A guide to creating malicious macro-enabled Excel worksheets
An tutorial by Niall.
This guide will go through the steps taken in order to create a malicious macro-enabled Excel worksheet. The tutorial will explain how to use msfvenom to create an x64 reverse shell, how to install and use luckystrike and how to set up a listener in order to detect the reverse shell. This tutorial will be catered to work on a local area network
This guide will not give details on how to distribute the documents created and is for educational purposes only.
Pre-requisites
Windows with Powershell V5 (update here: Windows Management Framework 5)
Microsoft office - at minimum Excel. Luckystrike uses Excel COM objects to build .xls documents
Metasploit (found on Kali) or your own executable.
Creating your reverse shell
This part of the tutorial will contain instructions on how to create your reverse shell.
The image above shows a terminal running the msfvenom command that will generate a x64 windows reverse shell. When entering this command, ensure that LHOST is the IP address of your Kali machine. You will want to now store your executable on a USB or transfer it over to your windows machine. Please note: You may use any executable, powershell module or shell command, but this tutorial will use a simple reverse shell.
Building Luckystrike
This part of the tutorial will walk through how to install Luckystrike in order to create our macro-enabled worksheets.
Method 1
Open powershell as admin and run the following:
Method 2
Luckystrike can be downloaded from their github here: LuckyStrike Github Once you have downloaded the source, browse to the Luckystrike directory and run
If you get the execution policy error, the fix is:
Both these methods do the following:
Installs the PSSQLLite module if you don't have it (hence the admin rights needed)
Creates .\Luckystrike\
Creates the database (ls.db) and puts it into .\luckystrike
Copies luckystrike.ps1 into .\luckystrike
You should have now successfully built Luckystrike
Creating the macro-enabled worksheet
Once the above step has been completed, browse to your Luckystrike directory and run
. If all has went well, you will get the following screen:
Now we need to add our payload to Luckystrikes catlogue, select the payload and generate the .xls document. See the following images:
The image above shows the commands and how to add the executable to the tool. Ensure to use the absolute patch when entering the file path.
Now select the payload for use.
Now generate the .xls file.
Your .xls file should be generated and stored in the path specified. Now rename it to something better and set up a listener.
Setting up the listener
In order for our shell to connect back to our Kali machine, we need to set up a listener.
Distribution
As you are in a test environment and wouldn't be doing anything illegal, simply open your excel document on the machine you created it on and enable macros when prompted.
Success?
If successful and your document is ran and macros enabled, it will connect back to your Kali machine and your listener will look like this:
Additional work
Use a more interesting payload rather than a reverse shell
It is possible to add payloads to existing worksheets, so create a nice encoded doc that will decrypt upon the macros being enabled
Write your own payload
Find a way to get the same idea working with MS Word (speak to Colin)
Think of something interesting to do post-exploitation
Last updated