PoSHMagiC0de Posted October 12, 2017

So, first, check this out. There is a version of mimikatz that works for Windows 10 Creators Update, but no success getting it injectable for PowerShell like the old one. The info is here.

Now... for the topic. So, I have seen lots of payloads with physical vbs files. I have a tendency that when I see something using physical file writing, I try to find a way to prevent that... and I did, though I leave the rest of the work to you.

The secret, if it is not blocked, is mshta.exe. This bad boy can run inline vbs scripts from the command line, no file needed to reference.

Differences are so. Below is a simple 2 step command. It will pop open a message box and once you hit "OK", it will open a second one to show the vbscript window is not popping up. After you close that one, it will run the window.close command, closing the vbscript window that you will see briefly.

You will notice I have a window.close method at the very end. If this is not present, when the box closes you are left with a big empty WScript window that you have to manually close. The last command closes that window. So, stealthiness of this method is not completely silent. The window will not pop up until the end of the script. If you remove the window.close command, you will see what I am talking about.

So, the command line for this is:

mshta vbscript:Execute("Msgbox ""Hello World1"":Msgbox ""Hello World2"":window.close")

So you can use your imagination and see how you can make your vbscript perform like PowerShell inline. The difference is how you pull the extra payloads, but to execute them you just use the Execute command on them to run string elements as vbs commands, similar to what I did inline above.
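A detection sketch for the command-line pattern described in the post, added here as an example and not part of the original post: it flags process-creation records where mshta.exe is started with an inline vbscript: or javascript: handler instead of an .hta file (javascript: goes beyond the post's vbscript case). The event tuples are constructed sample data, and the function and indicator names are hypothetical.

```python
import re

# Constructed process-creation records (image path, command line); sample data only.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\mshta.exe",
     'mshta vbscript:Execute("Msgbox ""Hello World1"":Msgbox ""Hello World2"":window.close")'),
    (r"C:\Windows\SysWOW64\mshta.exe",
     r'"C:\Windows\SysWOW64\mshta.exe" JavaScript:close()'),
    (r"C:\Windows\System32\mshta.exe",
     r'mshta.exe "C:\Program Files\Vendor\help.hta"'),
    (r"C:\Windows\System32\notepad.exe",
     r'notepad.exe C:\notes\vbscript:todo.txt'),
]

# A script scheme must be the first argument after the executable token,
# so an .hta path that merely contains "vbscript:" later on is not matched.
INLINE_SCHEME = re.compile(
    r'^\s*(?:"[^"]*"|\S+)\s+"?\s*(vbscript|javascript)\s*:', re.IGNORECASE)

# Hypothetical indicator names for traits the post describes:
# string execution via Execute and the trailing window.close call.
INDICATORS = [
    ("dynamic_execute", re.compile(r'\bexecute(global)?\s*\(', re.IGNORECASE)),
    ("self_close", re.compile(r'\b(window\.)?close\b', re.IGNORECASE)),
]

def is_mshta(image):
    """True when the image path's file name is mshta.exe (case-insensitive)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "mshta.exe"

def classify(image, cmdline):
    """Return a finding dict for an inline-script mshta launch, else None."""
    if not is_mshta(image):
        return None
    match = INLINE_SCHEME.match(cmdline)
    if not match:
        return None
    body = cmdline[match.end():]
    hits = [name for name, rx in INDICATORS if rx.search(body)]
    return {"scheme": match.group(1).lower(), "indicators": hits}

def scan(events):
    """Return (index, finding) pairs for every flagged record."""
    return [(i, f) for i, (img, cmd) in enumerate(events) if (f := classify(img, cmd))]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding)
```

Matching on the image file name misses renamed copies of mshta.exe; where the telemetry records it (Sysmon event ID 1 does), compare the OriginalFileName field as well.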