You are here : Home » Learning security » Operating Systems » Windows » Hide HTA window for RedTeam

Hide HTA window for RedTeam

D 15 July 2021     H 20:14     A Emeric Nasi     C 0 messages


agrandir


License : Copyright Emeric Nasi (@EmericNasi), some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Creative Commons License

About

I wrote this short post to explain how to create a stealthy HTA file that launches without any window or taskbar mention.
An invisible HTA file can be used combined with other techniques to create advanced payloads for redteaming/supply chain attacks.
The goal of this post is not to describe what is an HTML Application or HTA.
If you don’t know what HTA are you can read the Introduction to HTML Applications

1. Some unsatisfying solutions:

When you google "hide hta files" you will find two different solutions, none of which are very satisfying:

  • Minimizing the HTA window via WINDOWSTATE="minimize"
  • Minimizing the HTA windows using via the script (ex window.resizeTo(0,0);)

An example of HTA file using method 1 (a hello world):

  1. <!DOCTYPE html>
  2. <html>
  3. <head>
  4. <HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" />
  5. <script type="text/vbscript">
  6.  
  7. Private Sub Hello()
  8. MsgBox "Hello from Sevagas" & vbCrLf & "Have a nice day!"
  9. End Sub
  10.  
  11. ' Auto launch when VBA enabled
  12. Sub AutoOpen()
  13. Hello
  14. End Sub
  15.  
  16. AutoOpen
  17. Close
  18. </script>
  19. </head>
  20. <body>
  21. </body>
  22. </html>

The problem with WINDOWSTATE="minimize" is that a small UI with the path to script appear in the corner.
It is discrete but can be detected if the payload is running for some time.
Notice the message in the bottom left corner:

A better method consist into playing with the HTA window from the script itself.
If possible for example to use window.resizeTo to make the window collaps or use window.moveTo to move the HTA window out of the screen.

  1. <!DOCTYPE html>
  2. <html>
  3. <head>
  4. <HTA:APPLICATION icon="#" WINDOWSTATE="normal" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" />
  5. <script>
  6. window.resizeTo(0,0);
  7. ....
  8. </script>
  9. </head>
  10. <body>
  11. </body>
  12. </html>

This method is better as there is no more small HTA UI in the corner. The problem, however is that there is a "glitch"; the HTA window appears very briefly before the script is applied.
This glitch could be considered suspicious in a redteam scenario, an attentive user could report it.

2. Best solution

The second proposition is the best but how to remove the glitch? Well it appear that the windows that pops briefly is the HTA windows and its borders.
I tested with various attributes and whats nice is that glitch disappears when you remove the borders. This can be done with the attribute BORDER="none"
So here is the best proposition to hide a running HTA file;

  1. <!DOCTYPE html>
  2. <html>
  3. <head>
  4. <HTA:APPLICATION icon="#" WINDOWSTATE="normal" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" BORDER="none" SCROLL="no" />
  5. <script type="text/vbscript">
  6.  
  7. Private Sub Hello()
  8. MsgBox "Hello from Sevagas" & vbCrLf & "Have a nice day!"
  9. End Sub
  10.  
  11. ' Auto launch when VBA enabled
  12. Sub AutoOpen()
  13. Hello
  14. End Sub
  15.  
  16. window.resizeTo 0,0
  17. AutoOpen
  18. Close
  19. </script>
  20. </head>
  21. <body>
  22. </body>
  23. </html>

This way, the running HTA is totally invisible and there is no windows briefly appearing when its started.
This template is implemented in the latest versions of MacroPack community and MacroPack Pro which can be used to automatically generate weaponized HTA files.

3. Usage in redteam scenario

There are several interesting scenario where you can use an invisible HTA.

Using the HTA file format

Concerning HTA files themselves, you could spoof the extension using special Unicode characters such as described in this post.
For example, you could create an HTA file which seems to end in *.jpg so the target thinks its a picture.
Then, from the HTA script you can launch a decoy image so the user really thinks he has opened a picture.

The HTA script can be used to run any VBS payload on the computer, including shellcode injection payload using Win32 API via Office application com objects.

Using other file formats (polyglot self calling HTA)

A few years ago I wrote a post about some HTA nice properties (Hacking around HTA files).
A nice property of HTA is that its easy to create polyglot formats compatible with MSHTA.
I recommend you read the blog post it if you are now aware about that.
This way its possible to add VBS scripting capabilities to non VBscript formats such as LNK shortcuts, Windows help files, or Visual Studio Project files.
In all those case, the HTA part should run invisible to avoid suspicion

This can lead to the creation of complex payloads all in a single file. In the example below I trojan an existing shortcut pointing to notepad.exe with a special HTA Macro.
Here is what happens when someone double clicks on the short cut:

  • LNK execute mshta on itself
  • Embedded HTA script uses COM to launch Excel in background
  • HTA script copies a VBA macro in the Excel memory (not persisted)
  • The VBA macro is executed and use some Win32 API to execute a raw Meterpreter shellcode.

Finally

Note that there are plenty other ways to use regular HTA or HTA polyglot in red team scenario (web download, phishing, supply chain attack)
Going through those is out of the context of this short post, but it might be interesting to explore later.
I already wrote a post about advanced USB key phishing based on weaponized HTA you can find here.
Also note that all the advanced scenarios including decoy launch and HTA polyglot abuse are implemented in MacroPack Pro .

Also in this section

24 February 2019 – Bypass Windows Defender Attack Surface Reduction

23 January 2019 – Yet another sdclt UAC bypass

23 June 2018 – Advanced USB key phishing

7 February 2018 – Hacking around HTA files

29 June 2014 – String encryption using macro and cryptor

Any message or comments?
pre-moderation

This forum is moderated before publication: your contribution will only appear after being validated by an administrator.

Who are you?
Your post