Offensive VBA 0x2 - Program & Command Execution
45:28

HackerSploit 24.01.2025 4,010 views 169 likes

Video description
Welcome to the second episode of the Offensive VBA series, where we explore how to execute programs and system commands using VBA macros—essential skills for red teamers looking to leverage VBA for initial access and automation. In this video, you will learn how to use the Shell function to run external programs and commands and leverage the WScript.Shell object for enhanced control over command execution. You will also learn how to use the Shell Window Style options to ensure stealth during execution.

Contents (10 segments)

Segment 1 (00:00 - 05:00)

Hey guys, HackerSploit here, back again with another video. Welcome back to the Offensive VBA series. In this video we're going to be, you know, building on what we covered in the previous video, the previous video essentially being an intro or a foray into creating VBA macros. And of course this series is geared towards red teamers or pen testers, and the ultimate objective is to give you the knowledge and skills required to, again, craft VB for initial access as well as a plethora of other tasks or objectives, right? In this video, and this is going to be quite an important video, we're going to be focusing on command and program execution, or program and command execution. This is quite seminal, or this particular video is quite important, because as you probably, you know, instinctively, you know, utilizing a Word or a macro-enabled Word document, let's say, you know, for initial access or to give you a reverse shell, will ultimately require you, or, you know, the macro, to execute a system command or a particular payload or executable. And this is something we'll be exploring the next video and process of, you know, integrating PowerShell a little bit more into our VBA macros. We're going to be exploring that right in this video, but we're going to be taking a look at, in the next video, how to develop a PowerShell dropper.

But with that being said, let's get started. As I said, I don't want to waste too much time, and we're going to, you know, dive into program and command execution with VBA macros. So we'll follow the steps outlined in the previous video. We'll just go ahead and create a blank document in Word, and I'm going to save this on my desktop, and I'm just going to call it, let's see, execution, and we want to save it as a docm file, which is a Word macro-enabled document format. There we are. And now we'll go into the Developer tab and we will open up the Macros dialog here, menu, and we'll limit this just to the current document and we'll create a macro. It really doesn't matter what name we use. We can just, you know, go for something like VBA execution or something like this. Just click on Create, and we are in the VBA integrated development environment.

So one thing that I mentioned in the previous video, fleetingly of course: objects as a data type, if you will, in VBA. So I want to touch on that before we, you know, get into any of the techniques that you can use to execute programs or commands, and of course we'll be exploring standard Windows commands and then PowerShell. But objects, you know, generally speaking in programming, are constructs that essentially represent, or allow you to represent, you know, entities. In the case of VBA and Office, they allow you to represent entities like, you know, file or document, application or workbook, and the key thing about objects is that they have properties, or characteristics if you will, they have methods, or actions, and events, you know, also known or referred to as triggers. So let's go ahead and cover that right now. So I'm just going to create a new subroutine here and we'll just call it Sub, I'll just say VBAObjects, and let's go ahead and get that going. So, you know, given that this is a data type, we can declare a variable, like for example, and we can utilize the WScript, or win script, .Shell method here to demonstrate this. So I'm just going to create a variable called objShell, or object shell, and this is going to be of type Object, okay? And now we're going to set the variable, or the value of the

Segment 2 (05:00 - 10:00)

variable objShell, and we now need to, and this is sort of the key thing when you're dealing with objects. Again, remember, objects are essentially constructs that represent real-world entities, and if, you know, let's say we wanted to use some of the methods, in this case specific to Word, or I should say Office or VBA, we would need to utilize CreateObject. So we would say CreateObject, not objects, and then we specify, you know, what method we want to call, and in this case we can use WScript, and we say .Shell, and this needs to be encapsulated with double quotes. And then we can now instantiate methods like Run, for example, native to WScript, or win script, depending on how you pronounce it. So we'll say objShell.Run and then we specify what we want to run. So if we wanted to execute notepad, notepad.exe, we can do that, and if we save this now, it should launch up notepad, all right?

And obviously, as I mentioned in the previous video, you know, if we were to open this macro-enabled document, you know, there's a high likelihood, you know, well, not high likelihood, this macro will not be executed, because again, we haven't called this subroutine, and, you know, we could utilize something like AutoOpen to do that for us, but again, that's beyond what I want to get into right now. So that's, you know, what I wanted to highlight with regards to objects, and the reason this is important is because you'll come across, you know, objects quite a bit when developing macros.

