Background

There are occasions during a red team engagement where you'll want to use an executable file to accomplish something. We recently had the opportunity to perform a watering hole attack using a website we compromised. We embedded JavaScript into the logon page of the website which alerted users that the application now required a browser plugin to function properly, and then proceeded to download said "plugin". At first, we attempted to use an HTA file to execute PowerShell on users' systems which would establish a command and control (C2) channel back to our server (Cobalt Strike). For some reason it wasn't working on the systems we were targeting. We had tested the attack on several of our own systems, where it went off without a hitch, so we weren't sure if something was blocking it, or if users were just overly suspicious of or confused by the HTA file. No worries though; we swapped the HTA for a custom-made exe, which had a success rate of over 50%.

The issue with an exe file (also called a portable executable, or PE, because it contains all the information Windows needs to load and run it) is that it generally has to be written to disk, so AV is going to check it out. Every red team tool from Metasploit to Cobalt Strike can generate an exe file that will establish a C2 channel back to the attacker's machine. While these files are slightly different every time (so they have different hashes), AV is extremely likely to flag them as malicious.
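To make the "different hashes, same detection" point concrete, here is an added example (it is not code from the original post or from any of the tools it names). It builds a constructed, non-runnable PE byte image with the headers a loader would read, parses the DOS header, PE signature, COFF header and section table, and then compares a whole-file SHA-256 against a fingerprint taken only from the structural fields. Two builds that differ by a single byte in the code section get different file hashes but an identical structural fingerprint, which is why a hash blocklist alone is a weak control and why scanners key on structure, imports and behaviour instead. The sample bytes and the fingerprint function are assumptions made for this illustration.

```python
import hashlib
import struct

# Constructed minimal PE image for the parser below. It is NOT a real
# executable: DOS header, "PE\0\0" signature, a COFF file header with no
# optional header, one section header, padding to the section's raw offset,
# and a 16-byte "code" blob whose last byte the caller controls.
def build_sample_pe(stub_byte: int = 0x00) -> bytes:
    dos = bytearray(64)
    dos[0:2] = b"MZ"                         # e_magic
    struct.pack_into("<I", dos, 60, 64)      # e_lfanew: PE header follows DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x0022)
    # Section header (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
    # NumberOfRelocations, NumberOfLinenumbers, Characteristics (CODE|EXECUTE|READ)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x10, 0x200,
                          0, 0, 0, 0, 0x60000020)
    image = bytes(dos) + b"PE\0\0" + coff + section
    image += b"\0" * (0x200 - len(image))    # pad to PointerToRawData
    image += bytes([0x90] * 15 + [stub_byte & 0xFF])
    return image


def parse_pe(data: bytes) -> dict:
    """Parse the headers a Windows loader (or a scanner) reads first."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size   # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _, _, _, _, schars) = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        if raw_ptr + raw_size > len(data):
            raise ValueError("section %r points outside the file" % name)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize,
            "raw_ptr": raw_ptr, "raw_size": raw_size,
            "executable": bool(schars & 0x20000000),
            "writable": bool(schars & 0x80000000),
        })
    return {"machine": machine, "characteristics": chars, "sections": sections}


def file_hash(data: bytes) -> str:
    """Whole-file SHA-256: changes whenever any byte changes."""
    return hashlib.sha256(data).hexdigest()


def structural_fingerprint(data: bytes) -> str:
    """Hypothetical fingerprint over layout only (no section contents), so
    byte-level churn in the payload leaves it unchanged."""
    info = parse_pe(data)
    parts = ["machine=%04x" % info["machine"], "chars=%04x" % info["characteristics"]]
    for s in info["sections"]:
        parts.append("%s:%x:%x:%d%d" % (s["name"], s["vaddr"], s["raw_size"],
                                         s["executable"], s["writable"]))
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    a, b = build_sample_pe(0x00), build_sample_pe(0x01)
    print("file hashes differ:      ", file_hash(a) != file_hash(b))
    print("structure identical:     ", structural_fingerprint(a) == structural_fingerprint(b))
    print(parse_pe(a)["sections"][0])
```

The parser reads only the fields the post refers to (the headers that tell Windows how to map and run the file); a real scanner would go on to the import table and the code itself, but the same lesson holds: one-byte changes defeat hash matching and nothing else.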