Morph-hta
Description
Morph-hta is a Python script that obfuscates the code of a PowerShell-based *.hta
file generated by Cobalt Strike in order to evade anti-virus detection.
Installation
$ git clone https://github.com/vysecurity/morphHTA.git
Usage
Syntax
usage: python2 morph-hta.py [-h] [--in <input_file>] [--out <output_file>] [--mode <default: explorer>] [--maxstrlen <default: 1000>] [--maxvarlen <default: 40>] [--maxnumsplit <default: 10>] [--maxvalsplit <default: 10>]
Note
Compatible with Python 2 only.
Optional arguments
- -h, --help
  - show this help message and exit
- --in <input_file>
  - File to input Cobalt Strike PowerShell HTA
- --out <output_file>
  - File to output the morphed HTA to
- --mode <default: explorer>
  - Technique to use: MSHTA, Explorer, WmiPrvSE
- --maxstrlen <default: 1000>
  - Max length of randomly generated strings
- --maxvarlen <default: 40>
  - Max length of randomly generated variable names
- --maxnumsplit <default: 10>
  - Max number of times values should be split in chr obfuscation
- --maxvalsplit <default: 10>
  - Max value of each split