# Weaponization
* Weaponization is the second stage of the Cyber Kill Chain model.
* In this stage the attacker generates and develops their own malicious code and packages it into a deliverable payload such as a Word document, a PDF or a script file.
* The weaponization stage aims to pair that malicious payload with a delivery mechanism so it can exploit the target machine and gain initial access.
* Most organizations block or monitor the execution of .exe files within their controlled environment. For that reason, red teamers rely on executing payloads using other techniques, such as built-in Windows scripting technologies. Therefore, this task focuses on various popular and effective scripting techniques, including:
1. The Windows Script Host (WSH)
2. An HTML Application (HTA)
3. Visual Basic Applications (VBA)
4. PowerShell (PSH)
## Windows Script Host
* Windows Script Host (WSH) is a built-in Windows administration engine that runs script files (not batch files, which are handled by cmd.exe) to automate and manage tasks within the operating system.
* It ships as two native host executables: cscript.exe for command-line scripts and wscript.exe for scripts with a graphical UI. Both execute Microsoft Visual Basic Script files (.vbs, .vbe) as well as JScript (.js, .jse) and .wsf files.
> It is important to note that the VBScript engine on a Windows operating system runs scripts with the same level of access and permissions as the user who launched them; WSH adds no elevation, but it also adds no sandbox.
## HTML Application (HTA)
* An HTML Application is a standalone, downloadable .hta file that carries its own HTML and script together with the directives that control how the window is displayed and rendered.
* HTAs are dynamic HTML pages containing JScript or VBScript. They are executed by mshta.exe rather than a browser, so the embedded script runs fully trusted with the launching user's rights instead of inside the browser's security zone.
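The following is an added example, not code from the original page: it drops a small VBScript and a small HTA into a temporary folder and launches each with its native engine, so the difference between cscript.exe, wscript.exe and mshta.exe is visible and both payloads show that they run in the context of the launching user. The folder name `wsh-demo`, the file names and the commands the scripts run are assumptions chosen for the demo.

```powershell
# Added example (not from the original page). Demo folder is an assumption.
$ScriptDir = Join-Path $env:TEMP 'wsh-demo'
New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null

# --- Windows Script Host: VBScript -----------------------------------------
# Runs in the security context of the launching user; no elevation is involved.
$vbs = @'
Set net = CreateObject("WScript.Network")
Set sh  = CreateObject("WScript.Shell")
WScript.Echo "Running as " & net.UserDomain & "\" & net.UserName
' Run a command with a hidden window (style 0) and wait for it to finish
rc = sh.Run("cmd.exe /c whoami /groups > ""%TEMP%\wsh-demo\groups.txt""", 0, True)
WScript.Echo "cmd exit code: " & rc
'@
$vbsPath = Join-Path $ScriptDir 'demo.vbs'
Set-Content -Path $vbsPath -Value $vbs -Encoding ASCII

# cscript.exe sends WScript.Echo to stdout; wscript.exe shows a message box instead.
& cscript.exe //Nologo $vbsPath
# & wscript.exe $vbsPath    # same script, GUI host

# --- HTML Application ------------------------------------------------------
# Same COM objects as the .vbs above; mshta.exe runs the page fully trusted.
$hta = @'
<html>
<head>
  <title>HTA demo</title>
  <HTA:APPLICATION ID="demo" APPLICATIONNAME="HTA demo" />
  <script language="VBScript">
    Sub Window_OnLoad
      Set sh = CreateObject("WScript.Shell")
      sh.Run "cmd.exe /c whoami > %TEMP%\wsh-demo\hta.txt", 0, True
      document.body.innerHTML = "Command ran as " & CreateObject("WScript.Network").UserName
    End Sub
  </script>
</head>
<body></body>
</html>
'@
$htaPath = Join-Path $ScriptDir 'demo.hta'
Set-Content -Path $htaPath -Value $hta -Encoding ASCII
Start-Process -FilePath mshta.exe -ArgumentList "`"$htaPath`""
```

Both files end up in `%TEMP%\wsh-demo` together with `groups.txt` and `hta.txt`, which record the account each engine ran under. From a defender's side, the same three host binaries (cscript.exe, wscript.exe, mshta.exe) spawning cmd.exe are what process-creation logging should be watched for.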
## PowerShell (PSH)
* PowerShell is an object-oriented scripting language and command shell built on the .NET runtime; its commands exchange .NET objects rather than plain text.
### Execution Policy
* PowerShell's execution policy is a safety setting intended to stop users from accidentally running scripts; Microsoft documents it as not being a security boundary, so it should not be relied on to block a determined attacker.
* By default, Microsoft prevents execution of PowerShell scripts (.ps1) on Windows client editions: the execution policy is set to *Restricted*, which permits individual commands but does not run any script files. Windows Server editions default to *RemoteSigned*.
* You can determine the current PowerShell setting of your Windows as follows.
```
PS C:\Users\thm> Get-ExecutionPolicy
Restricted
```
* You can easily change the PowerShell execution policy by running:
```
PS C:\Users\thm\Desktop> Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
http://go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): A
```
#### Bypassing Execution Policy
* One way of bypassing the policy is to pass the -ExecutionPolicy (short form -ex) argument to the PowerShell command, which changes the setting for that process only.
* For example, we can set it to *Bypass*, which means nothing is blocked and no warnings are shown.
```
C:\Users\thm\Desktop>powershell -ex bypass -File thm.ps1
```
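As an added example (not part of the original page), the script below shows why the command-line switch works: PowerShell evaluates the policy at five scopes in the order MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine, and `-ExecutionPolicy Bypass` simply sets the Process scope, which outranks the CurrentUser and LocalMachine values that `Set-ExecutionPolicy` normally writes. The script path under `%TEMP%` and the contents of `thm.ps1` are assumptions for the demo.

```powershell
# Added example (not from the original page). Script path is an assumption.

# 1. Effective policy vs. policy at every scope.
Get-ExecutionPolicy
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. A harmless script on disk that reports the policy it ran under.
$script = Join-Path $env:TEMP 'thm.ps1'
Set-Content -Path $script -Value 'Write-Output "thm.ps1 ran under $(Get-ExecutionPolicy) as $env:USERNAME"'

# 3. Under Restricted, invoking the file throws a PSSecurityException ...
try {
    & $script
} catch [System.Management.Automation.PSSecurityException] {
    Write-Warning "Blocked by execution policy: $($_.Exception.Message)"
}

# 4. ... but a child process started with the switch succeeds. This is the
#    same thing as "powershell -ex bypass -File thm.ps1" on the page.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $script

# 5. Without spawning a process: the switch is just the Process scope.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
Get-ExecutionPolicy -List | Where-Object Scope -eq 'Process'
& $script

# 6. Limits of the bypass: a Group Policy value (MachinePolicy or UserPolicy)
#    outranks Process, and Set-ExecutionPolicy warns that the setting it just
#    wrote is overridden. None of this stops logging: with Script Block Logging
#    enabled, the content of thm.ps1 is still written to the
#    Microsoft-Windows-PowerShell/Operational log as event 4104.
```

Step 3 only fails on a session whose effective policy is still Restricted; if the CurrentUser scope has already been set to RemoteSigned as shown earlier, a local unsigned script runs without complaint, which is why checking `Get-ExecutionPolicy -List` is more informative than the single effective value.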