trustedsec / unicorn

Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. Based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
https://www.trustedsec.com

Windows 10 PowerShell macro payload #78

Closed ghost closed 6 years ago

ghost commented 6 years ago

Using unicorn 3.2.4, Windows 10 1703 w/Office 2016, I am having difficulty getting the reverse_https 443 macro PowerShell attack to connect back to Meterpreter. A Wireshark capture at the Windows 10 client shows no attempt at an outbound connection to the LHOST. Defender is disabled and the Windows firewall is disabled.

When testing on Windows 7 w/Office 2016, I have no such issue and the same payload works flawlessly.

As a test, I used the reverse_tcp 443 macro PowerShell attack from unicorn 2.6 and I was able to connect back from Windows 10 to Meterpreter.

Thoughts?

Thank you TrustedSec!

trustedsec commented 6 years ago

Thanks for the submission, I'll check on this later tonight. Can you by any chance do me a favor and, instead of /w 1 and /c, change the / to a - and see if that works? Want to rule that out as a problematic area.

ghost commented 6 years ago

Thank you for the quick response. I changed "/w 1 /C" to "-w 1 -C" and tried again. No change.

trustedsec commented 6 years ago

Alright cool, I'll take a peek in a little bit after I wrap up the normal work day :) Thanks for reporting. This only happens with the macro PowerShell attack? Does not happen when doing the regular PowerShell attack vector, correct? I get a shell there. I need to load up my VM with Office installed next on Win10.

ghost commented 6 years ago

Yup, just the macro attack. Chatted with Elze earlier today; he thinks it might be an HTTPS payload length limit issue.

pubeosp54332 commented 6 years ago

With Windows Defender enabled, no reverse shell comes up; the payload is being detected.

trustedsec commented 6 years ago

Right, Windows releases signatures all the time; it's a cat and mouse game. Would recommend, if you need it immediately, writing your own obfuscation.

trustedsec commented 6 years ago

New version is out, gets around it all. Macros work as well.