Custom Undetectable Macro Development

Scenario

In the following lab, you will learn how to generate custom undetectable Microsoft Office macros through the use of a toolkit called MacroPack.

MacroPack is an open source toolkit used by penetration testers and red teamers to automate the generation and obfuscation of malicious Microsoft Office documents.

Goals

  • Learn how to use MacroPack to generate MS Office macros.

  • Develop a custom macro-based attack and the accompanying payloads.

  • Evade any A/V or IDS in place.

What you will learn

Your goal is to develop a custom macro-based attack (and the accompanying payloads), to compromise a target without being detected.

In this lab we will explore various MS Office macro attack techniques, ranging from executing MSF payloads to using file droppers to facilitate the attack.

Note: This lab focuses entirely on tooling and techniques; generating undetectable macros requires a lot of research and trial and error. You can therefore take what you learn here, perform your own tests and come up with your own initial access strategy.

Tasks are meant for educational purposes and to show you the usage of different tools and different methods to achieve the same goal.

They are not meant to be used as a methodology.

Armed with the skills acquired through the tasks, you can achieve the lab goal.

If this is the first time doing this lab, we advise you to follow these tasks.

  • Microsoft Office

  • MacroPack

Note: This lab provides you with a pre-configured Windows Attack Box with AV disabled as we will be using it to generate our malicious macros. You will also be provided with access to a Windows Target system to facilitate and test your custom macros.

Lab Access

In this lab you will be provided with access to 2 Windows systems, an Attacker system and a Target. By default, you have RDP access to the Attacker system, and you can also reach the Windows Target via RDP.

  • Windows Target - 10.100.11.128

You can access the Target Windows system via RDP using the following credentials: Administrator/abc_123321!@#

Tasks

Task 1: Learn how to use MacroPack to generate a custom macro

To begin with, you will need to learn how to use MacroPack and get an understanding of some of the most important features it offers.

The MacroPack Windows executable has been saved on the Desktop of the Attacker System in a folder called macro_pack.

You can learn more about MacroPack by visiting the following link: https://github.com/sevagas/macro_pack

To get started, we can execute macro_pack.exe by launching a command line terminal and navigating to the directory where it is stored:

We can execute macro_pack.exe and display the tool's help menu by running the following command in the command line:

As shown in the following screenshot, this command will display a list of useful commands that can be used with macro_pack.exe.

If this is your first time using MacroPack, please pay close attention to the tool's syntax from the usage examples listed.

Now that we have verified that MacroPack is working as intended, we can move on to the next step and generate our very first macro!

Task 2: Generate a custom macro that performs arbitrary command execution

We can get a good understanding of the power and functionality of MacroPack by exploring a few practical examples of how penetration testers and red teamers utilize it to generate custom macros and embed them in MS Office documents.

Before we generate our macro, it is important to understand the various MS Office file formats supported by MacroPack and how they should be specified when generating macros. We can list out the supported MacroPack file formats by running the following command:

As shown in the following screenshot, this will list all the supported MS Office file formats and their file extensions, which correspond directly to the format names you specify when using MacroPack.

The first example we can explore will involve generating a custom MS Word document with a macro that executes some arbitrary Windows native command like the classic calc.exe. This can be done by running the following command in the Windows command line:

Before proceeding, let's get a better understanding of the options we specified in the commands and what they are used for.

  1. -t - Specifies the type of payload/template being used; in this case the template type is CMD.

  2. -o - This enables VBA code obfuscation.

  3. -G - Specifies the name and type of the output file; in this case the output file is "test.doc".

As shown in the following screenshot, this will initiate the process of generating the MS Word document and will also perform automatic obfuscation and injection of the VBA code/macro for purposes of evading detection.

After MacroPack has generated your document with the custom macro, it will display the path to where the document is stored.

We can verify the efficacy of the macro by navigating to where it is stored and launching it.

Opening the MS Word document will prompt users to enable the execution of the macro injected in the document. Click on the "Enable Content" button to execute the macro.

Enabling the execution of the macro will result in calc.exe being executed prompting you with a calculator as shown in the following screenshot.

Excellent, we have been able to generate an MS Word document with a custom macro. Although the macro is non-malicious in nature, this verifies that MacroPack is functional. This testing process is the cornerstone of Resource Development when performing red team operations.

Task 3: Generate a custom Meterpreter reverse shell macro

In the previous task, we took a look at how to generate a simple macro that launched calc.exe where we utilized the CMD payload template.

MacroPack has various other payload templates that can be used when generating custom macros.

We can list these templates by running the following command:

As shown in the preceding screenshot, MacroPack provides you with various payload templates for a plethora of use cases and deployments and also supports the ability to inject and embed Meterpreter payloads, EXEs and DLLs.

For this example, we can generate and inject a Meterpreter reverse shell payload into an MS Word document with MacroPack.

The Windows Attacker System comes pre-packaged with the Metasploit Framework and all required dependencies to run the framework without issues.

We can get started by generating the reverse shell payload with Msfvenom and piping the output to macro_pack.exe. This can be done by running the following command:

As shown in the following screenshot, MacroPack generates the custom MS Word document successfully and displays the path to where the document is stored.

The next step will involve setting up a reverse shell handler with Msfconsole. This can be done by opening a new command line terminal with Administrator privileges and running the following command:

We can now transfer the custom malicious MS Word document we generated with MacroPack to the Target; we will accomplish this by hosting it on a web server running on the Attacker System. This can be done by navigating to the directory where the document is stored and running the following command:

Now that we have our web server and listener set up, we can switch over to the Target system, launch Firefox and navigate to the IP of the Attacker system that has the web server running.

You will then need to download the resume.doc file being hosted as shown in the following screenshot.

After downloading the document, you can now launch it and enable the execution of the macro contained within the document.

After executing the macro contained within the document, you should receive a meterpreter session on your listener.

Task 4: Using a dropper to orchestrate your macro attacks

When performing a social engineering attack it is very important to consider AV evasion. As a result, it is always recommended to avoid using popular payloads and stagers (MSF & Empire) when generating malicious MS Office documents.

MacroPack provides the ability to download and drop your own malicious payload in the event you do not want to use MSF or Empire.

Using this technique, you can generate, obfuscate and pack your payload in order to evade AV detection, host it on a web server and let the dropper download and execute it.

In this case, I have generated a custom obfuscated reverse shell payload called update.exe and have saved it in the directory where macro_pack.exe is located.

After generating your own payload, you will need to host it on a web server. This can easily be done by running the following command:

We can now generate our malicious MS Office dropper document that will download and execute our custom payload. This can be done by running the following command:

You can now transfer the MS Excel workbook you generated to the Target system. After which, you will need to open it and enable macros; the payload is then downloaded from the server and executed, providing you with a reverse shell.
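All three chains in this lab (calc.exe from the CMD template, the Meterpreter macro, and the Excel dropper that fetches update.exe) share one observable on the Target: an Office process creating a child process. The following Python triages Sysmon-style process-creation events for that lineage; it is an added example, not part of the lab or of MacroPack, and the field names (ParentImage, Image, CommandLine), hostnames and paths are assumptions with constructed sample events.

```python
# Added example, not from the lab or MacroPack: flag Office-spawned child processes
# in process-creation events (Sysmon Event ID 1 style fields, assumed).
import json
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts and LOLBins a macro commonly uses as its first hop.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# A child started from a user-writable path is the dropper pattern of Task 4.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")


def classify(event):
    """Return a finding label for one event, or None if the parent is not an Office app."""
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    child = PureWindowsPath(event["Image"]).name.lower()
    if parent not in OFFICE_APPS:
        return None
    if child in SCRIPT_HOSTS:
        return "office-spawned-script-host"
    if any(marker in event["Image"].lower() for marker in USER_WRITABLE):
        return "office-spawned-user-writable-binary"
    # Even a signed system binary (the lab's calc.exe) deserves a look under Office.
    return "office-spawned-child"


def triage(log_lines):
    """Run classify() over JSON-lines events; return (label, image) for every hit."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        label = classify(event)
        if label is not None:
            hits.append((label, event["Image"]))
    return hits


# Constructed sample events (hypothetical user and paths, not captured from the lab).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"


def _event(parent, image, cmdline):
    return json.dumps({"ParentImage": parent, "Image": image, "CommandLine": cmdline})


SAMPLE_LOG = [
    _event(OFFICE + r"\WINWORD.EXE", r"C:\Windows\System32\calc.exe", "calc.exe"),
    _event(r"C:\Windows\explorer.exe", OFFICE + r"\WINWORD.EXE", "WINWORD.EXE resume.doc"),
    _event(OFFICE + r"\EXCEL.EXE", r"C:\Users\bob\AppData\Local\Temp\update.exe", "update.exe"),
    _event(OFFICE + r"\WINWORD.EXE", r"C:\Windows\System32\cmd.exe", "cmd /c calc"),
]

if __name__ == "__main__":
    for label, image in triage(SAMPLE_LOG):
        print(f"{label}: {image}")
```

The benign WINWORD.EXE launch from explorer.exe is ignored, while the calc.exe, update.exe and cmd.exe children are each labelled, which is the order in which a defender would tune severity.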

In this lab, we have explored the process of how to utilize MacroPack to generate undetectable MS Office macros. Feel free to experiment with the other features and functionality offered by MacroPack.