Creating Microsoft Office and HTML Payloads | TryHackMe Weaponization

We demonstrated the weaponization phase of the red team engagement. We covered the scenarios in which a red teamer or an attacker would create a weaponized payload whether if its a part of social engineering campaign or a vulnerability exploitation in a web application. Weaponized payloads can come in the form of Microsoft office marco-enabled payloads, HTML application payloads, PDF payloads or with PowerShell. This was part of red team track in TryHackMe platform.

Get Reverse shells and red team scripts

What is Weaponization?

Weaponization is the second stage of the Cyber Kill Chain model. In this stage, the attacker generates and develops their own malicious code using deliverable payloads such as word documents, PDFs, etc. [1]. The weaponization stage aims to use the malicious weapon to exploit the target machine and gain initial access.

Most organizations have Windows OS running, which is going to be a likely target. An organization’s environment policy often blocks downloading and executing .exe files to avoid security violations. Therefore, red teamers rely upon building custom payloads sent via various channels such as phishing campaigns, social engineering, browser or software exploitation, USB, or web methods.

The following graph is an example of weaponization, where a crafted custom PDF or Microsoft Office document is used to deliver a malicious payload. The custom payload is configured to connect back to the command and control environment of the red team infrastructure.

• The Windows Script Host (WSH)
• An HTML Application (HTA)
• Visual Basic Applications (VBA)
• PowerShell (PSH)

Video Walkthrough