Husky vs. PTXv2 Part 1: Macro Mayhem, Advanced Social Engineering, and a Free Upgrade #sponsored

<disclaimer> This post series is still sponsored by eLearnSecurity and VetSec! As always, a huge thank you goes to both of them and please consider this while enjoying the content. Check out my first post to see the details.

Additional disclaimer: This is where I begin to talk about the tradecraft and the specific, technical red-teaming stuff I’ve learned in this module. Obviously, this stuff is dangerous and can be used for evil. Please use this information responsibly. I am not even close to responsible/liable if you decide to use this stuff for malicious purposes, without consent of the target network, etc etc. Neither VetSec nor eLearnSecurity are responsible/liable as well. Play nice, kiddos, and stay on the Light Side of the Force.  </disclaimer>

Hey everybody, HuskyHacks the hacker-hiker here!

Let me start by saying that eLearnSecurity really gets customer service.

Let’s consider for a moment just how fast this field moves. Speaking from the perspective of a cybersecurity content and training developer, I can say that a huge, comprehensive, in-depth course like PTX is a feat to pull off in the first place. Coupling this with the constantly evolving nature of cyber-attacks, you can imagine that the work-hours and production power necessary to build and polish a training program like this is tough to justify when the content may be dated or even totally obsolete within a few years.

This is the great trade-off of the field and it’s true not only for content developers, but anyone who is building a skillset in cybersecurity in general; there is really no other approach than entering into a constant feedback loop of researching, learning, applying learned skills, learning new skills, and realizing that those skills lead to the need to research, learn, and apply skills some more!

If you’re anything like me, that’s the best part of the whole game. But it makes designing training programs tough. Which is why that I was very happy when I saw that eLearnSecurity would be dropping a new, updated version of the PTX course by the end of June.

And I was even more delighted to learn that, instead of requiring me to fork over some arbitrary “upgrade fee” like some other training providers (a practice I find outright Offensive, if you catch my drift),  eLS was going to upgrade my course to the new version on the house. And that is why I stand by my statement that eLearnSecurity really gets customer service.

I could include the specs on the upgrade and my thoughts on the amount of new training content and new labs, but the breakdown can be found on eLearnSecurity’s page for PTX. And to keep things concise, I’ll say the amount of new content is certainly something to behold, but I need to reserve judgment until after I see the real substance of the new stuff. It’s unlikely that you, dear reader, came here to read my thoughts about how excited I am for the new content down the road.

I think you came here to learn something. And, oh baby, am I ready to teach something.

Advanced Social Engineering

PTX kicks off with one of the most interesting concepts in red teaming: advanced social engineering. This topic is as wide as the great seas and twice as deep (there’s a Phishing pun in here somewhere), but the module hones in on a few key topics. Many of the examples in this module center on the development and delivery of embedded maldocs, Microsoft Office macro abuse, phishing, and (a recent addition from what I can tell) C2 frameworks that assist in social engineering like SilentTrinity and Covenant.

Huge plus one for including Covenant, because I was about done with Empire. If you recall, my PTP review included a section about how difficult the Powershell module was due to its reliance on Empire, which is a framework about as old as Methuselah. I ended up switching to Covenant to finish the module. (Here’s a digression worth mentioning: did you know Methuselah translates to “Man of the javelin” or “Death of Sword”??!! How badass is that?)

This topic covers the basics of maldoc delivery by email and identifies the large obstacles present if you’re fixin’ to send people evil emails: Sender Policy Framework (SPF), Domain Key Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC). ELI5 version: SPF standardizes the FROM: address in an SMTP transaction and publishes a list of authorized senders in DNS, DKIM verifies a given email messages contents by signing the email and flags emails that don’t have a valid signature, and DMARC announces these security features to all entities that want to send a message to that server. All three of these work together to implement a system of checks and balances that smacks down evil emails before they reach a target.

So what’s the takeaway here? Before you begin a social engineering campaign based on mailing maldocs, check if the target domain is using these technologies. You can do this by sending an email to a nonexistent user in the domain and analyzing the non-delivery notice for DKIM signature headers and other signs of these security features. And if you can’t manage to spoof an email from the target domain, set up a phony domain mail server and use SPF, DKIM, and DMARC to seem more legit to the target domain’s server.

The content that follows the introduction to social engineering provides tons of examples of attack vectors for this type of tradecraft. Here’s a fun one: VMB embedded macros are so last decade. Why not use an Excel 4.0 Macro to launch an exe? In a fresh Excel workbook, right-click on ‘Sheet 1’ and select ‘Insert’, then from the selections, select MS Excel 4.0 Macro.

In the new Macro sheet, put a few choice commands to exec followed by ‘=HALT()’. Then, right click on A1 and select ‘Run.’

Oh, jeez Rick.

The module is full of tricks like this. But more specifically, I want to review one of the first labs in the course: Custom Undetectable Macro Development. So, strap on your butts, folks, it’s time to go Phishing.

Lab: Custom Undetectable Macro Development

This lab is very simple: by using an Excel document with an embedded macro, you will stage a multi-step exploit that sends an obfuscated, encoded Ncat.exe binary to the target and reflectively inject it into the target’s memory. The binary will map itself into memory without dropping anything to disk, then execute with given parameters to create a bind shell on a given port. This macro uses a few different tricks to evade A/V and IDS alerts.

The first thing you need for this lab is a server to develop, stage, and serve out an Excel document with the embedded malicious macro. A good rule of thumb in exploit engineering is to develop and stage in an environment that matches the target. A social engineering campaign against an organization will almost always target Windows 10 x64 hosts, so it’s wise to build a dev box with that in mind. Fortunately, FireEye Mandiant has made this very easy by making CommandoVM open-source. All of the scripts that I reference were developed on my CommandoVM, and I ended up serving the maldocs from Kali for the actual attack.

