Powershell Empire Stagers 1: Phishing with an Office Macro and Evading AVs

May 31, 2016 | Views: 34021


Welcome Cybrarians,

Phishing is one of the things attackers plan most carefully: compromising one device on the network can help attack the whole connected network. It is also a stealthy way of gathering more information about certain users or companies.

As you know, there are many ways of phishing. Creativity is key in emulating a realistic scenario that stays believable to the victims. In this tutorial, we're going to use a PowerShell tool called Empire to create a malicious Office macro that is not filtered by email or recognized by antivirus software.

Empire gives us "the ability to run PowerShell agents without needing powershell.exe." This helps us evade email filters that focus on .exe attachments as well as antivirus software.

Let’s begin…

Tutorial Requirements:

1- Empire PowerShell on GitHub: https://github.com/PowerShellEmpire/Empire

2- A Microsoft Office document

3- Kali Linux on VirtualBox

4- Another system, either Mac or Windows


Step 1: Install Empire

Start your Kali Linux box and clone the Empire repository to your machine:

>>> git clone https://github.com/PowerShellEmpire/Empire.git

After cloning the repository, move to the setup directory and install the tool:

>>> cd Empire/setup

>>> ./install.sh

Type Y for Yes to continue:


When you get to the server negotiation password, press Enter without entering anything – just Enter:

Note:

Make sure the Kali box has the correct date and time and English set as the language. This is very important if you want to avoid problems getting information back when you're running Empire.

Step 2: Run Empire

Now that the tool is installed on your machine, run Empire by typing:

>>> ./empire

Step 3: Preparing the Listener

Now that Empire is running, type listeners to switch to listeners mode:

When you run Empire for the first time, you won't have any listeners. You'll get a red message that says "No listeners currently active".

Type options to list all the options related to the listener settings:

In this step, I'll change the Name of the listener from Test to ProjectData:

Type Execute to change the name:

>>> execute

Type options again to make sure the listener's name has changed:

>>> options

Step 4: Create Macro

In this step, we're going to use the usestager command with the macro stager type to create the malicious macro:

>>> usestager macro projectData

Once you switch to the stager/macro mode, type options to list all the associated options:

>>> options

Next, type execute:

>>> execute

Once executed, the macro is generated and saved under /tmp. To make sure it was created, type:

>>> cat /tmp/macro

Copy the whole output (the macro code).

Step 5: Embed the Macro into an Office Document

Now that the code is ready, open an MS Office file. For this tutorial, I'm using a Word document.
Go to View, click Macros, then click View Macros.

Type the name of the macro under Macro Name and click Create.

Note:

Use an inconspicuous name – preferably something related to the documentation you're sending.

Paste all the macro code into the window below:

Once the whole code is pasted, save it. Then save the document in the Word 97-2003 format.

Step 6: Send the File

In this step, to make sure your file looks legitimate, choose a file that contains information you think would be relevant to the victim. This step depends on how good you are at gathering information about the victim before sending the file.

Note:

If you scan the file, you'll get a clean result from your antivirus software. In this example, I scanned it with Kaspersky.
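A clean antivirus verdict on a freshly generated macro, as the note above reports, is not something a defender can rely on. A more durable check is structural: a macro that combines an auto-run entry point, an OS-execution primitive and PowerShell or base64 indicators is worth quarantining whatever the AV says. The script below is an added example for this tutorial, not code from the page or from the Empire project. It runs over two constructed VBA samples embedded inline (in practice the VBA text would be extracted from the .doc with olevba from the oletools package) and assigns each a verdict; the regular expressions and thresholds are the author's assumptions, not a published signature set.

```python
"""Heuristic triage of VBA macro source for auto-executing, shell-spawning macros.

Added example, not from the original tutorial or the Empire project. Both samples
below are constructed so the script runs offline with no Office document needed.
"""
import re

# Procedure names Word/Excel run automatically once macros are enabled.
AUTO_EXEC = re.compile(
    r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec|AutoClose|Document_Close)\b",
    re.I,
)
# Primitives that hand control to the OS or a script host.
EXEC_PRIMITIVES = re.compile(
    r"\b(Shell|WScript\.Shell|CreateObject|ShellExecute|Run|Exec)\b", re.I
)
# Command-line switches and cmdlets typical of PowerShell-based stagers.
POWERSHELL_IOCS = re.compile(
    r"(powershell|(?<!\w)-(?:e|enc|encodedcommand|nop|noprofile|noni|noninteractive)\b"
    r"|-w(?:indowstyle)?\s+hidden|FromBase64String|Invoke-Expression|\bIEX\b"
    r"|DownloadString|Net\.WebClient)",
    re.I,
)
# A long run of base64 alphabet characters suggests an embedded encoded payload.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")


def analyze_vba(source: str) -> dict:
    """Return the matched indicators per category plus a verdict string."""
    findings = {
        "auto_exec": sorted({m.group(0) for m in AUTO_EXEC.finditer(source)}),
        "exec_primitive": sorted({m.group(0) for m in EXEC_PRIMITIVES.finditer(source)}),
        "powershell": sorted({m.group(0).lower() for m in POWERSHELL_IOCS.finditer(source)}),
        "base64_blob": [m.group(0)[:12] + "..." for m in BASE64_BLOB.finditer(source)],
    }
    hit = [name for name, matches in findings.items() if matches]
    # Auto-run entry point + OS execution + PowerShell/base64 is the stager shape.
    if (findings["auto_exec"] and findings["exec_primitive"]
            and (findings["powershell"] or findings["base64_blob"])):
        verdict = "suspicious"
    elif len(hit) >= 2:
        verdict = "review"
    else:
        verdict = "likely_benign"
    return {"verdict": verdict, "categories_hit": hit, **findings}


# Constructed benign macro: formats a table and never leaves Word.
BENIGN_MACRO = """
Sub FormatReportTable()
    ' Apply a style to the first table in the document
    ActiveDocument.Tables(1).Style = "Grid Table 4"
    ActiveDocument.Tables(1).Rows(1).Range.Font.Bold = True
End Sub
"""

# Constructed suspicious macro: auto-runs and spawns hidden PowerShell with an
# encoded argument. The blob is base64 of "PLACEHOLDER" repeated, not a payload.
SUSPICIOUS_MACRO = """
Sub AutoOpen()
    Dim cmd As String
    cmd = "powershell -noP -W hidden -enc " & "%s"
    Shell cmd, vbHide
End Sub
""" % ("UExBQ0VIT0xERVI" * 6 + "=")


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_MACRO), ("suspicious", SUSPICIOUS_MACRO)):
        result = analyze_vba(src)
        cats = ", ".join(result["categories_hit"]) or "none"
        print(f"{label}: {result['verdict']} (categories hit: {cats})")
```

The "suspicious" verdict deliberately requires all three properties together, because CreateObject or a base64 string on its own is common in legitimate automation; anything with two of the four categories is routed to "review" for a human look. The same structural pattern is what Office's "Block macros from running in Office files from the Internet" policy (Office 2016 and later) neutralises at the endpoint, and what a mail gateway can act on after extracting the VBA streams from an attachment.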

 

Step 7: Getting the Connection

After sending the email, wait for the connection. It might take a while.

Once you get the connection, you'll get a green message that says "agent is active."
That’s all for this tutorial. Stay tuned for the next one. It will cover how to move inside the victim’s system once you get the connection.

@Z33MaXX

38 Comments
  1. Thanks for this great tutorial, but when I downloaded it, it installed Empire v2.0, not 1.5 like yours, and there is no "options" option ("*** unknown syntax") and no macro module in the listeners.

  2. Can you explain why the macro is missing on the other test machine and running normally on the build machine? Because I did some tests, but the macro is only running on the build machine. And I saw that many people are having problems running the macro on the test machine. The question is simple: how to run the macro file on the test machine after building the macro on the build machine.

  3. Btw, if you want to send this document over e-mail, place it on a network share, etc., this macro cannot be only under the Normal template module section. In that case the macro disappears, since it is connected to your Normal template on the computer where the document was built.
