{"id":13643029,"url":"https://github.com/mgeeky/RobustPentestMacro","last_synced_at":"2025-04-20T21:32:37.581Z","repository":{"id":149787211,"uuid":"101194312","full_name":"mgeeky/RobustPentestMacro","owner":"mgeeky","description":"This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.","archived":false,"fork":false,"pushed_at":"2021-10-24T21:19:36.000Z","size":106,"stargazers_count":142,"open_issues_count":0,"forks_count":46,"subscribers_count":14,"default_branch":"master","last_synced_at":"2024-10-30T00:38:16.234Z","etag":null,"topics":["macro","office","penetration","pentest","testing","vbscript"],"latest_commit_sha":null,"homepage":null,"language":"VBScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mgeeky.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2017-08-23T15:11:03.000Z","updated_at":"2024-10-01T23:18:12.000Z","dependencies_parsed_at":null,"dependency_job_id":"aabdc42f-7870-4c77-8b3a-2149f01af3b0","html_url":"https://github.com/mgeeky/RobustPentestMacro","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FRobustPentestMacro","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FRobustPentestMacro/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FRobustPentestMacro/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mgeeky%2FRobustPentestMacro/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mgeeky","download_url":"https://codeload.github.com/mgeeky/RobustPentestMacro/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223839285,"owners_count":17211906,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["macro","office","penetration","pentest","testing","vbscript"],"created_at":"2024-08-02T01:01:39.966Z","updated_at":"2024-11-09T14:31:27.291Z","avatar_url":"https://github.com/mgeeky.png","language":"VBScript","funding_links":["https://github.com/sponsors/mgeeky"],"categories":["VBScript"],"sub_categories":[],"readme":"## RobustPentestMacro\n\nThis is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques like sandbox evasion, WMI persistence and ~~page substitution~~. Intended to be able to infect both Windows and Mac OS X Office platforms by implementing platform-detection logic.\n\nCreated to make it possible to simply _Paste Payload then Copy \u0026 Paste entire macro_ into a phished document.\n\nFor a list of example macro generation and usage scenarios, one can check out the author's gist here:\n\n[Various-Macro-Based-RCEs.md](https://gist.github.com/mgeeky/9dee0ac86c65cdd9cb5a2f64cef51991)\n\n\n---\n\n### SYNOPSIS:\n\nThis is skeleton code for a malicious macro that could\nbe used during Penetration Testing assignments (or for education\npurposes), in order to embed it within Phishing documents as a\nMicrosoft Office macro.\n\nThe following features are implemented:\n\n- **Platform detection logic (Windows/MacOS X)** - All the penetration tester has to do is generate both Windows and Mac OS X commands and put them into the appropriate macro functions: `WindowsMalware()` and `MacMalware()`\n- **Sandbox detection** (Windows) - allows the macro to exit when it is being scanned\n- **WMI Subscription persistence** (Windows) - allows the payload to survive a system restart\n- **Social Engineering trick by shape removal** - for hiding the fake \"Enable Content\" warning.\n- **Supporting both MSWORD and EXCEL startup routines**\n\n\n\u003e One should definitely feed this script into some kind of \n\u003e Visual Basic obfuscator, like the author's one:\n\u003e\t[VisualBasicObfuscator](https://github.com/mgeeky/VisualBasicObfuscator)\n\nThe macro's code has been built up from the author's other building blocks:\n- [WMIPersistence.vbs](https://gist.github.com/mgeeky/d00ba855d2af73fd8d7446df0f64c25a)\n- [MacroDetectSandbox.vbs](https://gist.github.com/mgeeky/61e4dfe305ab719e9874ca442779a91d)\n\n\n---\n\n### CONFIGURATION\n\nThe most essential configuration here is filling in the functions `WindowsMalware()` and `MacMalware()`.\nOne can, for instance, leverage **Empire**'s stager functionality and obtain two payloads, for:\n- `windows/macro`\n- `osx/macro`\n\nThen one has to put the macros generated this way into the aforementioned `*Malware()` functions. The penetration tester can also use the built-in primitives:\n- `ExecuteCommand(command)`\n- `ExecuteCommandAndPersist command, startupTaskName`\n\nFor instance, such modifications to the script could look like:\n\n```vb\nPrivate Sub WindowsMalware()\n\t[...]