MS Office

Trusted Locations

Add-ins placed in trusted locations are run automatically when Office is opened, regardless of configured security settings, such as a GPO that disables macros or add-ins.

Add-ins are just DLLs renamed with a WLL extension.

You can find trusted locations with the following query. Note that you have to change the version number to match the installed version of Office:

 Get-ChildItem "hkcu:\Software\Microsoft\Office\16.0\Word\Security\Trusted Locations"

This returns multiple registry keys, each of which is a trusted location.

To achieve code execution we have to add a WLL file to one of these folders. You can build a simple DLL that executes shellcode and put it in the folder. For example:

copy payload.dll "%APPDATA%\Microsoft\Word\Startup\WordPresistence.wll"


Template macros are similar to add-ins in that they are executed when Word is opened. Templates are used to customise Office documents, and by default a base template exists at %APPDATA%\Microsoft\Templates\Normal.dotm for Word and %APPDATA%\Microsoft\Excel\XLSTART\PERSONAL.XLSB for Excel.

Depending on the security settings, the template's macros may execute without any prompts if the template is in a trusted location.

To abuse this for persistence, simply modify the template files to execute your payload.
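
A read-only audit covering both mechanisms above, as an added example that is not part of the original page: it walks the Trusted Locations keys for Word and Excel, lists add-in and template files found in those folders with their signature status, and records a hash and modification time for the two default templates. The extension list and the inclusion of the Policies hive are assumptions.

```powershell
# Added audit example, not from the original page. Read-only: it changes nothing.
$roots = 'HKCU:\Software\Microsoft\Office',
         'HKCU:\Software\Policies\Microsoft\Office'   # assumption: also review policy-defined locations
$apps  = 'Word', 'Excel'
$exts  = '.wll', '.xll', '.dotm', '.xlsb', '.xlam'    # assumption: file types worth reviewing

$findings = foreach ($root in $roots) {
    # Each version subkey (16.0, 15.0, ...) can hold its own Trusted Locations.
    foreach ($ver in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        foreach ($app in $apps) {
            $key = "$($ver.PSPath)\$app\Security\Trusted Locations"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            foreach ($loc in Get-ChildItem -LiteralPath $key) {
                $props = Get-ItemProperty -LiteralPath $loc.PSPath
                if (-not $props.Path) { continue }
                # Paths are often stored with environment variables such as %APPDATA%.
                $dir = [Environment]::ExpandEnvironmentVariables($props.Path)
                if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
                Get-ChildItem -LiteralPath $dir -File -Recurse:([bool]$props.AllowSubFolders) -ErrorAction SilentlyContinue |
                    Where-Object { $exts -contains $_.Extension.ToLower() } |
                    ForEach-Object {
                        [pscustomobject]@{
                            App       = $app
                            Location  = $loc.PSChildName
                            File      = $_.FullName
                            Modified  = $_.LastWriteTime
                            Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                        }
                    }
            }
        }
    }
}

# Default templates named on this page: record hash and last write time for baselining.
$templates = "$env:APPDATA\Microsoft\Templates\Normal.dotm",
             "$env:APPDATA\Microsoft\Excel\XLSTART\PERSONAL.XLSB"
$templateInfo = foreach ($t in $templates) {
    if (Test-Path -LiteralPath $t) {
        Get-Item -LiteralPath $t | Select-Object FullName, LastWriteTime,
            @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName).Hash } }
    }
}

$findings     | Sort-Object Modified -Descending | Format-Table -AutoSize
$templateInfo | Format-Table -AutoSize
```

Unsigned WLL files in a startup folder, or a template whose hash changes without a corresponding user edit, are the entries to review first.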
