Projects with this topic
Abusing Microsoft Office Macros for Client-Side Code Execution (Educational Lab)
This project demonstrates a controlled and educational lab environment for studying client-side attacks through Microsoft Word macro execution.
The lab simulates a realistic phishing scenario where a macro-enabled Word document (.docm) executes predefined VBA actions upon user interaction (e.g., “Enable Content”).
The purpose of this repository is to help students understand:
How macro-based attacks work
How client-side execution chains operate
How organizations can detect and defend against malicious Office documents
Mapping techniques to MITRE ATT&CK
All payloads in this repository are lab-safe and designed strictly for academic use in a controlled, offline testing environment.
This repository includes:
Full lab setup (Kali Linux + Windows 10)
Macro structure & analysis
Documentation (OSCP-style report)
MITRE ATT&CK mapping
Demo screenshots & optional video
⚠️ Disclaimer: This project is designed exclusively for educational purposes and must only be executed inside an isolated lab environment. Do not use these techniques on systems where you do not have explicit permission.