Pieter Ceelen

@ptrpieter

Red teamer @ Outflank, Wizard with Word

Joined March 2018

Tweets


  1. Retweeted
    9 Jan

    Video recording of my presentation with at Black Hat Asia 2019 is online. MS Office in Wonderland: 50 minutes of offensive tradecraft with Word and Excel. Exploiting fields, Power Query, VBA stomping, Excel4 macros, AMSI bypasses and more fun.

  2. 3 Nov 2019

    Lol, another SLK/XML macro warning bypass. Recommendation: do NOT “Disable all macros without notification” on excel4mac, this setting enabled direct execution of any XLM macro. Nice find

  3. Retweeted
    5 May 2019

    Evil Clippy: our new tool for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse many macro security analysis tools. Read our blog post for details:

  4. 17 Apr 2019

    New blog: Bypassing AMSI for VBA. No need for complex stuff / memory patching, you can circumvent this AMSI implementation in many other ways

  5. 11 Apr 2019

    Mailman just delivered inspiration for research: an old school book on Word. Gotta love legacy, 1993 here I come :-)

  6. Retweeted
    18 Mar 2019

    More info on hiding HTTP requests, this time using Pipelining:

  7. 2 Apr 2019

    New blog on Word Field abuse, . Contains full details on 'arbitrary file read' and 'credential popup' in Microsoft Word (CVE-2019-0540 and CVE-2019-0561) as reported by and me and presented at

  8. 1 Apr 2019

    Slides and recording of 'MS Office file format sorcery' and I gave at are live. Lots of offensive Office tricks; hiding macros from AV, AMSI bypasses, persistence and much more... Video: slides:

  9. Retweeted
    28 Mar 2019

    Slides from the BlackHat presentation of and myself titled “Office in Wonderland” are now available at . This deck is packed with offensive MS Office tradecraft, abusing “features” in Word and Excel.

  10. 27 Mar 2019

    Just finished my Blackhat Asia talk with ! We disclosed why Microsoft introduced a new security warning to mitigate our "Word field" trickery (CVE-2019-0540 and CVE-2019-0561) and a lot of other cool stuff.

  11. Retweeted
    26 Mar 2019

    Lateral movement via ExecuteExcel4Macro and DCOM. Big plus: this method allows for direct shellcode injection into Excel.exe on the remote host. Moreover, AMSI is completely blind to XLM. I just released PowerShell and Cobalt Strike implementations at .

  12. Retweeted
    21 Jan 2019

    New blog! Abusing Exchange: One API call away from Domain Admin. From any user with a mailbox to Domain Admin. Probably affects the majority of orgs using AD and Exchange.

  13. 8 Nov 2018

    October has been a heavy research month. Lots of cool office tricks and attacks discovered. Just submitted a talk for troopers with . Next up: finalize some blogs on older stuff, submit newer stuff to MS security

  14. 12 Oct 2018
  15. 12 Oct 2018

    Still having Office 2011 for MacOS installed? Don't open CSVs anymore. Attached a 400 bytes CSV file that gives 0 warnings, can write to an arbitrary (persistence) location (Sylk+XLM named CSV). Who thought you couldn't weaponize CSV files...

  16. 12 Oct 2018

    We've reported the issue to Microsoft; as the product is EOL no patch will be created. And all because I misclicked a document on my train ride home 😀

  17. 12 Oct 2018

    New Office Magic from and me. Opening Sylk files + XLM Macro on Office 2011 for Mac shows no Macro warning, no protected mode. All macros are directly executed! Full details at . Attack may even work when both Office 2016 + 2011 are installed

  18. 7 Oct 2018

    The Sylk file that just shared can also be renamed to .csv. Requires one additional click, but hey. We have just weaponized CSV!

  19. 7 Oct 2018

    Ever seen a phishing campaign that uses macros and DocX files? Come to the Office Magic Show 12:00 , where and I will show how it's done and a lot of other cool tricks.

