
Inf0secRabbit / BadAssMacros

Licence: other
BadAssMacros - C# based automated Malicous Macro Generator.

Projects that are alternatives of or similar to BadAssMacros

certexfil
Exfiltration based on custom X509 certificates
Stars: ✭ 18 (-93.59%)
Mutual labels:  redteam
Father
LD_PRELOAD rootkit
Stars: ✭ 59 (-79%)
Mutual labels:  redteam
moonwalk
Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps. 👻🐚
Stars: ✭ 544 (+93.59%)
Mutual labels:  redteam
Offensive-Reverse-Shell-Cheat-Sheet
Offensive Reverse Shell (Cheat Sheet)
Stars: ✭ 138 (-50.89%)
Mutual labels:  redteam
linkedinscraper
LinkedinScraper is another information-gathering tool written in Python. You can scrape the employees of companies on Linkedin.com and then compile these employees' names, titles and emails.
Stars: ✭ 22 (-92.17%)
Mutual labels:  redteam
AggressorScripts
A collection of Cobalt Strike aggressor scripts
Stars: ✭ 18 (-93.59%)
Mutual labels:  redteam
365-Stealer
365-Stealer is a phishing simulation tool written in Python 3. It can be used to execute an Illicit Consent Grant attack.
Stars: ✭ 200 (-28.83%)
Mutual labels:  redteam
100-redteam-projects
Projects for security students
Stars: ✭ 731 (+160.14%)
Mutual labels:  redteam
gitoops
all paths lead to clouds
Stars: ✭ 579 (+106.05%)
Mutual labels:  redteam
RedTeam
One-line PowerShell scripts that may come in handy during your network assessment
Stars: ✭ 56 (-80.07%)
Mutual labels:  redteam
anti-honeypot
A Chrome extension that detects web honeypots and blocks their requests; it can identify and block some of the tracing APIs used by Chaitin D-Sensor and 墨安幻阵 (Mo'an Huanzhen).
Stars: ✭ 38 (-86.48%)
Mutual labels:  redteam
DiscordGo
Discord C2 for Redteam....Need a better name
Stars: ✭ 55 (-80.43%)
Mutual labels:  redteam
ImpulsiveDLLHijack
C#-based tool that automates the process of discovering and exploiting DLL hijacks in target binaries. The hijacked paths discovered can later be weaponized during red team operations to evade EDRs.
Stars: ✭ 258 (-8.19%)
Mutual labels:  redteam
Behold3r
👻Behold3r -- collects the subdomains of a specified website, monitors that website for subdomain changes, and sends a change report to a specified mailbox
Stars: ✭ 29 (-89.68%)
Mutual labels:  redteam
gtfo
Search for Unix binaries that can be exploited to bypass system security restrictions.
Stars: ✭ 88 (-68.68%)
Mutual labels:  redteam
pentesting-dockerfiles
Pentesting/Bugbounty Dockerfiles.
Stars: ✭ 148 (-47.33%)
Mutual labels:  redteam
goblin
A phishing simulation system suited to red/blue team exercises
Stars: ✭ 844 (+200.36%)
Mutual labels:  redteam
NewNtdllBypassInlineHook CSharp
Load a fresh new copy of ntdll.dll via file mapping to bypass API inline hook.
Stars: ✭ 35 (-87.54%)
Mutual labels:  redteam
ReversePowerShell
Functions that can be used to gain Reverse Shells with PowerShell
Stars: ✭ 48 (-82.92%)
Mutual labels:  redteam
Sherlock
This script is designed to help expedite a web application assessment by automating some of the assessment steps (e.g., running nmap, sublist3r, metasploit, etc.)
Stars: ✭ 36 (-87.19%)
Mutual labels:  redteam

BadAssMacros


Description

A proof-of-concept tool that generates malicious macros, using techniques such as VBA purging and shellcode obfuscation to evade AV engines.

The tool takes raw shellcode, as generated by popular C2 frameworks (Metasploit, Cobalt Strike, etc.), and outputs a VBA macro.

It also takes a doc/excel file that already embeds the generated VBA code and performs VBA purging on it.

Current Features

BadAssMacros features currently include:

  • Classic VBA shellcode injection.
  • Indirect VBA shellcode injection (using LoadLibrary).
  • Sandbox Detection.
  • VBA Purging.
  • Shellcode obfuscation.
  • Variable name Randomization.

Shellcode Injection Techniques

|   Name   | x32 |     x64     |
| -------- | --- | ----------- |
| Classic  | Yes | Yes         |
| Indirect | Yes | In Progress |

Ethical use

The BadAssMacros tool is meant to only be used for ethical purposes. Don't use it for bad things.

Build Instructions

Build from sources

BadAssMacros requires third-party libraries that can be installed from the NuGet package manager.

  • Clone the repository in Visual Studio.
  • Once the project is loaded in Visual Studio, go to "Tools" --> "NuGet Package Manager" --> "Package Manager Settings" --> "NuGet Package Manager" --> "Package Sources".
  • Check whether there is a package source with the URL "https://api.nuget.org/v3/index.json". If not, create it.
  • Run the following commands:
    • Install-Package Costura.Fody -Version 3.3.3
    • Install-Package OpenMcdf -Version 2.2.1.3
    • Install-Package Fody -Version 4.0.2
  • Build the project :)

The BadAssMacros.exe binary will be inside the bin directory.

Examples

  • Show help:
    BadAssMacros.exe -h
  • Create VBA for classic shellcode injection from raw shellcode:
    BadAssMacros.exe -i <path_to_raw_shellcode_file> -w <doc/excel> -p no -s classic -c <caesar_shift_value> -o <path_to_output_file>
    (screenshot: ClassicVBA)
  • Create VBA for indirect shellcode injection from raw shellcode:
    BadAssMacros.exe -i <path_to_raw_shellcode_file> -w <doc/excel> -p no -s indirect -o <path_to_output_file>
    (screenshot: IndirectVBA)
  • List modules inside a Doc/Excel file:
    BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -l
    (screenshot: ListingModules)
  • Purge a Doc/Excel file:
    BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -o <path_to_output_file> -m <module_name>
    (screenshot: PurgedDocument)

Detection

BadAssMacros was tested against local antivirus solutions and online services such as antiscan.me. The results of testing with the indirect shellcode execution method are attached below.

NOTE: Please do not submit the samples to VirusTotal

Contact

Credits

  • OfficePurge by FireEye