the latest and greatest Office 2016 features. Amongst others, we will demonstrate how to abuse Word documents for gathering sensitive information from systems, how to create phishing documents for credential harvesting without a macro payload, new Office lateral movement techniques and bypasses of security features (such as Attack Surface Reduction), and how to hide your macros from antivirus and analyst tools by abusing interesting features in Office file formats and VBA specifications.