If you have a command & control server running a RAT, you should protect this server from detection. This is one of the golden rules of OPSEC. A lot of content has been shared on this topic lately: researchers are finding command & control servers on the internet, fetching their Stages and analyzing them, and from that they can reconstruct much of the post-exploitation flow. The best example of this is the research on Cobalt Strike. The Stage created by Cobalt Strike contains the parameters used for all post-exploitation, and if you obtain the Stage you can recover almost all of that information.

Setting the host_stage option to false used to degrade the product’s post-ex workflows in a noticeable way. Now, if you set this option to false, you won’t feel an impact once you have initial access. Setting this option to false has a huge OPSEC benefit as it hinders efforts to survey team servers and analyze their payload data.

If you have such concerns, one of the preferred ways is to embed the Stage into your Loader. In some cases, long strings and large arrays cause compiler errors, and even when compilation succeeds it can take a very long time. There are many ways to solve these problems, and one of them is to add the Stage as a Resource of your binary. When your file runs, it reads its own Resource and then does the work you want it to do. For example, you can read the Stage you added as a Resource of an EXE file with the following sample code.

#include <windows.h>

// hModule == NULL: look up the resource in the module that created the process, i.e. the EXE itself.
// The explicit W variants keep the L"..." type argument correct whether or not UNICODE is defined.
HRSRC shellcodeResource = FindResourceW(NULL, MAKEINTRESOURCEW(IDR_RESOURCE_NAME1), L"RESOURCE_NAME");
DWORD shellcodeSize = SizeofResource(NULL, shellcodeResource);
HGLOBAL shellcodeResourceData = LoadResource(NULL, shellcodeResource);

However, the code block provided here is only valid for a sample EXE Loader. One of my personal favorite methods for Initial Access is to send the Loader to the target(s) in the XLL file format.

A file with the XLL file extension is an Excel Add-in file. These files provide a way to use third-party tools and functions in Microsoft Excel that aren’t natively part of the software. Excel Add-in files are similar to DLL files except that they’re built specifically for Excel.

In short, XLL files are DLL files that Excel can load. Since an XLL file is actually a DLL, the Resource you add becomes a Resource of the XLL file, so you need to change the code as in the block below: the Resource we need to read belongs to the loaded XLL module, not to the Excel.exe process that is running the Loader.

#include <windows.h>

// __ImageBase is the linker-provided symbol for the base address of the module this code lives in,
// so casting it to HINSTANCE selects the XLL's own resources rather than those of Excel.exe.
EXTERN_C IMAGE_DOS_HEADER __ImageBase;
HRSRC shellcodeResource = FindResourceW((HINSTANCE)&__ImageBase, MAKEINTRESOURCEW(IDR_RESOURCE_NAME1), L"RESOURCE_NAME");
DWORD shellcodeSize = SizeofResource((HINSTANCE)&__ImageBase, shellcodeResource);
HGLOBAL shellcodeResourceData = LoadResource((HINSTANCE)&__ImageBase, shellcodeResource);

Pro Tip

Below is a YARA rule that contains the commonly used detection logic for XLL files.

import "pe"

rule susp_msoffice_addins_wxll {
meta:
 author = "SBousseaden"
 date = "11/10/2020"
 description = "hunt for suspicious MS Office Addins with code injection capabilities"
 reference = "https://twitter.com/JohnLaTwC/status/1315287078855352326"
strings:
 $inj1 = "WriteProcessMemory"
 $inj2 = "NtWriteVirtualMemory"
 $inj3 = "RtlMoveMemory"
 $inj4 = "VirtualAllocEx"
 $inj5 = "NtAllocateVirtualMemory" 
 $inj6 = "NtUnmapViewOfSection"
 $inj7 = "VirtualProtect"
 $inj8 = "NtProtectVirtualMemory"
 $inj9 = "SetThreadContext"
 $inj10 = "NtSetContextThread"
 $inj11 = "ResumeThread"
 $inj12 = "NtResumeThread"
 $inj13 = "QueueUserAPC"
 $inj14 = "NtQueueApcThread"
 $inj15 = "NtQueueApcThreadEx"
 $inj16 = "CreateRemoteThread"
 $inj17 = "NtCreateThreadEx"
 $inj18 = "RtlCreateUserThread"
condition: uint16(0) == 0x5a4d and (pe.exports("wlAutoOpen") or pe.exports("xlAutoOpen")) and 3 of ($inj*)
}

If you look closely, the rule checks whether the file's export table contains wlAutoOpen or xlAutoOpen. This is a situation I encounter in many red team operations. Many EPPs only look at the Export section when examining XLL files and classify them as malicious simply because the xlAutoOpen export is present. Keep this in mind; it is better to use XLL files only if you know what EPP technology your target is using. That is why the information gathering phase is one of the key points of any red team operation. ;)
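To make the rule's logic concrete from the defender's side, here is an added example that is not part of the original post and not SBousseaden's code: a dependency-free Python re-implementation of exactly what the rule keys on (the MZ magic, an xlAutoOpen/wlAutoOpen export, and at least three distinct injection-related API name strings anywhere in the file). It includes a tiny PE32+ export-table parser so it needs no pefile, and build_sample_pe() constructs synthetic, non-loadable PE files purely as labelled test input. The checks run on the raw file bytes only, so they match YARA's substring string semantics, not imports or behaviour.

```python
import struct

# The 18 API names the rule's $inj1..$inj18 strings match (plain ASCII substrings).
INJECTION_APIS = [
    "WriteProcessMemory", "NtWriteVirtualMemory", "RtlMoveMemory", "VirtualAllocEx",
    "NtAllocateVirtualMemory", "NtUnmapViewOfSection", "VirtualProtect",
    "NtProtectVirtualMemory", "SetThreadContext", "NtSetContextThread", "ResumeThread",
    "NtResumeThread", "QueueUserAPC", "NtQueueApcThread", "NtQueueApcThreadEx",
    "CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
]
# Export names the rule's condition tests with pe.exports().
ADDIN_EXPORTS = {"wlAutoOpen", "xlAutoOpen"}


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def _cstr(b, o):
    return b[o:b.index(b"\0", o)].decode("ascii", "replace")


def pe_exports(data):
    """Return the export names of a PE file, or [] if it is not a PE or exports nothing."""
    if len(data) < 0x40 or data[:2] != b"MZ":          # uint16(0) == 0x5a4d
        return []
    pe = _u32(data, 0x3C)                               # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return []
    nsec, opt_size = _u16(data, pe + 6), _u16(data, pe + 20)
    opt = pe + 24
    dd_off = opt + (112 if _u16(data, opt) == 0x20B else 96)   # DataDirectory[0] = exports
    export_rva = _u32(data, dd_off)
    if export_rva == 0:
        return []
    # Section table gives the RVA -> file offset mapping.
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        sections.append((_u32(data, s + 12), _u32(data, s + 16), _u32(data, s + 20)))

    def rva2off(rva):
        for va, size, ptr in sections:
            if va <= rva < va + size:
                return rva - va + ptr
        raise ValueError("RVA outside all sections")

    ed = rva2off(export_rva)
    n_names, names_off = _u32(data, ed + 24), rva2off(_u32(data, ed + 32))
    return [_cstr(data, rva2off(_u32(data, names_off + 4 * i))) for i in range(n_names)]


def injection_api_hits(data):
    """Distinct $inj* strings present in the file body (YARA substring semantics)."""
    return [api for api in INJECTION_APIS if api.encode() in data]


def is_suspicious_addin(data):
    """Mirror of the rule condition: MZ, add-in export, and 3 of ($inj*)."""
    return bool(set(pe_exports(data)) & ADDIN_EXPORTS) and len(injection_api_hits(data)) >= 3


def build_sample_pe(export_names, body_strings=()):
    """Constructed test input: a minimal, non-loadable PE32+ with one section holding an export table."""
    sec_rva, sec_off, n = 0x1000, 0x400, len(export_names)
    names_arr, rva = b"", sec_rva + 40 + 4 * n          # name strings follow the RVA array
    for s in export_names:
        names_arr += struct.pack("<I", rva)
        rva += len(s) + 1
    strtab = b"".join(s.encode() + b"\0" for s in list(export_names) + list(body_strings))
    edir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, 0, sec_rva + 40, 0)
    section = edir + names_arr + strtab
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<II", opt, 112, sec_rva, len(section))
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x2022)
    sec_hdr = b".edata".ljust(8, b"\0") + struct.pack("<IIII", len(section), sec_rva, len(section), sec_off) + bytes(16)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdr).ljust(sec_off, b"\0") + section
```

Feeding build_sample_pe(["xlAutoOpen"], ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"]) to is_suspicious_addin() returns True, while the same exports with only benign strings return False: the export alone is not enough for this rule, which is exactly the difference between it and the EPPs described above that stop at the Export section.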

Happy hunting!
