BC-SECURITY/Offensive-VBA-and-XLS-Entanglement
This repo provides examples of how VBA can be used for offensive purposes beyond a simple dropper or shell injector. As we develop more use cases, the repo will be updated. The main entry in the repo is the code for demonstrating the XLS Entanglement attack.
VBA provides every capability that other offensive languages offer, including a rudimentary reflection capability through modification of the AccessVBOM registry key. In addition, VBA runs inside programs that are traditionally long-running on a victim's computer, including Outlook. This means that a beacon can run entirely inside "native" processes without the need to migrate processes or open additional ports. If Outlook is converted to a C2 beacon, then there is no need for the beacon to reach out of the network either. With the ability to export Win32 APIs, we have the ability to execute all kinds of attacks, including things like Kerberoasting or running Embedded PEs.
File | Description |
---|---|
HelloWorld.vba | Demonstrates disabling the protections against accessing the VBA project and dynamically injecting VBA code |
HelloWorldWin32_API.vba | Same as HelloWorld.vba but uses Win32 APIs instead of WScript to modify the registry |
OutlookC2_POC.vba | Macro to convert Outlook into a C2 that watches for an email and injects VBA into an Excel file |
XLS Entaglement | Contains the files for executing a rudimentary XLS Entanglement attack |
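
A defender-side check for the AccessVBOM modification described above, as an added example that is not part of this repository: it scans Sysmon registry value-set events (Event ID 13) for AccessVBOM being switched on, in either the per-user or the policy location. The function name `find_vbom_enables` and the sample events are constructed for illustration.

```python
import re

# Per-user and policy locations of "Trust access to the VBA project object model",
# e.g. ...\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM
ACCESS_VBOM = re.compile(
    r"\\Software\\(?P<policy>Policies\\)?Microsoft\\Office\\"
    r"(?P<version>\d+\.\d+)\\(?P<app>[^\\]+)\\Security\\AccessVBOM$",
    re.IGNORECASE,
)
DWORD = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")


def find_vbom_enables(events):
    """Return one finding per registry-set event that turns AccessVBOM on."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:  # Sysmon RegistryEvent (Value Set)
            continue
        key = ACCESS_VBOM.search(ev.get("TargetObject", ""))
        val = DWORD.search(ev.get("Details", ""))
        if not key or not val or int(val.group(1), 16) == 0:
            continue  # different value, non-DWORD data, or access being disabled
        findings.append({
            "app": key.group("app"),
            "office_version": key.group("version"),
            "via_policy": key.group("policy") is not None,
            "writer": ev.get("Image", "").rsplit("\\", 1)[-1].lower(),
            "time": ev.get("UtcTime"),
        })
    return findings


# Constructed sample events (not captured from a real host).
_SID = r"HKU\S-1-5-21-0-0-0-1001\Software"
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-01-01 10:00:00.000",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetObject": _SID + r"\Microsoft\Office\16.0\Excel\Security\AccessVBOM",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "UtcTime": "2024-01-01 10:05:00.000",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": _SID + r"\Microsoft\Office\16.0\Word\Security\AccessVBOM",
     "Details": "DWORD (0x00000000)"},  # disabling: not reported
    {"EventID": 13, "UtcTime": "2024-01-01 10:06:00.000",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": _SID + r"\Policies\Microsoft\Office\16.0\Word\Security\AccessVBOM",
     "Details": "DWORD (0x00000001)"},
]
```

A user ticking the same option in the Trust Center produces the same registry write from the Office process, so findings need triage against expected developer or administrator activity.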