RedTeam With OneNote
Windows Initial Vector Series
9 August 2022 17:07
License : Copyright Emeric Nasi (@EmericNasi), Lance James, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
1. Foreword
OneNote is one of the Office suite components that is often overlooked during red team engagements. Although OneNote cannot execute VBA macros, it has significant potential as a phishing initial access vector.
In a nutshell, OneNote:
- Is not affected by Protected View or Mark-of-the-Web (MOTW)
- Allows embedding malicious Excel/Word/PowerPoint files that will be opened without Protected View
- Allows embedding HTA, LNK and EXE files and spoofing their extensions
- Allows formatting the document so that users are tricked into opening a malicious file or link
- Can be automated using OneNote.Application and XML
- Is supported by the BallisKit MacroPack Pro tool
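Since the capabilities listed above all come down to files being carried inside a section, the first thing a defender wants is a way to enumerate what a .one file actually embeds. The following Python script is an added example written for this post; it is not code from the article, from BallisKit or from MacroPack Pro. It assumes the FileDataStoreObject layout and GUIDs as documented in Microsoft's MS-ONESTORE specification (header GUID, 8-byte length, 12 bytes of unused/reserved fields, the file data, then a footer GUID); the sample section bytes are constructed inline and are not a real OneNote file.

```python
"""Triage embedded file objects inside a OneNote section (.one) file.

Added example for this post (not the article's or MacroPack Pro's code).
"""
import struct
import uuid

# FileDataStoreObject layout, assumed here from the MS-ONESTORE specification:
#   guidHeader (16 bytes) {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
#   cbLength   (8 bytes, little-endian) size of FileData
#   unused     (4 bytes)
#   reserved   (8 bytes)
#   FileData   (cbLength bytes)  -> the embedded attachment
#   guidFooter (16 bytes) {71FBA722-0F79-4A0B-BB13-899256426B24}
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
FDSO_PREAMBLE = 16 + 8 + 4 + 8  # bytes from guidHeader to the start of FileData

# Windows shortcut files start with 'L\0\0\0' followed by the ShellLink CLSID.
LNK_MAGIC = b"L\x00\x00\x00" + uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le


def classify(data: bytes) -> str:
    """Label an embedded payload by its magic bytes (good enough for triage)."""
    head = data[:32]
    if head.startswith(b"MZ"):
        return "PE executable"
    if head.startswith(LNK_MAGIC):
        return "LNK shortcut"
    if head.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "OLE compound document (legacy Office)"
    if head.startswith(b"PK\x03\x04"):
        return "ZIP container (OOXML Office or archive)"
    lowered = head.lower()
    if b"<html" in lowered or b"<script" in lowered or b"<hta" in lowered:
        return "HTML/HTA script"
    return "unknown"


def extract_embedded_files(section: bytes) -> list:
    """Return one record per FileDataStoreObject found in a .one byte buffer."""
    found = []
    pos = section.find(FDSO_HEADER)
    while pos != -1:
        (length,) = struct.unpack_from("<Q", section, pos + 16)
        start = pos + FDSO_PREAMBLE
        payload = section[start:start + length]
        # A missing footer means the object is truncated or the length field was tampered with.
        footer_ok = section[start + length:start + length + 16] == FDSO_FOOTER
        found.append({
            "offset": pos,
            "length": length,
            "footer_ok": footer_ok,
            "type": classify(payload),
            "data": payload,
        })
        pos = section.find(FDSO_HEADER, start + length)
    return found


def triage(section: bytes) -> list:
    """Summarise each embedded object as (offset, length, type, footer_ok)."""
    return [(f["offset"], f["length"], f["type"], f["footer_ok"])
            for f in extract_embedded_files(section)]


def build_fdso(payload: bytes) -> bytes:
    """Wrap a payload in a FileDataStoreObject; used only to build the constructed sample."""
    return (FDSO_HEADER + struct.pack("<Q", len(payload))
            + b"\x00" * 4 + b"\x00" * 8 + payload + FDSO_FOOTER)


# Constructed sample, not a real section file: filler bytes around two embedded objects.
SAMPLE_SECTION = (
    b"\x00" * 64
    + build_fdso(b"MZ\x90\x00" + b"\x00" * 60)            # PE-like stub, just the magic bytes
    + b"\x11" * 32
    + build_fdso(b"<html><hta:application id=x></html>")  # HTA-looking text
    + b"\x00" * 16
)

if __name__ == "__main__":
    for offset, length, kind, ok in triage(SAMPLE_SECTION):
        print(f"offset={offset:#x} length={length} type={kind} footer_ok={ok}")
```

On a real file, read it with open(path, "rb").read() and pass the bytes to triage(); an embedded PE, LNK or HTA in a section received by e-mail is a strong signal for a mail gateway or sandbox to quarantine, and an object whose footer check fails is worth a closer look rather than being discarded.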
Note 1: There are several versions of OneNote. In this post we focus on the OneNote desktop app delivered with Office. That version used to be called "OneNote 2016", but since Office 2019 it has simply been called "OneNote".
Note 2: Some examples in this document rely on MacroPack Pro, a commercial tool intended for legal red team use only. After reading this post, you should be able to reproduce those examples manually even if you don't have MacroPack Pro.
Let's review how these work, as well as the pros and cons of using a OneNote section as an initial red team payload.
Please open the PDF below to read the full article.