Find-TrustedDocuments.ps1
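function Find-TrustedDocuments
{
<#
.SYNOPSIS
Lists the Excel trusted locations and trusted documents recorded in the current user's registry hive.
Function: Find-TrustedDocuments
Author: Jeff McCutchan, Twitter: @jamcut
Required Dependencies: None
Optional Dependencies: None
Version: 0.1
.DESCRIPTION
This script is used to enumerate trusted documents and trusted locations for Microsoft Office. Currently, the script only supports Excel enumeration.
Only HKCU is read, and only the Office 11.0, 12.0, 14.0 and 15.0 keys are checked, so an empty result does not show that other Office versions or other user profiles have no trusted documents.
.EXAMPLE
Find-TrustedDocuments
Enumerates trusted documents and trusted locations from the registry.
.NOTES
This script is useful for identifying which documents have been trusted by the user already. The attacker can manually download the document and modify the macro.
When uploaded to the original locations (thus overwriting the original document) the modified macro will continue to execute without prompting the user.
For defenders, the same output is an inventory of the files and folders from which macros run without a prompt: write access to them should be limited to trusted principals, and an unexpected modification of a listed document is worth alerting on.
.LINK
https://github.com/jamcut/one-offs/blob/master/Find-TrustedDocuments.ps1
#>
    # Per-version Excel security keys to probe (current user only).
    $BASE_EXCEL_REG_LOCATIONS = @(
        "HKCU:\Software\Microsoft\Office\11.0\Excel\Security",
        "HKCU:\Software\Microsoft\Office\12.0\Excel\Security",
        "HKCU:\Software\Microsoft\Office\14.0\Excel\Security",
        "HKCU:\Software\Microsoft\Office\15.0\Excel\Security"
    )
    $verified_excel_base_reg_locations = @()
    $trusted_excel_documents = @()

    # Keep only the security keys that exist on this machine.
    foreach ($location in $BASE_EXCEL_REG_LOCATIONS) {
        if (Test-Path -Path $location) {
            $verified_excel_base_reg_locations += $location
        }
    }

    if ($verified_excel_base_reg_locations.Length -eq 0) {
        Write-Output "[*] No trusted document locations found"
    }
    else {
        Write-Output "[+] Trusted Document Locations for Excel"
        foreach ($base_excel_reg_location in $verified_excel_base_reg_locations) {
            $trusted_location_root = $base_excel_reg_location + "\Trusted Locations"

            # The Security key can exist without a "Trusted Locations" subkey;
            # skip it instead of letting Get-ChildItem raise a path-not-found error.
            if (-not (Test-Path -Path $trusted_location_root)) {
                continue
            }

            # Each child key describes one trusted location; its Path value is printed.
            foreach ($location_key in (Get-ChildItem -Path $trusted_location_root)) {
                $complete_reg_path = $trusted_location_root + "\" + $location_key.PSChildName
                $location_props = Get-ItemProperty -Path $complete_reg_path
                Write-Output $location_props.Path
            }
        }
    }

    # Enumerate registry to identify documents that have previously been trusted.
    foreach ($valid_location in $verified_excel_base_reg_locations) {
        $trusted_documents_root = $valid_location + "\Trusted Documents"
        if (-not (Test-Path -Path $trusted_documents_root)) {
            continue
        }

        foreach ($record_key in (Get-ChildItem -Path $trusted_documents_root)) {
            # Every value name under the child key is treated as one document path
            # (as the original code did). Expanding them one at a time keeps several
            # entries from being joined into a single space-separated string, and
            # avoids passing $null to ExpandEnvironmentVariables when a key is empty.
            foreach ($value_name in $record_key.Property) {
                if ([string]::IsNullOrEmpty($value_name)) {
                    continue
                }
                $trusted_excel_documents += [System.Environment]::ExpandEnvironmentVariables($value_name)
            }
        }
    }

    if ($trusted_excel_documents.Length -eq 0) {
        Write-Output "`n[*] No trusted documents found"
    }
    else {
        Write-Output "`n[+] Trusted documents:"
        foreach ($doc in $trusted_excel_documents) {
            Write-Output $doc"`n"
        }
    }
    Write-Output "`n"
}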