.html files that contain an encrypted HTA file. The idea is that when your target visits the page, the key is fetched and the HTA is decrypted dynamically within the browser and pushed directly to the user. This is an evasion technique to get round content / file-type inspection implemented by some security-appliances. This tool is not designed to create awesome HTA content. There are many other The aim of this project is to generatefiles that contain an encrypted HTA file. The idea is that when your target visits the page, the key is fetched and the HTA is decrypted dynamically within the browser and pushed directly to the user. This is an evasion technique to get round content / file-type inspection implemented by some security-appliances. This tool is not designed to create awesome HTA content. There are many other tools techniques that can help you with that. What it might help you with is getting your HTA into an environment in the first place, and (if you use environmental keying) to avoid it being sandboxed.

How does it do it?

This is achieved by encrypting the HTA file using RC4, and then using navigator.msSaveBlob to "save" the file at runtime - rather than fetching the HTA directly from the server. Meaning that at no point is there any HTTP request/response that contains your HTA file in a plain-text form - the proxy will simply see a text/html file containing your encrypted blob. In the latest version of Edge, this will result in the user being prompted to "run" the HTA.

Matthew Demaske, mshta.exe . As mentioned previously, the content of the HTA is not the primary aim of this tool. I'd encourage you to modify the HTA template to contain your own custom code :) Although not the primary aim of this tool, there are a couple of payload-options for the underlying HTA. Each option uses different techniques as previously documented by Matt Nelson Ryan Hanson and Etienne Stalmans . The benefit of using these techniques is that your code does not execute as a child of. As mentioned previously, the content of the HTA is not the primary aim of this tool. I'd encourage you to modify the HTA template to contain your own custom code :)

How do I run it?

Run the demiguise.py file, giving it your encryption-key, payload-type, output file-name and command that you want the HTA run.

Example: python demiguise.py -k hello -c "notepad.exe" -p Outlook.Application -o test.hta

Environmental Keying