Phishing & filename inversion & Office remote template
2022-07-06 06:32:00 【zxl2605】
The procedures and technical principles in this article can be offensive. They are provided only for security research and teaching; be sure to experiment in a simulated environment and do not use them for any other purpose.
The consequences of doing so are borne by the reader alone. Anyone who violates national law bears full legal responsibility; it has nothing to do with the author or the sharer.
0x01 Filename reversal
During a penetration test you sometimes need to deliver Trojan files by phishing, and these files need careful disguising. RLO stands for Right-to-Left Override. Inserting the Unicode control character RLO into a file name reverses how the part of the name after it is displayed.
Take the CobaltStrike-generated Trojan BypassAV.exe as the example.
1. Generate the Trojan file
2. Suppose we want this Trojan to look like a zip file
Because RLO renders text from right to left, we select the file, choose Rename, and type piz in front of .exe
3. Right-click at the position between BypassAV and piz, choose "Insert Unicode control character", then choose RLO
4. Check the file properties: the displayed suffix has become zip
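As an added defensive example (not code from the original post), the following checker reports, for any file name, which bidi control characters it carries, the name as a file manager would display it, and the extension the OS actually uses; the sample name is the one constructed in the steps above.

```python
import os

# Unicode bidi control characters abused to disguise file extensions.
# U+202E (RLO) is the one used in the steps above; the others are siblings.
BIDI_CONTROLS = {
    "\u202e": "RLO", "\u202d": "LRO", "\u202b": "RLE",
    "\u202a": "LRE", "\u2067": "RLI", "\u2066": "LRI",
}

def displayed_name(name: str) -> str:
    """Approximate how a file manager renders a name with one RLO:
    everything after U+202E is drawn right-to-left, i.e. reversed."""
    head, rlo, tail = name.partition("\u202e")
    return head + tail[::-1] if rlo else name

def real_extension(name: str) -> str:
    """Extension the OS actually dispatches on: drop the controls, take the last suffix."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    _, dot, ext = clean.rpartition(".")
    return ext.lower() if dot else ""

def check_filename(name: str) -> dict:
    """Flag bidi controls and report displayed vs. real extension."""
    controls = [BIDI_CONTROLS[ch] for ch in name if ch in BIDI_CONTROLS]
    shown = displayed_name(name)
    _, dot, shown_ext = shown.rpartition(".")
    return {
        "suspicious": bool(controls),
        "controls": controls,
        "displayed": shown,
        "displayed_ext": shown_ext.lower() if dot else "",
        "real_ext": real_extension(name),
    }

def scan_directory(path: str) -> list:
    """Return check results for every entry whose name carries a bidi control."""
    return [dict(name=e.name, **check_filename(e.name))
            for e in os.scandir(path) if any(ch in BIDI_CONTROLS for ch in e.name)]

if __name__ == "__main__":
    # Constructed sample: the disguised name produced by the steps above
    print(check_filename("BypassAV\u202epiz.exe"))
```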
0x02 Self-extracting archive that releases and executes
A self-extracting (SFX) archive is a way of bundling files: WinRAR compresses a normal file together with the Trojan into a self-extracting exe, and once extraction finishes the released file runs automatically.
Steps
1. Place the generated Trojan in the same directory as the files to be compressed (a different directory also works), and name the Trojan file envchk.exe
2. Select all the files to be compressed, right-click, and choose "Add to archive"
3. Choose to create a self-extracting (SFX) archive
4. Open the SFX options under the Advanced tab
5. Configure the extraction path, i.e. where the program releases its files when it runs
Here we configure the C:\ProgramData directory
6. In the Setup tab, set the program to run after extraction
The path given here is either an absolute path or a path relative to the extraction directory
7. Under Modes, set Silent mode to "Hide all"
8. Configure shortcuts
Advanced > Add shortcuts
9. Click OK to generate the self-extracting package
10. Run the generated self-extracting file: the legitimate software opens normally, and the CS beacon also checks in normally
Looking at the ProgramData directory shows that the file was released successfully
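As an added defensive example (not code from the original post), the following scanner looks for a RAR archive appended to a PE file, as a WinRAR SFX is built, and pulls out SFX script lines such as the Path=, Setup= and Silent= settings chosen above. The sample bytes are a constructed stand-in, not a real archive, and the plain-text search for script commands is a heuristic assumption rather than a parse of the RAR format.

```python
import re

RAR_MAGIC = b"Rar!\x1a\x07"   # common prefix of the RAR4 (..\x00) and RAR5 (..\x01\x00) signatures
# WinRAR SFX script commands corresponding to the settings chosen in the steps above
SFX_COMMANDS = (b"Path=", b"Setup=", b"Silent=", b"Overwrite=", b"Shortcut=", b"TempMode")

def find_embedded_rar(data: bytes) -> dict:
    """Locate a RAR archive inside a PE image and collect any SFX script lines after it."""
    result = {"is_pe": data[:2] == b"MZ", "rar_offset": -1, "rar_version": None, "sfx_script": []}
    if not result["is_pe"]:
        return result
    pos = data.find(RAR_MAGIC)
    if pos == -1:
        return result
    result["rar_offset"] = pos
    flag = data[pos + len(RAR_MAGIC):pos + len(RAR_MAGIC) + 1]
    result["rar_version"] = 5 if flag == b"\x01" else 4 if flag == b"\x00" else None
    # Heuristic (assumption): the SFX comment carrying the script is commonly stored as
    # plain text, so recognisable commands can be recovered with a simple byte search.
    for cmd in SFX_COMMANDS:
        for m in re.finditer(re.escape(cmd) + rb"[^\r\n\x00]*", data[pos:]):
            result["sfx_script"].append(m.group(0).decode("latin-1"))
    return result

def is_silent_dropper(result: dict) -> bool:
    """True when the archive runs a program after extraction with all UI hidden."""
    script = result["sfx_script"]
    return any(s.startswith("Setup=") for s in script) and "Silent=1" in script

def sample_sfx() -> bytes:
    """Constructed stand-in for a WinRAR SFX (not a real archive): a PE stub followed
    by a RAR5 signature and the script implied by the steps above."""
    return (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32 + b"Rar!\x1a\x07\x01\x00"
            + b"\x00" * 8 + b"CMT"
            + b"Path=C:\\ProgramData\r\nSetup=envchk.exe\r\nSilent=1\r\nOverwrite=1\r\n")

if __name__ == "__main__":
    print(find_embedded_rar(sample_sfx()))
```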
0x03 Office remote template loading
The remote macro template technique relies on the fact that a document created from a template loads that template when it opens. The normal template it loads is replaced with a malicious template carrying a macro virus. Two documents are involved:
1. docx: a document created normally from a template
2. dotm: the malicious macro template file carrying the macro virus. Compared with sending a macro-enabled document directly, a docx sent this way is more hidden and is not detected by antivirus, because the document itself contains no macros.
Loading a template remotely in Office
1. First create a macro template file
2. Set the macro location to the current document, then create a macro
3. Write the macro code and save it as a dotm file
4. Upload the macro template file to the Internet
5. Use the template to create a docx file
6. After saving the document, change its suffix to zip and extract the file word\_rels\settings.xml.rels
7. Modify the Target field in settings.xml.rels so that it points to the macro virus template file on the Internet, then compress the files back into a document
8. Open the modified document: the template carrying the macro virus is downloaded from the Internet as the document opens
9. Click Enable Macros, and CS comes online
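As an added defensive example (not code from the original post), the following check opens a .docx as a zip, reads the word\_rels\settings.xml.rels part modified in steps 6 and 7 above, and reports any attachedTemplate relationship whose Target points at a remote location. The sample document is constructed in memory with only the parts the check reads, and the template URL is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"   # the part edited in steps 6 and 7 above
REMOTE_SCHEME = re.compile(r"(?i)^(https?://|ftps?://|\\\\)")

def find_attached_templates(docx_bytes: bytes) -> list:
    """List attachedTemplate relationships and whether each points off the host."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return []
        root = ET.fromstring(z.read(SETTINGS_RELS))
    hits = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE:
            continue
        target = rel.get("Target", "")
        hits.append({
            "id": rel.get("Id"),
            "target": target,
            "external": rel.get("TargetMode", "").lower() == "external",
            "remote": bool(REMOTE_SCHEME.match(target)),   # http(s), ftp or UNC path
        })
    return hits

def has_remote_template(docx_bytes: bytes) -> bool:
    """True when the document will fetch its template from a remote location."""
    return any(h["remote"] for h in find_attached_templates(docx_bytes))

def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal .docx containing only the parts this check reads."""
    rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()

if __name__ == "__main__":
    # Placeholder host, not a real template location
    print(find_attached_templates(build_sample_docx("http://template-host.example/macro.dotm")))
```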