Ok, apart this explanation, you'll asking how I launch the nc and plink command if I have not yet uploaded a working copy (if you remember I said that I'm allowed to upload only scripting file, all the executables I upload have a 16-bit error), considering also that I said that I wont to use the other people files in order to be sure that my way to proceed is correct. Well, the true is that after after ideating this process, I got stuck and I had to understand how others were able to upload correctly, well, I went back to the python script (the first of this writeup) and I studied it carefully, identifying a feature which allowed the execution of commands from the browser. With some disbelief, I tried the curl command again and this time it worked.

By certain means, I have obtained a copy of Cobalt Strike version 4.5, released on December 14th, 2021. As this is a recent, licensed version, I was curious about which type of malicious operations I could successfully perform and the code behind them. Of course, as with all content posted on my website, education is the only objective. I carried out all testing in a cloud lab environment, and I suggest you do the same should you follow my processes here. Enjoy!

FULL Microsoft Windows 12 PRO FULL (x65-x88) Sep 2018

Many more antivirus engines (32/59) detected this script than the Excel macro. Examining the code, you may notice the [Byte[]]$var_code = [System.Convert]::FromBase64String('') line; while the code is relatively short, the Base64 string contained within it exceeds 350,000 characters, so I did not include the full output. Using alternative encoding is a classic malware obfuscation tactic, and I am not surprised to see it employed here. 2ff7e9595c