1. MSOffice Malware in Memory
    1. Macros
      1. Useful Win32 APIs
        1. 3 from Kernel32.dll
          1. VirtualAlloc
          2. RtlMoveMemory
          3. CreateThread
          4. Check MSDN Function Prototypes
      2. Good To Know
        1. LPDWORD
          1. (C) Pointer or Ref to a DWORD
        2. LPSTR
          1. (C) Pointer to a String
      3. Download Cradle + IEX
        1. Powershell
          1. Win32 APIs
          2. (C#) DllImportAttribute
          3. C data types to C# data types translation
          4. P/Invoke APIs
          5. System namespace
          6. System.Runtime.InteropServices namespace
          7. www.pinvoke.net might help
          8. Add-Type
          9. RtlMoveMemory
          10. System.Runtime.InteropServices.Marshal
          11. .NET Copy
          12. Allows data to be copied from a managed array to an unmanaged memory pointer
          13. WaitForSingleObject
          14. Artifacts
          15. CSC: C# Command Line Compiler
          16. List loaded assemblies
          17. Add-Type
          18. [appdomain]::currentdomain.getassemblies()
          19. In this case, it could be flagged by antivirus
          20. Dynamic Lookup
          21. Add-Type
          22. System.dll
          23. Microsoft.Win32.UnsafeNativeMethods class
          24. GetModuleHandle
          25. GetProcAddress
          26. Create the .NET assembly in memory instead of writing code to disk and compiling it. These methods are only meant to be used internally by the .NET code, so it is impossible to call them directly from Powershell or C#. - Check the UnsafeNativeMethods branch -
          27. Create New Assemblies
          28. GetAssemblies
          29. ForEach-Object
          30. GetTypes
          31. Get-Member
          32. Static Flag
          33. Where-Object
          34. Unsafe Keyword in TypeName
          35. Search for preloaded assemblies that could match our criteria
          36. UnsafeNativeMethods
          37. Assembly filtering
          38. GlobalAssemblyCache
          39. Location
          40. List of all native and registered assemblies on Windows: this is what we want
          41. Last part of the file path must be "System.dll"
          42. Reference to System.dll
          43. GetType
          44. $dllvar.GetType('Microsoft.Win32.UnsafeNativeMethods')
          45. GetMethod
          46. Invoke
          47. GetMethod function to obtain a reference to the internal GetModuleHandle method
          48. Use the internal Invoke method to call GetModuleHandle and obtain the base address of an unmanaged DLL
          49. .NET Reflection
          50. GetMethods vs GetMethod
          51. GetProcAddress
          52. Locate GetProcAddress to resolve arbitrary APIs
          53. Delegate Type Reflection
          54. (C#) delegate
          55. Creation using Reflection
          56. Create New Assembly
          57. AssemblyName Class
          58. Access mode
          59. DefineDynamicAssembly
          60. System.Reflection.Emit.AssemblyBuilderAccess namespace - Value set to RUN
          61. Access mode configuration: no disk access and executable
          62. Creating Content
          63. DefineDynamicModule
          64. DefineType
          65. Custom Name
          66. Attributes
          67. Class
          68. Public
          69. Sealed
          70. AnsiClass
          71. AutoClass
          72. Check MS Doc
          73. MulticastDelegate class
          74. Inside an assembly the main building block is a Module
          75. DefineType takes 3 args
          76. Construct our Custom Delegate Type
          77. DefineConstructor
          78. MethodAttributes Enum
          79. [System.Reflection.CallingConventions]::Standard
          80. Types of the Constructor
          81. Constructor Call
          82. SetImplementationFlags
          83. Runtime
          84. Managed
          85. Invoke
          86. DefineMethod
          87. Method Name
          88. Method Attributes
          89. Return Type
          90. Array of Arg Types
          91. Takes 4 args
          92. MethodImplAttributes Enum
          93. Delegate Type Instantiation
          94. CreateType
          95. 2004 Blog post
          96. Generate Shellcode
          97. ps1 format
          98. 32-bit architecture (cf. MS Office arch)
          99. Use of msfvenom (shortcut)
          100. Copy it with .NET Copy method
          101. Use System Proxy (optional)
          102. Not natively accessible in Powershell. Thank you .NET -> C#
          103. Invoke functions in unmanaged dynamic link libraries
          104. Once the translation is done: use the .NET framework to compile and create objects containing the structures, values, functions, or code inside the Add-Type statement
          105. Avoid Powershell terminating before the shellcode has fully executed.
      4. Be aware: closing MSOffice will kill the shellcode - Check advanced attack with Powershell
  2. Client Side Code Execution With Windows Script Host
    1. Must Read
      1. TrickBot
      2. Emotet
    2. Jscript
      1. DotNetToJscript
    3. C#
      1. Win32 APIs
        1. C data types to C# data types translation
          1. pinvoke
        2. DllImport
          1. System.Diagnostics namespace
          2. System.Runtime.InteropServices namespace
          3. Mandatory
      2. Shellcode
  3. Process Injection and Migration
  4. Antivirus Evasion
  5. Targeting Windows Creds
  6. Windows Lateral Movement
  7. Active Directory Exploitation
  8. Under Construction...