This post is part of the ‘EmPyre Series’ with some background and an ongoing list of series posts [kept here].
One of the (many) challenges of operating in an OS X-heavy environment is initial access. Without a still-working exploit/0day, or a compromised management platform like JAMF that can push commands or agents to OS X hosts, you need some other way to get code running on a target machine. Luckily there is a way to craft macros for Office for Mac 2011 documents that execute arbitrary shell commands, which means we can weaponize documents for EmPyre just like the Windows equivalent.
Note: we are not claiming that we invented macros on OS X or this approach in general, that OS X is more or less secure than Windows, or any other broad-sweeping generalization. We are only trying to document our experience in the environments we have operated in and the solutions we have produced. If there is additional research applicable to this area, please contact us and we will update the content appropriately. We have also only tested this on Office for Mac 2011. Some people have reported that Office 2016 properly sandboxes macro execution, but we haven't had time to investigate the ramifications yet, so (as always) use at your own risk!
There is a great 2011 StackOverflow post that describes how to call the system() function exposed by libc in order to execute shell commands from a VBA macro. system() hands the string to /bin/sh -c and returns the shell's exit status, so anything you could type at a Terminal prompt can go in the command string. Here is what the simple skeleton looks like (the original snippet was missing its closing End Sub):
' Bind the libc system() function so VBA can call it directly
Private Declare Function system Lib "libc.dylib" (ByVal command As String) As Long
' Workbook_Open fires as soon as the user clicks "Enable Macros"
Private Sub Workbook_Open()
Dim result As Long
' Replace COMMAND with the shell command to run; the return value is the shell's exit status
result = system("COMMAND")
End Sub
EmPyre has a macro stager module that generates a macro of exactly this shape, with the COMMAND slot filled by the EmPyre Python launcher one-liner:
If you create an Office 2011 “Excel Macro-Enabled Workbook” (.xlsm) and save the macro into the workbook object, the code will run as soon as the user clicks “Enable Macros”. Click “Tools -> Macro -> Macros…”, name the macro and create it, then in the editor double-click ‘ThisWorkbook’ and paste in the generated macro code. The code has to live in ThisWorkbook, not in a standalone module, for the Workbook_Open event to fire. Then save and close the document.
Now test it all by opening the workbook and clicking “Enable Macros”:
Even if the document is closed afterwards, your agent should keep running. Bear in mind that system() blocks until the shell returns, so the launcher command has to background itself; a foreground command would hang Excel until it exited and would die with the document. The Thunderstrike demo video also shows this process.
Yes, macros aren’t just a Windows-only threat ;)