Inline VBS scripting


PoSHMagiC0de

So, first, check this out.  There is a version of Mimikatz that works for Windows 10 Creators Update, but no success getting it injectable for PowerShell like the old one.  The info is here.

Now... for the topic.

So, I have seen lots of payloads with physical VBS files.  I have a tendency that when I see something using physical file writing, I try to find a way to prevent that... and I did, though I leave the rest of the work to you.

The secret, if it is not blocked, is mshta.exe.  This bad boy can run inline VBS scripts from the command line, no file needed to reference.  Differences are so.  Below is a simple 2 step command.  It will pop open a message box and once you hit "OK", it will open a second one to show the VBScript window is not popping up.  After you close that one, it will run the window.close command, closing the VBScript window that you will see briefly.  You will notice I have a window.close method at the very end.  If this is not present, when the box closes you are left with a big empty WScript window that you have to manually close.  The last command closes that window.  So, stealthiness of this method is not completely silent.  The window will not pop up until the end of the script.  If you remove the window.close command you will see what I am talking about.

So, the command line for this is.

mshta vbscript:Execute("Msgbox ""Hello World1"":Msgbox ""Hello World2"":window.close")

So you can use your imagination and see how you can make your VBScript perform like PowerShell inline.  The difference is how you pull the extra payloads, but to execute them you just use the Execute command on them to run string elements as VBS commands.  Similar to what I did inline above.



I'm confused. Isn't the whole point of getting rid of .vbs scripts to limit the amount of files needed? Adding an executable won't help if you're only using one vbscript file..

It would be potentially worse because it is an executable which Windows can block easier than vbs. Unless I'm missing a point here?

Though I always do like the idea of running script via in-line functions.


mshta is in Windows already, like powershell.exe.  No adding an executable.  So, for those who like VBScript (I go PowerShell myself), you can use the inline portion to initiate a download cradle, like with PowerShell, to download VBScript and run it.  It is just an alternative.  Nothing new to download, all part of Windows still.  I have not looked up what this app is, but if I had to guess, it has something to do with handling HTA files.



1 hour ago, PoSHMagiC0de said:

mshta is in Windows already, like powershell.exe.  No adding an executable.  So, for those who like VBScript (I go PowerShell myself), you can use the inline portion to initiate a download cradle, like with PowerShell, to download VBScript and run it.  It is just an alternative.  Nothing new to download, all part of Windows still.  I have not looked up what this app is, but if I had to guess, it has something to do with handling HTA files.


Do you need Admin perms to be able to run an executable that I assume would be located in the system32 folder?


13 minutes ago, Dave-ee Jones said:

Do you need Admin perms to be able to run an executable that I assume would be located in the system32 folder?

Nope.  Normal user can do it.

In essence, it can be a file-less VBS.  I think I am going to go through the payloads and find the ones that do vbs and redo them to use this method if possible as a POC.

If possible, what can be done?  Welp, for Office macros I obfuscate all the methods and procedures in the macro to fire off my PowerShell script.  Same can be done with these scripts so they can be stored obfuscated.  You can deobfuscate in memory and execute them.  Here is an example, if you run Windows 10 or 7.  On your desktop create a file called "vbtest.txt".  Inside it, put the following code.

Msgbox "I ran from vbtest, first line."
Msgbox "Just to prove I am multiline, here is the second."
Msgbox "Don't believe me?  Here is a third."

Now, launch a command prompt window and navigate to your desktop.  This makes the command line shorter since you can reference the file from your location.  Now, in the command prompt put in the following code.

mshta vbscript:Execute("Set fso=CreateObject(""Scripting.FileSystemObject""):Set osc=fso.OpenTextFile(""vbtest.txt"", 1):sc=osc.ReadAll:osc.Close:Execute(sc):window.close")

This should read that vbtest.txt file in and execute it giving you 3 message boxes 1 after the other showing it is running the whole script multiline, closing the mshta window that opens afterwards.

Imagine, instead of reading that file from the local drive, reading it from, say, SMB, or downloading it from the net to a variable, then executing it.

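Seen from the defender's side, both command lines in this thread leave the same process-creation record: mshta started with a `vbscript:` argument instead of an HTA file. The classifier below is an added example, not code from any poster in this thread; it assumes you already collect process command lines (process-creation auditing with command-line logging), and the sample lines, trait names and severity labels are constructed for illustration.

```python
import re

# Tokens taken from the two command lines posted in this thread.
INLINE = re.compile(r'^"?\s*vbscript\s*:', re.I)
TRAITS = {
    "execute": re.compile(r'\bexecute\s*\(', re.I),
    "createobject": re.compile(r'\bcreateobject\s*\(', re.I),
    "file_read": re.compile(r'\b(opentextfile|readall)\b', re.I),
    "self_close": re.compile(r'\bwindow\.close\b', re.I),
}

def split_image(cmdline):
    """Return (image, arguments), honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].lstrip()
    parts = s.split(None, 1)
    return (parts[0] if parts else ""), (parts[1] if len(parts) > 1 else "")

def classify(cmdline):
    """None for non-mshta processes, else (severity, sorted trait names)."""
    image, args = split_image(cmdline)
    if re.split(r'[\\/]', image)[-1].lower() not in ("mshta", "mshta.exe"):
        return None
    if not INLINE.match(args):
        return ("info", [])  # mshta opening a file: baseline per environment
    traits = sorted(n for n, rx in TRAITS.items() if rx.search(args))
    # Execute() combined with object creation or a file read means the
    # script body is loaded from somewhere else and run in memory.
    staged = "execute" in traits and (
        "createobject" in traits or "file_read" in traits)
    return ("high" if staged else "medium", traits)

# Constructed process-creation command lines (not real telemetry).
SAMPLES = [
    r'mshta vbscript:Execute("Msgbox ""Hello World1"":Msgbox ""Hello World2"":window.close")',
    r'"C:\Windows\System32\mshta.exe" VBScript:Execute("Set fso=CreateObject(""Scripting.FileSystemObject""):Set osc=fso.OpenTextFile(""vbtest.txt"", 1):sc=osc.ReadAll:osc.Close:Execute(sc):window.close")',
    r'C:\Windows\System32\mshta.exe "C:\Program Files\Vendor\help.hta"',
    r'notepad.exe C:\Users\alice\Desktop\vbtest.txt',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "|", line[:60])
```

Where mshta has no business use at all, blocking it through application control is the stronger mitigation; the classifier is for environments that still need it for legitimate HTA files.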
