1
00:00:01,240 --> 00:00:04,360
OK, let's have another example of the Empire project.

2
00:00:05,990 --> 00:00:11,060
This time, we're going to create a macro to prepare a malicious Office document. At this point, we

3
00:00:11,060 --> 00:00:12,140
already have a listener.

4
00:00:12,290 --> 00:00:14,810
So I jump to the stager generation step.

5
00:00:16,400 --> 00:00:24,380
Type usestager, put a space character and press Tab twice to see all of the available stagers, and

6
00:00:24,380 --> 00:00:30,920
we use windows/macro to create a macro which will open a backdoor into the victim's machine. Type

7
00:00:31,400 --> 00:00:34,580
usestager windows/macro and hit Enter.

8
00:00:38,580 --> 00:00:46,830
Type info to see the options. We have to set the listener now. Type set Listener and then the name of the HTTP listener,

9
00:00:46,830 --> 00:00:51,600
or if you gave the listener another name, type it. Leave the other options with the default

10
00:00:51,600 --> 00:00:52,170
values.

11
00:00:54,260 --> 00:00:54,710
Run.

12
00:00:55,040 --> 00:01:01,550
Execute the command to generate the macro. The macro is generated in the temp folder with the

13
00:01:01,550 --> 00:01:02,570
name macro.

14
00:01:03,380 --> 00:01:06,770
Let's go to the temp folder and look at the file using the cat Linux command.

15
00:01:09,940 --> 00:01:11,770
Select and copy the macro code.

16
00:01:12,520 --> 00:01:17,050
Now it's time to create the malicious Office file using this macro code.

17
00:01:17,560 --> 00:01:18,910
We're now in a Windows system.

18
00:01:19,330 --> 00:01:22,030
I'm going to create a Word document.

19
00:01:36,790 --> 00:01:40,750
Open a new document. From the View tab, open the Macros window.

20
00:01:49,750 --> 00:01:55,450
Paste the macro code that we copied in Kali, then save and close the macro window.

21
00:01:56,170 --> 00:02:00,280
The macro code might not be in the clipboard of your victim Windows machine.
22
00:02:00,940 --> 00:02:06,730
I mean, if you cannot paste the macro code in the Windows system, the copy-paste action may not be allowed

23
00:02:06,730 --> 00:02:08,710
by your virtualization platform,

24
00:02:09,160 --> 00:02:11,200
VMware, VirtualBox, etc.

25
00:02:11,680 --> 00:02:14,590
Don't worry, there are lots of ways to bring the macro code in.

26
00:02:15,220 --> 00:02:20,560
For example, you may change the configuration of your virtualization environment to allow copy-paste

27
00:02:20,560 --> 00:02:21,910
between the virtual machines.

28
00:02:22,990 --> 00:02:29,440
Another method is sending the code to yourself in an email, so you can open the email on the victim's

29
00:02:29,440 --> 00:02:31,210
machine and copy the macro code.

30
00:02:32,180 --> 00:02:37,220
Now, of course, to be able to see the effects of our code, macros have to be enabled in the victim's

31
00:02:37,220 --> 00:02:37,880
Office application.

32
00:02:38,580 --> 00:02:41,870
I'm using Office 2013. To enable macros,

33
00:02:41,870 --> 00:02:49,880
I follow the path File > Options > Trust Center > Trust Center Settings and click Enable all macros, then

34
00:02:49,880 --> 00:02:50,960
the OK button.

35
00:02:52,560 --> 00:03:00,030
Save the Word document on the desktop and close it. Now the document has the macro code inside, and macros

36
00:03:00,030 --> 00:03:01,800
are enabled in the Office application.

37
00:03:02,730 --> 00:03:04,590
Now I want to touch on two topics here.

38
00:03:04,950 --> 00:03:10,440
First, as you can see in the right-hand corner of the screen, I'm going to open the malicious document

39
00:03:10,440 --> 00:03:12,600
while Windows Defender is running.

40
00:03:13,290 --> 00:03:17,100
So we'll see if we can bypass the security systems or not.

41
00:03:18,260 --> 00:03:21,770
Second, of course, we don't expect the victim to prepare the file themselves.

42
00:03:22,400 --> 00:03:24,980
We are testing the document that we prepared.
43
00:03:25,610 --> 00:03:29,330
Sending it to victims and convincing them to open the file is another case.

44
00:03:30,600 --> 00:03:33,810
Now open the Word document. It seems everything's fine.

45
00:03:34,530 --> 00:03:36,120
Nothing abnormal appears.

46
00:03:37,280 --> 00:03:42,500
Let's go to our Kali system. As you see, we have a new agent initialized.

47
00:03:43,600 --> 00:03:46,630
Go to the main menu using the main command.

48
00:03:47,680 --> 00:03:49,390
There was one agent at the beginning.

49
00:03:50,110 --> 00:03:51,730
Now we have two of them.

50
00:03:52,920 --> 00:03:55,770
Go to the agents menu using the agents command.

51
00:03:56,490 --> 00:04:01,560
The second one is our new session, which started when the victim opened the Word document.

52
00:04:02,530 --> 00:04:06,370
Use the interact command with the agent name to activate the session.

53
00:04:12,930 --> 00:04:16,770
Now the victim machine is in your hands.