In preparation for a VBS AV Evasion Stream/Video I was doing some research for Office Macro code execution methods and evasion techniques.

The list got longer and longer and I found no central place for offensive VBA templates - so this repo can be used for such. It is very far away from being complete. If you know any other cool technique or useful template feel free to contribute and create a pull request!

Most of the templates in this repo were already published somewhere. I just copy pasted most templates from ms-docs sites, blog posts or from other tools.

Templates in this repo

File	Description
ShellApplication_ShellExecute.vba	Execute an OS command via ShellApplication object and ShellExecute method
ShellApplication_ShellExecute_privileged.vba	Execute an privileged OS command via ShellApplication object and ShellExecute method - UAC prompt
Shellcode_CreateThread.vba	Execute shellcode in the current process via Win32 CreateThread
Shellcode_EnumChildWindowsCallback.vba	Execute shellcode in the current process via EnumChildWindows
Win32_CreateProcess.vba	Create a new process for code execution via Win32 CreateProcess function
Win32_ShellExecute.vba	Create a new process for code execution via Win32 ShellExecute function
WMI_Process_Create.vba	Create a new process via WMI for code execution
WMI_Process_Create2.vba	Another WMI code execution example
WscriptShell_Exec.vba	Execute an OS command via WscriptShell object and Exec method
WscriptShell_run.vba	Execute an OS command via WscriptShell object and Run method
VBA-RunPE	@itm4n's RunPE technique in VBA
GadgetToJScript	med0x2e's C# script for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.
PPID_Spoof.vba	christophetd's spoofing-office-macro copy
AMSIBypass_AmsiScanBuffer_ordinal.vba	rmdavy's AMSI Bypass to patch AmsiScanBuffer using ordinal values for a signature bypass
AMSIBypass_AmsiScanBuffer_Classic.vba	rasta-mouse's classic AmsiScanBuffer patch
AMSIBypass_Heap.vba	rmdavy's HeapsOfFun repo copy
AMSIbypasses.vba	outflanknl's AMSI bypass blog
COMHijack_DLL_Load.vba	Load DLL via COM Hijacking
COM_Process_create.vba	Create process via COM object
Download_Autostart.vba	Download a file from a remote webserver and put it into the StartUp folder
Download_Autostart_WinAPI.vba	Download a file from a remote webserver via URLDownloadtoFileA and put it into the StartUp folder
Dropper_Autostart.vba	Drop batch file into the StartUp folder
Registry_Persist_wmi.vba	Create StartUp registry key for persistence via WMI
Registry_Persist_wscript.vba	Create StartUp registry key for persistence via wscript object
ScheduledTask_Create.vba	Create and start sheduled task for code execution/persistence
XMLDOM_Load_XSL_Process_create.vba	Load XSL from a remote webserver to execute code
regsvr32_sct_DownloadExecute.vba	Execute regsvr32 to download a remote webservers SCT file for code execution
BlockETW.vba	Patch EtwEventWrite in ntdll.dll to block ETW data collection
BlockETW_COMPLUS_ETWEnabled_ENV.vba	Block ETW data collection by setting the environment variable COMPLUS_ETWEnabled to 0, credit to @xpn
ShellWindows_Process_create.vba	ShellWindows Process create to get explorer.exe as parent process
AES.vba	An example to use AES encryption/decryption in VBA from Here
Dropper_Executable_Autostart.vba	Get executable bytes from VBA and drop into Autostart - no download in this case
MarauderDrop.vba	Drop a COM registered .NET DLL into temp, import the function and execute code - in this case loads a remote C# binary from a webserver to memory and executes it - credit to @Jean_Maes_1994 for MaraudersMap
Dropper_Workfolders_lolbas_Execute.vba	Drop an embedded executable into the TEMP directory and execute it using C:\windows\system32\Workfolders.exe as LOLBAS - credit to @YoSignals
SandBoxEvasion	Some SandBox Evasion templates
Evasion Dropper Autostart.vba	Drops a file to the Startup directory bypassing file write monitoring via renamed folder operation
Evasion MsiInstallProduct.vba	Installs a remote MSI package using WindowsInstaller ActiveXObject avoiding spawning suspicious office child process, the msi installation will be executed as a child of the MSIEXEC /V service
StealNetNTLMv2.vba	Steal NetNTLMv2 Hash via share connection - credit to https://book.hacktricks.xyz/windows/ntlm/places-to-steal-ntlm-creds
Parse-Outlook.vba	Parses Outlook for sensitive keywords and file extensions, and exfils them via email - credit to JohnWoodman
Reverse-Shell.vba	Reverse shell written entirely in VBA using Windows API calls - credit to JohnWoodman

Missing - ToDos

File	Description
Unhooker.vba	Unhook API's in memory to get rid of hooks
Syscalls.vba	Syscall usage - fresh from disk or Syswhispers like
Manymore.vba	If you have any more ideas feel free to contribute

Obfuscators / Payload generators

1. VBad
2. wePWNise
3. VisualBasicObfuscator - needs some modification as it doesn't split up lines and is therefore not usable for office document macros
4. macro_pack
5. shellcode2vbscript.py
6. EvilClippy
7. OfficePurge
8. SharpShooter
9. VBS-Obfuscator-in-Python - - needs some modification as it doesn't split up lines and is therefore not usable for office document macros

Credits / usefull resources

ASR bypass: http://blog.sevagas.com/IMG/pdf/bypass_windows_defender_attack_surface_reduction.pdf

Shellcode to VBScript conversion: https://github.com/DidierStevens/DidierStevensSuite/blob/master/shellcode2vbscript.py

Bypass AMSI in VBA: https://outflank.nl/blog/2019/04/17/bypassing-amsi-for-vba/

VBA purging: https://www.mandiant.com/resources/purgalicious-vba-macro-obfuscation-with-vba-purging

F-Secure VBA Evasion and detection post: https://blog.f-secure.com/dechaining-macros-and-evading-edr/

One more F-Secure blog: https://labs.f-secure.com/archive/dll-tricks-with-vba-to-improve-offensive-macro-capability/