So spin up a VM with a fresh install of Windows 10, perform the time honored tradition of using Edge to download Chrome and then unceremoniously unpin Edge from the taskbar, do all Windows updates, take a VM snapshot, and then follow the install instructions on the CommandoVM github page.

The install takes a while. So while we wait for it to complete, let me regale you with a social engineering story. My last job did a social engineering campaign against the staff to gauge our receptiveness to obvious attempts to steal our information. They let us know ahead of time and I guess I anticipated something kind of subtle and sophisticated. So imagine my confusion when I received a phone call from someone on our risk analysis team whose voice I recognized immediately in spite of the worst attempt at a Cockney British accent I had ever heard, claiming he was “Lewis from” wanting to see if I would be interested in storing federal information system data on their platform. Greater men than I have been caught off-guard by such attempts, but no data would be stored at that day. I caught the guy in the hallway a few months later and we both had a good laugh about it.

Anyway, I digress. Once CommandoVM has been installed, you can begin to stage the needed pieces of the exploit. The exploit chain can be broken down into five composite elements:

  1. A malicious Excel macro that points to your staging server and downloads a certificate file to kick off the exploit. The certificate file is actually…
  2. …a compressed, base64 encoded version of PowerSploit’s Invoke-ReflectivePEInjection script, which can inject an executable directly into a target’s memory without dropping anything to disk. This script also has a download cradle that grabs…
  3. …an XOR’d version of Ncat.exe along with its XOR key, generated by base64 encoding the binary and changing every instance of one letter in the file to something else and XORing the two files. Invoke-ReflectivePEInjection injects the binary into memory along with…
  4. …a basic argument to open a bind shell on port 4444. All of these steps together make…
  5. …an IDS and A/V resistant, memory-injected binary that spawns a bind shell available on port 4444, which is kicked off when the useful idiot clicks on “Enable Content” in Excel.

All of the referenced PoCs for this exploit available at my Github for those of you who want to play along at home. But please, be responsible with this stuff. Don’t send ol’ Grand-ma-ma “nothingSuspicious.xlsm” just because you can.

First up is the embedded macro, and it doesn’t get much more simple than this. Download and execute, point it to your staging server, and it grabs the malicious .crt file to execute. Easy.

Macro script to kick off the attack chain- it downloads the malicious ps1_b64.crt that calls back to the server to grab the second stage payload.

Next up is a script to make Ncat.exe into a base64 encoded string. Again, easy day.

Make an XOR key with the base64 Ncat.exe file by copying it and finding/replacing all ‘A’s with ‘M’s. Then, use this script to XOR the two files into an XOR out file.

PowerSploit’s Invoke-ReflectivePEInjection script, badass as it may be, gets smacked down by A/V every time it’s dropped to disk or ran in memory. So to avoid this, you can use the super-sophisticated, red-team Ninja master level, highly classified technique of renaming the functions and deleting the inline comments. ¯\_(ツ)_/¯

Then, you add a download cradle to the end of the script to grab and inject the XOR’d Ncat.exe file:

This is the added download cradle for the XOR’d Ncat.exe file and its XOR key, along with the call to inject the PE into memory and the additional argument to open a port on 4444.

You compress this modified PE injection script with an online gzip utility and embed that long string of gobbledy-guck into this Powershell script:

The final preparation step is to take the Powershell script mentioned above and base64 encode it. Save this as ‘ps1_b64.crt’, which is the referenced file that our malicious macro tries to grab from the staging server.

So what is really happening when this kicks off? Put simply:

  • Useful idiot receives “marineCrayonRecipes.xlsm” and can’t help but imagine what wonderful wax delicacies await inside. But wait! The Excel document seems to have broken content inside. Better enable macros to see the delicious crayon connoisseur delights held within.
  • Fool! The macro runs: ps1_b64.crt is grabbed and copied to disk by the macro, base64 decoded, and ran with Powershell on the target.
  • Powershell executes the long string of compressed nonsense, which is actually Invoke-ReflectivePEInjection.
  • This script grabs the XOR’d version of Ncat.exe along with its XOR key, maps this binary into the memory of the target, runs it like a command, and adds a command line argument to start a listening port on 4444.
  • A port on 4444 is opened up for you to prosecute.

And after some trial and error and stepping through each stage of the exploit, I got it to kick off with no problem:

Yes, that’s Windows 8 running on the target.

The beauty of this exploit is that, with a similar approach but different payloads, you can inflict all kinds of havoc on the target. And with a few modifications of the contents along the way, A/V and IDS evasion is easy. That lab was a lot of fun, and PTX is only just starting. Next up is Advanced Active Directory Red-Teaming tactics, and I can’t wait!

And for the love of all that is good and decent in this world, I will say again to be responsible with this stuff. Thank you for reading! If you enjoyed this, please share and comment. Also, please subscribe to VetSec or my own blog if you’d like to see more. And I will see you next time for Active Directory Red-Teaming!

About the Author: HuskyHacks is on a path to mastery and ready to stumble over every rock on the way! He is a USMC veteran and served as the lead embedded cybersecurity analyst at the MIT Lincoln Laboratory Space Systems and Technology research division. He has hiked Mount Kilimanjaro and 1/20th of the Appalachian Trail. His credentials include the OSCP, eCPPTv2, BS-IT from Northeastern, and an Advanced Certificate in Cybersecurity from RIT. His main blog is