BC-SECURITY/Offensive-VBA-and-XLS-Entanglement

Stars
124
Rank 288,207 (Top 6 %)
Language VBA
License
MIT License
Created over 3 years ago
Updated over 3 years ago

BC-SECURITY/Offensive-VBA-and-XLS-Entanglement

BC-SECURITY

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Offensive VBA and XLS Entanglement

This repo provides examples of how VBA can be used for offensive purposes beyond a simple dropper or shell injector. As we develop more use cases, the repo will be updated. The main entry in the repo is the code for demonstrating the XLS Entanglement attack.

Why VBA?

VBA provides every capability that other offensive languages offer including rudimentry reflection capability with the modification of the AccessVBOM registry key. In addition to that, VBA runs inside of programs that are traditionally long running programs on a victim's computers including Outlook. This means that a beacon can run entirely inside "native processes without the need to migrate processes or open additional ports. If Outlook is converted to a C2 beacon, then there is no need for the beacon to reach out of the network either. With the ability to export Win32 APIs we have the ability to execute all kinds of attacks, including things like Kerberoasting or running Embedded PEs.

Examples

File	Description
HelloWorld.vba	Demonstrates disabling the protections against accessing the VBA project and dynamically injecting VBA code
HelloWorldWin32_API.vba	Same as HelloWorld.vba but uses Win32 APIs instead of WScript to modify the registry
OutlookC2_POC.vba	Macro to convert Outlook into a C2 that watches for an email and injects VBA into an Excel file
XLS Entaglement	Contains the files for executing a rudimentry XLS Entanglement attack

Starkiller

Starkiller is a Frontend for PowerShell Empire.

Beginners-Guide-to-Obfuscation

Moriarty

Moriarty is designed to enumerate missing KBs, detect various vulnerabilities, and suggest potential exploits for Privilege Escalation in Windows environments.

Malleable-C2-Profiles

Malleable C2 Profiles. A collection of profiles used in different projects using Cobalt Strike & Empire.

Invoke-ZeroLogon

Invoke-ZeroLogon allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.

Invoke-PrintDemon

This is a PowerShell Empire launcher PoC using PrintDemon and Faxhell.

DEFCON27

DEFCON 27 slides and workshop materials.

IronSharpPack

IronSharpPack is a repo of popular C# projects that have been embedded into IronPython scripts that execute an AMSI bypass and then reflective load the C# project.

Long-Live-The-Empire

A comprehensive workshop aimed to equip participants with an in-depth understanding of modern Command and Control (C2) concepts, focusing on the open-source Empire C2 framework.

ScriptBlock-Smuggling

Example code samples from our ScriptBlock Smuggling Blog post

Empire-Cli

CLI Frontend for PowerShell Empire.

Taming-Offensive-IronPython

This workshop is designed to provide you with a solid understanding of IronPython, its integration with the .NET framework, and how it can be used to interact with other .NET languages.

Red-Team-Village-CTF-2023

Secure Terminal CTF Challenge for DC31 Red Team Village

SocksProxyServer-Plugin

Socks Proxy Server Plugin for Invoke-SocksProxy

DeathStarPlugin

Deathstar is an Empire plugin that automates gaining Domain and/or Enterprise Admin rights in Active Directory environments using common offensive tactics, techniques, and procedures (TTPs).

empire-docs

https://bc-security.gitbook.io/empire-wiki/

DEFCONSafeMode

DEFCON Safe Mode Slides

ChiselServer-Plugin

DEFCON24

DEFCON 24 slides and materials.

intro-ctf

Empire-Compiler

Twilio-Plugin

Empire-Launcher

denylist-plugin

Report-Generation-Plugin

Plugin for replacing the original reporting functionality in Empire with customizable PDFs.

AutoRun-Plugin

Plugin to automatically execute an agent tasking on checkin