https://github.com/trustedsec/auto_settingcontent-ms
This is a quick POC for using the Matt Nelson (enigma0x3) technique for generating a malicious .SettingContent-ms extension type for remote code execution. This automates generating an HTA downloader and embeds it in the SettingContent-ms file for you and starts Apache.
- Host: GitHub
- URL: https://github.com/trustedsec/auto_settingcontent-ms
- Owner: trustedsec
- License: other
- Created: 2018-06-15T14:50:50.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2018-06-15T14:55:39.000Z (about 8 years ago)
- Last Synced: 2025-03-28T03:41:24.730Z (over 1 year ago)
- Language: Python
- Size: 2.93 KB
- Stars: 51
- Watchers: 7
- Forks: 19
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
README
### Auto .SettingContent-ms
This is a simple script for automating the creation of an MSHTA downloader (HTA) through the .SettingContent-ms extension type discovered by Matt Nelson (@enigma0x3) from SpecterOps. Simply run the tool, and ensure that Metasploit and Apache are installed. It will generate a Metasploit Meterpreter (reverse https) payload through a malicious HTA. The .SettingContent-ms can then be used inside of an Office document, an attachment, or downloaded from the Internet to coax a victim into clicking.
Simply run:
```
python auto_settingcontent-ms.py
```
Enter the IP address or hostname of the reverse shell
Enter the port
Let the magic happen.
CREDIT: Matt Nelson (@enigma0x3) for the discovery
Written by: Dave Kennedy (@HackingDave, @TrustedSec)