Specific areas you will look into...

And explore in your test environment:

Upgrade Sysmon (for ProcessTampering)

YJ's Findings

Office 2013 Download Link: https://mega.nz/file/EDwAHQzT#AnEX1EA2jpq7Ez_zXAGK6gOLMYlVz_VR4CulDmzH8Cw

*Note: enable DetectOnly when installing Office

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/c88b8ca4-889d-4047-b4ee-9be3e833151f/Screenshot_2021-06-01_at_2.06.58_PM.png

Offensive Step Documentation

VBA macro codes:

https://gist.github.com/real-yj98/0a2eae52293860646c3900332c88c982

Description:

Use a VBA macro to download a payload from the Internet that spawns calc.exe with a spoofed parent (explorer.exe) and a spoofed command line.

How is it achieved:

  1. Retrieve the PID of a legitimate-looking process (explorer.exe)

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/abf9b31d-5498-425c-af1f-54d27483ef6c/Untitled.png

  2. Create a new process (such as powershell.exe) with that process as its parent, with a legitimate-looking command line, and in a suspended state

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/1fb728e0-f698-4750-9264-6870a6f98de5/Untitled.png

  3. Overwrite the process command line in the PEB

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/be8ef177-bc9e-4df0-b9c9-2caa29c8c1bc/Untitled.png

  4. Resume the process
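Detection note for step 2, as an added example that is not part of YJ's findings or the gist above. Choosing a parent through the process creation attributes only changes the parent PID stored in the new process object; the kernel still records which process actually made the creation call. In the ETW `Microsoft-Windows-Kernel-Process` `ProcessStart` event that caller PID sits in the event header while the chosen parent is the `ParentProcessID` field, so a mismatch between the two is the signal. The script below runs that comparison over a constructed event stream (the `ProcessStart` dataclass, the field names and all PIDs and paths are assumptions made for the example, not the real event schema):

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessStart:
    """One process-creation record (constructed simplification of the ETW
    Microsoft-Windows-Kernel-Process ProcessStart event).

    caller_pid: PID from the event header, i.e. the process that actually
                called CreateProcess; the caller cannot choose this value.
    parent_pid: the ParentProcessID stored in the new process object, which
                is the value a spoofed-parent attribute lets the caller pick.
    """
    caller_pid: int
    new_pid: int
    parent_pid: int
    image: str
    command_line: str


def find_parent_spoofing(events: List[ProcessStart]) -> List[dict]:
    """Return one finding per process whose recorded parent is not the process
    that created it. Image names for the claimed parent and the real creator
    are resolved from earlier events in the same stream; PIDs that were never
    seen starting are reported as 'unknown'."""
    image_by_pid: Dict[int, str] = {}
    findings: List[dict] = []
    for ev in events:
        if ev.caller_pid != ev.parent_pid:
            findings.append({
                "pid": ev.new_pid,
                "image": ev.image,
                "command_line": ev.command_line,
                "claimed_parent": image_by_pid.get(ev.parent_pid, "unknown"),
                "actual_creator": image_by_pid.get(ev.caller_pid, "unknown"),
            })
        # Record the new process after the check so a process can never
        # vouch for itself.
        image_by_pid[ev.new_pid] = ev.image
    return findings


# Constructed sample stream: explorer starts, opens a macro document in Word,
# Word spawns PowerShell while claiming explorer as its parent, and explorer
# later starts Notepad normally. All PIDs and paths are made up.
SAMPLE_EVENTS = [
    ProcessStart(800, 1234, 800,
                 r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessStart(1234, 5678, 1234,
                 r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
                 '"WINWORD.EXE" /n "C:\\Users\\yj\\report.docm"'),
    ProcessStart(5678, 9012, 1234,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile"),
    ProcessStart(1234, 3456, 1234,
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


if __name__ == "__main__":
    for f in find_parent_spoofing(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['image']}) claims parent "
              f"{f['claimed_parent']} but was created by {f['actual_creator']}")
```

Only the PowerShell start is reported: its header PID is Word's, its parent field is explorer's. Step 3 (overwriting the command line in the PEB) is not covered by this check, since the command line in the record is whatever was read from the PEB at creation time, i.e. the legitimate-looking one chosen in step 2.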