jymcheong / OpenEDRclient

Open Endpoint Defense & Response

Deny Child Processes from Macro #1

Closed jymcheong closed 3 years ago

jymcheong commented 3 years ago

What & Why

Abuse of Office macros is perhaps one of the most widely employed methods to deliver malware payloads, even with the decline of file-based malware executables & the increase of "Living-off-the-Land" methods. The latter methods are reliable & unhindered by most host controls.

Under "normal" circumstances, MS-Office related processes that have user interaction (e.g. Word, Excel, PowerPoint...) will not create a child process. There are, however, some background processes that might (tested under Office 2013 & 2016):

Generalized Offensive Macro

The last 2 are typically considered "file-less" since they do not involve writing binary files to disk for execution. This feature can be used together with Windows Defender Attack Surface Reduction (WDASR).

OpenEDR works for non-Windows 10 (e.g. legacy Windows 7) & out of the box without the complexity of GPO, even for environments without Active Directory.

How

Two-prong approach:

  1. Deny child process from macros (this thread)
  2. Strip macros from Office files upon being written to disk (next task)

Sevagas sums it up nicely on the last page of his/her article on evading WDASR; the 2nd step above actually helps to ensure the first step is not easily bypassed without the fine-grained rules like WDASR.

The 2nd approach is a form of Content Disarm & Reconstruction (CDR). Unlike fine-grained WDASR rules, which are specific to a method (e.g. WMI block, call to Win32 API, etc.), CDR is a broader control which in a way covers any gaps not dealt with by those specific rules.

References
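The first step of the two-prong approach, a deny rule on child processes of interactive Office applications, as an added example; this is not OpenEDRclient's own code. The event shape (a dict with `parent_image`, `image` and `command_line` keys) is modelled on Sysmon Event ID 1 fields and is an assumption, as are the `OFFICE_PARENTS` and `SCRIPT_HOSTS` sets and the `exceptions` parameter, which is where background processes found legitimate in testing would go. The sample events are constructed.

```python
"""Deny child processes of interactive Office applications.

Added example. Event fields are assumed (Sysmon-like), not OpenEDR's schema.
"""
from __future__ import annotations

import ntpath

# Interactive Office applications that, under normal use, do not create
# child processes. This is the assumption the rule is built on.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Script hosts and interpreters associated with "file-less" execution.
# A child in this set is tagged high severity; any other child is still denied.
SCRIPT_HOSTS = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}


def image_name(path: str) -> str:
    """Case-folded file name of a Windows image path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def evaluate(event: dict, exceptions: frozenset[str] = frozenset()) -> dict:
    """Return a verdict for one process-creation event.

    exceptions: file names of children that testing has shown to be legitimate
    for Office parents (empty by default; nothing is assumed here).
    """
    parent = image_name(event.get("parent_image", ""))
    child = image_name(event.get("image", ""))

    if parent not in OFFICE_PARENTS:
        return {"action": "allow", "severity": None,
                "reason": "parent is not an interactive Office application"}

    if child in exceptions:
        return {"action": "allow", "severity": "info",
                "reason": f"{child} is an allow-listed child of {parent}"}

    severity = "high" if child in SCRIPT_HOSTS else "medium"
    return {"action": "deny", "severity": severity,
            "reason": f"{parent} spawned {child}"}


def evaluate_events(events: list[dict], exceptions: frozenset[str] = frozenset()) -> list[dict]:
    """Attach a verdict to every event; the verdict keys do not collide with event keys."""
    return [dict(event, **evaluate(event, exceptions)) for event in events]


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo constructed"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "command_line": "WINWORD.EXE report.docx"},
    {"parent_image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop constructed"},
]

if __name__ == "__main__":
    for verdict in evaluate_events(SAMPLE_EVENTS):
        print(f"{verdict['action']:5} {verdict['severity'] or '-':6} {verdict['reason']}")
```

The rule keys only on the parent/child image names, so it has no per-method logic to bypass; that is the point the issue makes about CDR covering gaps in method-specific WDASR rules, applied here to the child-process step. Anything that turns out to be a legitimate background child in a given deployment is added to `exceptions` rather than weakening the rule itself.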

jymcheong commented 3 years ago

changes committed @ https://github.com/jymcheong/OpenEDRclient/commit/c34868b119cddf996ddfc510d69fbfe88c493742