danielwolfmann / Invoke-WordThief

This script runs a multithreaded module that connects to a remote TCP server, monitors active (open) Microsoft Word documents (.doc, .docx, etc.) and extracts their text using the Word application's COM object. The script adds an HKCU registry Run key (no admin rights needed), so the script runs persistently.


Special Thanks

How To Use

# Run attacker's log server with Python 3
python ./logger.py -h

# Run Powershell in Windows machine, show module help info and examples
PS> Import-Module .\Invoke-WordThief.ps1
PS> help Invoke-WordThief
PS> help Invoke-WordThief -Examples

Research Overview

At the beginning, I wasn't sure how I should extract text from active Word processes. I searched a bit online, but I quickly figured out it isn't much of a legit action to do, so I didn't find much.
I started by analysing WINWORD.EXE processes with SysInternals tools like ProcMon and Process Explorer, but those didn't fit this specific task.
I kept digging through the internet until I encountered COM objects.
With some reading, I figured out some core methods I can use to get a handle on active documents in Microsoft Office, for example GetActiveObject() and the Document interface in the Office API.
From there, the development went straightforward. I decided to get along with the victim's environment (living-off-the-land style), so I built a PowerShell multi-job script, meaning a background job for each opened document. I chose PowerShell because every Windows 10 machine has the engine built in, and accessing the .NET API is pretty comfortable.
Alongside the PowerShell tool, there is a Python listener that receives the text and pipes it to local files on the attacker's machine.
This tool was fun to build, and I hope I'll find the time to create more tools like it, because I can find a use for it in many situations in Red Team operations.
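The HKCU Run key persistence described above is easy to audit from the defender's side. The following PowerShell is an added example, not part of Invoke-WordThief: it lists values in the current user's Run key that launch PowerShell with a .ps1 script or with the hidden/no-profile/bypass switches typically used for autorun scripts. The detection patterns are assumptions chosen for illustration, not taken from the project.

```powershell
# Added example (not Invoke-WordThief code): audit the current user's Run key,
# the persistence location this README describes. No admin rights are needed
# to read HKCU. Run from an interactive PowerShell session.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function Get-SuspiciousRunEntries {
    param([string]$Path = $runKey)

    if (-not (Test-Path -Path $Path)) { return @() }

    $item = Get-Item -Path $Path
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)

        # Heuristics (assumed for this example): the command launches
        # powershell.exe/pwsh.exe AND either references a .ps1 script or uses
        # switches commonly paired with hidden autorun scripts.
        $launchesPs = $cmd -match '(?i)\b(powershell|pwsh)(\.exe)?\b'
        $hasScript  = $cmd -match '(?i)\.ps1\b'
        $hasFlags   = $cmd -match '(?i)-(enc(odedcommand)?|nop(rofile)?|w(indowstyle)?\s+hidden|ep|exec(utionpolicy)?)\b'

        if ($launchesPs -and ($hasScript -or $hasFlags)) {
            [pscustomobject]@{
                Name    = $name
                Command = $cmd
                Reasons = @(
                    if ($hasScript) { 'references .ps1 script' }
                    if ($hasFlags)  { 'hidden/bypass/encoded switches' }
                ) -join ', '
            }
        }
    }
}

# Print any matches; an empty result means no PowerShell autoruns were found
# in this user's Run key.
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

For host-wide coverage, run the same function against each loaded user hive (HKU:\<SID>\Software\...\Run), since the Run key is per user and this tool only writes to the hive of the user it runs as.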


Languages

PowerShell 76.7%, Python 23.3%