using vba
play

USING VBA REFERENCING WHOAREWE Aviv Grafi Amit Dori CEO, Votiro - PowerPoint PPT Presentation

Jul 29, 2023 •582 likes •1.05k views

REFERENCE THIS: SANDBOX EVASION USING VBA REFERENCING WHOAREWE Aviv Grafi Amit Dori CEO, Votiro Security Researcher, Votiro Graduate of Israeli Army s elite 28 years old from Tel-Aviv. 8200 intelligence unit. BSC in

  1. REFERENCE THIS: SANDBOX EVASION USING VBA REFERENCING

  2. WHOAREWE Aviv Grafi Amit Dori CEO, Votiro Security Researcher, Votiro • • Graduate of Israeli Army ’ s elite 28 years old from Tel-Aviv. 8200 intelligence unit. • BSC in Computer Science, BA in • Over 15 years of experience in Psychology from TAU. telecommunications and InfoSec. • • Inventor of Votiro ’ s enterprise Formerly researched Exploit Kits at protection solutions. Check Point. • BSC in Computer Science, BA in • Skate, swim, guitar. economics, MBA from TAU. • Sushi, running, quiet walks along the beach. X33FCON: May 7-8, 2018

  3. ABSTRACT Sandbox had become a standard security solution in organizations nowadays which makes it a prime target. This talk will demonstrate a new way to perform sandbox evasion. In contrast to common evasion techniques, our technique doesn ’ t require code execution to detect the sandbox environment. X33FCON: May 7-8, 2018

  4. ABSTRACT Evasion Detection Sandbox Evasion techniques Sandbox-user Differences VBA Referencing Server-Side Sandbox Detection X33FCON: May 7-8, 2018

  5. RELEVANT BACKGROUND We assume familiarity with the following concepts: 1 2 VBA macros Office Protected View 3 4 Sandbox solutions Tracking pixels X33FCON: May 7-8, 2018

  6. SANDBOX EVASION With the introduction of the sandbox, malware authors have introduced Sandbox Evasion. The term is used to describe all the techniques utilized to identify a sandbox, trick it, manipulate it and evade it. X33FCON: May 7-8, 2018

  7. SANDBOX EVASION TECHNIQUES Detect the sandbox: detect virtualization Hypervisor, Virtualization DLLs, Side channels, unusual hardware Detect the sandbox: Artificial Environment Username, Cookies and browser history, recent file count, screen resolution, Old vulnerabilities, Running processes X33FCON: May 7-8, 2018

  8. SANDBOX EVASION X33FCON: May 7-8, 2018

  9. SANDBOX EVASION TECHNIQUES Evade the sandbox: Defeat the Monitor Remove hooks, work around hooks, delay execution Evade the sandbox: Context Aware Require user interaction, check date and time-zone, encrypted payload X33FCON: May 7-8, 2018

  10. SANDBOX EVASION All of the mentioned techniques, require code execution (sandbox-side) in order to collect the data and analyze it. As a result, most of these techniques can be identified by static analysis tools which will flag the file as suspicious prior to execution. Furthermore, the actions executed to fingerprint the system are flagged as evasion techniques - which immediately raise a warning flag. X33FCON: May 7-8, 2018

  11. VBA REFERENCING

  12. WHAT IS VBA REFERENCING? In order to truly understand the capabilities of VBA macros, one must dive into the macros bible: MS-OVBA document. [MS-OVBA]: Office VBA File Format Structure Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages, standards as well as overviews of the interaction among each of these technologies. X33FCON: May 7-8, 2018

  13. MS-OVBA The MS-OVBA, Office VBA File Format Structure, specifies the Office VBA File Format Structure, AKA vbaProject.bin . MS-OVBA specifies the structure of this binary and all of its features and attributes. X33FCON: May 7-8, 2018

  14. WE ’ RE NOT THE FIRST TO HUNT HERE In “ Analysis of the attack surface of Microsoft Office from user perspective ” by Mr.Haifei Li, a RCE flaw in the VBA engine is shown. It appears that VBA engine accepts a path to a remote .tlb file, which will be fetched and loaded into Word upon execution. X33FCON: May 7-8, 2018

