Macros

Macro are series of instructions to automate tasks a scripting language helping adversaries to automate various attacks.

Let me explain a little on Macros, they are series of commands and instructions that you group together as a single command to accomplish a task automatically. Versions of Windows 2007 and newer, to save tasks you do often you can bundle them into a macro.

These macros also help red teamers to execute malicious code or accomplish a malicious command since this is coming from a legitimate source MS Office these guys pass undetected by AV's frequently of course nowadays they are getting more sophisticated and can actually detect these malicious tasks that macros shouldn't be executing. A way to avoid this is by adding obfuscation onto the file. These can also execute code such as VB (Visual Basic)

This example will show how we can generate a macro onto a word Document send it to our user victim and gain a shell.

For the time of writing the majority of tools call back using a powershell shell. I will be using NISHANG a very well know pack of tools written in powershell, then I will adapt the attack using TrustedSec tool named Unicorn.

Invoke-PowerShellTcp.ps1

NIshangs Shells

We will need to edit this shell lightly so it can execute its call, to connect back to us will move to the very bottom of the File and edit according to our needs.

With this we will save the file and go towards using unicorn to create a macro and afterwards continue on a Windows machine create a Document with Macro's Enable and get a Shell.

This is the unicorns help menu that demonstrates examples for various attacks as mentioned previously we used files such as HTA that we created with empire.

Unicorn

I will not use any of the offered shells from unicorn I will use a Custom PS1 file and let unicorn format it into a macro capable format unicorn by default only executes powershell callbacks. The following command will do this.

sudo python unicorn.py ~/Documents/payloads/Invoke-PowerShellTcp.ps1 macro

We will copy the contents of the powershell_attack.txt file and continue on to a Windows Machine, on our Windows machine we will open a word Document, move towards our Developer Tab [Needs to be enabled] and Create a Macro with the name of AutoOpen this will help in executing once the file is open.

We can delete all the content that is on the windows and paste our content from the powershell attack file we will save this Document as Macro-Enable then we will close, If you read carefully there is a MsgBox that informs the user that this file is not compatible don't worry this is just a tactic to confuse our user that is opening the file once they close we will get a shell.

From here is a good time to setup our listener on our attacking machine, I used a simple ncat command to listen for the callback, because once the user open's the Document an Error is shown, remember this is all planned, it is meant to happen.

Once the user closes we receive a shell