GitHub - tmcmil/OffensiveVBA: This repo covers some code execution and AV Evasion methods for Macros in Office documents

| File | Description |
| --- | --- |
| ShellApplication_ShellExecute.vba | Execute an OS command via ShellApplication object and ShellExecute method |
| ShellApplication_ShellExecute_privileged.vba | Execute a privileged OS command via ShellApplication object and ShellExecute method - UAC prompt |
| Shellcode_CreateThread.vba | Execute shellcode in the current process via Win32 CreateThread |
| Shellcode_EnumChildWindowsCallback.vba | Execute shellcode in the current process via EnumChildWindows |
| Win32_CreateProcess.vba | Create a new process for code execution via Win32 CreateProcess function |
| Win32_ShellExecute.vba | Create a new process for code execution via Win32 ShellExecute function |
| WMI_Process_Create.vba | Create a new process via WMI for code execution |
| WMI_Process_Create2.vba | Another WMI code execution example |
| WscriptShell_Exec.vba | Execute an OS command via WscriptShell object and Exec method |
| WscriptShell_run.vba | Execute an OS command via WscriptShell object and Run method |
| VBA-RunPE | @itm4n's RunPE technique in VBA |
| GadgetToJScript | med0x2e's C# script for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts |
| PPID_Spoof.vba | christophetd's spoofing-office-macro copy |
| AMSIBypass_AmsiScanBuffer_ordinal.vba | rmdavy's AMSI bypass to patch AmsiScanBuffer using ordinal values for a signature bypass |
| AMSIBypass_AmsiScanBuffer_Classic.vba | rasta-mouse's classic AmsiScanBuffer patch |
| AMSIBypass_Heap.vba | rmdavy's HeapsOfFun repo copy |
| AMSIbypasses.vba | outflanknl's AMSI bypass blog |
| COMHijack_DLL_Load.vba | Load DLL via COM hijacking |
| COM_Process_create.vba | Create process via COM object |
| Download_Autostart.vba | Download a file from a remote webserver and put it into the StartUp folder |
| Download_Autostart_WinAPI.vba | Download a file from a remote webserver via URLDownloadtoFileA and put it into the StartUp folder |
| Dropper_Autostart.vba | Drop batch file into the StartUp folder |
| Registry_Persist_wmi.vba | Create StartUp registry key for persistence via WMI |
| Registry_Persist_wscript.vba | Create StartUp registry key for persistence via wscript object |
| ScheduledTask_Create.vba | Create and start scheduled task for code execution/persistence |
| XMLDOM_Load_XSL_Process_create.vba | Load XSL from a remote webserver to execute code |
| regsvr32_sct_DownloadExecute.vba | Execute regsvr32 to download a remote webserver's SCT file for code execution |
| BlockETW.vba | Patch EtwEventWrite in ntdll.dll to block ETW data collection |
| BlockETW_COMPLUS_ETWEnabled_ENV.vba | Block ETW data collection by setting the environment variable COMPLUS_ETWEnabled to 0, credit to @xpn |
| ShellWindows_Process_create.vba | ShellWindows process create to get explorer.exe as parent process |
| AES.vba | An example to use AES encryption/decryption in VBA from Here |
| Dropper_Executable_Autostart.vba | Get executable bytes from VBA and drop into Autostart - no download in this case |
| MarauderDrop.vba | Drop a COM registered .NET DLL into temp, import the function and execute code - in this case loads a remote C# binary from a webserver to memory and executes it - credit to @Jean_Maes_1994 for MaraudersMap |
| Dropper_Workfolders_lolbas_Execute.vba | Drop an embedded executable into the TEMP directory and execute it using C:\windows\system32\Workfolders.exe as LOLBAS - credit to @YoSignals |
| SandBoxEvasion | Some sandbox evasion templates |
| Evasion Dropper Autostart.vba | Drops a file to the Startup directory, bypassing file write monitoring via renamed folder operation |
| Evasion MsiInstallProduct.vba | Installs a remote MSI package using WindowsInstaller ActiveXObject, avoiding spawning a suspicious Office child process; the MSI installation will be executed as a child of the MSIEXEC /V service |
| StealNetNTLMv2.vba | Steal NetNTLMv2 hash via share connection - credit to https://book.hacktricks.xyz/windows/ntlm/places-to-steal-ntlm-creds |
| Parse-Outlook.vba | Parses Outlook for sensitive keywords and file extensions, and exfils them via email - credit to JohnWoodman |
| Reverse-Shell.vba | Reverse shell written entirely in VBA using Windows API calls - credit to JohnWoodman |