But let's dive into program and command execution. So I just highlighted one technique, which is using the, you know, WScript, or win script, but let's go back to the basics, or, you know, the rudimentary technique, which is the Shell function, right? So what I'll do is, let me just create a subroutine called, we'll just call it ShellExec, you know, something nonis or, you know, descriptive to a point. But what is the Shell function? Well, the Shell function is a built-in VBA function that can be used to execute programs and system commands on Windows. So the way you use it is fairly simple, the syntax is fairly simple. You just, you know, specify Shell, of course this is case sensitive, the Shell keyword or function, and then, you know, essentially tell Shell what you want to execute. So I can say notepad.exe, or let's go for a classic one, calc.exe, and you can then specify some other options to do with, you know, the execution of whatever you want executed, more specifically, you know, the actual window, if you will. So we'll dive into this at the end of the video, but for example I can utilize something like a vbNormalFocus, and you'll see what that does. Now these options here can also be represented in the form of numerical values, and again, I'll not dive too much into that, but let's go ahead and hit save, and if I run this now, you can see calc comes up, it executes calc.exe, you know, normal focus.

If I went ahead, and this is very important, especially, you know, from an offensive perspective, or from a stealth perspective I should say, what if I wanted to hide the execution of calc.exe? Well, I could say something like vbHide, right? And I go ahead and run this now, and in this case that should have actually hidden it. Let me see, vbHide, vbNormalFocus, vbHide, let's see. So if I want vbHide, let's try and say, let's use the numerical value for vbHide. Still brings it up. Normal focus would be one, yeah, normal focus, and then minimized focus. So if I wanted to minimize it, run, still brings it up. That's very

Segment 3 (10:00 - 15:00)

strange. Oh yeah, that's when we're using WScript. In any case, we'll get to that shortly. So, still using Shell, that's, you know, how to execute a program. Let me just switch this back to what I had set there. What if we wanted to execute a command? So in this case we can create another subroutine here called, you know, RunCommand, and in here we can then say Shell, and let's say cmd, we want to use cmd.exe, so, you know, system command, and we then say something like, you know, echo hello world, you know, just the basic stuff here, and in this case we can say vbNormalFocus, like so. And then we are just going to get rid of this. Actually, we can just call it, so Call RunCommand. And so there we are, calc, and you can see this executed. However, you know, because it's a CMD command, we still got the window, right? So if I run it again, why is that not opening up calc? That's very strange. Okay, there we are. Yeah, so you saw the command prompt window. If I now say vbHide, something like this, that's very strange. Try that again. vbHide, Call RunCommand, vbNormalFocus, calc should have executed without any issues. Let me just try and debug this. Yeah, that should be okay. Okay, so one second, let me just save that and run it again. Yeah, just a second. Okay, that's working. vbNormalFocus, Call RunCommand, yeah, that should be fine. Let's go ahead and set this to As Double, vbNormalFocus. Oh yeah, one second, those are the window options. Let me just check something here. That's very strange, calc should execute. ShellExec, RunCommand, calc.exe, yeah, there we are. Okay, so that works without any issues.

Anyway, so let's take a look at this particular subroutine here. You know, we haven't been able to confirm that this actually happened, so we can actually try and verify this by outputting the value of the echo into, using a redirector. So we can say C, let's store it in the temp folder, and we can just call it, we can save it under output.txt. Okay, so let's stop that, run it again. Let's see, This PC, temp. That's very strange. Not reset. RunCommand.

Segment 4 (15:00 - 20:00)

Hm, yeah, that should work. Actually, let's get rid of this here. What if I save it on my desktop? So we'll go to Users, admin, Desktop, and let's try and save it here. So I think that executed. There we are, output. So the folder needs to exist, I forgot that. So we can see that works, and you can then hide the window, so, you know, it does not look like anything fishy is going on. Anyway, that's the Shell function.

