.HTA file execution doesn't call back

[stormfleet]

Hi,

Currently I'm generating a RAW payload in Cobalt Strike for a windows/beacon/reverse_https listener. Output is a standard payload.bin file, which is then used as input to SharpShooter as follows:

SharpShooter.py --stageless --dotnetver 4 --payload hta --output test --rawscfile payload.bin

I've also tried the following variation:

SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile payload.bin --smuggle --template mcafee

However every time I try to run the HTA file on Windows, the payload fails to call back. Windows Defender is disabled for all of this testing, and no other AV is present. Network monitoring with Wireshark confirms too that the payload is not calling out. I have tried modifying the harness.hta template to just take the payload.bin as input, without any base64 encoding or the rc4 encipherment to check if it works, however the payload still refuses to call out or even make a network connection attempt.

Am I being obtuse or can someone confirm these findings? I have tried with both Internet Explorer and of course Microsoft (R) HTML Application Host.

[mrevilnerd]

I am having the exact same issue. I have tried both js and HTA call backs using both dotnetver vversion variable and neither seems to call back to Cobalt Strike.

[araaj]

I came across sharpshooter, after playing with the JSWebMeter project. I faced a similar issue there, defender was switched off from the console but debugging the script showed anti malware was still interfering, could be the AMSI picking up my script. This helped

https://www.windowscentral.com/how-permanently-disable-windows-defender-antivirus-windows-10