{
	"id": "768b0165-de97-4af2-b91f-ee5c44679346",
	"created_at": "2026-04-06T00:17:26.623009Z",
	"updated_at": "2026-04-10T03:20:05.839723Z",
	"deleted_at": null,
	"sha1_hash": "be7656be97b8f5f002e5989c8ab3d932bad64e0c",
	"title": "Beyond good ol’ Run key, Part 62",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 138707,
	"plain_text": "Beyond good ol’ Run key, Part 62\r\nPublished: 2017-04-19 · Archived: 2026-04-05 18:20:25 UTC\r\nUpdate\r\nThis is not an RCE. If it was, I would not publish it on this blog 🙂\r\nTurns out “Simpsons already did it” and as pointed out by @arekfurt a normal template-based persistence is\r\nalready implemented in EmpireProject and is based on awesome work of @enigma0x3. Interestingly, enabling\r\nmacros is not needed to deliver the same functionality (as explained below).\r\nDropping any macro sheet inside the XLSTART folder and opening it from there will not show the macro warning\r\n🙂\r\nOld Post\r\nEvery once in a while we come across weird things that we not only discover accidentally, but are finding hard to\r\nunderstand. Today I was playing around with Word Macros and to my surprise I was able to accidentally run one,\r\nwhile my Macro Options were set to Disable all macros with notification.\r\nIntrigued, I quickly realized that\r\ninstead of adding it to a test word document, I accidentally added it to the normal template file.\r\nCould it be… ?\r\nI rushed to add the AutoOpen macro to the normal template that will launch the Calculator anytime the template is\r\nused:\r\nNow I only needed to open some word\r\ndocument…\r\nhttp://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/\r\nPage 1 of 3\n\nHow nice!\r\nInterestingly, the Security Warning appears ONLY after I visit options while the document is open.\r\nSwap calculator with\r\nanything else, and a new stealth persistence mechanism is born…\r\nNow, what about Excel?\r\nExcel doesn’t have the Normal template equivalent by default, but you can add one. To do so, you just need to\r\nrecord any macro named Auto_Open and store it inside a personal template (by choosing ‘Store macro in Personal\r\nMacro Workbook‘):\r\nhttp://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/\r\nPage 2 of 3\n\n(alternatively, you can create a personal template directly on the system by placing a prepared XLSB file in a\r\nfollowing location: c:\\Users\\\u003cUSER\u003e\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB)\r\nThen switch to the macro editor, and write the code as below:\r\nThis will ensure the Calculator will be executed anytime someone opens Excel, even if the macros are *cough*\r\n*cough* disabled…\r\nSource: http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/\r\nhttp://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/"
	],
	"report_names": [
		"beyond-good-ol-run-key-part-62"
	],
	"threat_actors": [],
	"ts_created_at": 1775434646,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be7656be97b8f5f002e5989c8ab3d932bad64e0c.pdf",
		"text": "https://archive.orkl.eu/be7656be97b8f5f002e5989c8ab3d932bad64e0c.txt",
		"img": "https://archive.orkl.eu/be7656be97b8f5f002e5989c8ab3d932bad64e0c.jpg"
	}
}