MS Office

Trusted Locations

Add-ins that are placed in trusted locations are automatically ran when Office is opened despite any configured security settings like ignoring macros or add-ins from GPO.
Add-ins are just DLLs renamed with a WLL extension.
You can find trusted locations based on this query, note that you have to change the version to match up with the version of Office installed
Get-ChildItem "hkcu:\Software\Microsoft\Office\16.0\Word\Security\Trusted Locations"
This will give you multiple registry key values which are trusted locations.
To achieve code execution we have to add a WLL file to these files. You can make a simple DLL shellcode execution and but it in the folder. For example:
copy payload.dll %APPDATA%\Microsoft\Word Startup\WordPresistence.wll


Template macros are similar to add-ins in the fact that they get executed when Word is opened. templates are used to customise Office documents and by default a base template exists under the %APPDATA%\Microsoft\Templates\Normal.dotm path for Word and %APPDATA%\Microsoft\Excel\XLSTART\PERSONAL.XLSB for Excel:
Depending on the security settings, it may execute without any prompts if it is in a trusted location.
To abuse this for persistence, simply modify the template files to execute your payload.
Last modified 1yr ago
Copy link
On this page
Trusted Locations