Situational awareness and privilege escalation techniques implemented purely in VBA

mgm-sp/MacroMania

MacroMania

MacroMania is a VBA-based security auditing toolkit that runs directly inside Microsoft Excel. It was created out of the need to perform situational awareness and privilege escalation checks in a hardened Windows environment where common techniques like PowerShell, CMD, or LOLBAS were not available.
Additionally, a simple command-line interface (named VBAShell) was built using a VBA UserForm, enabling basic file operations, system queries, and program execution entirely within VBA.

More information can be found in our blog post.

Usage

Steps

  1. Open Excel
    Start Excel with a blank workbook.
  2. Open the VBA Editor
    Press ALT + F11 to launch the VBA editor.
  3. Import the modules
    • Option 1: drag & drop the files (except the .frx) into the editor
    • Option 2: In the editor: right-click "VBAProject" → "Import File..."
      Select the modules one by one.
  4. Run the audit/shell
    • Open the Immediate Window with CTRL + G (optional but recommended)
    • Press F5 or go to Run → Run Sub/UserForm... and select RunMacroMania or StartShell.

Features

MacroMania implements a set of audit checks inspired by WinPEAS, but fully rewritten in pure VBA. All checks rely only on Windows APIs or WMI moniker queries, making them usable even in highly restricted environments. Output is written both to the Immediate Window (for quick checks during execution) and to dedicated Excel worksheets (for structured analysis and documentation).
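To illustrate the approach described above, the following added example (not MacroMania's own code) shows how one of the listed checks, unquoted service paths, can be written with nothing but a WMI moniker query, writing to both the Immediate Window and a new worksheet. The procedure and function names are hypothetical, and the path parsing assumes the service binary ends in ".exe".

```vba
Option Explicit

' Added example, not part of MacroMania. Audits Win32_Service for binary
' paths that contain a space but are not wrapped in quotes.
Public Sub ReportUnquotedServicePaths()
    Dim wmi As Object, svc As Object, ws As Worksheet
    Dim exePath As String, r As Long

    ' WMI moniker: no PowerShell, cmd.exe or external binaries involved
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    Set ws = ThisWorkbook.Worksheets.Add
    ws.Range("A1:D1").Value = Array("Service", "StartMode", "RunsAs", "PathName")
    r = 2

    For Each svc In wmi.ExecQuery( _
        "SELECT Name, StartMode, StartName, PathName FROM Win32_Service")
        If Not IsNull(svc.PathName) Then
            If IsUnquotedWithSpace(CStr(svc.PathName), exePath) Then
                Debug.Print svc.Name & " -> " & svc.PathName
                ws.Cells(r, 1).Value = svc.Name
                ws.Cells(r, 2).Value = svc.StartMode & ""
                ws.Cells(r, 3).Value = svc.StartName & ""   ' may be Null
                ws.Cells(r, 4).Value = svc.PathName
                r = r + 1
            End If
        End If
    Next svc
    Debug.Print (r - 2) & " service(s) with unquoted paths containing spaces"
End Sub

' Returns True when the executable part of pathName contains a space and
' the path does not start with a quote. exePath receives the part examined.
Private Function IsUnquotedWithSpace(ByVal pathName As String, _
                                     ByRef exePath As String) As Boolean
    Dim p As Long
    pathName = Trim$(pathName)
    If Left$(pathName, 1) = """" Then Exit Function   ' already quoted
    ' Arguments after the binary may legitimately contain spaces, so only
    ' the portion up to and including ".exe" is inspected.
    p = InStr(1, pathName, ".exe", vbTextCompare)
    If p > 0 Then exePath = Left$(pathName, p + 3) Else exePath = pathName
    IsUnquotedWithSpace = (InStr(exePath, " ") > 0)
End Function
```

Each reported service is remediated by wrapping the executable path in its ImagePath registry value in double quotes.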

Currently implemented checks include:

General information

  • System information
  • Network adapters and configuration
  • Installed security updates (KBs) & Windows Update history
  • Disks and network shares
  • Installed antivirus / endpoint products
  • Environment variables
  • Local users and local groups

Registry & configuration checks

  • Audit / logging configuration
  • Windows Event Forwarding settings
  • LAPS status
  • WDigest, LSA protection, Credential Guard status
  • WinLogon stored credentials
  • RDCMan / RDP saved connections
  • PuTTY stored credentials & known hosts
  • OpenSSH keys
  • WinVNC, TightVNC, SNMP stored passwords
  • UAC settings
  • Recently run commands (WIN+R)
  • AlwaysInstallElevated policy
  • PowerShell configuration (version, execution policy)
    • PowerShell registry transcript
    • Module logging
    • Script block logging
  • WSUS configuration (HTTP usage check)
  • Internet / IE settings

Privilege‑escalation checks

  • Running processes and user permissions
  • Vulnerable service binaries & service registry permissions
  • Unquoted service paths
  • Scheduled tasks
  • Installed applications

Policy output

  • AppLocker policy and enforcement status

VBAShell

Includes a lightweight command-line shell that allows you to execute basic file system commands (such as dir, cd, mkdir, and del), system queries (such as whoami, tasklist, and printenv), and even run programs (exec) directly within VBA scripts—entirely without relying on external tools, using only the Office object model and WMI.

Contributing

Contributions, issues and feature requests are welcome. Please open a GitHub issue or submit a pull request.

Advisory

MacroMania is intended for authorized penetration testing and/or educational purposes only. The tool is aimed at security auditors, administrators, and developers who want to assess their environments for potential misconfigurations. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it on your own networks and/or with the network owner's permission.

License

This project is licensed under the GPLv3 License.
