
MacroPack

Generate Delivery-Ready Payloads. In Minutes.

MacroPack covers the entire initial access and assume breach payload pipeline for Windows environments: state-of-the-art attack methods and formats, built-in evasion for modern EDR, and native integration with every major C2 framework.

€1,350 / year per user · Volume discounts available

What MacroPack Does

MacroPack is a Swiss-army knife for initial vector generation. It helps Red Teams automate, weaponize and deliver payloads while offering robust defense bypass techniques. MacroPack handles everything: format selection, obfuscation, application of evasion techniques, social engineering mechanisms, and output.

The problem it solves is specific: red teams spend disproportionate time building and testing payloads before engagements. Evasion methods that worked last month may fail today. Formats that bypass one EDR get caught by another. MacroPack abstracts that iteration loop so operators can focus on scenario execution. MacroPack helps with initial access hurdles such as SmartScreen, and in assume breach scenarios it is useful for running tools in locked-down environments where most payloads are not allowed to run.

For TIBER-EU engagements specifically, where timelines are fixed and scenarios are intelligence-led, payload preparation time is not a variable that should eat into execution time. MacroPack handles it.

Features Overview

MacroPack features by category

Use Case: Initial Access, Assume Breach, Weaponize third-party tooling
Payloads: LNK, ClickOnce, HTML/SVG smuggling, Office (Word, Excel, PowerPoint, Publisher, OneNote, Visio, Project), XLM macros, HTA, WSF, VBS, ISO/ZIP/7z/MSI containers, PDF, .vsix, .chm
EDR Evasion: Evade static and runtime detections. Tested in real operations against multiple EDRs and antivirus products.
Social Engineering: Add decoy, spoof extension, spoof icon, etc.; Mark-of-the-Web evasion help
Payload Customization: Multiple methods to launch shellcode, drop files, execute command lines, etc.; guardrails (such as domain name, validity dates, etc.); possibility to add custom code; different ways to run a payload
Platforms: GUI and CLI, tested on Windows 10 and 11

Key Capabilities

Initial Access Formats

DotNET Assembly
Weaponized third-party exe or dll .NET assemblies
LNK files
Shortcut-based execution with configurable icon, description, and lure content, including multiple techniques to drop the payload.
ClickOnce applications
.NET ClickOnce deployment packages for trusted application delivery
Office documents
Word, Excel (including Legacy XLM / Excel 4.0 macros), PowerPoint, Publisher, OneNote, Visio, Project with macro-based execution
Various Scripts
VBS, HTA, WSF, XSL, CMD, etc.
Container delivery
ISO, ZIP, Tar, 7z (with password encryption), MSI container formats for file smuggling
HTML and SVG smuggling
JavaScript-based payload delivery in HTML or SVG with WASM-based unpacking
URL and shortcut files
.url, .inf, .scf, .slk, .library-ms, .website, .glk for browser and Explorer delivery
Dev supply chain attacks formats
.vsix, .csproj, .npm, .chm, .vsdx, .mdb for developer and specialist lure scenarios

EDR Evasion Methods

Advanced code obfuscation
Obfuscation of VBA, scripts, .NET assemblies, Python, and command lines, with several levels of encryption
AMSI and ETW bypass
Multiple methods to evade these mechanisms before payload execution
ASR rule circumvention
Attack Surface Reduction rules bypassed for relevant execution methods
Machine Learning Evasion
Multiple options to trick or break the EDR analysis based on Machine Learning
Runtime Detection Evasion
PPID Spoofing, AMSI & ETW evasion, encryption/packing, etc.
Run code in memory
Several methods to load a PE, assembly, or shellcode in memory, e.g. process hollowing (RunPE), code injection, private Gadget2JS
Domain and date restrictions
Payload scope controls - bind execution to a specific domain or validity window
Sandbox Detection and anti Reverse Engineering
Timing-based delays, environment checks, anti-analysis triggers, formats patching
Complex payloads and private research
Combine multiple stages and nested formats with private undisclosed evasion tricks

C2 Framework Integration

Native shellcode and stager compatibility across every major C2 framework used in professional red team engagements.

  • All Commercial C2s (Tutorial available)
  • Adaptix C2 (Tutorial available)
  • Sliver (Tutorial available)
  • Mythic Apollo, Merlin, etc (Tutorial available)
  • Empire (PowerShell and .NET agents)
  • Other Open Source C2s

Ready to use Scenarios

  1. Shellcode Loader (embedded and remote)
  2. DotNET Assembly Weaponization
  3. Drop and execute exe, dll, scripts (including with DLL sideloading)
  4. Download and execute a payload
  5. Malicious ClickOnce and MSI installers
  6. Run a command line
  7. Run weaponized Python script
  8. Target Enumeration
  9. Social Engineering tricks

EDR Bypass Profiles

Pre-built, production-tested profiles for major EDRs and Antivirus. Select a profile for your target environment and MacroPack applies the appropriate bypass chain automatically.

Per-target profiles

Each profile is tuned to the specific detection logic of the target EDR, not a generic bypass.

Profile combinations

Profiles combine format, execution method, and evasion technique for common engagement scenarios.

Profile updates

Profiles are updated as EDR vendors release new detection improvements. Licenses include regular profile updates.

MITRE ATT&CK Technique Coverage

MacroPack generates payloads that accurately reproduce documented threat actor TTPs. Each output format and execution method maps to specific ATT&CK techniques - critical for threat-intelligence-led engagements where scenario accuracy is verified against the Threat Intelligence Report.

T1566 Phishing: HTML smuggling, Office lure delivery
T1566.001 Spearphishing Attachment: Office document delivery (.docm, .xlsm, .pptm)
T1566.002 Spearphishing Link: URL file and HTML-based delivery
T1204.002 Malicious File: LNK, Office, ClickOnce, PDF execution
T1059.005 Visual Basic: VBS and VBA macro execution
T1059.007 JavaScript: HTA, WSF, XSL script execution
T1218.005 Mshta: MSHTA proxy execution method
T1218.010 Regsvr32: Regsvr32 / scrobj.dll proxy execution
T1218.011 Rundll32: Rundll32 DLL proxy execution
T1055.012 Process Hollowing: RunPE template - hollow legitimate process and inject shellcode
T1134.004 Parent PID Spoofing: PPID_SPOOF template - forge process ancestry
T1027.010 Command Obfuscation: Dosfuscate cmd.exe obfuscation
T1548.002 Bypass UAC: UAC bypass for privilege escalation
T1221 Template Injection: CVE-2022-30190 (Follina) MSDT template injection
T1553.005 Mark-of-the-Web Bypass: ISO/container delivery bypasses MoTW propagation
T1105 Ingress Tool Transfer: ClickOnce, MSI, and dropper templates

Technique coverage is used by red teams to verify scenario accuracy against the Threat Intelligence Report in TIBER-EU and equivalent intelligence-led red team programs globally.

TIBER-EU

MacroPack for TIBER-EU Initial Access

TIBER scenarios demand threat-intelligence-led attack vectors that accurately emulate specific threat actor TTPs. MacroPack's configurable execution chains, metadata control, and per-target evasion profiles make threat-actor-accurate payload generation executable without custom development per engagement.

Learn how BallisKit supports TIBER-EU

Pricing

€1,350
per user / per year
  • All use cases and turnkey payloads
  • All 29+ output formats
  • All EDR bypass profiles
  • Regular updates including EDR evasion
  • Customization, history, and custom presets
  • Discord and Email support

Bundle pricing available with ShellcodePack and DarwinOps.

Volume licensing for 3+ users. Contact contact@balliskit.com.

Professional email required. Anonymized or consumer domains not accepted.