The MS Office Magic Show

DerbyCon 8.0 - Evolution

Presented by: Pieter Ceelen, Stan Hegt
Date: Sunday October 07, 2018
Time: 12:00 - 12:50
Location: Kentucky E
Track: Track 3

In this talk we will explore a wide range of novel techniques that abuse Microsoft Office features for offensive purposes. No bugs, no software vulnerabilities, only features. In recent years, we have seen a strong focus on offensive research with regard to macros, DDE and OLE. However, there is so much more interesting and unexplored functionality in the MS Office suite that can be abused in all stages of an attack. Stan Hegt and Pieter Ceelen will discuss typical Office security configurations and demonstrate a variety of new offensive techniques within the Office suite. These techniques range from abusing old school Office ’97 features to abuse of the latest and greatest Office 2016 features. Amongst others, we will demonstrate how to abuse Word documents for gathering sensitive information from systems, how to create phishing documents for credential harvesting without a macro payload, new Office lateral movement techniques and bypasses of security features (such as Attack Surface Reduction), and how to hide your macros from antivirus and analyst tools by abusing interesting features in Office file formats and VBA specifications.

Stan Hegt

Stan has more than a decade of experience in offensive security, with a strong focus on red teaming and attack simulations. His passion is to analyse and adopt the tradecraft of the bad guys in order to closely mimic their techniques in attack simulations for his clients, ranging from banking to military. Stan loves developing malware for red teaming purposes (WinAPI <3) and exploring opportunities for abuse in Windows components such as MS Office, COM, .NET and PowerShell. During the conference you can ask him any question about the Dutch basketball league, and as a Scotch drinker (Islay, of course) he'd love to get a proper introduction into bourbon from a local expert.

Pieter Ceelen

Pieter is a seasoned security specialist with 10 years of hands-on hacking experience. As a consultant he executed large-scale pentest and red teaming engagements for numerous large multinationals. Furthermore, Pieter worked as a SOC/threat intelligence analyst and within Outflank executed incident response engagements for targeted attacks. As such he combines knowledge of real-life attacks and creative ways to detect them. Around the year 2000 Pieter maintained Office documents and templates, developed macros for Office and AutoCAD and could program in native PostScript. Nowadays, he applies this knowledge to develop new ways to (ab)use Office to its fullest extent.