  15. VBA REFERENCES Another previously unexplored section of the MS-OVBA document is of PROJECTREFERENCES, which allows a VBA project to fetch and execute VBA macros, found in a remote project. 2.3.4.2.2. PROJECTREFERENCES Records Specifies the external REFERENCES of the VBA project as a variably sized array of reference (section 2.3.4.2.2.1). The termination of the array is indicated by the beginning of PROJECTMODULES (section 2.3.4.2.3), with is indicated by a REFERENCE (section 2.3.4.2.2.1) being followed by an unsigned 16-bit integer with a value of 0x000F. X33FCON: May 7-8, 2018

  16. VBA REFERENCES 0000002 003 Array of bytes – *\cc:\Example Path\Example- A7 0 LibidAbsolute ReferenceProject.xls It appears as if one can provide an absolute(or relative) path to an Office file and use its VBA project. LET ’ S EXPLORE! X33FCON: May 7-8, 2018

  17. VBA REFERENCING TRIALS X33FCON: May 7-8, 2018

  18. VBA REFERENCING TRIALS X33FCON: May 7-8, 2018

  19. VBA REFERENCING TRIALS X33FCON: May 7-8, 2018

  20. VBA REFERENCING DEMO X33FCON: May 7-8, 2018

  21. VBA REFERENCING DEMO X33FCON: May 7-8, 2018

  22. VBA REFERENCING DEMO It seems that VBA REFERENCING works, and is most silent in Excel. X33FCON: May 7-8, 2018

  23. CRAFTING AN ATTACK

  24. STACKING IT UP VBA projects can fetch code from remote VBA projects. An attacker can create a document which will fetch a VBA project from his server. Wouldn ’ t it be very cool if we (as attackers) could identify the environment issuing the requests and respond accordingly? X33FCON: May 7-8, 2018

  25. SANDBOX AS A BOTTLENECK In order to prevent this, a sandbox must be AUTOMATIC the process happens without interaction from users/admins FAST the sandbox uses a time limit alongside further optimizations. SECURE-LESS most security mitigations are disabled. X33FCON: May 7-8, 2018

  26. STACKING IT UP So when a user opens a document with VBA referencing: Disable VBA Document VBA Engine Protected Referencing Open Load View occurs Sandbox have disabled Protected View in advance, so it looks like: Disable VBA Document VBA Engine Protected Referencing Open Load View occurs X33FCON: May 7-8, 2018

  27. STACKING IT UP Protected View blocks macro execution until disabled. In fact, it disables the VBA engine as a whole. However, Protected View is not just for code! It tackles various other objects from being loaded! X33FCON: May 7-8, 2018

  28. WHAT IS EXTERNAL CONTENT, AND WHY ARE WEB BEACONS A POTENTIAL THEREAT? more information, see Block or unbleock automatic picture downloads in email External content is any content that is linked messages. from the Internet or an intranet to a Linked media - A hacker sends you a workbook or presentation. Some examples of presentation as an attachment in an email external content are images, linked media, message. The presentation contains a media data connections, and templates. object, such as a sound, that is linked to an Hackers can use external content as Web external server. When you open the beacons. Web beacons send back, or beacon, presentation in Microsoft PowerPoint, the information from your computer to the media object is played and in turn executes server that hosts the external content. Types code that runs a malicious script that harms of Web beacons include the following: your computer. Images - A hacker sends a workbook or Data connections - A hacker creates a Images - A hacker sends a workbook or presentation for you to review that contains workbook and sends it to you as an presentation for you to review that contains images. When you open the file, the image is attachment in an email message. The images. When you open the file, the image is downloaded and information about the file is workbook contains code that pulls data from downloaded and information about the file is beaconed back to the external server or pushes data to a database. The hacker beaconed back to the external server. does not have permissions to the database, Images in Outlook e-mail massages - but you do. As a result, when you open the Microsoft Office has its own mechanism for workbook in Microsoft Excel, the code blocking external content in messages. This executes and accesses the database by using helps to protect against Web beacons that your credentials. Data can be accessed or could others capture your email address. For changed without your knowledge or consent. X33FCON: May 7-8, 2018

