Text‐based files - hegusung/Windows-Initial-Access GitHub Wiki

VBA

Input

  • Macro

Output

  • COM objects
  • Windows APIs
  • SCT

VBS/VBE

Input

  • click !
  • wscript.exe / cscript.exe
  • HTA
  • XSL
  • WSF
  • SCT

Output

  • COM objects
  • Windows APIs
  • SCT

JS/JSE

Input

  • click !
  • wscript.exe / cscript.exe
  • HTA
  • XSL
  • WSF
  • SCT

Output

  • COM objects
  • SCT

PS1

Input

  • powershell.exe

Output

  • COM objects
  • Windows APIs
  • SCT

HTA

Input

  • click !
  • mshta.exe

Output

  • VBS/VBE - local
  • JS/JSE - local

XSL

Input

  • msxsl.exe
  • wmic
  • COM objects

Output

  • VBS/VBE - local
  • JS/JSE - local

WSF

Input

  • click !

Output

  • VBS/VBE - local
  • JS/JSE - local
  • VBS/VBE - remote
  • JS/JSE - remote

SCT

Input

  • click ???
  • regsvr32.exe - remote & local
  • rundll32.exe - remote & local
  • powershell.exe - remote & local
  • pubprn.vbs - remote & local
  • VBS/VBE
  • JS/JSE
  • INF

Output

  • VBS/VBE - local
  • JS/JSE - local
  • VBS/VBE - remote
  • JS/JSE - remote

INF

Input

  • Excel
  • cmstp.exe - local
  • rundll32.exe - local

Output

  • SCT

SettingContent-ms

Input

  • click !

Output

  • Command execution

CHM

Input

  • hh.exe - local & remote

Output

  • Command execution