
How to test Microsoft Access Macro (MAM) shortcut phishing

2025-02-24 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)05/31 Report--

This article explains in detail how to carry out a Microsoft Access Macro (MAM) shortcut phishing test, shared here by the editor for reference.

The following introduces a new phishing technique: Microsoft Access Macro "MAM" shortcut phishing. A MAM file is a shortcut that links directly to a Microsoft Access macro (supported since Office 97).

Create a MAM file

Let's first create a simple Microsoft Access database that pops the local calculator, for practice. First, we open MS Access and create an empty database.

Next, go to the Create ribbon and select Module. This opens the Microsoft Visual Basic for Applications editor.

In Microsoft Access, the module contains our code, and the macro tells Access to execute that VB code.

Here is a simple calculator pop-up code I wrote:

Notice that I wrapped this code in a Function. When we create a macro, it looks for Function procedures rather than Sub procedures.

Now, let's save the module and exit the code editor.

After the module is saved, we can create a macro to call it. Open the Create ribbon and select "Macro". Use the drop-down box to select "Run Code" and point it at your function.

Next, we click the "Run" menu option to test the macro, and Access will prompt you to save the macro. If you want to run the macro automatically when you open the document, be sure to save the macro as Autoexec.

Save the project in .accdb format so that we can modify it later.

Then we save the project again. This time, we select the Make ACCDE option. This creates an "execute only" version of the database.

We can add ACCDE to emails or links as payload when phishing. We can create a MAM shortcut that links remotely to our ACCDE file and runs its contents over the network.

Make sure the ACCDE file is open, left-click and drag the macro to the desktop. This will create an initial .MAM file that we can modify. Open it with your favorite editor or notepad and see what we need to change.

As you can see, the shortcut does not have many properties. The only one we need to change is the DatabasePath variable, which we point at the address where the file is hosted remotely. We can host the ACCDE file over SMB or the Web. SMB hosting can serve the additional purpose of capturing credentials, provided port 445 is allowed to leave the target network. In this article, I'll demonstrate how to do this over HTTP.

Phishing
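For defenders, the DatabasePath property is also the thing to inspect when a .mam file turns up at a mail or web gateway. The following triage check is an added example, not code from the original article; the key=value layout of the sample files and the host names are assumptions, and only the DatabasePath property name comes from the text.

```python
import re

# Constructed sample .mam contents. The key=value text layout is an
# assumption; only the DatabasePath property name comes from the article.
LOCAL_MAM = "[Shortcut Properties]\nDatabasePath=C:\\Users\\alice\\Documents\\Inventory.accdb\n"
HTTP_MAM = "[Shortcut Properties]\nDatabasePath=http://files.example.test/Inventory.accde\n"
UNC_MAM = "[Shortcut Properties]\nDatabasePath=\\\\fs.example.test\\share\\Inventory.accde\n"

URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")


def database_path(mam_text):
    """Return the DatabasePath value from .mam text, or None if absent."""
    for line in mam_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "databasepath":
            return value.strip().strip('"')
    return None


def classify_mam(mam_text):
    """Return (verdict, path) describing where the shortcut loads its database from."""
    path = database_path(mam_text)
    if path is None:
        return ("no-path", None)
    if UNC_RE.match(path):
        # SMB load: outbound 445 traffic and possible credential exposure.
        return ("remote-unc", path)
    if URL_RE.match(path):
        return ("remote-url", path)
    return ("local", path)


def should_quarantine(filename, mam_text):
    """Quarantine .mam files whose database lives off-host or cannot be determined."""
    if not filename.lower().endswith(".mam"):
        return False
    return classify_mam(mam_text)[0] != "local"


if __name__ == "__main__":
    for name, text in [("a.mam", LOCAL_MAM), ("b.mam", HTTP_MAM), ("c.mam", UNC_MAM)]:
        print(name, classify_mam(text), should_quarantine(name, text))
```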

On the remote host, provide the ACCDE file using the preferred Web hosting method.

Edit the .MAM file to point to the ACCDE file hosted on the Web server.

Now our task is to deliver the MAM payload to our target. Some providers, and Outlook, block MAM files by default, so in this case we send the target a phishing link and simply host the MAM file on our web server. Alternatively, you can use Apache mod_rewrite to do some redirection.

Once the target user clicks on our phishing link (in the case of an Edge browser), they will be prompted to open or save the file.

Next, the system pops up a security warning box to the user again.

Finally, the system warns the user one last time, and the user is shown the IP or domain name of the remote host (hopefully a persuasive one). After that, there are no further security warnings or conditions that prevent the macro payload from running.

When the user clicks "Open", our code is executed.

Although there are several security prompts, it is still easy to succeed against unsuspecting users. In addition, we can combine this with some social engineering to achieve our ultimate goal.

OPSEC

At the end of the penetration test, one thing we can't forget is to clean up any traces that may be left on the target system. So what traces does executing the payload leave behind? Let's find out with procmon.

The first entry that deserves our attention is the "CreateFile" call, which executes the command shown above. Note the "ShellOpenMacro" string, which is useful for command-line auditing.

Next, notice that the remote ACCDE file is saved to the local computer and executed from there. Although it looks as if our payload is called remotely, it is downloaded to "%APPDATA%\Local\Microsoft\Windows\INetCache\Content.MSO\95E62AFE.accde\PopCalc.accde". Therefore, special attention must be paid to cleaning up this file.
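The two traces described above (the "ShellOpenMacro" string on the command line and an Access database written under INetCache\Content.MSO) can be correlated per host to separate a remote MAM load from an ordinary local shortcut. This detection sketch is an added example, not part of the original article; the event field names, host names and sample events are constructed assumptions.

```python
import re

# Constructed events (not captured logs). Field names are assumptions loosely
# modelled on process-creation and file-creation telemetry.
EVENTS = [
    {"type": "process", "host": "WS01",
     "command_line": r'MSACCESS.EXE <args elided> ShellOpenMacro "C:\Users\alice\Downloads\Invoice.mam"'},
    {"type": "file", "host": "WS01",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\1A2B3C4D.accde\Invoice.accde"},
    {"type": "process", "host": "WS02",
     "command_line": r'MSACCESS.EXE "C:\Data\Inventory.accdb"'},
    {"type": "file", "host": "WS02", "path": r"C:\Data\Inventory.accdb"},
    {"type": "process", "host": "WS03",
     "command_line": r'MSACCESS.EXE <args elided> ShellOpenMacro "C:\Tools\Local.mam"'},
]

# Access database cached from a network location, as described in the article.
CACHE_RE = re.compile(r"\\INetCache\\Content\.MSO\\[^\\]+\\[^\\]+\.accd[be]$", re.IGNORECASE)

OPENED = "mam-shortcut-opened"
CACHED = "remote-access-db-cached"


def match_event(event):
    """Return the indicator name an event matches, or None."""
    if event["type"] == "process" and "shellopenmacro" in event["command_line"].lower():
        return OPENED
    if event["type"] == "file" and CACHE_RE.search(event["path"]):
        return CACHED
    return None


def hosts_with_remote_mam(events):
    """Hosts where a MAM shortcut was opened AND a remote database was cached."""
    hits = {}
    for event in events:
        indicator = match_event(event)
        if indicator:
            hits.setdefault(event["host"], set()).add(indicator)
    return sorted(h for h, seen in hits.items() if seen == {OPENED, CACHED})


if __name__ == "__main__":
    print(hosts_with_remote_mam(EVENTS))
```

WS03 opens a MAM shortcut but caches nothing from the network, so it is not reported; only the combination of both indicators is treated as a remote load.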

Mitigation measures

In Microsoft Office 2016, you can enable a GPO to block macro execution from the network, or set the following registry key for each Office product.

Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Access\Security\blockcontentexecutionfrominternet = 1

With this setting in place, the phish is denied. It is important to note that even if the macro is blocked, the MAM file still reaches out to pull down the Access file. So it is still possible to learn that the phish was received and executed, or to steal credentials through SMB.
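To verify the setting across several Office products, the registry key above can be audited from exported registry text. This is an added example, not from the original article; it assumes input in the text format produced by `reg export`, the sample export is constructed, and the Word and Excel key names follow the article's "each Office product" wording.

```python
import re

KEY_TEMPLATE = r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\{app}\Security"
VALUE_NAME = "blockcontentexecutionfrominternet"

# Constructed sample of `reg export` text (not taken from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Access\Security]
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"blockcontentexecutionfrominternet"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"ExampleOtherValue"=dword:00000002
"""

DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Parse exported registry text into {key_path_lower: {value_name_lower: int}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            match = DWORD_RE.match(line)
            if match:
                current[match.group(1).lower()] = int(match.group(2), 16)
    return keys


def audit(text, apps=("Access", "Word", "Excel")):
    """Report, per Office product, whether macros from the internet are blocked."""
    keys = parse_reg(text)
    report = {}
    for app in apps:
        values = keys.get(KEY_TEMPLATE.format(app=app).lower(), {})
        value = values.get(VALUE_NAME)
        if value is None:
            report[app] = "not set"      # key or value missing: protection absent
        else:
            report[app] = "blocked" if value == 1 else "allowed"
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```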