  29. STACKING IT UP In order to provide protection to the user, Protected View loads objects in a specific order. Considering Protected View is enabled, it will first load all non-executable objects (external content for example): Only then it will prompt for the VBA engine and other executables: X33FCON: May 7-8, 2018

  30. STACKING IT UP This is in complete contrast to what happens when Protected View is disabled. First, the VBA engine would load causing VBA referencing. Then, the rest of the document ’ s content would load. X33FCON: May 7-8, 2018

  31. SERVER-SIDE SANDBOX DETECTION We plan on using this difference to detect the sandbox on the attacker ’ s side. We chose to use a linked image, a sort of tracking pixel, which will serve as a “ baseline ” . X33FCON: May 7-8, 2018

  32. SERVER-SIDE SANDBOX DETECTION With the addition of the tracking pixel, our detection scheme is done. When a sandbox is used, When a user opens the document, Protected View is disabled: = Protected View Protected View is enabled: Document Document Open Open User Clicks Enable Editing VBA Engine load Load Image VBA Referencing User Clicks Enable Content VBA VBA Load Image Referencing Engine load X33FCON: May 7-8, 2018

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

W3C Web of Things Plugfest Security Review Michael McCool W3C WoT WG Security and Privacy TF

W3C Web of Things Plugfest Security Review Michael McCool W3C WoT WG Security and Privacy TF

W3C Web of Things Plugfest Security Review Michael McCool W3C WoT WG Security and Privacy TF Bundang, July 2018 Outline Who tried what Intel, Panasonic, Smart Things, Siemens, EURECOM, others? HTTPS (direct and via proxy), Auth

109 views • 10 slides
Health and Safety Grant Program Febru ruar ary 26, 20 , 2020 AGENDA ENDA Introductions

Health and Safety Grant Program Febru ruar ary 26, 20 , 2020 AGENDA ENDA Introductions

Proposition 64 Public Health and Safety Grant Program Febru ruar ary 26, 20 , 2020 AGENDA ENDA Introductions Overview of the BSCC and the Executive Steering Committee (ESC) Grant Summary & Instructions Applicant

934 views • 45 slides
Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew

Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew

1 of 24 slides Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, and Xin Zheng; 2007 Department of Computer Science Cornell University Ivan Hristov

450 views • 28 slides
Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development

Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development

Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development Many different platforms: Android, IPhone, Symbian, Windows Phone/ Mobile, MeeGo (only a few of them) Reasons for mobile web development

435 views • 31 slides
Privacy-Enhanced Sharing of Personal Content on the Web Mohammad Mannan and P . C. van Oorschot

Privacy-Enhanced Sharing of Personal Content on the Web Mohammad Mannan and P . C. van Oorschot

IMPECS WWW Presentation- April 24, 2008 Privacy-Enhanced Sharing of Personal Content on the Web Mohammad Mannan and P . C. van Oorschot Carleton University, Canada M. Mannan April 24, 2008 1 IMPECS The need for sharing is real People

422 views • 19 slides
Ronny Krashinsky and Hari Balakrishnan MIT Laboratory for Computer Science {ronny,

Ronny Krashinsky and Hari Balakrishnan MIT Laboratory for Computer Science {ronny,

Ronny Krashinsky and Hari Balakrishnan MIT Laboratory

357 views • 20 slides
A Privacy Awareness System for Ubicomp Marc Langheinrich ETH Zurich, Switzerland Motivation !

A Privacy Awareness System for Ubicomp Marc Langheinrich ETH Zurich, Switzerland Motivation !

