Navigating The Shadows
Mark-Of-The-Web Bypass with 7-zip


Last updated 2 years ago

Introduction

In 2022, Microsoft restricted the use of macros in Office documents downloaded from the internet, a major leap forward in reducing the popular maldoc attack surface. However, attackers can still overcome this Mark-Of-The-Web restriction by packing the malicious document in a container, such as a zip or ISO file. Upon extraction, the macro-enabled document does not appear to have been downloaded from the internet, and the evil macros can be executed. Tools like PackMyPayload demonstrate this concept.

7-Zip

The popular software 7-zip is one of the possibilities to bypass Mark-Of-The-Web. An attacker can simply 7-zip the malicious Word document and provide the victim with instructions to extract it via 7-zip, which results in a macro-enabled document without the Mark-Of-The-Web.
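Because the Mark-Of-The-Web is lost at extraction time, a defender's best chance is to inspect the container before it is unpacked. The scanner below is an added example, not code from the original post: it opens a zip archive (7-zip can produce zip, and Python's standard library reads zip but not the 7z format, so the zip container is an assumption), treats every entry that is itself a zip as a possible OOXML document, flags it when it contains a `vbaProject.bin` part (the marker of VBA macros, independent of the file extension), and otherwise recurses into it as a nested archive. The sample archive is constructed in memory; legacy OLE formats such as `.doc` are not covered.

```python
"""Flag macro-bearing Office documents inside (possibly nested) zip containers.

Added example for this page, not the author's tooling. Assumes zip
containers; the 7z format itself is not readable with the standard library.
"""
import io
import zipfile

MAX_DEPTH = 3  # stop recursing into archives nested deeper than this


def has_vba_project(doc_bytes: bytes) -> bool:
    """Return True if a zip-shaped blob (an OOXML document) carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
            return any(name.lower().endswith("vbaproject.bin") for name in doc.namelist())
    except zipfile.BadZipFile:
        return False


def scan_archive(archive_bytes: bytes, prefix: str = "", depth: int = 0) -> list:
    """Return (path, reason) findings for an archive, descending into nested zips.

    Every zip-shaped entry is checked for a VBA project first, so a macro
    document renamed to .txt or .zip is still caught; clean zip-shaped
    entries are then searched as containers in their own right.
    """
    findings = []
    if depth > MAX_DEPTH:
        findings.append((prefix or "<root>", "nested deeper than MAX_DEPTH, not inspected"))
        return findings
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            data = zf.read(info)
            if not zipfile.is_zipfile(io.BytesIO(data)):
                continue  # plain file: nothing nested to inspect here
            if has_vba_project(data):
                findings.append((path, "OOXML document with VBA project"))
            else:
                findings.extend(scan_archive(data, path + "!/", depth + 1))
    return findings


def build_document(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip; not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            doc.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed container: a macro document, a note, and a nested zip holding a clean document."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("clean.docx", build_document(False))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("resume.docm", build_document(True))
        z.writestr("readme.txt", "Please extract with 7-zip")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in scan_archive(build_sample_archive()):
        print(f"{path}: {reason}")
```

Run as a mail-gateway or sandbox pre-check, the same `scan_archive` can be fed the bytes of any zip attachment; a non-empty result is the signal to quarantine before a user ever drags the document to the desktop.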

Pretext

For example, the attacker could reply to a job posting and send his resume in an attached 7-zip file, with specific instructions on how to extract the document via 7-zip.

Extraction

Pepper, the hiring manager who has 7-zip installed, can simply double-click the file and press "Open".

This would automatically open the archive with 7-zip.

From here, a simple drag-and-drop to desktop is enough to avoid Mark-Of-The-Web.

Execution

After opening the document, the victim is presented with a classic encouragement to Enable Content. Additionally, the CV appears to be encrypted for GDPR reasons. One can never have enough protection layers for his personal data!

When the victim follows the instructions, a legitimate-looking resume appears.

Backend

However, in the backend the malicious macro replaced a DLL on disk in a Microsoft Teams directory. This causes Teams to load the attacker's malware the next time the program starts.

DLL proxying was used to preserve the functionality of the original DLL, and the malicious DLL loaded encrypted Command and Control shellcode, embedded via steganography in a remote PNG on a webserver.

In this case, a Brute Ratel C2 session was started in Microsoft Teams.

Conclusion

In this article, we demonstrated that Office macros can still be used to establish an initial foothold on a victim's machine by delivering the payload in a container. However, it has become harder and takes more effort to convince the victim, which is definitely a step in the right direction!

Figures in the original post (captions only):

  • Unzipping the document with 7-zip
  • Example phishing mail
  • Prompt to open 7-zip attachment
  • 7-zip archive containing resume
  • Resume dragged-and-dropped to desktop
  • Instructions after opening the document
  • Resulting resume
  • Visualization of the Microsoft Teams DLL hijack
  • Brute Ratel C2 session on Pepper's computer