Attachments: Macros

Macros are series of instructions to automate tasks, it's a scripting language that help adversaries to automate various attacks

Let me explain a little on Macros, they are a series of commands and instructions that you group together as a single command to accomplish a task automatically. Versions of Windows 2007 and newer, to save tasks you do often you can bundle them into a macro.

These macros also help red teamers to execute code or to accomplish a command since this is coming from a legitimate source MS Office these guys pass undetected by Antivirus, but of course nowadays the AV are getting more sophisticated and can actually detect these malicious tasks that macros shouldn't be executing. A way to avoid this is by adding obfuscation onto the file. These can also execute code such as VB (Visual Basic).

Example

In this example I will be using 2 tools the Unicorn tool from Dave Kennedy at TrustedTec and a simple PowerShell Reverse Shell, by combining these tools I will be able to create a Macro Payload that will gain me access to the target machine when executing on the Victim Machine.

Unicorn Menu

From the payloads offered on unicorn I will use the Custom PS1 Attack Example with the Macro included, then from here it will be simple to combine the 2 and create a Macro

A new file will be created (powershell_attack.txt) and when viewing this file we will see the VBA Code created to copy and paste onto our Word Document.

We move to our Sample machine running Windows and Create a New Word Document.

To enable this feature we will need to go to the Options Menu, then the Customize Ribbon and Select the Developer Options. Once from there we can create a macro.

Create a New macro and Name it Auto_Open

On the next windows we will copy the entire code from our powershell_attack.txt file and save it.

We continue and then we will save the file and this is what will need to ba attached and sent onto our Target. Make sure to choose the Macro-Enabled Document

From here we will go back to our attacking machine and start our listener and wait for a shell connection back to our attacking machine. Once the user opens the Document they will receive an Application Error, no worries this behavior is intended making them think that the document is meant for "Older" versions of the file.