Microsoft Office products are so popular that it is found from basically every workplace. The Office products such as Word, Excel and PowerPoint are needed tools in many fields as these tools are packed with different functionalities. The wide use of the Office products makes them an interesting attack vector for an attacker to exploit as these applications tend to be installed on all machines.
Office products are commonly used by attackers to deliver malicious code to their victims, to gain the initial foothold on the computer and the corporate network. This is done by sending an email with a malicious Office attachment. For now, we are skipping the macro exploitation, as it is very widely known method. There are good resources online to learn VBA programming and how to develop malicious macros for Word and Excel.
In this post, we focus on the Office products from the post-exploitation perspective and how to maintain persistence in a Windows computer that has already been compromised. The methods we will cover only work in the Windows operating system.
Trusted Locations are folders which are trusted by Office applications. The files placed in these locations are not checked by the Trust Center. Users are advised to use the Trusted Location only when they know the file is from a reliable source and they want to allow macro execution and other active content.
Trusted Locations can be added, removed and changed by navigating to the Trust Center by selecting Options from the File menu. From the Trust Center select Trust Center Settings and then Trusted Locations. You should now be able to manage the Trusted Locations.
Abusing Word’s or Excel’s trust in the files located in these folders is very straightforward. Nevertheless we are not focusing on macros in this post, it should be mentioned that when a file containing macros is opened from a Trusted Location, the macros are executed. This works even if macros are disabled or when the user clicks on the popup to not allow macro execution when opening the file. Just opening the file is enough and the macros are executed straightaway as the application blindly trusts all files placed in the Trusted Locations.
The part about Trusted Locations for Word we are interested in post-exploitation is the fact, that any .dll file placed in the StartUp Trusted Location and renamed to .wll will be executed when the user opens Word. The same method works for Excel with some slight modifications to the method.
.dll, .wll and .xll
.dll files are Dynamic-Link Libraries. These .dll files are used in the Windows environment and the libraries contain code which can be used by multiple programs at the same time.
.wll files are Microsoft Word add-in files, they are just .dll files renamed to .wll used to add new features to Word. To execute the code, the file needs to be placed in the StartUp Trusted Location. When a user opens Word, the .wll file in the StartUp Trusted Location will be executed.
This StartUp location folder is located in the user’s home folder, which is great if the users are logging in from different computers and the home folder files are made available to them on any machine inside their organization. The .wll file is executed even if the Word add-ins are disabled from the Trust Center.
Word makes this very simple to do, to achieve the same in Excel requires some extra step and isn’t as easy as just changing the file extensions and moving files to different folders. Excel needs to be configured to use the add-in with changing registry keys. Also, the add-ins are named as .xll instead of .wll. However, the same method of changing the file extension from .dll to .xll is used to successfully create .xll files.
The registry changes do not need administrative permissions but if the add-ins are disabled from the Trust Center, the .xll file will not be executed when opening Excel. The Word method is simpler and not as restricted as the method for Excel.
In summary, if an attacker has gained access to a Windows computer which has Office 365 or just for example, Word installed they can use it to gain persistent access to the computer by abusing Trusted Locations. This way the attacker’s code is executed every time Word is opened. Gaining code execution in this manner is helpful in order to keep accessing the hacked machine over a period of time.
Mitigation and Detection
Macros and add-ins should be disabled if they are not needed. The same applies to the StartUp Trusted Locations, they should simply be removed completely if possible.
If it is not possible to remove the StartUp Trusted Locations entirely, the file writes to these locations should be monitored and inspected heavily as it is not a very common for a normal user to move files in there. Also, it might be a good idea to monitor the processes on the machine for processes and sub-processes related to Office products.