
PoisonHandler

lateral movement techniques that can be used during red team exercises.

Execute-PoisonHandler.ps1

This technique registers a protocol handler remotely and then invokes it to execute arbitrary code on the remote host. The idea is simply to invoke start handler:// to execute commands and evade detection.

This cmdlet creates a protocol handler that will call your payload, then executes it over WMI using explorer.exe.

The command that will be executed looks like the following:

cmd.exe /c start ms-browser://

Where ms-browser is the custom handler you registered, which executes the payload you specified.

The default handler name is ms-browser, but it can be set with the -Handler switch.

The handler can also be executed through rundll32 using the following command: rundll32 url.dll,FileProtocolHandler
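From the defender's side, a handler planted this way is visible in the registry: a URL protocol key whose shell\open\command launches a shell instead of an application. The following audit script is an added example, not part of the PoisonHandler project; it assumes HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes, and the "suspicious" rules are a heuristic of my own.

```powershell
# Added example (not PoisonHandler's code): list registered URL protocol handlers on the
# local host and flag the ones whose launch command spawns a shell or script host.
# Assumption: HKCR merges HKLM\Software\Classes and HKCU\Software\Classes, so a handler
# written to either hive appears here.

function Get-UrlProtocolHandler {
    # A URL protocol handler is an HKCR key carrying a value named "URL Protocol" and a
    # shell\open\command subkey whose default value is the command run for <scheme>://
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.Property -contains 'URL Protocol' } |
        ForEach-Object {
            $cmdKey  = Join-Path -Path $_.PSPath -ChildPath 'shell\open\command'
            $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Scheme  = $_.PSChildName
                Command = $command
            }
        }
}

function Test-SuspiciousHandler {
    param([Parameter(Mandatory)][string]$Scheme, [string]$Command)
    # Heuristic (mine, not from the README): a handler is suspicious when its command
    # starts a shell or script host rather than a GUI application, or when the scheme
    # is the tool's default name, which is not a scheme Windows registers itself.
    $shellHosts = 'cmd\.exe|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil'
    $reasons = @()
    if ($Command -match $shellHosts) { $reasons += 'command spawns a shell or script host' }
    if ($Scheme -eq 'ms-browser')    { $reasons += 'scheme matches the PoisonHandler default' }
    return $reasons
}

# Walk every handler and report only the ones that trip a rule.
Get-UrlProtocolHandler | ForEach-Object {
    $why = @(Test-SuspiciousHandler -Scheme $_.Scheme -Command $_.Command)
    if ($why.Count -gt 0) {
        [pscustomobject]@{ Scheme = $_.Scheme; Command = $_.Command; Reason = ($why -join '; ') }
    }
} | Format-Table -AutoSize
```

For continuous monitoring rather than a one-off audit, the same key is what a Sysmon registry value set event (Event ID 13) on `*\shell\open\command` surfaces, and the invocation side shows up as a child of explorer.exe or rundll32 with a `start <scheme>://` or `url.dll,FileProtocolHandler` command line.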

Usage:

module-import .\Execute-PoisonHandler.ps1; Execute-PoisonHandler -ComputerName host -Payload "command to run"
module-import .\Execute-PoisonHandler.ps1; Execute-PoisonHandler -ComputerName host -Payload "command to run" -Handler ms-handler-name 
module-import .\Execute-PoisonHandler.ps1; Execute-PoisonHandler -ComputerName host -Payload "command to run" -Username MrUn1k0d3r -Password Password
module-import .\Execute-PoisonHandler.ps1; Execute-PoisonHandler -ComputerName host -Payload "command to run" -Username MrUn1k0d3r -Password Password -UseRunDLL32 True
module-import .\Execute-PoisonHandler.ps1; Execute-PoisonHandler -ComputerName host -Payload "command to run" -Username MrUn1k0d3r -Password Password -RemoteCommand "custom command to run the handler"

The -RemoteCommand switch can be used to specify the remote command used. The handler name will be appended at the end automatically.

Commands that can be used

  • rundll32 url.dll,FileProtocolHandler
  • rundll32 url.dll,OpenURL
  • explorer
  • start

To do

  • add more ways to execute the protocol handler

Credit

Mr.Un1k0d3r RingZer0 Team

Tazz0 RingZer0 Team