Executing Macros From a DOCX With Remote Template Injection
![Image](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheBDmDG9Wf_oMFg02qSu1M3gJM0TmqNFeSNp-9blPmsLjh9kZpS1IBG9OPMjT2IlKKc9qacuraznShyphenhyphenh_OoQ1RZDFMC-nK_mhXAGYjMnUTmqf4VbykiRDMPi3-mqQQehzRcPO6ciqWJCib/s640/1.png)
The What: In this post, I want to talk about and show off a code execution method that was shown to me a little while back. This method allows one to create a DOCX document that loads a remote DOTM template file and allows a user to execute macros from it. This attack has been seen in the wild, is partially included in open-source offensive security tools, and has been blogged about by Cisco Talos, but in the blog post and the open-source tool it is only seen as a credential-stealing attack, typically over the SMB protocol. This blog post will detail how to use this method to download a macro-enabled template over HTTP(S), in a proxy-aware manner, into a DOCX document.

The Why: The benefit of this attack versus a traditional macro-enabled document is multidimensional. When executing a phishing attack against a target, you are able to attach the .docx directly to the email, and you are very unlikely to get blocked based on the file extension. Many organizations block .doc or .do