Word Library Add-Ins

It's possible to persist in userland by abusing Word library add-ins: place your malicious DLL in one of Word's trusted locations, and Word will load it the next time it is opened.

Execution

Get trusted locations:

{% code-tabs %}
{% code-tabs-item title="attacker@victim" %}
```powershell
Get-ChildItem "hkcu:\Software\Microsoft\Office\16.0\Word\Security\Trusted Locations"
```
{% endcode-tabs-item %}
{% endcode-tabs %}

Those trusted locations are actually defined in Word's Security Center if you have access to the GUI:

Let's create a simple DLL that launches notepad.exe once the DLL is attached:

Compile the DLL, copy it over to the Startup folder and rename it to evilm64.wll:

```powershell
mv .\evilm64.dll .\evilm64.wll
```

Next time the victim opens up Word, evilm64.wll will be loaded and executed:

It is interesting to note that Process Explorer does not show evilm64.wll as loaded in any of the currently running processes:

...although we can definitely see that the add-in is now recognized by Word:

{% hint style="info" %} Interesting
This technique did not work for me on Office 365 version, but worked on Office Professional. Not sure if there's a bug in the 365 version or it's just a limitation of that version. {% endhint %}
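
Since Process Explorer may not show the loaded add-in, a defender can audit the same trusted locations on disk for `.wll` files instead. The following is an added example, not code from the original page: the function name `Get-WordTrustedLocationAddIn` is hypothetical, and it assumes the per-user trusted locations under HKCU are checked for every Office version rather than only 16.0.

```powershell
# Added defensive example: list Word library add-ins (.wll) found in the
# current user's Word trusted locations, with hash, timestamps and signature.
# Assumption: only HKCU trusted locations are inspected; function name is hypothetical.
function Get-WordTrustedLocationAddIn {
    [CmdletBinding()]
    param(
        [string]$OfficeRoot = 'HKCU:\Software\Microsoft\Office'
    )

    # One subkey per Office version (for example 16.0, as queried on this page).
    foreach ($ver in Get-ChildItem -Path $OfficeRoot -ErrorAction SilentlyContinue) {
        $tlKey = Join-Path $ver.PSPath 'Word\Security\Trusted Locations'
        if (-not (Test-Path -Path $tlKey)) { continue }

        # Each trusted location is a subkey holding a Path value.
        foreach ($loc in Get-ChildItem -Path $tlKey) {
            $props = Get-ItemProperty -Path $loc.PSPath
            if (-not $props.Path) { continue }

            # Paths may contain environment variables such as %APPDATA%.
            $dir = [Environment]::ExpandEnvironmentVariables($props.Path)
            if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

            # Follow subfolders only where Word itself would trust them.
            $recurse = ($props.AllowSubFolders -eq 1)

            Get-ChildItem -LiteralPath $dir -Filter '*.wll' -File -Recurse:$recurse -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                    [pscustomobject]@{
                        OfficeVersion   = $ver.PSChildName
                        TrustedLocation = $dir
                        File            = $_.FullName
                        SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                        CreatedUtc      = $_.CreationTimeUtc
                        ModifiedUtc     = $_.LastWriteTimeUtc
                        Signature       = $sig.Status
                        Signer          = $sig.SignerCertificate.Subject
                    }
                }
        }
    }
}

# Unsigned or recently created .wll files are the ones to review first.
Get-WordTrustedLocationAddIn | Sort-Object CreatedUtc -Descending | Format-List
```

Run it in the context of each user profile of interest, since the HKCU hive and the Startup folder are per-user.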

References

{% embed url="https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-1-microsoft-office/" %}

{% embed url="https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/" %}