There's been some really interesting security research done recently around obscure Windows executables with unexpected features. Some of them auto-elevate and bypass UAC, some execute arbitrary code, and some package scripts into executables. subTee has been posting about many of these discoveries for a few years now.
Most recently, iexpress.exe resurfaced. Apparently it's an old trick used by graybeard pentesters going back to the dawn of NT, but I wasn't in the game back then, so I figured I'd write it up this time around.
First, you're going to need a PS1 containing whatever PowerShell script you're looking to run. The generated EXE doesn't forward its own command-line arguments to the script, so you'll need to bake any parameters into the script itself.
Next, run iexpress.exe as an administrator.
- Select Create new Self Extraction Directive file and then click Next.
- Select Extract files and run an installation command and then click Next.
- Name your package something awesome and then click Next.
- Select No prompt and then click Next again.
- Select Do not display a license and then click Kangaroo. Just kidding! Click Next.
- Click Add and browse to the location of your PowerShell script. Click Next.
- In the Install Program field, enter the following and then click Next. The file name must match the script you added in the previous step exactly, since the command runs from the directory the package extracts its files into:
PowerShell.exe -NonI -NoP -Exec Bypass -W Hidden -File evil.ps1
- Select Hidden and then click Next.
- Select No message and then click Next.
- Browse for the desired output path for your shiny new executable, and then click Next.
- Select No restart and then click Next.
- Select Don't save and then click Next.
- Click Next.
- Click Finish.
And presto! You have a PS1 embedded in an EXE that you can drop and run anywhere!
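The same package can be built without clicking through the wizard at all. The script below is an added example, not code from the original post: it writes a Self Extraction Directive (SED) that mirrors the wizard choices above (no prompt, no license, hidden install window, no finish message, no restart) and then runs iexpress.exe unattended. The SED keys follow the standard IExpress directive format as I know it rather than anything listed on this page, so compare them against a SED the wizard saves for you if a build fails; the script name, output path and friendly name are placeholders.

```powershell
# Builds a PowerShell-in-EXE package the way the IExpress wizard does,
# but from a generated SED file. Added example; assumes the standard
# IExpress SED layout and ASCII-only paths.
param(
    [Parameter(Mandatory)] [string] $ScriptPath,          # e.g. C:\work\evil.ps1 (placeholder)
    [Parameter(Mandatory)] [string] $OutputExe,           # e.g. C:\work\evil.exe (placeholder)
    [string] $FriendlyName = 'Package'                    # wizard "package title"
)

$script  = Get-Item -LiteralPath $ScriptPath
$sedPath = Join-Path $env:TEMP ([IO.Path]::GetFileNameWithoutExtension($OutputExe) + '.sed')

# Same command as the wizard's Install Program field. Only the bare file name is
# used because the command runs from the directory the package extracts into.
$installCmd = 'PowerShell.exe -NonI -NoP -Exec Bypass -W Hidden -File "{0}"' -f $script.Name

# Wizard choice -> SED key:
#   No prompt            -> InstallPrompt empty
#   Do not display license -> DisplayLicense empty
#   Hidden               -> ShowInstallProgramWindow=0, HideExtractAnimation=1
#   No message           -> FinishMessage empty
#   No restart           -> RebootMode=N
$sed = @"
[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=0
HideExtractAnimation=1
UseLongFileName=1
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
TargetName=$OutputExe
FriendlyName=$FriendlyName
AppLaunched=$installCmd
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="$($script.Name)"
[SourceFiles]
SourceFiles0=$($script.DirectoryName)\
[SourceFiles0]
%FILE0%=
"@

# iexpress expects a plain (non-Unicode) text file; ASCII is enough for ASCII paths.
Set-Content -LiteralPath $sedPath -Value $sed -Encoding ascii

# /N builds the package immediately, /Q suppresses the wizard UI.
$proc = Start-Process -FilePath "$env:SystemRoot\System32\iexpress.exe" `
    -ArgumentList @('/N', '/Q', ('"{0}"' -f $sedPath)) -Wait -PassThru

if ($proc.ExitCode -ne 0 -or -not (Test-Path -LiteralPath $OutputExe)) {
    throw "iexpress.exe failed (exit code $($proc.ExitCode)); check $sedPath"
}
Get-Item -LiteralPath $OutputExe
```

Run it as `.\Build-Package.ps1 -ScriptPath C:\work\evil.ps1 -OutputExe C:\work\evil.exe` (script file name is your choice). The generated SED is left in %TEMP% so you can diff it against one saved by the wizard if the build fails.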
If you're interested in automating this process a bit, choose Save Self Extraction Directive (SED) file instead of Don't save in the step above; the SED file records every option the wizard collected, and it contains all the parameters you'll need. I've added comments behind the relevant sections below: