OK, let's have another example in the Empire project. This time we're going to create a macro to prepare a malicious Office document. At this point we already have a listener, so I jump to the stager generation step.

Type usestager, put a space character and press Tab twice to see all of the available stagers. We use windows/macro to create a macro which will open a backdoor into the victim's machine: type usestager windows/macro and hit Enter.

Type info to see the options. We have to set the listener now: type set Listener followed by the name of your HTTP listener, or if you gave the listener another name, type that instead. Leave the other options with their default values.

Run the execute command to generate the macro. The macro is generated in the /tmp folder with the name macro. Let's go to the /tmp folder and look at the file using the cat Linux command. Select and copy the macro code.

Now it's time to create the malicious Office file using this macro code. We're now in a Windows system. I'm going to create a Word document. Open a new document, and from the View tab open the macro window. Paste the macro code that we copied in Kali, then save and close the macro window. The macro code may not be in the clipboard of your victim Windows machine.
I mean, if you cannot paste the macro code in the Windows system, the copy-paste action may not be allowed by your virtualization platform (VMware, VirtualBox, etc.). Don't worry, there are lots of ways to bring the macro code in. For example, you may change the configuration of your virtualization environment to allow copy-paste between the virtual machines. Another method is sending the code to yourself in an email, so you can open the email on the victim's machine and copy the macro code.

Now, of course, to be able to see the effects of our code, macros have to be enabled in the victim's Office tool. I'm using Office 2013; to enable macros I follow the path File, Options, Trust Center, Trust Center Settings, click Enable all macros, then the OK button.

Save the Word document on the desktop and close it. Now the document has the macro code inside and macros are enabled in the Office tool.

I want to touch on two topics here. First, as you can see in the right-hand corner of the screen, I'm going to open the malicious document while Windows Defender is running, so we'll see if we can bypass the security systems or not. Second, of course, we don't expect the victim to prepare the file himself.
Here we are testing the document that we prepared; sending it to victims and convincing them to open the file is another case.

Now open the Word document. It seems everything's fine; nothing abnormal appears. Let's go to our Kali system. As you see, we have a new agent initialised. Go to the main menu using the main command. There was one agent at the beginning; now we have two of them. Go to the agents menu using the agents command. The second one is our new session, which started when the victim opened the Word document. Use the interact command with the agent name to activate the session. Now the victim machine is in your hands.