Now, the reason I mentioned objects, as you saw, or as we did in the beginning, is going to become important now. So that brings us to the win script, or WScript, Shell object. So, you know, before we actually get into that, what is WScript referring to? Well, you may be thinking to yourself, that sounds familiar, and you're right. WScript, or win script, is an abbreviation for the Windows Script Host, or WSH. What is WSH? Well, it is an inbuilt Windows scripting environment that allows you to execute scripts that are written in languages like VBScript and JScript. And in the context of VBA, you know, this particular object is part of the Windows Script Host, and it really provides more flexibility, or functionality, I would say, than the Shell function. And basically, at a general level, when it comes down to the Windows operating system, it provides you with a powerful interface to interact with the Windows operating system and allows you to do a lot more things than you can do, let's say, with something like Shell. So in VBA, or when you're writing VBA macros, you typically use WScript.Shell, or the WScript.Shell object that's provided by the Windows Script Host, to perform, you know, various system-level tasks. One key thing to note is that it's not a standalone language or a host in VBA, but it's really another way to interface with the WSH functionalities directly, or from within VBA.

And there are two methods that the object allows us to utilize when it comes down to program and command execution. The first is Run and the second is Exec. So in the case of Run, this allows you to execute a command asynchronously or synchronously, and in the case of the Exec method, this is very useful because it allows you to execute a command and then provides you with access, as we saw in the previous video, to input and output streams, so you can actually control, or you can take output from a particular command and then sort of display or pass that output in, let's say, a message box, if that makes any sense. So the bottom line is that the win script, or WScript.Shell, object allows you, you know, when you're developing your macros, to interact with Windows, and, you know, allows you to execute commands, programs, launch files, applications, or even open up URLs. It allows you to modify environment variables. It also, and this is quite important, and we'll see that in the next video, allows you to access and manipulate the Windows registry, so you can actually, like, you know, download or drop an executable or a payload and then configure it as an autorun program, because again, you can modify the registry and get it to execute on a system startup.

So we have already, you know, covered how to use this, and what I'm going to do is I'm just going to create a new subroutine here called win script, something like this, and then, you know, we create a variable, in this case I'll just call it, you know, what we called it previously, which is going to be obj

Segment 5 (20:00 - 25:00)

Shell, and this is going to be As Object. So we can then Set objShell, and then we CreateObject, and then we specify, you know, what we want. So we're essentially creating an instance of WScript.Shell, and we specify it here, so WScript.Shell. This is case sensitive, obviously. And there we are. So we can now, you know, pretty much do what we want, which brings us to the key execution methods that can be used. So I mentioned the first being Run, and then Exec. So for example, in the case of Run, I can say, you know, objShell, and of course we took a look at this, Run, and then notepad.exe, for example, and then we specify, you know, the actual window options, so, you know, whether we want it hidden, etc., and then we can also specify a couple of other things. So the syntax is fairly simple. We have the command or the program we want to run, and then the window style, which can either be the actual name of the window style or the numerical equivalent. So, you know, we wanted it hidden, etc., we can do that as well. And then we also have an optional argument we can specify, and that is the wait-on-return argument, which, you know, depending on what you set, will essentially tell VBA to either wait for the command to finish executing or not. So in this case, you know, we can say False, for example. I run this here, there we are, and now if I change this, you can see, to True, it doesn't really affect anything in this particular case. You know, the importance of this will become apparent as we progress.

But we also have the Exec method, which, you know, gives us a bit more functionality but is quite tedious to use. So what I'll do is, let me get rid of this. Let's use another example that will allow me to show you the benefits of the Exec method when using the WScript.Shell object. So I mentioned previously, or a couple of minutes ago, the fact that the Exec method allows you to, you know, access standard input, output and also error streams. So I'm just going to create a new variable called output, to manage output or to handle output, and this is obviously going to be of type String. And then we're going to create another one here, and we'll just say objExec, this is going to be Object. And then we're going to say Set objExec is going to be equal to obj, no, we can just call it, let's see, huh, and we can just say objShell.Exec, and yeah, in here is where we would execute what we want to execute. So cmd.exe, command, echo, you know, something like hello or something simple. And then we can use a Do While loop, so we can say Do While Not obj, sorry, objExec.StdOut, so .AtEndOfStream, yeah, that should be correct. And then we say output is going to be equal to output, and we're going to concatenate, so objExec.StdOut.ReadLine, okay? And then next, do a line carriage here. That can be done using vb

Segment 6 (25:00 - 30:00)

CrLf, and Loop, okay? And then we can also use a message box to display the output, or the value of the output variable. So let me go ahead and run this. Object required. Oh, my bad, I made a mistake. There we are, yeah, just call this objExec. Yes, so obj, made a mistake there. Set objExec. Ah, I forgot, I didn't make any mistake, I forgot to declare. Yeah, so we need to say Set, we need to set, actually we need to create a Dim, let's see here. Yeah, so I created, yeah, so we're going to say objShell As Object, yeah, go ahead, and then going to say Set objShell, and we're going to say CreateObject. Yeah, there we are, that worked, and we can now see. Anyway, just forgot to create the object to handle, or to essentially allow us to access, you know, this particular object and its methods.

