Macro Stageless payload troubles

[ghost]

The image above shows command output from tool when building payload. Tool version is current build as of today for IVY 1.12 and CS (CobaltStrike 4.7.1).

Stageless payload from CS is "Windows Stageless Payload"->RAW (also tried Stageless Payload Generator->raw)

Here is what was observed:

• macro payload in excel appears to execute without visible errors (even when cscript is run on test.txt in the appdata excel path)
• test.txt is pulled down from local py webserver, no issues.
• outlook.exe spawns -> cscript.exe (with F://jscript .... args) which spawns -> excel.exe
• No call back attempt from macro :( verified via FW log and c2 server.

Troubleshooting done so far:

• CS c2 profile validated to call home via stageless windows exe. no UDRL in play. not even sleepmask. No CNA's. No kits.
• Run w/ -debug command
• Tried without -unhook command as well. no change.
• No IPS no egress filtering in play

My Current Theory:

• Maybe c2 profile has wonky settings not tested with tool? Have you had issues with custom mall c2 profile and tool? (just came to me)
• struct.go exec issue for macro?
• shellcode file doesnt make its way into payload (but size of b64 blob in test.txt makes me think it does)
• Shellcode exec call not working

Any help would be great.

[ghost]

Update: Today i used the Default out of the box CobaltStrike profile (no profile) used in testing. no major change. Except with the same generated macro's ive had excel.exe crash 1 time but the 3+ other times its has simply spawned and not attempted to call home.

[ghost]

with some changes i got 1 callback working .

[Tylous]

what changed?

[ghost]

sry i missed your reply. from what i recall (if i recall correctly) there was a file exists input/output check(s). yep i put the file path in wrong :( and....im sry i forgot the rest.