HTA

We will use a couple of tools to weaponize an HTA payload.

HTA payloads are another attachment method, but they work better with spearphishing via links. Attaching a non-standard file to an email would make it stick out, since it is a file type that a regular everyday user (one not focused on security, of course) usually never sees. So I will be showing this via the link method.

I created a very standard HTA Generator that points to a PowerShell command to execute a PS1 script via a web server, but I will change this to execute calc only. Various examples and methods are all over the internet; a simple Google search will point you in the right direction.

I used the HTA Generator tool to create the HTA file, which will open the calculator.

We will use any phishing method to have the user open or save the HTA file. IE is a great way to have the user open these files, as it gives the option to open directly instead of saving like other browsers, but this needs thorough testing, as some EDRs block it because a file executes directly when downloading. Suspicious, right? So we will continue by saving the file here.

We deliver our payload with any method at our disposal; in this example, a benign Word document containing the malicious link.

The user follows the instructions.

The user proceeds to open the file, and we achieve execution.
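Seen from the defender's side, the chain above leaves a process-creation trail: `mshta.exe` (the default Windows handler for `.hta` files) started on a file in a browser download location, then spawning a child process. The following is an added example, not code from the original page, that flags both over records using Sysmon Event ID 1 field names; the sample events, user name, file name and finding labels are constructed assumptions.

```python
import ntpath
import re

# Where a browser-delivered HTA lands: "Save" -> Downloads, IE "Open" -> its cache.
USER_DROP = re.compile(r"\\(downloads|inetcache|temporary internet files)\\", re.I)
# First quoted or unquoted drive path ending in .hta on the command line.
HTA_ARG = re.compile(r'([a-z]:\\[^"]*?\.hta)\b', re.I)
# Children that rarely have a legitimate reason to descend from mshta.exe.
# calc.exe is listed because it is the proof-of-concept payload used on this page.
RISKY_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                  "cscript.exe", "rundll32.exe", "regsvr32.exe", "calc.exe"}

def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def triage(event):
    """Return a list of (label, detail) findings for one process-creation record."""
    findings = []
    image, parent = base(event.get("Image")), base(event.get("ParentImage"))
    if image == "mshta.exe":
        m = HTA_ARG.search(event.get("CommandLine", ""))
        if m and USER_DROP.search(m.group(1)):
            findings.append(("hta_from_user_download", m.group(1)))
    if parent == "mshta.exe":
        label = "mshta_spawned_risky_child" if image in RISKY_CHILDREN else "mshta_spawned_child"
        findings.append((label, image))
    return findings

def scan(events):
    """Triage every event and keep (event index, finding) pairs."""
    return [(i, f) for i, e in enumerate(events) for f in triage(e)]

# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\Downloads\invoice.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\calc.exe", "CommandLine": "calc.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Documents\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

An HTA installed under a vendor directory is not flagged by the first rule, which keeps the focus on files a user just downloaded.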

This method is another way to weaponize. Obfuscation and encryption exist for this procedure, and some tools are very popular for creating these payloads. Sometimes attaching a file is completely unnecessary when sending our links; we just use this to avoid some AV scanning on the email providers. But please feel free to explore and try different techniques.
