In preparation for a VBS AV Evasion Stream/Video I was doing some research on Office Macro code execution methods and evasion techniques.
The list got longer and longer and I found no central place for offensive VBA templates, so this repo can be used for that. It is very far from being complete. If you know any other cool technique or useful template, feel free to contribute and create a pull request!
Most of the templates in this repo were already published somewhere. I simply copy-pasted most templates from MS docs sites, blog posts or from other tools.
Templates in this repo
Missing - ToDos
| File | Description |
|---|---|
| Unhooker.vba | Unhook APIs in memory to get rid of hooks |
| Syscalls.vba | Syscall usage - fresh from disk or SysWhispers-like |
| Manymore.vba | If you have any more ideas, feel free to contribute |
Obfuscators / Payload generators
- VBad
- wePWNise
- VisualBasicObfuscator - needs some modification as it doesn't split up lines and is therefore not usable for Office document macros
- macro_pack
- shellcode2vbscript.py
- EvilClippy
- OfficePurge
- SharpShooter
- VBS-Obfuscator-in-Python - needs some modification as it doesn't split up lines and is therefore not usable for Office document macros
Credits / useful resources
ASR bypass: http://blog.sevagas.com/IMG/pdf/bypass_windows_defender_attack_surface_reduction.pdf
Shellcode to VBScript conversion: https://github.com/DidierStevens/DidierStevensSuite/blob/master/shellcode2vbscript.py
Bypass AMSI in VBA: https://outflank.nl/blog/2019/04/17/bypassing-amsi-for-vba/
VBA purging: https://www.mandiant.com/resources/purgalicious-vba-macro-obfuscation-with-vba-purging
F-Secure VBA evasion and detection post: https://blog.f-secure.com/dechaining-macros-and-evading-edr/
Yet another F-Secure blog post: https://labs.f-secure.com/archive/dll-tricks-with-vba-to-improve-offensive-macro-capability/