Generate-Macro: malicious Microsoft Office document with a specified payload & persistence method
SYNOPSIS
Generate-Macro is a standalone PowerShell script that will generate a malicious Microsoft Office document with a specified payload and persistence method.
[!] This script will temporarily disable 2 macro security settings while creating the document. [!] The idea is to generate your malicious document on a development box you OWN and use that document to send to a target.
DESCRIPTION
This script will generate malicious Microsoft Excel Documents that contain VBA macros. This script will prompt you for an IP address and port (you will receive your shell at this address and port) and the name of the malicious document. From there, the script will then prompt you to choose from a menu of different attacks, all with different persistence methods. Once an attack is chosen, it will then prompt you for your payload type. Currently, only HTTP and HTTPS are supported.
When naming the document, do not include a file extension.
These attacks use Invoke-Shellcode, which was created by Matt Graeber. Follow him on Twitter –> @mattifestation
ATTACK TYPES
- Meterpreter Shell with Logon Persistence:
This attack delivers a meterpreter shell and then persists in the registry by creating a hidden .vbs file in C:\Users\Public and then creates a registry key in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load that will execute the .vbs file on login. - Meterpreter Shell with PowerShell Profile Persistence:
This attack requires the target user to have Administrator privileges but is quite creative. It will deliver you a shell and then drop a malicious .vbs file in C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\cookie.vbs. Once dropped, it creates an infected PowerShell Profile file in C:\Windows\SysNative\WindowsPowerShell\v1.0\ and then creates a registry key in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load that will execute Powershell.exe on startup. Since the PowerShell profile loads automatically when Powershell.exe is invoked, your code is executed automatically. - Meterpreter Shell with Alternate Data Stream Persistence:
This attack will give you a shell and then persists by creating 2 alternate data streams attached to the AppData folder. It then creates a registry key that parses the Alternate Data Streams and runs the Base64 encoded payload. - Meterpreter Shell with Scheduled Task Persistence:
This attack will give you a shell and then persist by creating a scheduled task with the action set to the set payload.
Download
git clone https://github.com/enigma0x3/Generate-Macro.git
Usage
Coded by Matt Nelson (@enigma0x3)
Source: https://github.com/enigma0x3/