\n\tstr = \"powershell -noP -sta -w 1 -enc  ABCDEFGHIJKLMNOPQ\"\n    str = str + \"ABCDEFGHIJKLMNOPQRSTUWXYZ0123456789\"\n    ' Rest of the powershell command cut for brevity\n    ' [...]\n    str = str + \"ABCDEFGHIJKLMNOPQRSTUWXYZ0123456789\"\n    \n    ExecuteCommandAndPersist str, \"\"\nEnd Sub\n\nPrivate Sub MacMalware()\n\t[...]\n\tcmd = \"abcdefghijlmnopqrstuxwyz012345678990\"\n    cmd = cmd + \"abcdefghijlmnopqrstuxwyz012345678990\"\n    ' Rest of bash command cut for brevity\n    ' [...]\n    cmd = cmd + \"abcdefghijlmnopqrstuxwyz012345678990\"\n    \n    Dim fullCommand As String\n    fullCommand = \"echo \"\"import sys,base64;exec(base64.b64decode(\\\"\" \" \u0026 cmd \u0026 \" \\\"\"));\"\" | python \u0026\"\n\n    ExecuteCommandAndPersist fullCommand, \"\"\nEnd Sub\n```\n\nAlso, there are `Const` options documented within the code's CONFIGURATION section; they are self-explanatory and left for the user to review.\n\n---\n\n### SOCIAL ENGINEERING SHAPE REMOVAL:\n\nIn order to leverage this feature, one has to prepare a fake \"_Enable Content_\" warning message\n(for instance about Microsoft Office compatibility issues, an AV-scanned flag, or something imaginary),\nand then create a shape consisting of a TextBox (via INSERT -\u003e Shapes... -\u003e TextBox). Then cover\nthe document with this shape. Having done that, one has to rename that shape using the path:\n\n`(Ribbon -\u003e HOME -\u003e Editing -\u003e Select... -\u003e Selection Pane -\u003e give it a name, like \"**warning-div**\")`\n\nAfter that, the shape can be further modified to float and cover the entire document by clicking:\n\n`Right click on shape -\u003e Move selected shape -\u003e then set Position and Size to 100%, Left-Top aligned.`\n\nAmong the various _Social Engineering_ shapes that could be used, two have been attached to this repository:\n\n![Example shape](1.png \"Example Shape\")\n\n---\n\n### TODO:\n\n- Add **OpenOffice** platform detection and autorun logic (`OnOpen`), then modify the OS detection if-statements to support the `getGUItype` method offered by OpenOffice.\n- Add document layout switching functionality, like the original page substitute function did.\n- Implement host reconnaissance and situation exfil functionality\n- Refactor the code to make it a bit less detectable by AVs\n- Add architecture bitness detection logic and specific payload usage\n- ~~Add macOS related function for platform independence~~\n- Add macOS X persistence functionality (`MacPersistence()`) in the form of, for instance, a per-user _LaunchAgents_ PLIST\n- Prepare a builder script that customizes the script's backbone as needed by the user and offers instant obfuscation\n- Add more Sandbox evasion and avoidance techniques, as documented in [pafishmacro](https://github.com/joesecurity/pafishmacro/blob/master/code.vba), [here](https://securingtomorrow.mcafee.com/mcafee-labs/macro-malware-employs-advanced-obfuscation-to-avoid-detection/), [here](https://securingtomorrow.mcafee.com/mcafee-labs/macro-malware-adds-tricks-uses-maxmind-to-avoid-detection/) and [here](https://phishme.com/macro-based-anti-analysis/)\n\n---\n\n### KNOWN BUGS:\n\n- The routine `DeleteWarningShape` doesn't support Excel sheets at the moment (`ActiveWorkbook`)\n\n---\n\n### DISCLAIMER:\n\nThe author of this code does not take any responsibility for\nany illegal usage of it. The code has been created solely for\nPenetration Testing purposes.\n\n\n---\n\n### ☕ Show Support ☕\n\nThis and other projects are the outcome of sleepless nights and **plenty of hard work**. If you like what I do and appreciate that I always give back to the community,\n[Consider buying me a coffee](https://github.com/sponsors/mgeeky) _(or better a beer)_ just to say thank you! 💪 \n\n---\n\n## Author\n\n```   \n   Mariusz Banach / mgeeky, '17\n   \u003cmb [at] binary-offensive.com\u003e\n   (https://github.com/mgeeky)\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmgeeky%2FRobustPentestMacro","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmgeeky%2FRobustPentestMacro","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmgeeky%2FRobustPentestMacro/lists"}