Hello, I'm Didier Stevens and I'm providing a training, Attacking with Excel. In this training, as penetration testers or hackers, we will put ourselves in a restricted environment so that we can learn new skills. We are going to put ourselves in an environment where we can only execute VBA, and in our case that will be Excel. So let's see what we can do with that.

So we have our network spreadsheet. We can do several things with this spreadsheet, like a ping to these IP addresses and domains. So here we see we get the result with 100 milliseconds, and here we get a timeout. Now all of this is done from Excel. It's not that the ping command is launched in the background; all of this is done in the single process of Excel. We can also do a port scan, like this, the IP address and the ports we want to scan. Again, this is being done from memory, and we see which ports are open and which not.

We also have a task manager. This task manager can list all the processes running on the machine, and it can also suspend, resume, kill processes and even inject shellcode. Here is a shellcode that can be injected. This is an exit process shellcode, 32-bit, the same but 64-bit, and this is a message box 32-bit shellcode that we will use here. So let's start the process here, calculator. We list the processes and we see calc running here. And now I will do an execute of shellcode mba32, the message box 32, and I execute the command. And now here you can see calculator with the message box appearing, "hello from injected shellcode". So we just injected shellcode in the calculator process from Excel. Let's close this.

Then we have a file container. This allows us to drop and load files into Excel spreadsheets. So for example, we have here in documents a secret file. We want to exfiltrate, and instead of just exfiltrating the file, we will do this via Excel. We are going to encode the file with keyword secret. We add the file, we select it, secret, and then it is added here, and you see the file name, MD5 hash, and then the hex and the ASCII dump of that file. So you can no longer see here the secret. If we don't encode it and we add it like this, then you can read the message here.

Now that is one thing, exfiltrating with the file container. It can also load DLLs from memory into memory. So here I have my command spreadsheet. When you run this, it will execute shellcode that runs command interpreter from ReactOS that I adapted. This is all in memory. It has several options like this DLL option. DLL can load DLLs even from memory. And here we are going to take the regedit DLL that I took, that I created. So here is the DLL. You can see here the MZ, and "This program cannot be run in DOS mode". And now we will inject this into the memory of Excel, like this, inject process files. This will take a couple of seconds. Okay, so now from the spreadsheet it has been loaded into the process memory of Excel, and this is the address at which it has been downloaded. And now I can go to my command interpreter here and type DLL to load the DLL with the address, which is 3DZ, sorry 3DE000, like this. And then you have regedit in memory running. So it's not a separate process. This is regedit running in memory. So let's close this.

And the last example, again file container, with Mimikatz. So I have the Mimikatz zip file here, and I'm going to show you how you can drop files. So we save it, process file. We are going to store it here in documents folder. It's a zip file. Okay, the file has been saved. And now if we go to documents we can indeed see here the zip file with Mimikatz.