A Privacy Awareness System for Ubicomp Marc Langheinrich ETH Zurich, Switzerland Motivation ! Ubicomp features real-world electronic services, often without user interface Privacy Awareness System ! Automated data transfer facilitates

593 views • 10 slides
IEEE 802.11 Basic Connectivity Manuel Ricardo Faculdade de Engenharia da Universidade do Porto

IEEE 802.11 Basic Connectivity Manuel Ricardo Faculdade de Engenharia da Universidade do Porto

WLAN 1 IEEE 802.11 Basic Connectivity Manuel Ricardo Faculdade de Engenharia da Universidade do Porto WLAN 2 Acknowledgements Based on Jochen Schiller slides Supporting text Jochen Schiller, Mobile Comunications,

1.13k views • 44 slides
W3C Web and Automotive Workshop Tizen IVI Vehicle Data Mikko Ylinen Intel Open Source Technology

W3C Web and Automotive Workshop Tizen IVI Vehicle Data Mikko Ylinen Intel Open Source Technology

W3C Web and Automotive Workshop Tizen IVI Vehicle Data Mikko Ylinen Intel Open Source Technology Center Nov 14th 2012 Agenda Position Paper Highlights The API Demo Setup and Architecture 2 Position Paper Highlights (1/2)

305 views • 15 slides
NGS Resource Broker Presented by Mike Mineter Slides from: Matthew Viljoen, STFC RAL Grid

NGS Resource Broker Presented by Mike Mineter Slides from: Matthew Viljoen, STFC RAL Grid

http://www.nesc.ac.uk/training http://www.ngs.ac.uk NGS Resource Broker Presented by Mike Mineter Slides from: Matthew Viljoen, STFC RAL Grid Deployment Group, RAL Grid Deployment Group, RAL http://www.grid-support.ac.uk/ Talk Outline Talk

476 views • 16 slides
Service Blueprint and Deployment for an IoT Cloud Integration Platform Ludwigsburg October

Service Blueprint and Deployment for an IoT Cloud Integration Platform Ludwigsburg October

Service Blueprint and Deployment for an IoT Cloud Integration Platform Ludwigsburg October 24th 2017 Stefano Morson Senior Software Manager at Eurotech Jens Reimann Senior Software Engineer at Red Hat Eclipse Kapua Agenda

430 views • 24 slides
Overview of Web Services with Examples Riina Maigre 11.05.2006 1 Outline Web Services

Overview of Web Services with Examples Riina Maigre 11.05.2006 1 Outline Web Services

Overview of Web Services with Examples Riina Maigre 11.05.2006 1 Outline Web Services Architecture Service Provider Service Requester Service Broker Web Services Protocol Stack WSDL based Semantics based Web Services Composition Editors

324 views • 28 slides
Migration Broker: Our requirements Simon.Muyal@renater.fr Jerome.Durand@renater.fr Major goal

Migration Broker: Our requirements Simon.Muyal@renater.fr Jerome.Durand@renater.fr Major goal

Migration Broker: Our requirements Simon.Muyal@renater.fr Jerome.Durand@renater.fr Major goal To provide temporary IPv6 connectivity to: sites not connected to Renaters IPv6 service 30% of RENATERs access networks support IPv6

169 views • 5 slides
ARG Availability and reliability monitoring for e-Infrastructures C. Kanellopoulos, GRNET K.

ARG Availability and reliability monitoring for e-Infrastructures C. Kanellopoulos, GRNET K.

ARG Availability and reliability monitoring for e-Infrastructures C. Kanellopoulos, GRNET K. Kagkelidis, GRNET/AUTH You can not manage, what you do not monitor Usage Responsiveness Availability Reliability Profit Performance Cost

803 views • 19 slides
Dis istributed Environment or: im imple lementin ing Lin Linked Data Br Broker usin sing

Dis istributed Environment or: im imple lementin ing Lin Linked Data Br Broker usin sing

Practical Data Provenance in in Dis istributed Environment or: im imple lementin ing Lin Linked Data Br Broker usin sing Micr icrose serv rvic ices Archit itecture Joonas Kesniemi, Stefan Negru, Joo da Silva SWIB 2017 Hamburg

798 views • 22 slides
Introduction to the Open Service Broker API Doug Davis | IBM dug@us.ibm.com | @duginabox A

Introduction to the Open Service Broker API Doug Davis | IBM dug@us.ibm.com | @duginabox A