So we created an output variable, or a variable to handle output, and then created two objects, objExec and objShell. objShell is what we use to execute the actual command here with CMD, and then we set objExec to, you know, objShell.Exec, because, you know, now objShell can actually call on the Windows Script, the win script, methods, so .Exec being one of them. Then we essentially executed, and then we have a, you know, Do loop here, where we say Do While Not objExec.StdOut.AtEndOfStream, and then, you know, output is going to be equal to output and objExec.StdOut.ReadLine, so essentially getting stuff in, and there we are. So for example, we can also replace this with a command like ipconfig and then run that here, and you can see it passes that out into a message box. So quite powerful.

Now, if we wanted, let's say, to run a command asynchronously, and let me just create AutoOpen just so I can control a few things. I'm going to create, we're just going to call this Sub AsyncExec, you know, something like this. So we can say Dim objShell As Object, and we're then going to say Set objShell is equal to, you know, CreateObject, and then we call WScript here, class as string, so WScript.Shell, and we can then say obj, so asynchronous execution I think I already highlighted, but objShell.Run, yeah, and then notepad or calc.exe, the window options here, and then we can just set this to True, sorry, True, there we go. And then in here I will call Async

Segment 7 (30:00 - 35:00)

Exec, there we go. All right, so now that we have that basis, or that setup, there, we can now actually proceed. So let's move on to executing PowerShell commands. So I'm going to create another subroutine here, and I'm just going to call it Sub RunPowerShell, I think we can just call it that. Let me just comment that out there, we don't want that to be executed. So how do we execute PowerShell? Well, we would need to use the win script, or WScript, object. So we can say Dim objShell As Object, and then, as you know already, Set obj, and you can use different variable names depending on your requirements, that's going to be equal to CreateObject. And then now this is where things become different. We just say objShell.Run, and then instead of CMD we say powershell.exe, and then command, and then in here we need to specify, in this case, let's try and get a list of processes and pipe this and say Out-File. Let's save it, and I believe I still have the path here, Desktop, and I will just call it processes.txt. There we go. And we can actually have this hidden, and then, okay. And can I actually wrap here my code? Anyway, so let's go ahead and call this one, Call RunPowerShell, okay? And let's go ahead and run that now. Okay, it is running. There we are, processes. Open this up, and there we are, we're able to dump the processes.

So this is how powerful VBA is, and of course, you know, I'm sort of building or leading towards the reverse shell stuff, but you can imagine what can be accomplished with this. Again, you need not necessarily even, you know, try and get a reverse shell, you know, from a malicious Word document or a macro-enabled document perspective. You can also, you know, just try and dump information or, you know, execute stuff like that, or stage specific files that, let's say, would be data you plan on exfiltrating, and stuff like this. But there you are.

Okay, so one more technique that I want to highlight is in-memory execution of PowerShell. So I'll create another, yeah, my bad, that is a single quote. I will create another subroutine here called, now we'll just call it, yeah, InMemExec, so in-memory PowerShell execution. So, well, we actually don't need to go through this process of typing this in, sorry, let me just copy this here, paste that in there, and then now we would say objShell.Run, and then in here we can say powershell.exe, then no profile, so this is the PowerShell standards, or, you know, what you typically do, so execution policy, we want to set that to bypass, and then the command. In here we would essentially say System, in this case System.Diagnostics.Process, Start, we specify what we

