You are here : Home » Security tools » MacroPack » RedTeam With OneNote

RedTeam With OneNote

Windows Initial Vector Series

D 9 August 2022     H 17:07     A Emeric Nasi     C 0 messages

License : Copyright Emeric Nasi (@EmericNasi), Lance James, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Creative Commons License

1. Foreword

OneNote is one of the Office suite components which is often overlooked when RedTeaming. Though OneNote cannot execute VBA Macros, it has an important potential for phishing as an initial vector.

In a nutshell, OneNote:

  • Is not affected by Protected View/ MOTW
  • Allows embedding Malicious Excel/Word/PPT files that will be played without protected view
  • Allows embedding HTA, LNK, EXE files and spoof extensions
  • Allows formatting document in a way user are tricked into opening a malicious file or a link
  • Can be automated using OneNote.Application and XML
  • Is supported by BallisKit MacroPack Pro tool

Note 1: There are several versions of OneNote. In this post we focus on the OneNote desktop App delivered with Office. That version used to be called “OneNote 2016” but since Office 2019 it has been called “OneNote”.
Note 2: Some examples in this document rely on the use of MacroPack Pro which is a commercial tool for RedTeams legal use only. Reading this post, you should be able to reproduce those examples manually even if you don’t have MacroPack Pro.

Let’s review how those work as well as the pros and cons of using a OneNote section as an initial RedTeam payload.

Please open the PDF below to read the full article.

PDF - 576.3 kb
Any message or comments?

This forum is moderated before publication: your contribution will only appear after being validated by an administrator.

Who are you?
Your post