Kostas Lintovois presented "One Template To Rule 'Em All" at T2 2016.
Although malicious VBA code contained within Office documents or templates has been a known and well-understood attack vector for many years, it still remains effective against today's security defences. The business requirement for MS Office, combined with the human factor, makes VBA-enabled files an attractive and reliable malware delivery mechanism, particularly in targeted attacks.
This presentation discussed how Office security settings and templates can be abused to gain persistence in VDI implementations, where traditional techniques relying on the file system or the Registry are not applicable. It also described how the introduction of application control and anti-exploitation technologies may affect code execution in locked-down environments, and how these controls can be circumvented through the use of VBA.
The talk concluded with the demonstration of WePWNise, a proof-of-concept tool that generates architecture independent VBA code to dynamically evaluate certain security controls and circumvent them in order to successfully deliver payloads.
WePWNise is open-source software maintained by MWR InfoSecurity and is available on GitHub.