Segment 8 (35:00 - 40:00)

want to start. So if we didn't want to use a script and we wanted to execute this PowerShell command in memory, then we can do that here, and I think the syntax is good. So we'll hide this as well, True, okay, and in here we'll now just say Call InMemExec. All right, let's see that work. Actually, in this case I hid it, my bad. So let's try and use the window style one, which essentially would be vbNormalFocus. That's weird. notepad.exe, no profile, yeah, powershell.exe, no profile, execution policy bypass, and then, yeah, System.Diagnostics.Process and then Start notepad.exe. Let's try something else. Let's change this to hidden, I don't want to see the PowerShell window. If I go in here, let me just check something, so processes, what are we executing here, calc.exe. If I say notepad.exe, I'm just going to minimize this, or just resize it a little bit here, and I just want to see whether we're actually seeing any, we don't have notepad open up. Okay, so let me just go ahead and save this in here. Uh-huh, my bad, I forgot that I'm not supposed to concatenate or encapsulate it in single quotes, so let me show you this now. So if I run it now, you can see calc works and that's executed in memory. Again, in this case, let me just set this to True again, just really quickly, run that again, yeah, that should be fine, and then if I say notepad.exe, there we are. Okay, fantastic. So, in-memory execution.

So a few things I want to just point out here, and that is the actual window styles, more specifically for Shell. So let me, I know this is getting quite messy at the moment, but let me create a new subroutine here. I'm just going to call it RunShell, just with the Run function. I just wanted to highlight that, so, you know, I brought it up, but let's say notepad.exe. This is very important because you generally speaking want to hide your windows. You don't want stuff coming up that looks eerily suspicious. So, as I said, the window styles can either be written, you know, in their constant value name, or, you know, the constant name, which would either be something like vbHide or something like this. vbHide is equal to zero, so you have vb

Segment 9 (40:00 - 45:00)

Hide, vbNormalFocus, which would be one, and then you have vbMinimizedFocus, which will essentially bring up the window as minimized, and then vbMaximizedFocus would be three, this displays the window as maximized, and then vbNormalFocus, or vbNormalNoFocus, which, this will display the window, the value would be four, but this would display the window in its most recent size and position without focus. So for example, let me just use something a little bit more illustrative here. So, you know, if I say, we'll use calc, so we'll use the numerical value, and I hit, so I'm just going to call this one here, run, sorry, Call RunShell, okay? And I'm going to execute this now. So you can see we used the first one, vbHide. In this case it does not seem to be working in terms of hiding that. Let's try notepad. Just a second, actually, let's try and maximize this, maximized. Okay, hm, that's very strange. If I say vbMaximizedFocus, that is very strange indeed. Let's try notepad. Yeah, that works, so I don't think we can do it with calc.

Anyway, so maximized focus. Then if we try, let's actually demonstrate this, I'll demonstrate it to you. So if I set this to, let's just use normal focus, so the numerical value would be one. So I'll now run this. Okay, normal focus. Now let's take a look at this tree here, okay, and I'm just going to resize it so you can actually see that there. I'm now going to set this to zero to essentially hide it, and then I'm going to run. Pay attention. So you can see it's open in the background, there's no window that popped up. This is very important as a red teamer to take note of. And then of course we did, let's try minimized focus, the value would be two, so vbMinimizedFocus. Opened up another one there. Let me just terminate these two here, just want to confirm something. Yeah, minimized focus, and then we did maximize. We can also try six, which would be vbMinimizedNoFocus. Yeah, so that's minimized no focus, because it opens it up but it's minimized.

All right, so those are the window styles, and vbHide, just to summarize, is useful for silent execution, especially when automating commands that really don't require user interaction. vbNormalFocus is typically used when, you know, you want the user to interact with the program that's been executed, and then vbMinimizedFocus and vbMaximizedFocus are really ideal for controlling the initial size and the focus state of the window, and then vbNormalNoFocus and vbMinimizedNoFocus allow background execution without interrupting the user's flow. So that is, I know this has been quite a long video, that is command and program execution in VBA, and now we can start diving into the more traditional offensive stuff, you know, like developing a dropper or a macro to, you know, download and execute a payload and stuff like this. But one more thing, remember we have AutoOpen, we always need to test and see whether, I'm going to use one there just to see whether we can get notepad to open up. I'm going to save this doc. Let's actually confirm that it executes, and I'm going to resize my Task Manager here, but I'm going to open that up and I'm

Segment 10 (45:00 - 45:00)

going to run the macro, and there we are. Works, fantastic. And yeah, so hopefully you found this video valuable. If you liked this video, found value in it, please leave a like down below. If you have any comments or questions or feedback, please leave them in the comment section down below. Thank you very much for watching. That's going to be it from me, and I'll be seeing you in the next video.
