luckystrike: PowerShell based utility for the creation of malicious Office macro documents
luckystrike
a PowerShell based generator of malicious .xls documents (soon to be .doc). All your payloads are saved into a database for easy retrieval & embedding into a new or existing document. Luckystrike provides you several infection methods designed to get your payloads to execute without tripping AV. See the “Installation” section below for instructions on getting started.
Infection Types
- PAYLOAD TYPE: Shell Command
- Infection Type: Shell Command:
- What you see above. Simply uses Wscript.Shell to fire a command. Shell commands run via powershell or cmd.exe do not pop a command window in the user’s view. More likely to get caught by AV.
- Infection Type: Metadata
- Embeds the payload into the file’s metadata, specifically the Subject field. A one-liner method is fired in the macro to execute whatever is in the metadata. Very low detection rate!
- Infection Type: Shell Command:
- PAYLOAD TYPE: PowerShell Script. [Note: ALL .ps1 files that you save as payloads must be non-encoded! Luckystrike will b64 encode where necessary)
- Infection Type: CellEmbed.
- Your “go to” for firing .ps1 scripts. Embeds a base64 encoded ps1 script into cells broken up into chunks. A Legend string is associated with the payload so it can be reconstructed at runtime. The payload can exist anywhere on the workable sheet, but will start, at minimum, Column 150 & Row 100. The base64 payload is saved to disk in C:\users\userid\AppData\Roaming\Microsoft\AddIns as a .txt file. The macro reads in the text file then fires with powershell.
- Infection Type: CellEmbedNonBase64
- Embedding is the same as #1 above, but is not base64 encoded. The script is read directly from the cell and fired via powershell. Never touches disk. Recommended!
- Infection Type: CellEmbed-Encrypted
- Personal favorite. When choosing this, you will be prompted for your target’s email domain name. Example, if your target is bob@evilcorp.com, then you would use “evilcorp.com” (no quotes) as that string, even if it’s different than their main web url! The reason for this is luckystrike will RC4 encrypt the ps1 file (with the email domain as the key) prior to embedding. The macro code will then retrieve the user’s email address from Active Directory, split the string, and decrypt the payload prior to running. If an AV vendor gets ahold of the payload, they won’t be able to decrypt & run. MUAHAHAHA
- Infection Type: CellEmbed.
- PAYLOAD TYPE: Executable
- Infection Type: Certutil.
- Based on @mattifestation’s excellent work (here), this attack embeds a base64 encoded binary into cells, then saves it as a .txt file to disk, using certutil to decode the payload & save as an .exe. Exe is then fired.
- Infection Type: Save To Disk
- What you’d think. Exe is saved to disk then fired. Straightforward
- Infection Type: ReflectivePE
- Naughty! Both the .exe and a copy of Invoke-ReflectivePEInjection (here) are saved to disk as txt files. Exe is then fired using Invoke-ReflectivePEInjection. Be sure to test this one! Very important to know the architecture of your target vs the payload you’re using. Additionally, I recommend testing your .exe with Invoke-ReflectivePEInjection prior to embedding as if your .exe is not ASLR/DEP compliant, the attack will not work (I’m not using -ForceASLR). On the positive side, only .txt files are written to %APPDATA%, so those relying on simply blocking execution from appdata are out of luck!
- Infection Type: Certutil.
Getting Started
- Read this
- Read the wiki!
- Make sure you are on a Win7-10 machine (32 or 64bit).
- You must be running a current version of PowerShell (v5+).
- You must have Microsoft Excel installed (I did my testing in 2013).
- From an ADMINISTRATIVE PowerShell prompt, run the following command. A luckystrike folder will be created for you.
iex (new-object net.webclient).downloadstring('https://git.io/v7kbp')- Run .\luckystrike\luckystrike.ps1 (also as an administrator).
Download
Source: https://github.com/curi0usJack/
