Helper script for mangling Cobalt Strike (CS) payloads through various methods to create a macro that bypasses AV vendors.
This is not my own research, it is merely the combination and weaponization of various techniques I have found online. I assume no responsibility for any misuse of this tool.
Full credit goes to Carlos Perez for his ASR Rules and the Walmart Labs team for the techniques used in the tool.
The macro is executed via WMI in order to bypass the AMSI scan engine. In addition, the script runs the payload.ps1 file through Invoke-Obfuscation to evade AV. The default Invoke-Obfuscation commands are TOKEN\ALL\1,COMPRESS\1, which are hardcoded in the script. The resulting code is then Base64 encoded and the strings are reversed. Finally, all variables in the script are randomly generated every time the script is executed, so that at least static signatures are evaded.
Extract a .ps1 payload from Cobalt Strike and save it in the tetanus directory. Run the script with:
python tetanus.py -f <payload>.ps1
Copy the output macro to a Microsoft Word/Excel document and save it. I have also successfully imported the macro in a PowerPoint (pptm) file by adding a Custom UI to load the script on file open.
You will need both PowerShell/pwsh and Invoke-Obfuscation installed for the script to work.
The tool was developed by SecGroundZero and Stella