There are a number of tools to perform this attack but this one in particular states:  "DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain."

There was a story a couple of years ago that talked about how help desks were resetting passwords using the words Winter, Spring, Summer, Fall, the year, and possibly some special characters.  If we think about password complexity rules, we need an uppercase letter, a lowercase letter, a number, and maybe a special character.

There are lots of tools that overlap and this one is no different.  It has a few tricks that I haven't seen in other tools and it has some similar features to others.  I didn't play with the Pro version but I did ask the author if the Pro version was still capable of evading a/v and he said yes.  Before I move on, the description of the product states:  "macro_pack is a tool by @EmericNasi used to automatize obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for pentest, demo, and social engineering assessments."

Evil Clippy is described as:  "A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows."  I didn't have much luck with some of the other features but the feature that was of most interest to me, hiding macros, was functional.

We work with small businesses and the goal is to hide -- well enough, meaning that we want to show that if a small business is attacked, assigning attribution is difficult.  We're not hiding from competent investigators, we're just hiding from the average Joe. 

This is not original work, I found it here on Github.  Interesting idea with a somewhat limited use... in my opinion.  The description states:  "c# reverse shell poc that also does TLS".  I keep reading that CSharp is the new PowerShell but as far as I can tell, CSharp payloads are getting detected so maybe that ship has passed.  I will say that this shell goes undetected but it does require the arguments so it's not something you can get a user to click on. 

One final thought -- you only need Program.cs which can be compiled in the .NET folder.

The other day I wrote about EmbedInHTML and like most things, I wanted to learn more about the mechanics.  While poking around, I found an article, HTML Smuggling, which I guess is the technical term but it started to spell things out for me.  The article is worth reading and there's no need for me to rehash the entire post but the gist of it is that we're taking a document, converting it to Base64, and we're passing that across to the browser with an auto download function.

I'll warn you up front, this may or may not work with certain a/v products.  You also don't need to use Metasploit and in fact, you're probably better off if you don't.  The concept is the same though, we're going to schedule a task to run in Windows on login.  What we choose to execute can be anything really and it's probably better if it's something that can avoid detection from a/v. 

Using the Metasploit method, we setup script delivery: