# HTA Files

An HTML Application (HTA) is a Microsoft Windows program whose source consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript.

In this example we assume that attachments are not allowed in our emails, so we send the user a direct link instead: the link bypasses the email attachment and directly downloads our binary (the HTA). In what follows we use the Empire framework to create our malicious binary. This attack can also be considered an attachment attack, but here an HTA file is being downloaded and executed.

Empire is a post-exploitation framework that includes a pure PowerShell 2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. Empire implements the ability to run PowerShell agents without the need for powershell.exe, and offers rapidly deployable post-exploitation modules, from keyloggers to evading network detection. PowerShell Empire premiered at BSides in 2015.

### Examples

We can create macros, HTA files and OLE objects for phishing (this example uses an HTA phishing style, and there will be links for reference). We can start Empire from our Linux box and use the following steps. \[Remember, this is the most basic attack, so it will get detected.]

`At the time of writing I was using Empire 2.5; there is a newer version, 3.0, with major updates, but the procedure is similar.`

We execute Empire

![](/files/-Lx3NorsV7s_7dPZxKQ-)

We will need to set up a listener that will listen for our connection once the payload is executed on the victim

![](/files/-Lx3PU9zBt3gLQ4vxJ0S)

We proceed to execute

![](/files/-Lx3PpOW6UkFu7FEj1cL)

We will set up our listener and an OutFile to send to our victim

![](/files/-Lx3QHlIprhpowdqYA-0)

Execute again to create our payload. Make sure to add the extension to the file name, or Empire will create a file that is not functional for our attack.

![](/files/-Lx3QbcgxFSQYVf7vixT)

From here, how to send this file is up to creativity; I will continue with this just for demo purposes.

![](/files/-Lx3R637sjfDkqCpXiYE)

I will simply run the file

![](/files/-Lx3RSQauISPzCwrq4aq)

And Empire will receive a callback

![](/files/-Lx3Rut9y8X8mmGcEeVl)
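
The remark above that this basic attack gets detected can be seen from the defender's side: Windows opens `.hta` files with `mshta.exe`, so the run-and-callback step appears in process telemetry as `mshta.exe` started on a downloaded file and then spawning PowerShell. The following is an added example, not part of the original notes or of Empire; the event records are constructed, their field names are borrowed from Sysmon process-creation events, and the path patterns and child-process list are assumptions to tune per environment.

```python
import ntpath
import re

# Assumption: children an HTA's script rarely has a legitimate reason to start.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Assumption: an .hta opened from a URL or a user-writable download/cache folder.
UNTRUSTED_HTA = re.compile(r'(https?://\S+|\\(downloads|temp|inetcache)\\[^"]*)\.hta\b', re.I)

def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def find_hta_chains(events):
    """Scan time-ordered process-creation events; return suspicious mshta.exe launches."""
    mshta = {}  # pid -> finding (PID reuse is ignored in this short example)
    for ev in events:
        if base(ev["Image"]) == "mshta.exe":
            mshta[ev["ProcessId"]] = {
                "pid": ev["ProcessId"],
                "launched_by": base(ev["ParentImage"]),
                "untrusted_source": bool(UNTRUSTED_HTA.search(ev["CommandLine"])),
                "children": [],
            }
        elif ev["ParentProcessId"] in mshta and base(ev["Image"]) in SUSPICIOUS_CHILDREN:
            mshta[ev["ParentProcessId"]]["children"].append(base(ev["Image"]))
    # Report when the HTA came from an untrusted location or started a shell/script host.
    return [f for f in mshta.values() if f["untrusted_source"] or f["children"]]

# Constructed sample events (not real telemetry); command-line arguments are elided.
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentProcessId": 3004, "Image": SYS32 + "mshta.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\Downloads\invoice.hta"'},
    {"ProcessId": 5236, "ParentProcessId": 4120,
     "Image": SYS32 + r"WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": SYS32 + "mshta.exe", "CommandLine": "powershell.exe <elided>"},
    {"ProcessId": 6010, "ParentProcessId": 900, "Image": SYS32 + "mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"ProcessId": 6100, "ParentProcessId": 6010, "Image": SYS32 + "notepad.exe",
     "ParentImage": SYS32 + "mshta.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in find_hta_chains(SAMPLE_EVENTS):
        print(finding)
```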

Empire may use many other stagers; here are a few examples:

![](/files/-Lx3S3kuLtzrVg5XG692)

Explore the many other options to learn how they function.
