Hello, welcome to the Tuesday, May 3, 2022 edition of the Sandsenet Storms,

and its Stormcast. My name is Johannes Ulrich. And then I'm recording from Jacksonville, Florida.

Well, I talked a few times already about how attackers are attempting to bypass issues with macros.

Macros have been the go-to-way how attackers tricked victims into running code in Microsoft Office.

But of course, Microsoft has gotten or is going to be more tied in when they allow macros to run at all, regardless of user permission.

DDA today has an interesting article looking at one way how this restriction could possibly bypass.

This is VSTO Office Files.

VSTO stands for Visual Studio Office and that's exactly sort of what it is. It's a Visual Studio application linked in to an office document like a

VERT document. Now there are some restrictions.

It's not quite as easy as just adding a random binary to a VIRD document.

They have to be validly signed or they have to come from the intranet zone and the like.

But yes, they can be downloaded from a remote location. And that's what did he looked at, whether or not he's able to detect, whether or not a document

is including a URL that's downloading these additional applications.

And well, it turns out he didn't even have to write a new tool.

XIF tool does the job for you. The two properties

you're looking for here is assembly location and assembly name. So when you're running XF tool,

just grab for it or the DA actually used this handy head-tail tool, which will display

the first 10 and the last 10 lines of the output, which then also

includes these two properties. X-F tool works for OXML files. That's what the D is demonstrating

here, but if you use Siptum.Py, you can also get the same result or Oli Dump will return it for Oli files.

This article by D-D-D was in part based on a tweet by Mark Oxenmeyer, and in general,

if you haven't looked at VSTO files, you definitely should take a moment and read up on how these files work and

...