Today's post is a brief one on some Microsoft Word and sandbox detection / discovery / fun.
Collect user name from Microsoft Office
$userName = (Get-ItemProperty -Path "HKCU:\Software\Microsoft\
Start-Process -FilePath "notepad.exe" -ArgumentList $userNameOffice\Common\UserInfo"). UserName
Run a Microsoft Word doc with.. .asd extension
- C:\Users\USERNAME\AppData\Local\Microsoft\Word
- C:\Users\USERNAME\AppData\Roaming\Microsoft\Word
- C:\Users\USERNAME\AppData\Local\Temp
- C:\Users\USERNAME\\AppData\Local\Microsoft\Office\UnsavedFiles
I haven't seen much use of actual .asd files, likely as the documents will need to be loaded from one of the above directories, however... after crafting your malicious document, you can simply rename it from badfile.docx to badfile.asd, and it will run fine.
It seems at least 1 actor has used an .asd extension before, as reported on by Didier Stevens:
https://isc.sans.edu/diary/CrowdStrike+Outage+Themed+Maldoc/31116
In short, it's another way of evading sandboxes or other potential detection mechanisms thay may not support these .asd or .wbk extensions or even consider them harmless.
No comments:
Post a Comment