@Antonlovesdnb
Created April 17, 2022 15:45

VSTO Office Files Detection Notes

Original Work:

https://medium.com/@airlockdigital/make-phishing-great-again-vsto-office-files-are-the-new-macro-nightmare-e09fcadef010

Interesting Sysmon Events

Image Loads

Loading of VBE/VBA DLLs, even though the document contains no macro

Image loaded:
RuleName: Image Load-Include
UtcTime: 2022-04-17 14:06:36.035
ProcessGuid: {26d732db-1eeb-625c-f001-000000007400}
ProcessId: 7224
Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
ImageLoaded: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL
FileVersion: 7.01.1091
Description: Visual Basic Environment International Resources
Product: Visual Basic Environment
Company: Microsoft Corporation
OriginalFileName: -
Hashes: MD5=CDA3EA478C604783B76964E88FD7030D
Signed: true
Signature: Microsoft Corporation
SignatureStatus: Valid
User: LARES\Administrator

Loading of CLR

Image loaded:
RuleName: -
UtcTime: 2022-04-17 14:06:36.082
ProcessGuid: {26d732db-1eeb-625c-f001-000000007400}
ProcessId: 7224
Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
ImageLoaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
FileVersion: 4.8.4470.0 built by: NET48REL1LAST_C
Description: Microsoft .NET Runtime Common Language Runtime - WorkStation
Product: Microsoft® .NET Framework
Company: Microsoft Corporation
OriginalFileName: clr.dll
Hashes: MD5=3C242B76E36DAB6C0B1E300AE7BC3D2E
Signed: true
Signature: Microsoft Corporation
SignatureStatus: Valid
User: LARES\Administrator

Loading of Microsoft.Office.Tools.ni.dll - this is one of the DLLs that get downloaded

Image loaded:
RuleName: -
UtcTime: 2022-04-17 14:06:36.207
ProcessGuid: {26d732db-1eeb-625c-f001-000000007400}
ProcessId: 7224
Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
ImageLoaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.O5949707a#\9488eaffce7b80b43c74164f10974bf2\Microsoft.Office.Tools.ni.dll
FileVersion: 10.0.60828.0
Description: Microsoft.Office.Tools.dll
Product: Microsoft (R) Visual Studio (R) 2010
Company: Microsoft Corporation
OriginalFileName: Microsoft.Office.Tools.dll
Hashes: MD5=DC96A989F72E15002DC96DB7A0286BDA
Signed: false
Signature: -
SignatureStatus: Unavailable
User: LARES\Administrator

Other potentially interesting DLLs/Images Loaded:

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll
C:\Windows\System32\wbem\wbemprox.dll
C:\Windows\System32\wbem\wbemsvc.dll
C:\Windows\System32\wbemcomn.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\350cc142cbf24bf0c58b8a15a4a7576c\Accessibility.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.O2eb0cc9a#\2f1bcc300f118525a68e7bc0b75fa36b\Microsoft.Office.Tools.v4.0.Framework.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.O4a946565#\783e0007ed9243399dc317981d74bdb8\Microsoft.Office.Tools.Common.Implementation.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.O5949707a#\9488eaffce7b80b43c74164f10974bf2\Microsoft.Office.Tools.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.O854200f9#\cb740b751dba9b84b69c1c632dfbb00e\Microsoft.Office.Tools.Common.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Oab3f8ec6#\1b15b7d9214b992dbf40dc1e0480aff0\Microsoft.Office.Tools.Word.Implementation.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Oeab01fba#\8c5505c1dba74a57fb87edacc141bcfe\Microsoft.Office.Tools.Word.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V1955d7fd#\af1b73e85f62700723d027eb23a07f9f\Microsoft.VisualStudio.Tools.Applications.ServerDocument.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V28a60cc2#\145fe9f32778b075efeca52fa504b7ae\Microsoft.VisualStudio.Tools.Office.Runtime.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V883708cb#\eb6b6fb0f21915830b28c9e0f1d434eb\Microsoft.VisualStudio.Tools.Applications.Runtime.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf9a08577#\6ad9a85d12bc9d7fb10254634e375474\Microsoft.VisualStudio.Tools.Applications.Hosting.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\4046283e0547cf962895addfab543a71\PresentationFramework.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\297cb0e6fe49a124df05271c2ae25f4d\PresentationCore.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\168562c979bde30e369325e74ca2d255\System.Configuration.Install.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\b975269524a5b5c4024312664f699596\System.Configuration.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\e950876872d82f53f34ddb39c91b2d04\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\d9075d43740193513df92ce40e7eb314\System.Data.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\c4585423a73adaee454e8b5a2bbc5034\System.DirectoryServices.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\7b4834f232ee0b2acdbb224f8126d451\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\92568befc418011446e548ce95a1dfa3\System.Numerics.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt73a1fc9d#\1a753fc53faf9402dcf22bc88ff9dfa4\System.Runtime.Remoting.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runteb92aa12#\c2bd3e51726bac781e7bc8fd7111bd16\System.Runtime.Serialization.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\0451c9c979cd106d4d2616937abc7aca\System.ServiceProcess.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Transactions\dfb4bad9d5eed5a79b21677bff43283f\System.Transactions.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.Services\080998bec79b73d6a70ba1f3700719d6\System.Web.Services.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\5de36576d8e9f22de79c12c86bb1b178\System.Web.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\21880015ae86d10263ebb0b6b0b96141\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xaml\662111c906d9fbe00e8ebfd692ad1734\System.Xaml.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml.Linq\2775ea251939b1fe4b8115ce54b9a097\System.Xml.Linq.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\4b4c18876d4db2b65562def74ec6630f\System.Xml.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System\6aaf038fc5a894ddf3cbce94407fb772\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsBase\f244ed885f26c41420cef02a61dae140\WindowsBase.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\c5986fd5d6139abd4222b5cb6a32cadf\mscorlib.ni.dll

Applicable Sigma Rules:

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml
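The image-load pattern above written out as detection logic, as an added example that is not part of the gist: it parses the "Key: Value" rendering of the Sysmon Event ID 7 records shown above and labels an Office host loading the CLR, the VSTO runtime assemblies, or the VBE DLLs. The Office host list beyond WINWORD.EXE and the label names are assumptions.

```python
OFFICE_HOSTS = ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE")  # assumed host set
VSTO_MARKERS = ("microsoft.office.tools", "microsoft.visualstudio.tools.")

def parse_sysmon_text(block):
    """'Key: Value' rendering of one Sysmon event -> dict; the first line
    ('Image loaded:') becomes EventType. Split on the first ':' only so
    'C:\\...' paths and timestamps stay intact."""
    lines = [ln for ln in block.strip().splitlines() if ln.strip()]
    ev = {"EventType": lines[0].rstrip(":").strip()}
    for ln in lines[1:]:
        key, _, val = ln.partition(":")
        ev[key.strip()] = val.strip()
    return ev

def classify_image_load(ev):
    """Label an Office host loading CLR, VSTO runtime or VBE images, else None.
    NGEN images under NativeImages_* carry no Authenticode signature (the
    event above shows Signed: false), so the load itself is the signal,
    not the missing signature."""
    if ev.get("EventType") != "Image loaded":
        return None
    if not ev.get("Image", "").upper().endswith(OFFICE_HOSTS):
        return None
    loaded = ev.get("ImageLoaded", "").lower()
    name = loaded.rsplit("\\", 1)[-1]
    if name in ("clr.dll", "clrjit.dll"):
        return "office_clr_load"           # what the CLR Sigma rule above catches
    if any(m in loaded for m in VSTO_MARKERS):
        return "office_vsto_runtime_load"  # add-in / VSTO runtime assemblies
    if "\\vba\\vba7.1\\" in loaded:
        return "office_vbe_load"           # VBE for a document with no macro
    return None

# Constructed samples, abridged from the two events above.
SAMPLE_CLR = r"""Image loaded:
UtcTime: 2022-04-17 14:06:36.082
Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
ImageLoaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
"""
SAMPLE_VSTO = r"""Image loaded:
UtcTime: 2022-04-17 14:06:36.207
Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
ImageLoaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.O5949707a#\9488eaffce7b80b43c74164f10974bf2\Microsoft.Office.Tools.ni.dll
Signed: false
"""

def demo():
    """Labels for the two samples: ('office_clr_load', 'office_vsto_runtime_load')."""
    return tuple(classify_image_load(parse_sysmon_text(s)) for s in (SAMPLE_CLR, SAMPLE_VSTO))
```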

Process Access - Function Calls

C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d9437 - InternalCreateProcessWCommand
C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d848f - ExternalCreateProcessWCommand
C:\Windows\SYSTEM32\windows.storage.dll+1a166d - CallCreateProcess
C:\Windows\SYSTEM32\windows.storage.dll+19a733 - InvokeCreateProcessVerbLaunch
C:\Windows\SYSTEM32\windows.storage.dll+19a61d - InvokeCreateProcessVerbExecute
C:\Windows\System32\SHELL32.dll+5e3d9 - DoExecute
C:\Windows\System32\SHELL32.dll+610be - ShellExecuteW

Sample Sysmon Config Snippets:

<Rule groupRelation="and">
    <SourceImage condition="contains">Microsoft Office</SourceImage>
    <CallTrace condition="contains" name="function_name=InternalCreateProcessWCommand">C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d9437</CallTrace>
</Rule>
<Rule groupRelation="and">
    <SourceImage condition="contains">Microsoft Office</SourceImage>
    <CallTrace condition="contains" name="function_name=CallCreateProcess">C:\Windows\SYSTEM32\windows.storage.dll+1a166d</CallTrace>
</Rule>

Sample Event:

Process accessed:
RuleName: function_name=InternalCreateProcessWCommand
UtcTime: 2022-04-17 15:23:32.082
SourceProcessGUID: {26d732db-30f3-625c-3803-000000007400}
SourceProcessId: 8104
SourceThreadId: 11180
SourceImage: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
TargetProcessGUID: {26d732db-30f4-625c-3b03-000000007400}
TargetProcessId: 4852
TargetImage: C:\Windows\system32\notepad.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9e664|C:\Windows\System32\KERNELBASE.dll+8e73|C:\Windows\System32\KERNELBASE.dll+71a6|C:\Windows\System32\KERNEL32.DLL+1cbb4|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+d9437|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+d848f|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+d8ef8|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+d192e|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+d24c7|C:\Windows\SYSTEM32\windows.storage.dll+1a166d|C:\Windows\SYSTEM32\windows.storage.dll+136c92|C:\Windows\SYSTEM32\windows.storage.dll+19a90c|C:\Windows\SYSTEM32\windows.storage.dll+19a733|C:\Windows\SYSTEM32\windows.storage.dll+19a61d|C:\Windows\SYSTEM32\windows.storage.dll+1d9724|C:\Windows\SYSTEM32\windows.storage.dll+c1fc7|C:\Windows\SYSTEM32\windows.storage.dll+135cf7|C:\Windows\System32\SHELL32.dll+4dfa1|C:\Windows\System32\SHELL32.dll+5e3d9|C:\Windows\System32\SHELL32.dll+60d00|C:\Windows\System32\SHELL32.dll+6187b|C:\Windows\System32\SHELL32.dll+610be|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\6aaf038fc5a894ddf3cbce94407fb772\System.ni.dll+38b1ac|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\6aaf038fc5a894ddf3cbce94407fb772\System.ni.dll+2d41f2
SourceUser: LARES\Administrator
TargetUser: LARES\Administrator
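The call-trace matching behind the two Sysmon rules above, as an added example that is not from the gist: it splits a Sysmon Event ID 10 CallTrace into module+offset frames and names the ones from the function table, then checks for the full-access handle seen in the sample event. The offsets are tied to the DLL builds on the original test host, so they are assumed to need re-resolving per build.

```python
# Offsets from the function table above; assumed specific to those DLL builds.
KNOWN_FRAMES = {
    "appvisvsubsystems64.dll+d9437": "InternalCreateProcessWCommand",
    "appvisvsubsystems64.dll+d848f": "ExternalCreateProcessWCommand",
    "windows.storage.dll+1a166d": "CallCreateProcess",
    "windows.storage.dll+19a733": "InvokeCreateProcessVerbLaunch",
    "windows.storage.dll+19a61d": "InvokeCreateProcessVerbExecute",
    "shell32.dll+5e3d9": "DoExecute",
    "shell32.dll+610be": "ShellExecuteW",
}

def parse_sysmon_text(block):
    """'Key: Value' rendering of one Sysmon event -> dict (first line = EventType)."""
    lines = [ln for ln in block.strip().splitlines() if ln.strip()]
    ev = {"EventType": lines[0].rstrip(":").strip()}
    for ln in lines[1:]:
        key, _, val = ln.partition(":")
        ev[key.strip()] = val.strip()
    return ev

def calltrace_frames(calltrace):
    """'path+off|path+off|...' -> ['module+off', ...] with lowercase basenames."""
    frames = []
    for frame in calltrace.split("|"):
        path, _, off = frame.rpartition("+")
        frames.append(path.rsplit("\\", 1)[-1].lower() + "+" + off.lower())
    return frames

def named_frames(ev):
    """Table functions present in an Office host's call trace, innermost first."""
    if ev.get("EventType") != "Process accessed":
        return []
    if "microsoft office" not in ev.get("SourceImage", "").lower():
        return []
    return [KNOWN_FRAMES[f] for f in calltrace_frames(ev.get("CallTrace", ""))
            if f in KNOWN_FRAMES]

def is_office_spawn(ev):
    """Office took a full-access (0x1FFFFF) handle on another process via a
    CreateProcess/ShellExecute frame from the table: an add-in launching a child."""
    return ev.get("GrantedAccess", "").lower() == "0x1fffff" and bool(named_frames(ev))

# Constructed sample, abridged from the event above (trace cut to the relevant frames).
SAMPLE = r"""Process accessed:
UtcTime: 2022-04-17 15:23:32.082
SourceImage: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
TargetImage: C:\Windows\system32\notepad.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9e664|C:\Windows\System32\KERNELBASE.dll+8e73|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+d9437|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+d848f|C:\Windows\SYSTEM32\windows.storage.dll+1a166d|C:\Windows\SYSTEM32\windows.storage.dll+19a733|C:\Windows\SYSTEM32\windows.storage.dll+19a61d|C:\Windows\System32\SHELL32.dll+5e3d9|C:\Windows\System32\SHELL32.dll+610be|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\6aaf038fc5a894ddf3cbce94407fb772\System.ni.dll+38b1ac
"""
```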

File Creation Events

Log File created in: C:\Users\administrator\AppData\Local\Microsoft\Windows\INetCache\IE\3YO3RLUX (directories will vary)

Log File contents

This looks like a great forensic artifact; it contains:

  • Windows and DLL versions
  • Source where the add-in files were downloaded from (!!)
  • Name of the assembly loaded

PLATFORM VERSION INFO
	Windows 			: 10.0.19044.0 (Win32NT)
	Common Language Runtime 	: 4.0.30319.42000
	System.Deployment.dll 		: 4.8.4270.0 built by: NET48REL1LAST_C
	clr.dll 			: 4.8.4470.0 built by: NET48REL1LAST_C
	dfdll.dll 			: 4.8.4270.0 built by: NET48REL1LAST_C
	dfshim.dll 			: 10.0.19041.1 (WinBuild.160101.0800)

SOURCES
	Deployment url			: http://192.168.1.158:9999/VSTOTest.vsto
	Application url			: http://192.168.1.158:9999/Application%20Files/VSTOTest_1_0_0_4/VSTOTest.dll.manifest

IDENTITIES
	Deployment Identity		: VSTOTest.vsto, Version=1.0.0.4, Culture=neutral, PublicKeyToken=8b52e2ca6fb271a7, processorArchitecture=msil
	Application Identity		: VSTOTest.dll, Version=1.0.0.4, Culture=neutral, PublicKeyToken=8b52e2ca6fb271a7, processorArchitecture=msil, type=win32

APPLICATION SUMMARY
	* Online only application.

ERROR SUMMARY
	No errors were detected during this operation.

COMPONENT STORE TRANSACTION FAILURE SUMMARY
	No transaction error was detected.

WARNINGS
	There were no warnings during this operation.

OPERATION PROGRESS STATUS
	No phase information is available.

ERROR DETAILS
	No errors were detected during this operation.

COMPONENT STORE TRANSACTION DETAILS
	No transaction information is available.
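A parser for the deployment log shown above, as an added example that is not part of the gist: it pulls the deployment URL and identity out of the SOURCES and IDENTITIES sections and flags what a responder would check first (plaintext http, an IP literal as host, a host outside an allowlist). The trusted_hosts allowlist is an assumed input.

```python
import ipaddress
from urllib.parse import urlparse

def parse_deployment_log(text):
    """Section headers (unindented, e.g. SOURCES) -> dict of 'Key : value' entries."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = line.strip()
            sections[current] = {}
        elif ":" in line and current:
            key, _, val = line.partition(":")
            sections[current][key.strip()] = val.strip()
    return sections

def parse_identity(ident):
    """'Name, Version=..., PublicKeyToken=...' -> dict with Name plus the pairs."""
    name, *pairs = [p.strip() for p in ident.split(",")]
    return {"Name": name, **dict(p.partition("=")[::2] for p in pairs)}

def triage(text, trusted_hosts=frozenset()):
    """Deployment source plus responder flags; trusted_hosts is an assumed allowlist."""
    log = parse_deployment_log(text)
    url = log.get("SOURCES", {}).get("Deployment url", "")
    parts = urlparse(url)
    host = parts.hostname or ""
    flags = []
    if parts.scheme != "https":
        flags.append("plaintext_http")
    try:
        ipaddress.ip_address(host)      # succeeds only for a bare IP host
        flags.append("ip_literal_host")
    except ValueError:
        pass
    if host not in trusted_hosts:
        flags.append("untrusted_host")
    ident = parse_identity(log.get("IDENTITIES", {}).get("Deployment Identity", ""))
    return {"url": url, "host": host, "identity": ident, "flags": flags}

# Constructed sample, abridged from the log above (tabs replaced by spaces).
SAMPLE = """SOURCES
    Deployment url     : http://192.168.1.158:9999/VSTOTest.vsto
    Application url    : http://192.168.1.158:9999/Application%20Files/VSTOTest_1_0_0_4/VSTOTest.dll.manifest

IDENTITIES
    Deployment Identity: VSTOTest.vsto, Version=1.0.0.4, Culture=neutral, PublicKeyToken=8b52e2ca6fb271a7, processorArchitecture=msil
"""
```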

Sysmon Snippet:

Warning: this might also trigger on Office updates (needs more testing)

<Rule groupRelation="and" name="">
    <Image condition="contains">root\Office16\</Image>
    <TargetFilename condition="contains">\AppData\Local\Temp\Deployment\</TargetFilename>
</Rule>

Files written with this rule:

Note: VSTOTest is the name of the project

C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4\Microsoft.Office.Tools.Common.v4.0.Utilities.dll
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4\Microsoft.Office.Tools.Common.v4.0.Utilities.dll.genman
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4\Microsoft.Office.Tools.Word.v4.0.Utilities.dll
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4\Microsoft.Office.Tools.Word.v4.0.Utilities.dll.genman
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4\VSTOTest.dll
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4\VSTOTest.dll.genman
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4\VSTOTest.dll.manifest
C:\Users\administrator\AppData\Local\Temp\Deployment\C2DH4D67.KJJ
C:\Users\administrator\AppData\Local\Temp\Deployment\C2DH4D67.KJJ\QDACZWRV.8JJ.application