Introduction to the Open Service Broker API Doug Davis | IBM dug@us.ibm.com | @duginabox A Brief History... u PaaS with a mission to make managing Cloud apps simple $ cf push myapp $ cf scale myapp -i 5 u CF manages deployment, orchestration,

448 views • 19 slides
Migrating to Vitess at (Slack) Scale Michael Demmer Percona Live - April 2018 This is a

Migrating to Vitess at (Slack) Scale Michael Demmer Percona Live - April 2018 This is a

Migrating to Vitess at (Slack) Scale Michael Demmer Percona Live - April 2018 This is a (brief) story of how Slack's databases work today, why we're migrating to Vitess, and some lessons we've learned along the way. Michael Demmer Senior

1.18k views • 58 slides
Failure Comes in Flavors Part II: Patterns Michael Nygard mtnygard@gmail.com

Failure Comes in Flavors Part II: Patterns Michael Nygard mtnygard@gmail.com

Failure Comes in Flavors Part II: Patterns Michael Nygard mtnygard@gmail.com www.michaelnygard.com Failure Comes in Flavors Part II: Patterns Michael Nygard mtnygard@gmail.com www.michaelnygard.com My Rap Sheet 1989 - 2008: Application

779 views • 47 slides
Analysis of Privacy-Enhancing Protocols Based on Anonymity Networks abio Borges , Leonardo A.

Analysis of Privacy-Enhancing Protocols Based on Anonymity Networks abio Borges , Leonardo A.

Analysis of Privacy-Enhancing Protocols Based on Anonymity Networks abio Borges , Leonardo A. Martucci , Max M auser F uhlh Technische Universit at Darmstadt Telecooperation Lab 64293 Darmstadt, Germany Email:

67 views • 6 slides
Edge Caches and Localization Nicholas Weaver International Computer Science Institute

Edge Caches and Localization Nicholas Weaver International Computer Science Institute

Edge Caches and Localization Nicholas Weaver International Computer Science Institute (Apologies for my absence) Bulk data P2P shifts costs By default, bulk-data P2P shifts the deliver costs from the content provider to the retail ISPs

302 views • 6 slides
1945: Vannevar Bush The Internet End-End As we may think, Atlantic The Web Monthly,

1945: Vannevar Bush The Internet End-End As we may think, Atlantic The Web Monthly,

2/24/2019 1945: Vannevar Bush The Internet End-End As we may think, Atlantic The Web Monthly, July, 1945. Describes the idea of a 15-441 Spring 2018 distributed hypertext system Profs Peter Steenkiste & Justine Sherry A

403 views • 12 slides
CSEE 3827: Fundamentals of Computer Systems, Spring 2011 11. Caches Prof. Martha Kim

CSEE 3827: Fundamentals of Computer Systems, Spring 2011 11. Caches Prof. Martha Kim

CSEE 3827: Fundamentals of Computer Systems, Spring 2011 11. Caches Prof. Martha Kim (martha@cs.columbia.edu) Web: http://www.cs.columbia.edu/~martha/courses/3827/sp11/ Outline (H&H 8.2-8.3) Memory System Performance Analysis

539 views • 35 slides
Lanyrd's Inside Architecture Andrew Godwin Web Engineer, Lanyrd @andrewgodwin WHO AM I?

Lanyrd's Inside Architecture Andrew Godwin Web Engineer, Lanyrd @andrewgodwin WHO AM I?

Lanyrd's Inside Architecture Andrew Godwin Web Engineer, Lanyrd @andrewgodwin WHO AM I? Andrew Godwin Web developer Systems administrator Technical architect Django core developer LANYRD: THE EARLY YEARS The Origin Story LANYRD: THE

952 views • 55 slides
CS 10: Problem solving via Object Oriented Programming Winter

CS 10: Problem solving via Object Oriented Programming Winter

CS 10: Problem solving via Object Oriented Programming Winter 2017 Tim Pierson 260 (255) Sudikoff Agenda 1. Webcam processing 2. Color tracking 3.

173 views • 14 slides

More recommend