Press "Enter" to skip to content

OS X Office Macros with EmPyre

This post is part of the ‘EmPyre Series’ with some background and an ongoing list of series posts [kept here].

One of the (many) challenges with operating in an OS X heavy environment is initial access. Without a still working exploit/0day or compromising something like JAMF to deploy out OS X agents/commands you need some way to trigger initial access on target machines. Luckily there’s a way to craft macros for OS X Office 2011 documents that trigger system commands, meaning we can weaponize documents for EmPyre just like its Windows equivalent.

Note: we are not claiming that we invented macros on OS X or this approach in general, that OS X is more/less secure than Windows, or any other broad-sweeping generalizations. We’re only trying to demonstrate our experience with the environments we’ve operated in and the solutions we’ve produced. If there is additional research applicable to this area please contact us and we will update content appropriately. We also have only tested this on Office for Mac 2011. Some people have reported that Office 2016 properly sandboxes execution, but we haven’t had time to investigate the ramifications yet, so (as always) use at your own risk!

There’s a great 2011 StackOverflow post that describes how to use the system() call exposed from libc in order to execute shell commands from VBA macro scripts. Here’s what the simple skeleton code looks like:

EmPyre has a macro stager module that will generate a macro that triggers the Python launcher command:

empyre_macro_generation

If you create an Office 2011 “Excel Macro-Enable Workbook” (.xlsm) and save the macro as a new module, the code will be triggered as soon as “Enable Macros” is clicked by the user. Click “Tools -> Macro -> Macros…”, name the macro and create it, double click ‘ThisWorkbook’ and paste in the generated macro code. Then save and close the document.

empyre_macro1

empyre_macro2

empyre_macro3

Now test it all by opening up the workbook and click “Enable Macros”:

emypre_enable_macros

empyre_macro_checkin

Even if the document is closed, your agent should still continue execution. The Thunderstrike demo video also shows this process.

Yes, macros aren’t just a Windows-only threat ;)

2 Comments

  1. Da Scho Da Scho June 1, 2016

    Love love love this. And I appreciate you not choosing to get into OS sweeping statements and inciting silly flame wars. I appreciate you sharing with the class!

    • harmj0y harmj0y June 1, 2016

      Thanks! If we’ve missed previous work in some place please let us know. We tried to do our homework but things always can slip through.

Leave a Reply

Your email address will not be published. Required fields are marked *