﻿1
00:00:01,220 --> 00:00:04,430
OK, let's have another example in the Empire project.

2
00:00:05,990 --> 00:00:11,480
This time, we're going to create a macro to prepare a malicious Office document. At this point, we already

3
00:00:11,480 --> 00:00:12,200
have a listener.

4
00:00:12,320 --> 00:00:14,870
So I jump to the stager generation step.

5
00:00:16,460 --> 00:00:24,440
Type usestager, put a space character and press Tab twice to see all of the available stagers, and

6
00:00:24,440 --> 00:00:31,830
we use windows/macro to create a macro which will open a back door into the victim's machine. Type usestager

7
00:00:31,830 --> 00:00:34,610
windows/macro and hit Enter.

8
00:00:38,600 --> 00:00:46,880
Type info to see the options. We have to set the listener. Now type set Listener my HTTP listener,

9
00:00:46,880 --> 00:00:52,220
or if you gave another name to the listener, type it. Leave the other options with the default values.

10
00:00:54,310 --> 00:01:01,360
Run the execute command to generate the macro. The macro is generated in the temp folder, the tmp folder,

11
00:01:01,360 --> 00:01:02,630
with the name of macro.

12
00:01:03,430 --> 00:01:06,850
Let's go to the temp folder and look at the file using the cat Linux command.

13
00:01:09,970 --> 00:01:11,800
Select and copy the macro code.

14
00:01:12,550 --> 00:01:18,920
Now it's time to create the malicious Office file using this macro code. We're now at a Windows system.

15
00:01:19,330 --> 00:01:22,060
I'm going to create a Word document.

16
00:01:36,820 --> 00:01:40,780
Open a new document. From the View tab, open the macro window.

17
00:01:49,750 --> 00:01:57,730
Paste the macro code that we copied in Kali, save and close the macro window. The macro code is not

18
00:01:57,730 --> 00:02:00,330
in the clipboard of your victim Windows machine?

19
00:02:00,940 --> 00:02:06,790
I mean, if you cannot paste the macro code in the Windows system, the copy-paste action may not be allowed

20
00:02:06,790 --> 00:02:11,230
by your virtualization platform, VMware, VirtualBox, etc.

21
00:02:11,740 --> 00:02:14,620
‫Don't worry, there are lots of ways to bring the macro code in.

22
00:02:15,190 --> 00:02:20,620
For example, you may change the configuration of your virtualization environment to allow copy-paste

23
00:02:20,620 --> 00:02:22,000
between the virtual machines.

24
00:02:22,970 --> 00:02:29,480
Another method is sending the code to yourself in an email so you can open the email in the victim's

25
00:02:29,480 --> 00:02:31,270
‫machine and copy the macro code.

26
00:02:32,210 --> 00:02:37,280
Now, of course, to be able to see the effects of our code, the macro has to be enabled in the victim's

27
00:02:37,280 --> 00:02:37,920
Office tool.

28
00:02:38,630 --> 00:02:41,930
I'm using my Office 2013. To enable macros,

29
00:02:41,930 --> 00:02:46,100
I follow the path File, Options, Trust Center, Trust Center Settings.

30
00:02:47,110 --> 00:02:51,100
And click Enable all macros, then the OK button.

31
00:02:52,590 --> 00:03:00,090
Save the Word document on the desktop and close. Now the document has the macro code inside and the macros

32
00:03:00,090 --> 00:03:01,850
are enabled in the Office tool.

33
00:03:02,790 --> 00:03:04,600
‫I want to touch on two topics here.

34
00:03:04,980 --> 00:03:10,500
First, as you can see on the right-hand corner of the screen, I'm going to open the malicious document

35
00:03:10,500 --> 00:03:12,660
‫while Windows Defender is running.

36
00:03:13,290 --> 00:03:17,160
‫So we'll see if we can bypass the security systems or not.

37
00:03:18,260 --> 00:03:21,830
‫Second, of course, we don't expect the victim to prepare the file himself.

38
00:03:22,460 --> 00:03:28,130
We are testing the document that we prepared. Sending it to victims and convincing them to open the

39
00:03:28,130 --> 00:03:29,390
files is another case.

40
00:03:30,630 --> 00:03:33,850
Now, open the Word document. Seems everything's fine.

41
00:03:34,560 --> 00:03:36,180
Nothing abnormal appears.

42
00:03:37,270 --> 00:03:42,550
Let's go to our Kali system. As you see, we have a new agent initialised.

43
00:03:43,630 --> 00:03:46,730
Go to the main menu using the main command.

44
00:03:47,680 --> 00:03:49,420
‫There was one agent at the beginning.

45
00:03:50,140 --> 00:03:51,790
‫Now we have two of them.

46
00:03:52,970 --> 00:03:59,120
Go to the agents state using the agents command. The second one is our new session, which started when the

47
00:03:59,120 --> 00:04:01,610
victim opened the Word document.

48
00:04:02,530 --> 00:04:06,430
Use the interact command with the agent name to activate the session.

49
00:04:12,950 --> 00:04:16,810
‫Now the victim machine is in your hands.

