Once an attacker has created a PowerShell payload that bypasses antivirus software and has set up msfconsole on their attack system, they can disguise the executable so that it appears to be a plain text file. A Windows 10 user may then open the payload without realizing what it really is.
The Unicorn-generated PowerShell payload works as expected on the Windows 10 target computer. It creates a reverse HTTPS connection back to the attacker's Kali setup while bypassing Windows Defender and Avast antivirus detection. That's all great, but the real challenge is getting the Windows target user to run the code on their computer.
To accomplish this, a few things can be done to the PowerShell payload before it is sent to the victim. The payload must be converted to a Windows executable (EXE). The icon (ICO file) must also be changed to look like that of a regular text file. The biggest red flag that the fake text file is actually an executable is the file extension. Some Windows users disable the "Hide extensions for known file types" option to protect against file extension spoofing attacks. In this article I will show how to spoof the file extensions
For readers who may have skipped the first part of this article, here is the GIF again, showing the real and fake text files side by side:
The file on the left is a real text file. The file on the right is the PowerShell payload, which was designed to open Notepad before running the PowerShell code.
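As an added defensive check that is not part of the original article, the following Python script (standard library only) flags the two tells of a fake text file discussed above: a file whose final extension is text-like but whose bytes begin with the "MZ" header every Windows EXE carries, and a double extension such as notes.txt.exe, which Explorer shows as notes.txt when known extensions are hidden. The extension sets and the sample files it builds are my own constructed choices, and the samples are header stubs, not programs.

```python
import os
import tempfile

# Assumed lists: extend to match what your users actually treat as "documents".
TEXT_EXTENSIONS = {".txt", ".log", ".md", ".rtf"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd"}


def has_pe_header(path):
    """True when the file starts with the 'MZ' DOS header of a Windows executable."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def extensions_of(name):
    """All dotted extensions of a name, lower-cased: 'notes.txt.exe' -> ['.txt', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def classify(path):
    """Compare what the file name claims with what the file's bytes say."""
    exts = extensions_of(os.path.basename(path))
    final = exts[-1] if exts else ""
    if has_pe_header(path) and final in TEXT_EXTENSIONS:
        return "pe-with-text-extension"   # bytes are an EXE, the name says text
    if final in EXECUTABLE_EXTENSIONS and any(e in TEXT_EXTENSIONS for e in exts[:-1]):
        return "double-extension"         # displays as 'notes.txt' if extensions are hidden
    return "no-mismatch"                  # plain text, or an executable that says so


def scan(directory):
    """Map each suspicious file name in directory to its verdict."""
    findings = {}
    for entry in os.scandir(directory):
        if entry.is_file():
            verdict = classify(entry.path)
            if verdict != "no-mismatch":
                findings[entry.name] = verdict
    return findings


def build_demo_dir():
    """Constructed sample files for the demo; none of them is a real program."""
    d = tempfile.mkdtemp()
    samples = {
        "readme.txt": b"just some notes\r\n",    # genuine text file
        "invoice.txt": b"MZ" + b"\x00" * 62,      # EXE header stub renamed to .txt
        "notes.txt.exe": b"MZ" + b"\x00" * 62,    # double extension plus a text icon
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d
```

Running `scan(build_demo_dir())` reports the two disguised files and stays silent on readme.txt; the same check can be pointed at a downloads folder or a mail gateway's quarantine directory.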
Step 1: Save the PowerShell Payload
The following steps require a Windows operating system. I recommend using a Windows 10 virtual machine (VM) in VirtualBox.
Before going further, the previously created PowerShell payload should be moved to the Windows system and saved as payload.bat with Notepad or your favorite text editor. The payload.bat file is manipulated to appear as a plain text file in the following steps.
Step 2: Download the Windows 10 Icons
To begin converting the payload.bat file into a fake text file, the Windows 10 icons must be downloaded. These icons are used to fake the file icon. You can download them with git clone 'https://github.com/B00merang-Project/Windows-10-Icons'.
git clone 'https://github.com/B00merang-Project/Windows-10-Icons'
Cloning into 'Windows-10-Icons'...
remote: Counting objects: 3495, done.
remote: Total 3495 (delta 0), reused 0 (delta 0), pack-reused 3495
Receiving objects: 100% (3495/3495), 14.69 MiB | 294.00 KiB/s, done.
Resolving deltas: 100% (393/393), done.
Checking connectivity... done.
This repository may not contain exact replicas of the built-in Windows 10 icons, but they look close enough and will work well for the purposes of this article. Readers who can design icons or find better ones online are welcome to use them.
I use text-x-generic.png from the Windows-10-Icons/256x256/mimetypes/ directory, but any PNG will work.
Step 3: Convert the PNG to ICO Format
The PNG must be converted to the Windows ICO icon format. This can be done with online tools such as ConvertICO. Simply upload the desired PNG to the website and it will convert it to ICO format. Save the new ICO with the filename fakeTextFile.ico.
Step 4: Install BAT2EXE
To download B2E from its official site, users must let the site mine cryptocurrency in their browser for several minutes before the free software can be downloaded. If you want to support the B2E developer, go to the download page and obtain the latest B2E software that way. Otherwise, readers can use my mirror of a slightly older version of B2E.
Using my GitHub mirror, visit the following URL in Windows to download B2E:
Download and run the file "Bat_To_Exe_Converter_(Installer).exe" to install it.