Sevagas

The last articles

Windows Initial Vector Series

by Emeric Nasi

Article published on 9 August 2022

OneNote is one of the Office suite components which is often overlooked when RedTeaming. Though OneNote cannot execute VBA Macros, it has an important potential for phishing as an initial vector.

License : Copyright Emeric Nasi (@EmericNasi), Lance James, some rights reserved

This work is licensed under a Creative Commons Attribution 4.0 International License.

1. Foreword

OneNote is one of the Office suite components which is often overlooked when RedTeaming. Though OneNote (...)

Read more ...

RedTeam With Publisher

Windows Initial Vector Series

by Emeric Nasi

Article published on 28 April 2022

Microsoft Publisher is another tool of the Office suite which is often ignored when RedTeaming. This is a basic review of the great potential Publisher has for Offensive Security engagements.

License : Copyright Emeric Nasi (@EmericNasi), some rights reserved

This work is licensed under a Creative Commons Attribution 4.0 International License.

1. Foreword

Microsoft Publisher is another tool of the Office suite which is often ignored when RedTeaming.

However, it has been (...)

Read more ...

MSDT DLL Hijack UAC bypass

by Emeric Nasi

Article published on 2 February 2022

UAC Bypass via DLL hijacking of Microsoft Support Diagnostic Tool (MSDT). The UAC bypass method described here is based on DLL hijacking which happens when loading the Bluetooth diagnostic package.

Note: This post requires some basic knowledge about Windows security and SysInternals toolsuit.

License : Copyright Emeric Nasi, some rights reserved

This work is licensed under a Creative Commons Attribution 4.0 International License.

1. Introduction

At the end of my talk at (...)

Read more ...

Hide HTA window for RedTeam

by Emeric Nasi

Article published on 15 July 2021

last modification on 22 November 2021

Short post to explain how to create a stealthy HTA file running without any window or taskbar mention. This can be used combined withe other techniques to create advanced payloads for redteaming/supply chain attacks.

License : Copyright Emeric Nasi (@EmericNasi), some rights reserved

This work is licensed under a Creative Commons Attribution 4.0 International License.

About

I wrote this short post to explain how to create a stealthy HTA file that launches without any window or taskbar mention. (...)

Read more ...

Launch shellcodes and bypass Antivirus using MacroPack Pro VBA payloads

by Emeric Nasi

Article published on 21 January 2021

last modification on 22 November 2021

If you have ever been frustrated with manually writing Office/VBS payloads that ends up being detected by antivirus read this post!
MacroPack Pro provides multiple options and templates related to shellcode launch, these options enable to build VBA code which is not detected by most security solutions.
Let me show you how MacroPack Pro automatically generates Office, HTA, shortcut, etc. shellcode launcher payloads which bypass security solutions.

License : Copyright Emeric Nasi (@EmericNasi), some rights reserved

This work is licensed under a Creative Commons Attribution 4.0 International License.

About

If you have ever been frustrated with manually writing Office/VBS payloads that ends up being detected by antivirus read this (...)

Read more ...

Advanced MacroPack payloads: XLM Injection

by Emeric Nasi

Article published on 18 September 2020

last modification on 22 November 2021

How it is possible to inject and run Excel 4.0 macro in memory from a non Excel format payload (ex Word, HTA, Help files,...). How to generate using MacroPack Pro.

License : Copyright Emeric Nasi (@EmericNasi), some rights reserved

This work is licensed under a Creative Commons Attribution 4.0 International License.

1. About

While developing MacroPack Community and Pro version I have been searching for nice existing or new ways to generate (...)

Read more ...

EXCEL 4.0 XLM macro in MacroPack Pro

by Emeric Nasi

Article published on 18 September 2020

last modification on 22 November 2021

Excel 4.0 macro (also called XLM) have been commonly used by malicious operators these last years, it has also been analyzed and commented by several researches (red or blue). So I decided to add the support of this language for MacroPack Pro.

License : Copyright Emeric Nasi (@EmericNasi), some rights reserved

This work is licensed under a Creative Commons Attribution 4.0 International License.

1. About

Excel 4.0 macro (also called XLM) have been commonly used by malicious operators these last years, it has also been (...)

Read more ...

Code Injection - Weaponize GhostWriting Injection

Code injection series part 5

by Emeric Nasi

Article published on 2 September 2020

Lets talk about this code injection technique called GhostWriting that works by manipulating the register states of the target process thread.

Prerequisites: This document requires some knowledge about Windows system programming. Also, it is mandatory to be familiar with concepts presented in Code injection series part 1.

License : Copyright Emeric Nasi (@EmericNasi), some rights reserved

This work is licensed under a Creative (...)

Read more ...

Bypass Defender and other thoughts on Unicode RTLO attacks

by Emeric Nasi

Article published on 25 May 2020

I have been looking a bit into Unicode and Right-To-Left-Override phishing attacks lately. Mainly because I noticed that Windows Defender was detecting payloads generated with the "—unicode-rtlo" options of MacroPack...

License : Copyright Emeric Nasi (@EmericNasi), some rights reserved

This work is licensed under a Creative Commons Attribution 4.0 International License.

I. About

I have been looking a bit into Unicode and Right-To-Left-Override phishing attacks lately. Mainly because I noticed that (...)

Read more ...

Code Injection - Disable Dynamic Code Mitigation (ACG)

Code injection series part 4

by Emeric Nasi

Article published on 1 December 2019

How to disable Dynamic Code Mitigation Policy (ACG) to be able to inject code and deploy hooks into Microsoft Edge and others

Prerequisites: This document requires some knowledge about Windows system programming. Also, it is mandatory to be familiar with concepts presented in Code injection series part 1 and 2.

License : Copyright Emeric Nasi (@EmericNasi), some rights reserved

This work is licensed under a (...)

Read more ...

Code Injection - Exploit WNF callback

Code injection series part 3

by Emeric Nasi

Article published on 1 December 2019

In this post I am going to take the WNF code injection method described in https://modexp.wordpress.com/2019/06/15/4083/, and generalize it to execute remote code that was injected into any process.

Prerequisites: This document requires some knowledge about Windows system programming. Also, it is mandatory to be familiar with concepts presented in Code injection series part 1.

License : Copyright Emeric Nasi (@EmericNasi), some rights reserved

This work is licensed under a Creative (...)

Read more ...

After spending a while to get everything to compile the injected code execution is blocked by (...)

Doubt

In the code segment for stub at line 38, the realmain() function call is given. If we are (...)

PE injection explained

Hi, I am currently writing a new series of post on injection including a refresh of this one (...)

Fun combining anti-debugging and anti-disassembly tricks

Sevagas ... ok I figured out the PEB byte check, looks like I could simply replace the last je (...)

Sevagas- Your approach is great, perspective from both viewpoints. "know your adversary", (...)

Latest comments